[Coco] Re: OS Vulnerabilities
John E. Malmberg
wb8tyw at qsl.net
Sat Feb 28 15:26:21 EST 2004
David Hazelton wrote:
> As an Ex-VMS system administrator, Who still uses VMS?
> I do have to agree with John on the Hardness of VMS, But there were
> known holes with VMS too, At least with Version 5.5.
The known exploits were fixed with OpenVMS 5.2, unless the system
manager undid the fixes.
Those two exploits were when system administrators did not change the
default passwords for the standard accounts, and that DECNET allowed
remote anonymous users to run scripts.
A famous worm exploited the second case, and the first weakness is
obvious. To be affected by that worm, the systems had to be connected
to the internet DECnet protocol.
The response from VMS Engineering was not to let that happen again, and
so far they have been successful.
Password security was also locked down, and a dictionary of forbidden
passwords that can be customized by the system manager was implemented.
As was break in evasion techniques. Unless you are very lucky, it would
take years to brute force guess a password to get in.
5.5-2, the oldest supported version of 5.x is quite secure against a
remote intruder taking control. There are some security patches, but
those exploits require someone who already had a non privileged account.
> (I know that was before OpenVMS).
No it wasn't. That was when the marketing folks did a name change and
caused a lot of confusion. Same OS, new name.
> When I moved over to Unix, I was told that the reason
> why Unix was so unsecure was that Unix was in the schools and the holes
> became more popular than those on VMS. There might have been some truth
> to it, but I doubt it.
VMS was in most of the schools back then and still is in many. The only
reason it was displaced by UNIX was that ATT was giving away the license
for free and DIGITAL was not.
> I believe that at least in the 80's, VMS was
> secure because of who used it and why...Business. Unix had more of a
> R&D environment, where one did not want the OS to stop advancements, but
> allowed easier access to it's power.
UNIX came from an environment were it was designed primarily for
embedded process control, and development of such.
When an OS is designed for such, you do not have to be concerned with
malicious programmers trying to break things, and to give better process
control, you can take shortcuts. The evolution of UNIX to be a general
purpose timesharing environment grew out of that.
The main exploit in UNIX has been buffer overflows, and as UNIX has
matured, most of those have been fixed. If you will notice that
"recent" additions to the UNIX syscalls are duplicates of the older
calls, but with an argument that gave the bounds limit.
OpenVMS grew out of the DecSYSTEM-10 and RSTS-E/RSX-11 environment that
were in the schools / businesses and actively being attacked.
OpenVMS was designed from the experience that was gained from the
DecSYSTEM-10 and RSTS/RSX in the schools, and designed to resist damage
from both hackers, and programmer accidents.
And programmer / user accidents are still the most prevalent problems.
When training a UNIX based programmer to work on OpenVMS, I would get
lots of complaints about how bad VMS was because it was either refusing
to compile their program, or refusing to run it, yet the same code would
run on UNIX.
When examining the code, I never found a VMS specific bug. I only found
bugs that should have caused the program to fail on UNIX, except that
the errors in the program were not being detected by the other compiler,
or the specific UNIX they were used to did not notice that they were
writing into random memory.
> And Again, John; who still uses VMS?
Most semiconductor manufacturing.
About 1/2 the major stock exchanges, most of the rest use Tandem.
Hospitals, banks, military, railroads, customs, genealogy, video rental
tracking, music industry. Manufacturing automation, Real estate MLS
listings, payroll outsourcing companies, insurance, 911 systems,
wireless phone billing, lotteries, and there are probably quite a few
that I do not know about.
It mainly is a back end industrial server these days, but there are some
people people that are needing some extreme graphics on it, I do not
know what those applications are.
In areas where downtime is measured in multiples of $1000 per minute, it
has a strong niche with all competing solutions costing many times more.
wb8tyw at qsl.net
Personal Opinion Only
More information about the Coco