[Coco] Re: OS Vulnerabilities

John E. Malmberg wb8tyw at qsl.net
Sat Feb 28 15:26:21 EST 2004 

David Hazelton wrote:

> 
> As an Ex-VMS system administrator, Who still uses VMS?
> 
> I do have to agree with John on the Hardness of VMS, But there were 
> known  holes with VMS too,  At least with Version 5.5.

The known exploits were fixed with OpenVMS 5.2, unless the system 
manager undid the fixes.

Those two exploits were when system administrators did not change the 
default passwords for the standard accounts, and that DECNET allowed 
remote anonymous users to run scripts.

A famous worm exploited the second case, and the first weakness is 
obvious.  To be affected by that worm, the systems had to be connected 
to the internet DECnet protocol.

The response from VMS Engineering was not to let that happen again, and 
so far they have been successful.

Password security was also locked down, and a dictionary of forbidden 
passwords that can be customized by the system manager was implemented.

As was break in evasion techniques.  Unless you are very lucky, it would 
take years to brute force guess a password to get in.

5.5-2, the oldest supported version of 5.x is quite secure against a 
remote intruder taking control.  There are some security patches, but 
those exploits require someone who already had a non privileged account.

> (I know that was before OpenVMS).

No it wasn't.  That was when the marketing folks did a name change and 
caused a lot of confusion.  Same OS, new name.

> When I moved over to Unix, I was told that the reason 
> why Unix was so unsecure was that Unix was in the schools and the holes 
> became more popular than those on VMS.  There might have been some truth 
> to it, but I doubt it.

VMS was in most of the schools back then and still is in many.  The only 
reason it was displaced by UNIX was that ATT was giving away the license 
for free and DIGITAL was not.

> I believe that at least in the 80's, VMS was 
> secure because of who used it and why...Business.  Unix had more of a 
> R&D environment, where one did not want the OS to stop advancements, but 
> allowed easier access to it's power.

UNIX came from an environment were it was designed primarily for 
embedded process control, and development of such.

When an OS is designed for such, you do not have to be concerned with 
malicious programmers trying to break things, and to give better process 
control, you can take shortcuts.  The evolution of UNIX to be a general 
purpose timesharing environment grew out of that.

The main exploit in UNIX has been buffer overflows, and as UNIX has 
matured, most of those have been fixed.  If you will notice that 
"recent" additions to the UNIX syscalls are duplicates of the older 
calls, but with an argument that gave the bounds limit.

OpenVMS grew out of the DecSYSTEM-10 and RSTS-E/RSX-11 environment that 
were in the schools / businesses and actively being attacked.

OpenVMS was designed from the experience that was gained from the 
DecSYSTEM-10 and RSTS/RSX in the schools, and designed to resist damage 
from both hackers, and programmer accidents.

And programmer / user accidents are still the most prevalent problems.

When training a UNIX based programmer to work on OpenVMS, I would get 
lots of complaints about how bad VMS was because it was either refusing 
to compile their program, or refusing to run it, yet the same code would 
run on UNIX.

When examining the code, I never found a VMS specific bug.  I only found 
bugs that should have caused the program to fail on UNIX, except that 
the errors in the program were not being detected by the other compiler, 
or the specific UNIX they were used to did not notice that they were 
writing into random memory.

> And Again, John; who still uses VMS?

Most semiconductor manufacturing.

About 1/2 the major stock exchanges, most of the rest use Tandem.

Hospitals, banks, military, railroads, customs, genealogy, video rental 
tracking, music industry.  Manufacturing automation, Real estate MLS 
listings, payroll outsourcing companies, insurance, 911 systems, 
wireless phone billing, lotteries, and there are probably quite a few 
that I do not know about.

It mainly is a back end industrial server these days, but there are some 
people people that are needing some extreme graphics on it, I do not 
know what those applications are.

In areas where downtime is measured in multiples of $1000 per minute, it 
has a strong niche with all competing solutions costing many times more.

-John
wb8tyw at qsl.net
Personal Opinion Only

More information about the Coco mailing list