Mailing List Archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlug] For all you vi heathen ;-)

On Sun, 19 Jul 2020 at 22:12, Curt J. Sampson <> wrote:
On 2020-07-18 00:39 +0900 (Sat), Benjamin Kowarsch wrote:

> Running VMS is about the smartest approach to security on this planet.

These kinds of statements are exactly why so many people set up such
terribly insecure systems. A product does not give you good security. Ever.

Absolutely not. Besides, other than outfits like the NSA, large banking
and insurance corporations for their most sensitive stuff, who is
still running VMS systems? And those who do, they do so because
they know that VMS is the best there is when it comes to security,
not because they read somebody on the internet say something.

> Well, on VMS a "restricted shell"  is called a captive account
> and it actually performs to specification, not best effort.

Hard as it is to get things to perform to specification, it's even harder
to ensure that the specification itself is correct.

> ...being handed out to anybody who would email in and ask for one. Nobody
> has ever managed to break out.

Oh dear. "I don't know of of any failures" == "There have been no failures."

I didn't say that. The point is this, unlike the vast and overwhelming majority of
Nix and Nix like systems out there, VMS has been designed with security
in mind from the start and this focus has been maintained ever since.

DEC used to bring their boxes to these hacker contests where you could win
price money for breaking into some system since the manufacturers
then got the info how their system was hacked and were able to fix

IIRC there was one single incident where someone managed to break into
a VMS system. DEC had to constantly raise the price money well
above what any other vendor was offering to even find any takers, the
hackers preferred to invest their efforts into hacking some other system
because they knew that way they had a good chance to go home with
some actual cash in their pockets.

That doesn't mean there are no vulnerabilities, but it illustrates the point,
that a system designed from the start with security in mind will run rings
around all those where security was a mere afterthought, bolted on later.

> There is a difference between system design with security designed in
> from the start, and system "design" with "security" bolted on afterwards.

Certainly! If you know this, I find it surprising you recommend OpenBSD to
people wanting to be more secure.

I mentioned OpenBSD for two simple reasons:

* courtesy, this is a form of open source people after all
* I got the impression that the OpenBSD project prioritises security.

Now, I will grant you that prioritising security is not anywhere near as good
as designed with security in mind from the start, but priority on security
is still better than not prioritising security.

There seem to be too many script kiddies out there in the world of system
software implementation and packaging who want stuff simply because it is
"cool" without much concern what the implications are. That certainly does
not count as priority on security. I'd rather trust a regime by which certain
stuff is excluded until it has been shown to meet the regime's security
policy. That appears to be the regime under which OpenBSD is operating.

It most certainly is not the regime under which Linux, Windows, and
MacOS are being developed/maintained. In their realms features trump
security and reliability ***more often than not***.

Home | Main Index | Thread Index