On Dec 2, 2017, at 5:48 AM, Doug Jackson via cctech
<cctech at classiccmp.org> wrote:
> Camiel,
>
> Without sounding super negative (my day job as a security consultant lets
> me do that enough...) I would be especially wary of connecting anything
> with a 10-year-old stack to the modern internet. The range of automatic
> attacks based on what the state of the OS was when it was last patched is
> staggering.

That's true to a point. On the other hand, many attacks require that the machine is
running on Intel instruction set hardware, and most of them also depend on the OS being
Windows.

While bugs happen, the level of security competence applied by VMS engineering is quite
high compared to the usual "hack it till it no longer crashes" practice seen all
too often nowadays. That applies especially to network protocol implementations.

If the issue is design defects in the protocol specifications, such as may be found in
various revisions of SSL, then having a good OS is not a complete answer. Even there, it
can help; for example, I suspect that the "heartbreak" attack on older SSL
stacks, if it were operable on VMS, wouldn't get you very far because of OS and
instruction set differences. Certainly script kiddy attacks would not work.

paul