[Info-vax] Security, support and VMS, was: Re: A new VMS?

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Tue May 4 08:11:20 EDT 2021 

On 2021-05-03, abrsvc <dansabrservices at yahoo.com> wrote:
>
> If you take what you say to its full extent, than you would never see VAX/VMS V5.5 systems running today, nor Alpha V7.3-2 systems running today. I currently support both for more than 1 client each.
>
> Yes, many OpenVMS systems remain at "known" levels for extended periods of time. This is one of the reasons for uptimes measured in years.
>
> I would posit that until OpenVMS runs native on the hardware, the majority if not all of the holes will be with the OS under which VMS is running.
> To take a pre-emptive strike...  Yes, I know that you found a vulnerability in DCL that was there for a long time (and it was fixed), but that required you to be already connected.  Do you have examples of overtaking the system WITHOUT access?  While I won't claim that VMS is the best, you have to admit that a properly managed system is more secure than your standard Windows box.  You don't read about VMS having problems with virus attacks or programs that run because you opened up an Email.  These don't exist on VMS systems, they work differently.  That is not to say there aren't any potential issues at all, but in the grand scheme of tings, there are far fewer on VMS systems than on others.

Actually Dan, this has absolutely nothing to do with the DCL vulnerability
other than an example of what I am about to say as I have moved on from that.

VMS is not Unix or Windows.

This is good because it has functionality that neither of them have.

This is bad because there's a good number of design constructs in VMS
and other features in VMS that are unknown to researchers of those other
operating systems.

Researchers know how to probe things in VMS that are common to other
operating systems and find issues there. However, what about the parts
of VMS that are unique to VMS ? How much of a workout do those features
get from a security researcher point of view ?

Those common features on other operating systems have had basic flaws
found in them and fixed and VMS benefits from that work.

How many basic flaws are waiting to be discovered in the VMS specific
parts of VMS simply because the researchers don't know those VMS specific
parts of VMS, at least not yet ?

That's all I am trying to point out.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

More information about the Info-vax mailing list