[Info-vax] Security, support and VMS, was: Re: A new VMS?

Arne Vajhøj arne at vajhoej.dk
Tue May 4 13:12:18 EDT 2021


On 5/4/2021 11:22 AM, chris wrote:
> On 05/03/21 19:38, Arne Vajhøj wrote:
>> On 5/3/2021 2:24 PM, Phillip Helbig (undress to reply) wrote:
>>> In article <s6pbt4$5hl$1 at dont-email.me>, Simon Clubley
>>> <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>>>> We keep getting told that the remaining VMS are super important to
>>>> their owners and are vital to the running of their organisations.
>>>
>>> Yes, but how many of them are running VMS on private networks? Probably
>>> most.
>>
>> Practically all systems of any importance are on a "private" network
>> today.
>>
>> But that does not mean that they cannot be attacked.
>>
>> Unless they are not on a network at all or on a totally
>> isolated network then attacks can target a computer
>> that can be used to target a computer that ... and
>> so on.
>>
>> Very few networks are totally isolated today. Almost everything
>> is somewhat connected.
>>
>> So the attacker targets your wife's iPad, uses that to get
>> to your work laptop, uses that to get to the company Windows
>> server and uses that to reach the VMS system.

> That's very true, no system is absolutely secure, given enough time
> and resources, but that must be balanced against the benefit for the
> attacker. Most systems are just not worth the effort, given the
> resources required. Good firewalling, admin and process should stop
> all but the most determined attempts.

If what the system does is not important then most likely it will
not have value to hack it.

But if the system is important in some sense then most likely it
will have value for someone to hack it.

> Here, once systems and apps are installed, with initial patches if
> available, they are usually locked down for life. Stability and
> consistency being more important than obsessive patching, which
> itself can break more than it fixes...

This was common 30 years ago, but it is getting much rarer today.

For good reasons.

Con patching:
- N minutes of scheduled down time like once per month
- risk of M minutes of unplanned downtime due to faulty patch
   requiring rollback

Pro patching:
- prevent data leak to competitors, foreign states, criminal blackmailers
- prevent unauthorized data modification that creates havoc by
   foreign states, terrorists or malicious competitors
- prevent system being temporarily made unavailable by criminal
   blackmailers or terrorists

If a system has important data or is doing something important,
then patching is good business (and in many cases required by
regulation or contract).

Arne
