On 2017-09-04, IanD <iloveo...@gmail.com> wrote:
>
> Most places I worked in where VAXes were still in use, they were internally
> focused tucked away inside the bowels of a corporate network and not internet
> facing at all. They also tended to be running on emulators to mitigate the
> hardware risk
>
They also need to be isolated from the other parts of the internal network;
isolating them from the external networks is not enough.

A recent high profile Windows XP example would be the disabling of the
NHS computer network due to WannaCry.

There are a good number of comparisons which can be made between old VMS
versions and old Windows versions when it comes to security.

BTW, as you are aware, emulators only handle the hardware risk; insecure
operating system code running on an emulator is still insecure operating
system code. I hope the people choosing to virtualise their VAX and Alpha
systems also realise this.

> The DEFCON event that showed up glaring holes in VMS security should have
> been a wake-up call that VMS needed / needs work
>
> When the exploit was discovered for VMS at DEFCON, I saw endless comments
> about that being because of the tcp stack and not part of VMS and all other
> down-playing. That type of attitude is scary IMO and will not help VMS harden
> itself against modern exploits
>
Multiple exploits actually, both within TCP/IP and VMS itself. I too have
also noticed how some people move the discussion away from VMS itself and
towards the TCP/IP stack when discussing that event.

On a related note, sometimes something can still be of concern even if
it's not a full exploit as it can point to possible weaknesses elsewhere.
As such, I encourage people to report any dodgy code they find so the
dodgy code can be fixed and so that a review can be carried out to see
if the same type of dodgy code is being used elsewhere in a place where
it might _really_ matter.

> Transparency, fast reporting mechanisms, community focus on security are
> drastically needed
>
I think everyone around here now knows what I think about this area. :-)

> The greatest security risk is the attitude that thinks everything is ok and
> that VMS is sitting pretty security wise
>
As I've mentioned before, in some ways the Linux/Windows people are more
secure than VMS because they _know_ their systems are subject to
vulnerabilities being found and they plan accordingly.