[Info-vax] VSI strategy for OpenVMS

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Sep 16 13:50:52 EDT 2021


On 2021-09-16, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 9/15/2021 7:07 PM, kemain.nospam at gmail.com wrote:
>> One lottery company support admin told me that they had adopted a
>> patch-n-pray philosophy as they just do not have the cycles to properly test
>> all these monthly patches with all their Apps on a continual basis.
>
> If the system is important then patch-and-pray seems much more
> attractive than notpatch-and-pray.
>
> If you patch and there is a problem introduced by the patch,
> then it gets reported and fixed and a new patch shows up. That
> can cost hundreds of thousands or millions for downtime.
>

I would not be surprised if some people also think (from a job security
point of view) they are covered if things go wrong because you can always
blame the vendor for issuing a bad patch as you did your job of applying
the patch.

> If you don't patch and the system gets hacked then:
> - you may be extorted many millions via ransomware
> - your data may be publicized resulting in loss of confidence
>    by customers that will either cost many millions or close the business
> - your data may end up with competitors possibly residing in
>    foreign countries providing few legal options, seriously
>    damaging the business future
> - and worst case the hackers modify data and leave without
>    anyone noticing - this could again cost millions or
>    lives and may very likely close the business
>

Also:

- Future potential employers ask "You worked WHERE??? So you are
the person who didn't apply the patches when you should have done."

>> It will be interesting to see if OpenVMS runs into this same challenge now
>> that it will soon be released on X86-64.
>
> I don't think the change in HW platform would result in many more
> patches.
>

It's not that clear, Arne. The change in architecture to x86-64 will bring
along security researchers who have tools for probing operating systems
running on that architecture.

> If the list of available open source stuff on VMS increases
> from 100s to 10000s then it will increase the number of patches.
>

There's also plenty to probe in VMS itself if you get a sufficiently
skilled set of professional researchers interested in spending the
time to learn and probe the internals of VMS.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.


