Re: The possibility of vms opening up?

geletine wrote:
AEF wrote:
geletine wrote:
David J. Dachtera wrote:
Another large obstacle is security. Some sites currently
using VMS would
be rather put off by the idea of having such things become "commonly

Are you indicating that vms is security by obscurity?

Sigh .. This argument always comes up by the somewhat less informed and
imho, you should also ask the question of the banks i.e. why do they not
provide detailed plans of their vaults and security systems on the
internet? Is it because they are not really secure and rely on security
by obscurity ?

Its a very nice way of avoiding a question :)
Many corporate companies use open source operating systems, does that
automatically mean they are giving the world access to their profits?

Corporations have been hacked. Data has been stolen. Identity theft is
a growing problem. Not all such breaches are made public. I'm sure
some, if not many or even most, have been from systems running open
source software.

I don't know why you claim most of the insecurity is casued by open
source software opposed to incorrect education. I highly recommend you
read schneiers article about open software

OK, I did a quick read of this. ... Interesting. It appears that
"obscurity" is a double-edged sword, so to speak. One must be careful
what one is implying is "obscure". Is the Web site obscure? Is the OS
the Web site is running on obscure?

The article offers Microsoft as an example of being a closed source
with bad security. But at least he admits that it's not totally fair to
use it as an example because Microsoft is bad regardless of open vs.
close. I still remember when my DellNet dialup became DellNet by MSN
and how it instantly went from pretty-damn-good to really, really

What he doesn't comment on is the Macintosh OS.

HP OpenVMS Engineering asks that if someone discovers a security flaw
in VMS that they contact them privately and not publish it for the
whole world to see. Isn't that better, at least in this case, than
publishing the flaw for all to see?

before you claim open source is to be blamed, and then read his book
Secrets & Lies or any of his books if you like.

if open source is so weak , why is the U.S. government's Department of
Homeland Security planning to spend $1.24 million over three years ?,1895,1909946,00.asp

Security by obscurity alone is not great, but solid locks or vaults, or
solid software (including the OS), combined with not revealing all the
inner workings of said security measures, *is* good.

You admit Security by obscurity is not perfect alone, then you
contradict yourself and say it is, to me your trying to defend vms
reason for being closed source.

The U.S. military keeps the true GPS error unavailable to the public.
The public can't use GPS to its best accuarcy, and the military keeps
just what that best accuracy is a secret. This way our enemies can't
build something just good enough to "sneak under the radar". This keeps
them guessing and it makes it harder for them.

Any goverment , military has better tools than its people, i am not
denying that.
It was interesting to say the least when Phil Zimmermann was the
target of a three-year criminal investigation over pgp, at one time it
was said to be the best the public could get to military grade

Or perhaps it is because banks just do not believe doing so would
enhance their overall security and their Customers trust them to provide
the highest level of security possible.

I believe it comes down to politics.

No, it comes down to common sense. What possible benefit would there be
of the banks' publishing the inner workings of their security systems?

There's a world of difference between *depending* on obscurity for
security, and building very secure products that are not "open source".
While obscurity is not enough for good security, it still helps. In
fact, this is exactly what people who criticize VMS argue -- that it
only "appears" secure due to its low profile (obscurity).

Its fair criticizm by many to point out vms realively uknown presence
in the os world for being secure.

Are you next going to recommend that people post their true,
"unmunged", email addresses on this public forum? Should we all publish
our SYSTEM-account passwords on the Internet?

Please don't mention something i did not even hint at, private data is
not the same as a os, private personal information is nobody elses , an
os surounds this data as secure as it can, wheather that be closed
source or open source. Most websevers use Apache HTTP Server, does
that mean that personal information is freely available , nope, just
the http server.