
What's MORE Secure? OpenVMS or OpenBSD?


as400

Feb 25, 2006, 12:15:48 AM
I really thought that the UNIX-like OS called OpenBSD www.openbsd.org
was the most secure unix-like operating system in the world....And,
maybe even the MacOS-X also...

Can someone here please provide me on what makes OpenVMS so secure? I
know that OpenBSD by default comes very secure by default out of the box
with a lot of system services being disabled....But I don't know about
what makes OpenVMS unhackable....Please explain the difference between
OpenVMS, OpenBSD, or even the MACOSX???

I thought the MOST secure OS would be like this in order:

1. Mac-OS-X

2. OpenBSD

OpenVMS???? Well.....I don't know about this...Care to explain how
secure it is?

Larry Kilgallen

Feb 25, 2006, 12:41:26 AM

> I really thought that the UNIX-like OS called OpenBSD www.openbsd.org
> was the most secure unix-like operating system in the world...

Perhaps it is.

> Can someone here please provide me on what makes OpenVMS so secure? I

It is hard to get into details without information regarding how much
you know about VMS.

> know that OpenBSD by default comes very secure by default out of the box
> with a lot of system services being disabled....But I don't know about
> what makes OpenVMS unhackable....Please explain the difference between
> OpenVMS, OpenBSD, or even the MACOSX???

At the simplest level, OpenBSD and MacOS-X are both Unix-style
operating systems. VMS is not.

> I thought the MOST secure OS would be like this in order:
>
> 1. Mac-OS-X
>
> 2. OpenBSD
>
> OpenVMS???? Well.....I don't know about this...Care to explain how
> secure it is?

The fact that you omit MVS and OS400 from this list of possibilities
makes me think you have not looked very far. Certainly both of those
are going to be more secure than a Unix-style operating system.

Christoph Gartmann

Feb 25, 2006, 6:06:45 AM
[...]

>I thought the MOST secure OS would be like this in order:
>
>1. Mac-OS-X
>
>2. OpenBSD
>
>OpenVMS???? Well.....I don't know about this...Care to explain how
>secure it is?

From my viewpoint as the head of a scientific data processing unit: OpenVMS
is definitely more secure than the two above.
I have used and maintained quite a bunch of different operating systems (more
different than OS-X and BSD which are basically the same). But in order to
explain the security differences, I would need to know what you know, otherwise
this leads too far.

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
Immunbiologie
Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html

as400

Feb 25, 2006, 10:19:47 AM
Really!!!!!!!??????

I thought VMS was a UNIX OS.....MMMM....that's a real surprise to me....

b...@instantwhip.com

Feb 25, 2006, 11:48:25 AM
vms was designed with the intent NOT to repeat the mistakes of unix ...
vms has multiple levels of security. with OpenVMS I can give you
the privileges you need to run any app securely or access any file
without being able to gain access at a system or group level. I can
lock you in a box with a captive account like ftp where you can only
run ftp and nothing else. Mail is virus proof. There are privileges
for files, users, execs for single users or groups of users. There are
ACLs for additional directory or file access that needs to be
specialized.

vms is not unix. There is NO root to gain access of. You gain access
to only what I give you on a single to directory to group basis.

Search this site for discussions with our friend Andrew formerly of sun
about descriptors and how the vms kernel is superior and unhackable as
proved by defcon9 compared to any other os ... hackers routinely see the
message "access violation error" when they try buffer overflows and other
tricks because they do not work on the vms kernel even from outside
products like tcpware and multinet stacks. See process.com for how every
CERT relating to ip stacks just seems to return the above error and never
affects vms.

and finally, search the CERT counts for vms compared to every other os.
I think at last count there were 13 in the last 15 years, and all of
those were for local or internal processes like decwindows ...

we have run all our mail and web apps on vms servers for over 7 years
now without "ONE" virus or hack. We sleep well at nights and can actually
get work done during the day w/o having to worry about the patch of the
day.

I can go on and on about security and we have not even begun to discuss
why it is the gold standard for clustering and uptime.

Search this site and the others I mentioned and you will see why the
vms kernel is unhackable and superior to all other junk out there ...

it was done right by a group of MIT grads, not MIT drop outs like
windoze Bill.

VAXman-

Feb 25, 2006, 12:04:58 PM
In article <1140886105.3...@j33g2000cwa.googlegroups.com>, b...@instantwhip.com writes:
{...snip...}

>it was done right by a group of MIT grads, not MIT drop outs like
>windoze
>Bill.

Bob,

Billzebub is an "intel"lectual fuckwit, he would never have been accepted
into MIT. He was enrolled at Harvard -- a school that produces more than
its fair share of scumbags^H^H^H^H^H^H^H^H law(lie)yers -- and he dropped
out from Harvard. Is it any wonder that he's the scumbag he is after his
associating with the bumper crop of scum output from this institution?

Yes, I do loathe law(lie)yers if it's not obvious.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

"Well my son, life is like a beanstalk, isn't it?"

Peter 'EPLAN' LANGSTOEGER

Feb 25, 2006, 12:21:00 PM
In article <1140880787.8...@u72g2000cwu.googlegroups.com>, "as400" <vin42...@yahoo.com> writes:
>Really!!!!!!!??????
>
>I thought VMS was a UNIX OS.....MMMM....that's a real surprise to me....

If you look at the interfaces (C-RTL), shells (BASH) and utilities (ls, ...),
VMS can (to a very far grade) behave like any unix. In fact, in earlier
days DEC did make many certification efforts to make VMS "unix" compliant.
(I think of IEEE POSIX 1000ff, FIPS 151-2, XPG 2, XPG 3, UNIX92?, ...)
They (DEC) even renamed VMS to OpenVMS, just to show - like UNIX - openness,
when they reached POSIX compliancy (must have been in the very early 90s).

I remember, once VMS (and IIRC also IBM MVS) was certified as "UNIX", they
(don't know now who, X Open Group or IEEE or ?) 'tightened' the UNIX standard
definitions (was it UNIX95 or XPG4 then ?) and lost on this way also
many real U**X opsys (because they were simply not compliant ;-)

DEC then stopped throwing money into UNIX certification, because the new
threat was M$ and DEC wanted to sleep with Billyboy (and died therefore).
UNIX certifications at all seem to have completely lost importance then also.

In the meantime, a bunch of U**X programs have been "ported" to VMS
by simply compiling and linking it on VMS. Others got quite some efforts
to work around implied assumptions (like endianness, K&R C vs ANSI C vs GNU C,
32bit vs 64bit, ...) in the amount just as you need to port the program
from one U**X dialect to yet another dialect (which is still a big problem
for U**X programs I assume). And some programs still do not exist/run on VMS
(because functions still do not exist or do work a little bit different).
Porting didn't stop (see APACHE/MOZILLA/JAVA/XML/SSL/KERBEROS/PERL/GTK/...).

But internally VMS is to UNIX a completely different (and IMHO better) beast
(I think of null terminated strings in UNIX vs descriptors in VMS and so on)
And the default interfaces (SYS$xxxx), shell (DCL) and utilities (DIR, ...)
of [Open]VMS also don't show any UNIX familiarity.

Was it a real question or did you want to start yet another UNIXvsVMS flamewar?

--
Peter "EPLAN" LANGSTOEGER
Network and OpenVMS system specialist
E-mail pe...@langstoeger.at
A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist

Michael Unger

Feb 25, 2006, 1:42:43 PM
On 2006-02-25 18:21, "Peter 'EPLAN' LANGSTOEGER" wrote:

> [...]


> They (DEC) even renamed VMS to OpenVMS, just to show - like UNIX - openness,
> when they reached POSIX compliancy (must have been in the very early 90s).

^^^^^^^^^^^^^^^^^

Version 5.5 (VAX), end of 1991/begin of 1992, according to
<http://h71000.www7.hp.com/openvms/os/openvms-release-history.html>.

> [...]

Michael

--
Real names enhance the probability of getting real answers.
My e-mail account at DECUS Munich is no longer valid.

William Webb

Feb 25, 2006, 3:48:26 PM
On 24 Feb 2006 21:15:48 -0800, as400 <vin42...@yahoo.com> wrote:
> I really thought that the UNIX-like OS called OpenBSD www.openbsd.org
> was the most secure unix-like operating system in the world....And,
> maybe even the MacOS-X also...
>
> Can someone here please provide me on what makes OpenVMS so secure? I
> know that OpenBSD by default comes very secure by default out of the box
> with a lot of system services being disabled....But I don't know about
> what makes OpenVMS unhackable....Please explain the difference between
> OpenVMS, OpenBSD, or even the MACOSX???
>
> I thought the MOST secure OS would be like this in order:
>
> 1. Mac-OS-X
>
> 2. OpenBSD
>
> OpenVMS???? Well.....I don't know about this...Care to explain how
> secure it is?
>
>

I don't think anyone's ever posted a better explanation than the one
you'll find at the link listed below- (Hi, Keith-- hope you are well.)

http://groups.google.com/group/comp.os.vms/msg/69223e108e9909ad?dmode=source

Note that this was written by someone who is employed by a company
whose products compete against VMS, which makes it particularly
interesting.

Regards,

WWWebb

--
NOTE: This email address is only used for noncommercial VMS-related
correspondence.
All unsolicited commercial email will be deemed to be a request for
services pursuant to the terms and conditions located at
http://bellsouthpwp.net/w/e/webbww/

David J Dachtera

Feb 25, 2006, 6:03:25 PM

Well, I'd list them in this order:

1. OpenVMS

2. OpenBSD

3. Mac OS/X

...but that's just me. Micro$lop is not even an "also ran", IMO.

Take a look at the OpenVMS Guide to System Security. You can find it via
this link: http://www.hp.com/go/openvms/doc , select "OpenVMS Operating
System" in the left-hand column, and peruse the documentation. The
"Guide to System Security" will reference elements that are explained in
the System Management doc.'s. So, you'll need to do a fair bit of
reading to get all the pieces.

--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/

Main, Kerry

Feb 25, 2006, 9:22:16 PM

> -----Original Message-----
> From: as400 [mailto:vin42...@yahoo.com]
> Sent: February 25, 2006 12:16 AM
> To: Info...@Mvb.Saic.Com
> Subject: Whats MORE Secure? OpenVMS or OpenBSD?
>
> I really thought that the UNIX-like OS called OpenBSD www.openbsd.org
> was the most secure unix-like operating system in the world....And,
> maybe even the MacOS-X also...
>
> Can someone here please provide me on what makes OpenVMS so secure? I
> know that OpenBSD by default comes very secure by default out
> of the box
> with a lot of system services being disabled....But I don't know about
> what makes OpenVMS unhackable....Please explain the difference between
> OpenVMS, OpenBSD, or even the MACOSX???
>
[snip..]

Check out recent security whitepaper at:
http://h71028.www7.hp.com/ERC/downloads/4AA0-2896ENW.pdf

Other OpenVMS whitepapers are located at:
http://h71000.www7.hp.com/openvms/whitepapers/index.html

Regards

Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-592-4660
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

as400

Feb 26, 2006, 12:24:56 AM
What Government agencies use this highly secure OS?? CIA? NSA? Homeland
Security? Or, is it just used for Scientific Analysis??

Christoph Gartmann

Feb 26, 2006, 2:00:45 AM
In article <1140931496....@e56g2000cwe.googlegroups.com>, "as400" <vin42...@yahoo.com> writes:
>What Government agencies use this highly secure OS?? CIA? NSA? Homeland
>Security? Or, is it just used for Scientific Analysis??

OpenVMS has almost disappeared from the latter but is found in banking,
healthcare, lottery, phone and other companies. Again, go to the OpenVMS
homepage and look for "Success Stories".

Karsten Nyblad

Feb 26, 2006, 2:48:28 AM
as400 wrote:
> What Government agencies use this highly secure OS?? CIA? NSA? Homeland
> Security? Or, is it just used for Scientific Analysis??

VMS is used by organizations that need high availability. The main
advantage is that its cluster technology makes it easy to build systems
where you rarely lose service for more than a few seconds. That might
be, e.g., stock exchanges or hospitals.

VMS was a very popular OS in the eighties and early nineties, and you
can be sure that there are still systems around in various militaries.
It is much cheaper to keep the old systems running than to replace them
with something newer.

However, these organizations and CIA, NSA, and the like are normally
very secretive about what systems they use. It is very likely that
there are VMS systems somewhere in some US spy organization.

VMS started as an OS used for engineering and science, but it lost that
market to SUN, Microsoft, and others. The problem is that in science
and in engineering you do not need the high availability that is VMS's
main advantage, and the competitors could deliver more computing power
for the buck.

Larry Kilgallen

Feb 26, 2006, 8:18:01 AM
In article <dtrjmt$fhs$1...@news.BelWue.DE>, gart...@nonsense.immunbio.mpg.de (Christoph Gartmann) writes:
> In article <1140931496....@e56g2000cwe.googlegroups.com>, "as400" <vin42...@yahoo.com> writes:
>>What Government agencies use this highly secure OS?? CIA? NSA? Homeland
>>Security? Or, is it just used for Scientific Analysis??
>
> OpenVMS has almost disappeared from the latter

Not exactly. I know of a prominent scientific analysis group fully
dependent on VMS, entirely programmed in Fortran.

The exact nature of which government agencies use VMS for what is not
published, but none of them use it for Solitaire.

Alan Greig

Feb 26, 2006, 9:26:14 AM

Larry Kilgallen wrote:

> The exact nature of which government agencies use VMS for what is not
> published, but none of them use it for Solitaire.

Somewhere amongst the Galaxy documentation online there is a suggestion
of partitioning the system so that one instance handles "war game
simulations" - surely that's just hi-tec solitaire :-)


--
Alan Greig

dav...@montagar.com

Feb 26, 2006, 11:07:35 AM
Actually, OpenVMS can be considered a "UNIX" O/S in some respects. It
passes many of the POSIX suites, and from an API point of view, is
compliant with most of the common interfaces. At one point, it was
classified by X/Open as a "UNIX" O/S.

That being said, OpenVMS is definitely not one of your "traditional"
UNIX systems, since it has many features and other API's that are not
(and likely will never be) found in a typical UNIX/Linux system.

Bill Gunshannon

Feb 26, 2006, 11:27:52 AM
In article <1140970055.4...@u72g2000cwu.googlegroups.com>,

Actually, it can not be considered a "UNIX" O/S in even the loosest of
interpretations. It lacks even the most basic concepts that are part
and parcel of the Unix paradigm (to the great glee of many people here)
like the concept that everything (ie. files, devices, etc.) is just a
stream of bytes. It can be said to have a Unix-like API compatibility
but, as the people trying to port Unix software to VMS will tell you,
even that is tenuous at best. It is no more unix than the OSes that
ran the STVOS were.

bill

--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bi...@cs.scranton.edu | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>

as400

Feb 26, 2006, 6:20:29 PM
So was it true that OpenVMS is unhackable claim by many hackers?? Or,
is it just a "bluff" story??

In my true opinion, I think the MacOS-X is much much secure than
OpenVMS....Now I don't want to start a flame war here, but I AM NOT
and repeat.....NOT a MAC-OS fan nor user and will not be...

The "unhackable" stories told by hackers at the Vegas DEFCON 9
Convention, was the original OpenVMS, or the Trusted version of VMS?

as400

Feb 26, 2006, 6:39:52 PM
And no one seemed to answer this question...What makes OpenVMS sooooo
secure?? Does it have most services disabled by default like OpenBSD?
Or, does it have full grade military type encryption schematics??

Please explain....

I searched the docs but there's quite a lot of them..I want to read upon
the security aspects of this OS...

Larry Kilgallen

Feb 26, 2006, 8:06:57 PM

The term "Trusted" typically means "evaluated under some security standard".
V6 of VMS was evaluated at C2 and subsequent versions were as long as that
was possible. There was never a version of VMS with the name "Trusted".
Up through V6.2 there was "Security Enhanced" VMS evaluated at B1. But
it was the regular VMS at DEFCON 9.

Larry Kilgallen

Feb 26, 2006, 8:25:27 PM
In article <1140997192.3...@t39g2000cwt.googlegroups.com>, "as400" <vin42...@yahoo.com> writes:
> And no one seemed to answer this question...What makes OpenVMS sooooo
> secure?? Does it have most services disabled by default like OpenBSD?

Evaluating operating systems as "like xxx" is a flawed approach.
The notion of "services" in BSD sound like TCPIP.

> Or, does it have full grade military type encryption schematics??

"Encryption Schematics" is not a meaningful term.

> I searched the docs but there's quite a lot of them..I want to read upon
> the security aspects of this OS...

Then you want to read the NCSC Evaluation Report. Try

http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-93-002-A.html

JF Mezei

Feb 26, 2006, 9:03:10 PM
Larry Kilgallen wrote:
> Evaluating operating systems as "like xxx" is a flawed approach.
> The notion of "services" in BSD sound like TCPIP.

> "Encryption Schematics" is not a meaningful term.


Actually, in some way it is.

The more secure OSes are the ones which incorporate the new protocol
upgrades quickest. The ones that have the fixes to BIND vulnerabilities
quickest. The ones who implement TLS, Kerberos etc quickest.

Consider that VMS doesn't automatically install with a TCPIP stack, SSL
etc. So you don't know what software config a VMS site has (HP SSL or
OpenSSL, which TCPIP stack etc). Consider the frequency at which
patches are issued for all of the TCPIP parts on VMS when other
operating systems get those patches right away. (with VMS being just as
vulnerable because it shares much of that code).

Consider that 1/3 of the installed base for VMS is now running on what
is essentially unsupported and stale software (VAX version) with stuff
like Bind 8 with plenty of weaknesses.

So yeah, VMS with only VT terminals and no telecom connections is pretty
secure, and its login process is well designed.

Question for you: with the proprietary Apache version distributed for
Alpha VMS, if someone enters wrong username/password "n" times on a web
page, does it ring any alarms, does it activate intrusion detection and
block the account like a traditional terminal login would do ?

Larry Kilgallen

Feb 26, 2006, 9:36:27 PM
In article <44025DD7...@teksavvy.com>, JF Mezei <jfmezei...@teksavvy.com> writes:
> Larry Kilgallen wrote:
>> Evaluating operating systems as "like xxx" is a flawed approach.
>> The notion of "services" in BSD sound like TCPIP.
>
>> "Encryption Schematics" is not a meaningful term.
>
>
> Actually, in some way it is.
>
> The more secure OSes are the ones which incorporate the new protocol
> upgrades quickest. The ones that have the fixes to BIND vulnerabilities
> quickest. The ones who implement TLS, Kerberos etc quickest.

Even if one accepts that paragraph, it in no way matches the term
"Encryption Schematics".

> Question for you: with the proprietary Apache version distributed for
> Alpha VMS, if someone enters wrong username/password "n" times on a web
> page, does it ring any alarms, does it activate intrusion detection and
> block the account like a traditional terminal login would do ?

It will if it calls the $ACM system service to handle that username
and password (as it should). Whether Apache, OSU, WASD or any other
web server calls $ACM or not is nothing with which I am familiar. My
web vendor uses OSU, but without any logging in by clients.

Michael Moroney

Feb 26, 2006, 9:50:40 PM
"as400" <vin42...@yahoo.com> writes:

>Can someone here please provide me on what makes OpenVMS so secure?

The reasons are far too many to list, but here are some:

0) VMS was written by paranoid people who knew what they were doing. :-)

1) So many Unix and Mickeysoft exploits are buffer overruns by supplying
something which expects a null terminated string a huge amount of data
with no nulls, which overwrites something. VMS system services use
descriptors, with a fixed or maximum length. That much data, and no
more.

2) VMS has 4 layers of security between user code and the kernel, so even
if you find a buffer overrun you just kill the image and you find
yourself back at the prompt. Unix just has two (user and kernel).
The four are user, supervisor (equivalent to protecting the unix shell
from user programs), executive (filesystem) and kernel. VMS code at
the inner layers check whether data or memory supplied by outer code
can be accessed by the outer code.

3) Unix has two levels of accounts, ordinary accounts, and root with godlike
powers. VMS can give accounts limited privilege to do one or a few
types of privileged function _and nothing else_. Granted, some of these
can be taken advantage of to give you everything, but most don't.

4) Same as 3) but for specific programs/images. Kinda like an executable
file owned by root with 's' file protection, but only for specific
privileged functions. For example, ordinary processes can't affect or
even see processes owned by another user unless it has a privilege called
'world'. But you can type $ SHOW SYSTEM and see all the processes on
the system from any account because that command runs an image with
'world' privilege. But that image can't be taken advantage of to bypass
file protection, for example.

There are more but I'm out of time.
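
Points 1 and 2 in the post above (length-carrying descriptors, and inner-mode code checking that caller-supplied memory really belongs to the caller) can be modelled in portable C. This is an added example, not code from the post or from OpenVMS: `str_desc`, `caller_region`, `svc_copy` and the `SVC_*` codes are hypothetical names, and the struct is a simplified stand-in for a real VMS descriptor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified counted-string descriptor (hypothetical layout). */
typedef struct {
    uint16_t maxlen;  /* capacity of the buffer, fixed by its owner */
    uint16_t curlen;  /* bytes actually written by the service */
    char    *ptr;     /* address of the buffer */
} str_desc;

/* Toy stand-in for "memory the outer-mode caller may access". */
typedef struct { char *base; size_t size; } caller_region;

enum { SVC_OK = 0, SVC_TRUNCATED = 1, SVC_ACCVIO = -1 };

/* Inner-mode check: is [p, p+len) wholly inside the caller's region? */
static int probe(const caller_region *r, const char *p, size_t len)
{
    uintptr_t base = (uintptr_t)r->base, addr = (uintptr_t)p;
    if (p == NULL || addr < base) return 0;
    size_t off = (size_t)(addr - base);
    return off <= r->size && len <= r->size - off;
}

/* Model of a service writing into a caller buffer. It never scans for a
   NUL: the amount written is bounded by the descriptor's maxlen, and the
   whole declared buffer is probed before the first byte is stored.
   (A real service would probe the source the same way.) */
int svc_copy(const caller_region *r, str_desc *dst,
             const char *src, size_t srclen)
{
    if (dst == NULL || !probe(r, dst->ptr, dst->maxlen))
        return SVC_ACCVIO;
    size_t n = srclen < dst->maxlen ? srclen : dst->maxlen;
    memcpy(dst->ptr, src, n);
    dst->curlen = (uint16_t)n;
    return n < srclen ? SVC_TRUNCATED : SVC_OK;
}

/* ---- constructed scenario ---- */
static char user_mem[32];   /* bytes 0..7: buffer, bytes 8..15: canary */
static char inner_mem[16];  /* memory the caller has no right to touch */

static void reset(void)
{
    memset(user_mem, 0, sizeof user_mem);
    memcpy(user_mem + 8, "CANARY!!", 8);
    memset(inner_mem, 'K', sizeof inner_mem);
}

/* 64 bytes with no NUL aimed at an 8-byte buffer: truncated, canary intact. */
int demo_overlong_input(void)
{
    char flood[64];
    caller_region r = { user_mem, sizeof user_mem };
    str_desc d = { 8, 0, user_mem };
    memset(flood, 'A', sizeof flood);
    reset();
    int st = svc_copy(&r, &d, flood, sizeof flood);
    int intact = memcmp(user_mem + 8, "CANARY!!", 8) == 0;
    return (st == SVC_TRUNCATED && d.curlen == 8 && intact) ? 0 : 1;
}

/* Descriptor pointing at memory outside the caller's region: refused. */
int demo_foreign_buffer(void)
{
    caller_region r = { user_mem, sizeof user_mem };
    str_desc d = { 8, 0, inner_mem };
    reset();
    int st = svc_copy(&r, &d, "XXXXXXXX", 8);
    return (st == SVC_ACCVIO && inner_mem[0] == 'K') ? 0 : 1;
}

/* Descriptor whose declared length runs past the region's end: refused. */
int demo_lying_length(void)
{
    caller_region r = { user_mem, sizeof user_mem };
    str_desc d = { 64, 0, user_mem + 24 };  /* only 8 bytes remain */
    reset();
    int st = svc_copy(&r, &d, "XXXXXXXX", 8);
    return (st == SVC_ACCVIO && user_mem[24] == 0) ? 0 : 1;
}

int main(void)
{
    printf("overlong input : %s\n", demo_overlong_input() ? "FAIL" : "ok");
    printf("foreign buffer : %s\n", demo_foreign_buffer() ? "FAIL" : "ok");
    printf("lying length   : %s\n", demo_lying_length()   ? "FAIL" : "ok");
    return 0;
}
```

A descriptor that overstates its length but still stays inside the caller's own region is accepted by this model; the caller can then only damage memory it already owns.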

Bill Gunshannon

Feb 26, 2006, 10:06:04 PM
In article <JSXX5S...@eisner.encompasserve.org>,

Kilg...@SpamCop.net (Larry Kilgallen) writes:
> In article <1140997192.3...@t39g2000cwt.googlegroups.com>, "as400" <vin42...@yahoo.com> writes:
>> And no one seemed to answer this question...What makes OpenVMS sooooo
>> secure?? Does it have most services disabled by default like OpenBSD?

Isn't it time to stop feeding the troll?

>
> Evaluating operating systems as "like xxx" is a flawed approach.
> The notion of "services" in BSD sound like TCPIP.
>
>> Or, does it have full grade military type encryption schematics??
>
> "Encryption Schematics" is not a meaningful term.
>
>> I searched the docs but there's quite a lot of them..I want to read upon
>> the security aspects of this OS...
>
> Then you want to read the NCSC Evaluation Report. Try
>
> http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-93-002-A.html

--

JF Mezei

Feb 26, 2006, 10:14:51 PM
Larry Kilgallen wrote:
> Even if one accepts that paragraph, it in no way matches the term
> "Encryption Schematics".

In a way it does. If VMS lags behind the others with software, it means
it cannot implement the latest and greatest encryption and security
technologies that the other systems have.

So while the OS itself may be well designed, its interfaces with the
real world lag behind. Weakest link is what counts. If the
application/network stack is behind, it doesn't matter if the OS is better.

And note that TCPIP services has a lot that operates in kernel mode and
will crash your system when things don't go right.


Proper system management and realistic risk assessment is what REALLY
counts.

David J Dachtera

Feb 26, 2006, 10:46:21 PM

...which is why I pointed you to the "Guide to OpenVMS Security".

Like the UN*X newsgroups, we will expect you to do your own homework.

That said, this one might not "jump out and grab you":

VMS itself (not including the IP stacks) resists break-ins in many ways,
not the least of which is break-in evasion. See the System Management
Utilities Manuals, especially the SYSGEN manual regarding the associated
system parameters. Try Google-ing this group for that topic, also.

Identifying those parameters is left as an exercise for the reader.

JF Mezei

Feb 26, 2006, 11:11:31 PM
David J Dachtera wrote:
> VMS itself (not including the IP stacks) resists break-ins in many ways,
> not the least of which is break-in evasion.

VMS didn't always have the current level of break-in detection and
evasion, the intrusion database etc.


Some have said that for Unix, there is "nothing or everything" level of
privileges and only 2 modes/rings of OS protection. Can anyone confirm
that this is STILL true of all Unix systems including Tru64 ?

It would not be correct to compare today's VMS with ancient Unix, and
new Unix with ancient VMS.

Karsten Nyblad

Feb 27, 2006, 5:45:46 AM
as400 wrote:
> And no one seemed to answer this question...What makes OpenVMS sooooo
> secure?? Does it have most services disabled by default like OpenBSD?
> Or, does it have full grade military type encryption schematics??

Secure from what? Is it going to be secure from some amateur hacker, an
identity thief, or is it going to be secure from spy organizations? Is
it going to be secure from attacks from insiders with legal access to the
machine? Is it going to be secure from hackers attacking it through the
network?

And what is the machine going to be used for? Is it going to protect
information of national security, great value, or is it very important
that the machine is operating 24/7? E.g., can you accept that the
operation of the machine gets interrupted by a DOS attack?

Your nick is as400. That is the former name of IBM's iSeries computers.
What is your interest in the subject of OS security?

VAXman-

Feb 27, 2006, 6:56:14 AM
In article <46f8ksF...@individual.net>, bi...@cs.uofs.edu (Bill Gunshannon) writes:
>
>
>In article <JSXX5S...@eisner.encompasserve.org>,
> Kilg...@SpamCop.net (Larry Kilgallen) writes:
>> In article <1140997192.3...@t39g2000cwt.googlegroups.com>, "as400" <vin42...@yahoo.com> writes:
>>> And no one seemed to answer this question...What makes OpenVMS sooooo
>>> secure?? Does it have most services disabled by default like OpenBSD?
>
>Isn't it time to stop feeding the troll?

Feed a reader; starve a troll.

dav...@alpha2.mdx.ac.uk

Feb 27, 2006, 8:34:57 AM
>What Government agencies use this highly secure OS?? CIA? NSA? Homeland
>Security? Or, is it just used for Scientific Analysis??
>
Stock exchanges, Health care, Lotteries, Chip production (Intel for instance),
Telecom etc

For a list of a few companies who have given permission for their use of VMS to
be publicised by HP see

http://h71000.www7.hp.com/success-stories.html

Government agencies - probably
The military certainly eg J-STARS


There has in the past been some discussion on the number of Military systems
running VMS on this group. Keith Cayemberg posted the following in June 2005

http://groups.google.com/group/comp.os.vms/msg/5d1dcf1b90744b9c

David Webb
Security team leader
CCSS
Middlesex University

b...@instantwhip.com

Feb 27, 2006, 8:54:34 AM
what are you talking about? TCPware has the latest
bind, SSH2, captive FTP accounts ... and vms is
unhackable as a mail server and webserver at least
with purveyor, because it has no privileges!

Michael D. Ober

Feb 27, 2006, 9:06:46 AM

MAC OS-X, based on linux, is only secure because very, very few people use
it. This means that it isn't a target because the assholes who write viruii
and trojans go after the biggest guy on the block. Last year, the US Cert
database recorded more security vulnerabilities in linux than Windows XP. I
don't think any vulnerabilities were recorded in the Core VMS product, but a
handful were recorded in layered products on top of VMS. For raw security,
I would rate VMS the best, Windows second, and MAC OS-X third. For
practical security, I would rate VMS best, MAC OS-X second (due to tiny
market share), and Windows third.

I don't know how secure OpenBSD is.

Mike Ober.

"as400" <vin42...@yahoo.com> wrote in message
news:1140844548....@e56g2000cwe.googlegroups.com...


> I really thought that the UNIX-like OS called OpenBSD www.openbsd.org
> was the most secure unix-like operating system in the world....And,
> maybe even the MacOS-X also...
>
> Can someone here please provide me on what makes OpenVMS so secure? I
> know that OpenBSD by default comes very secure by default out of the box
> with a lot of system services being disabled....But I don't know about
> what makes OpenVMS unhackable....Please explain the difference between
> OpenVMS, OpenBSD, or even the MACOSX???
>

Bob Koehler

Feb 27, 2006, 9:13:39 AM
In article <1140844548....@e56g2000cwe.googlegroups.com>, "as400" <vin42...@yahoo.com> writes:
>
> OpenVMS???? Well.....I don't know about this...Care to explain how
> secure it is?
>

"Cool and Unhackable" - DEFCON9

Mostly because security isn't based on a faulty design and is
designed in.

Bob Koehler

Feb 27, 2006, 9:17:25 AM
> What Government agencies use this highly secure OS?? CIA? NSA? Homeland
> Security? Or, is it just used for Scientific Analysis??
>

All of them.

Bob Koehler

Feb 27, 2006, 9:19:21 AM

OS X is good, but not as secure as VMS. The devil _is_ in the
details.

The unhackable attribution from DEFCON9 is real.

VAXman-

Feb 27, 2006, 9:25:50 AM
In article <iHDMf.3$fp6...@news.uswest.net>, "Michael D. Ober" <obermd.@.alum.mit.edu.nospam> writes:
>
>
>
>MAC OS-X, based on linux, is only secure because very, very few people use
>it. This means that it isn't a target because the assholes who write viruii
>and trojans go after the biggest guy on the block. Last year, the US Cert
>database recorded more security vulnerabilities in linux than Windows XP. I
>don't think any vulnerabilities were recorded in the Core VMS product, but a
>handful were recorded in layered products on top of VMS. For raw security,
>I would rate VMS the best, Windows second, and MAC OS-X third. For
>practical security, I would rate VMS best, MAC OS-X second (due to tiny
>market share), and Windows third.

If you're going to contribute to this conversation, please get the facts
straight first. OS X is NOT based on Linux; it is based on OpenBSD.

I have also seen the argument -- which I have always felt has been supported
by specious correlation -- that the volume player will be the one that
is going to have worst track record because it's being targeted the most.
Perhaps, it's just because it's so easy to hack and not because there is
just more there to be hacked.

Larry Kilgallen

Feb 27, 2006, 9:26:06 AM
In article <44026EA7...@teksavvy.com>, JF Mezei <jfmezei...@teksavvy.com> writes:
> Larry Kilgallen wrote:
>> Even if one accepts that paragraph, it in no way matches the term
>> "Encryption Schematics".
>
> In a way it does. If VMS lags behind the others with software, it means
> it cannot implement the latest and greatest encryption and security
> technologies that the other systems have.

That may be "encryption", and it might even be a VMS shortcoming,
but it is still not "encryption schematics".

Martin Vorlaender

Feb 27, 2006, 9:27:28 AM
<b...@instantwhip.com> wrote...
> TCPware has the latest bind

TCPware (and Multinet, too) BIND implementations are
still based on version 8.x.
Certainly NOT the latest and most secure.

TCP/IP Services comes with a BIND 9.x.

cu,
Martin
--
| Martin Vorlaender | OpenVMS rules!
VMS is today what | work: m...@pdv-systeme.de
Microsoft wants | http://www.pdv-systeme.de/users/martinv/
Windows NT 8.0 to be! | home: mar...@radiogaga.harz.de


Larry Kilgallen

Feb 27, 2006, 9:28:33 AM
In article <44027BEB...@teksavvy.com>, JF Mezei <jfmezei...@teksavvy.com> writes:
> David J Dachtera wrote:
>> VMS itself (not including the IP stacks) resists break-ins in many ways,
>> not the least of which is break-in evasion.
>
> VMS didn't always have the current level of break-in detection and
> evasion, the intrusion database etc.

And the very first version of VMS did not have indexed files.

But breakin evasion has been there for 15 years. The recent
change (5 years ago) was to make the accounting cluster-wide.

Andrew

Feb 27, 2006, 9:58:51 AM

Bob Koehler wrote:
> In article <1140844548....@e56g2000cwe.googlegroups.com>, "as400" <vin42...@yahoo.com> writes:
> >
> > OpenVMS???? Well.....I dont know about this...Care to explain how
> > secure it is?
> >
>
> "Cool and Unhackable" - DEFCON9
>

I don't have an opinion on the relative merits of OpenVMS or OpenBSD,
though one would conclude that the ready availability of source makes
OpenBSD easier to compromise.

That said, as you may well remember, 99.9% of the hackers attending
DEFCON9 and participating in the capture the flag exercise you refer
to had no idea what OpenVMS was. On the other hand most of them had the
kernel/library source code for the vulnerabilities they attempted to
exploit on the other platforms. In the circumstances it would have been
truly remarkable if anyone had successfully hacked OpenVMS.

Regrettably these facts reduce the impact of your point to 0.

Regards
Andrew Harrison

Martin Vorlaender

Feb 27, 2006, 10:09:38 AM
"Andrew" <andrew_...@symantec.com> wrote...

> Bob Koehler wrote:
> > "Cool and Unhackable" - DEFCON9
...

> That said, as you may well remember, 99.9% of the hackers attending
> DEFCON9 and participating in the capture the flag exercise you refer
> to had no idea what OpenVMS was. On the other hand most of them had the
> kernel/library source code for the vulnerabilities they attempted to
> exploit on the other platforms.

I don't think so. The people you are thinking of are called "Script
Kiddies", and those certainly don't attend a DEFCON.

> In the circumstances it would have been
> truly remarkable if anyone had successfully hacked OpenVMS.

See http://www.vmsone.com/~opcom/defcon9.htm

"...a lot of interest was generated by it. In the spirit of spreading the
good word and educating the people about VMS, we ended up answering a lot
of questions about VMS, and showing how the machine automagically added
user accounts, and demonstrated the various terminal games and web pages
which had been created. We were also aware that, in this crowd of 5000+
hackers, someone might be able to weasel their way into the machine if any
security measures were taken lightly."

cu,
Martin
--
Emacs would be a great | Martin Vorlaender | OpenVMS rules!
operating system, | work: m...@pdv-systeme.de
if only it came with | http://www.pdv-systeme.de/users/martinv/
a decent editor... | home: mar...@radiogaga.harz.de


Andrew

Feb 27, 2006, 10:13:55 AM

JF Mezei wrote:
> David J Dachtera wrote:
> > VMS itself (not including the IP stacks) resists break-ins in many ways,
> > not the least of which is break-in evasion.
>
> VMS didn't always have the current level of break-in detection and
> evasion, the intrusion database etc.
>
>
> Some have said that for Unix, there is "nothing or everything" level of
> privileges and only 2 modes/rings of OS protection. Can anyone confirm
> that this is STILL true of all Unix systems including Tru64 ?
>

It's certainly not true for Solaris at least from the administrator
perspective. You can do away with the root user if you wish.

Regards
Andrew Harrison

b...@instantwhip.com

Feb 27, 2006, 10:47:37 AM
here you go Andrew, another unix variant bites the dust ...

http://www.computerworld.com/securitytopics/security/story/0,10801,109008,00.html

b...@instantwhip.com

Feb 27, 2006, 10:48:53 AM
ok, how about we compare it with something more recent, say mac os x?

http://www.computerworld.com/securitytopics/security/story/0,10801,109008,00.html

b...@instantwhip.com

Feb 27, 2006, 10:49:26 AM

dav...@alpha2.mdx.ac.uk

Feb 27, 2006, 10:45:34 AM

Yes the idea that Windows is as secure as other operating systems but it just
gets more security alerts because there are so many more systems to attack is
easily disproved. Just compare the security record of IIS to Apache.
There are far far more Apache webservers than IIS webservers yet although
Apache has had a few vulnerabilities IIS has had far more.


David Webb
Security team leader
CCSS
Middlesex University

b...@instantwhip.com

Feb 27, 2006, 10:50:33 AM
and trying them on OpenVMS would just result in

"ACCESS VIOLATION ERROR"

Bill Gunshannon

Feb 27, 2006, 11:24:48 AM
In article <1141055257.7...@i39g2000cwa.googlegroups.com>,

b...@instantwhip.com writes:
> here you go Andrew, another unix variant bites the dust ...
>
> http://www.computerworld.com/securitytopics/security/story/0,10801,109008,00.html
>

Yeah Bob, and your very own reference may explain why VMS is still
(apparently) invulnerable.

"All it takes is a certain level of interest on the part of hackers
and security researchers to increase the threats associated with
any platform, they said."

Thus, no threats is just as likely to mean no interest as real security.

""All software has bugs, and a certain percentage of those bugs
will be security vulnerabilities," said Ira Winkler, an independent
security analyst and author of the book Spies Among Us.

And given enough of an installed base and interest in a technology,
the likelihood of such vulnerabilities being discovered also increases
significantly, said Pete Lindstrom, an analyst at Spire Security LLC
in Malvern, Pa."

Not arguing that VMS isn't secure, only that it may well be its relative
obscurity and sinking installed base that keeps it that way. Of course,
the good news is that isn't likely to change any time soon. And the bad
news is that it isn't likely to change any time soon.

bill

Andrew

Feb 27, 2006, 11:37:02 AM

b...@instantwhip.com wrote:
> here you go Andrew, another unix variant bites the dust ...
>
> http://www.computerworld.com/securitytopics/security/story/0,10801,109008,00.html

In case you hadn't noticed, OS-X is not a Solaris derivative. Lumping
all the UNIX platforms together is exactly the same tactic used by
Microsoft to try to prove that Windows is statistically more secure
than UNIX.

It didn't work for them so what made you think it would work for you?

Regards
Andrew Harrison

Bob Koehler

Feb 27, 2006, 12:38:15 PM
In article <iHDMf.3$fp6...@news.uswest.net>, "Michael D. Ober" <obermd.@.alum.mit.edu.nospam> writes:
>
> MAC OS-X, based on linux, is only secure because very, very few people use

OS X is not based on Linux. It does not have the Linux kernel. It
does use some of the same gnu tools. gnu is not Linux.

Andrew

Feb 27, 2006, 1:07:28 PM

Michael Moroney wrote:

> "as400" <vin42...@yahoo.com> writes:
>
> >Can someone here please provide me on what makes OpenVMS so secure?
>
> The reasons are far too many to list, but here are some:
>
> 0) VMS was written by paranoid people who knew what they were doing. :-)
>
> 1) So many Unix and Mickeysoft exploits are buffer overruns by supplying
> something which expects a null terminated string a huge amount of data
> with no nulls, which overwrites something. VMS system services use
> descriptors, with a fixed or maximum length. That much data, and no
> more.
>
> 2) VMS has 4 layers of security between user code and the kernel, so even
> if you find a buffer overrun you just kill just the image and you find
> yourself back at the prompt. Unix just has two (user and kernel).
> The four are user, supervisor (equivalent to protecting the unix shell
> from user programs), executive (filesystem) and kernel. VMS code at
> the inner layers check whether data or memory supplied by outer code
> can be accessed by the outer code.
>
> 3) Unix has two levels of accounts, ordinary accounts, and root with godlike
> powers. VMS can give accounts limited privilege to do one or a few
> types of privileged function _and nothing else_. Granted, some of these
> can be taken advantage of to give you everything, but most don't.
>

Some UNIX's only have 2 levels of account but the largest volume
commercial UNIX Solaris has similar account capabilities to OpenVMS.

> 4) Same as 3) but for specific programs/images. Kinda like an executable
> file owned by root with 's' file protection, but only for specific
> privileged functions. For example, ordinary processes can't affect or
> even see processes owned by another user unless it has a privilege called
> 'world'. But you can type $ SHOW SYSTEM and see all the processes on
> the system from any account because that command runs an image with
> 'world' privilege. But that image can't be taken advantage of to bypass
> file protection, for example.
>

Ditto

Regards
Andrew Harrison
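
An added illustration, not part of the thread, of the point quoted in the post above: a copy driven by a length-carrying descriptor stops at the stated maximum, where a null-terminated copy would keep going until it found a NUL. The `str_desc` type, `desc_copy` and the sample data are hypothetical and constructed for this example; they are not the OpenVMS descriptor layout or any OpenVMS system service.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified descriptor: the length travels with the pointer.
   Modeled on the idea in the post, not on the real OpenVMS descriptor. */
typedef struct {
    size_t len;     /* bytes currently valid in buf */
    size_t maxlen;  /* capacity of buf; never exceeded */
    char  *buf;
} str_desc;

enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BADARG = -1 };

/* Copy src into dst, reading exactly src->len bytes and writing at most
   dst->maxlen bytes. No terminator is searched for, so input without a
   NUL byte cannot make the copy run past either buffer. */
int desc_copy(str_desc *dst, const str_desc *src)
{
    if (!dst || !src || !dst->buf || (!src->buf && src->len != 0))
        return COPY_BADARG;
    if (src->len > src->maxlen)       /* inconsistent descriptor: reject */
        return COPY_BADARG;
    size_t n = src->len < dst->maxlen ? src->len : dst->maxlen;
    if (n)
        memmove(dst->buf, src->buf, n);
    dst->len = n;
    return n < src->len ? COPY_TRUNCATED : COPY_OK;
}

/* Constructed input: 64 bytes of 'A' with no NUL, copied into an 8-byte
   field that sits next to a canary. Returns the canary after the copy. */
unsigned demo_canary_after_copy(int *status, size_t *copied)
{
    struct { char name[8]; unsigned canary; } rec = { {0}, 0xC0FFEEu };
    char input[64];
    memset(input, 'A', sizeof input);  /* no terminator anywhere */

    str_desc src = { sizeof input, sizeof input, input };
    str_desc dst = { 0, sizeof rec.name, rec.name };
    *status = desc_copy(&dst, &src);
    *copied = dst.len;
    return rec.canary;
}

int main(void)
{
    int st;
    size_t n;
    unsigned c = demo_canary_after_copy(&st, &n);
    return (c == 0xC0FFEEu && st == COPY_TRUNCATED && n == 8) ? 0 : 1;
}
```

The caller learns about the truncation from the return value instead of from corrupted adjacent memory.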

b...@instantwhip.com

Feb 27, 2006, 1:21:47 PM
osx = openbsd = unix = linux = security risk
windoze = windoze = security risk
openvms = 13 certs in 15 years = defcon9 unhackable = secure

William Webb

Feb 27, 2006, 2:30:17 PM
On 26 Feb 2006 15:20:29 -0800, as400 <vin42...@yahoo.com> wrote:
> So was it true that OpenVMS is unhackable claim by many hackers?? Or,
> is it just a "bluff" story??
>
> In my true opinion, I think the MacOS-X is much much secure than
> OpenVMS....Now I dont want to start a flame war here, but I AM NOT
> and repeat.....NOT a MAC-OS fan nor user and will not be...
>
> The "unhackable" stories told by hackers at the Vegas DEFCON 9
> Convention, was the original OpenVMS, or the Trusted version of VMS?
>
>

If you're referring to SEVMS, no, it wasn't.

WWWebb

--
NOTE: This email address is only used for noncommercial VMS-related
correspondence.
All unsolicited commercial email will be deemed to be a request for
services pursuant to the terms and conditions located at
http://bellsouthpwp.net/w/e/webbww/

JF Mezei

Feb 27, 2006, 5:19:26 PM
Bob Koehler wrote:
> The unhackable attribution from DEFCON9 is real.


If I had submitted my PSION-3 at that same conference, I also contend it
would have been un-hackable, simply because the odds of having someone
with the proprietary software to access it would have been low, and
nobody would have had the expertise to hack into it.

So yeah, VMS is unhackable by windows weenies or unix hackers. But if
Hoff or FredK or other VMS engineers had been there, would they have
been truly unable to hack themselves in? (Include some TCPIP engineers
if there are any left, and the odds of penetration would have been much higher.)

JF Mezei

Feb 27, 2006, 5:21:21 PM
Martin Vorlaender wrote:
> TCP/IP Services comes with a BIND 9.x.

Correction: TCPIP Services on Alpha (and that IA64 thing) comes with
Bind 9. The same version on VAX came with Bind 8.

JF Mezei

Feb 27, 2006, 5:30:01 PM
b...@instantwhip.com wrote:
>
> and trying them on OpenVMS would just result in
>
> "ACCESS VIOLATION ERROR"

Bob, be careful with this. Many applications require heavy duty
privileges. Consider a POP server. It needs SYSPRIV in order to access
any user's files. In fact, there was a vulnerability for the POP server
a few years ago because any user on VMS could run the POP server and
giving it some log file name and the SYSPRIV embedded in the installed
image would succeed in creating any file anywhere on the system.

VMS is so low key that this vulnerability didn't quite make it.

And when they find vulnerabilities for BIND 8 or BIND 9 and issue urgent
patches, where are the urgent patches for VMS ?

Alan Winston - SSRL Central Computing

Feb 27, 2006, 5:35:03 PM
In article <44037D66...@teksavvy.com>, JF Mezei <jfmezei...@teksavvy.com> writes:
>b...@instantwhip.com wrote:
>>
>> and trying them on OpenVMS would just result in
>>
>> "ACCESS VIOLATION ERROR"

Almost an authentic error message.


>
>Bob, be careful with this. Many applications require heavy duty
>privileges. Consider a POP server. It needs SYSPRIV in order to access
>any user's files. In fact, there was a vulnerability for the POP server
>a few years ago because any user on VMS could run the POP server and
>giving it some log file name and the SYSPRIV embedded in the installed
>image would succeed in creating any file anywhere on the system.
>
>VMS is so low key that this vulnerability didn't quite make it.
>

I can almost make sense of Bob's claim by reading it as saying that this is the
result of attempted buffer overflow attacks.

>And when they find vulnerabilities for BIND 8 or BIND 9 and issue urgent
>patches, where are the urgent patches for VMS ?

Can't speak to UCX/ TCP/IP services, but what Multinet customers got was a
pretty quick note from the Multinet engineers that they'd examined the BIND
code for the vulnerability and it wasn't an issue on VMS.

-- Alan

JF Mezei

Feb 27, 2006, 6:02:43 PM
Alan Winston - SSRL Central Computing wrote:
> Can't speak to UCX/ TCP/IP services, but what Multinet customers got was a
> pretty quick note from the Multinet engineers that they'd examined the BIND
> code for the vulnerability and it wasn't an issue on VMS.


Ahhh... But then you're not talking about VMS anymore. You are talking
about VMS with 3rd party add-ons.

A bit similar to MVS that came with no security and you had to buy
security packages separately (RACF etc).

If VMS management do not have the resources to advise customers about
whether a new advisory about Bind affects them or not, then what sort of
"comfort" factor exists for customers who really wonder if that public
advisory will affect them ?

Hopefully Process will inherit all of VMS and its engineers once HP gets
rid of it, and Process can then make a success of it and have better
communications with customers.

Dave Weatherall

Feb 28, 2006, 1:18:05 AM
On Sun, 26 Feb 2006 23:39:52 UTC, "as400" <vin42...@yahoo.com>
wrote:

> And no one seemed to answer this question...What make OpenVMS sooooo
> secure?? Does it have most services disabled by default like OpenBSD?
> Or, does it have full grade military type encryption schematics??
>
> Please explain....
>
> I searched the docs but there's quite a lot of them..I want to read upon
> the security aspects of this OS...

Actually, instant Bob, in one of his more cogent posts, did.

--
Cheers - Dave W.

Hunter Goatley

Feb 28, 2006, 5:40:08 AM
Martin Vorlaender wrote:
> <b...@instantwhip.com> wrote...
>> TCPware has the latest bind
>
> TCPware (and Multinet, too) BIND implementations are
> still based on version 8.x.
> Certainly NOT the latest and most secure.
>
Work is proceeding on BIND 9 for both TCPware and MultiNet.

Hunter
------
Hunter Goatley, Process Software, http://www.process.com/
PreciseMail Anti-Spam Gateway for OpenVMS, Tru64, Solaris, & Linux
goath...@goatley.com http://www.goatley.com/hunter/
