Announcing a premier mailserver for OpenVMS
u***@gmail.com
2017-05-15 21:59:46 UTC
for those who have not heard yet

PreciseMail Anti-Spam Gateway

PreciseMail Anti-Spam Gateway is an enterprise email security solution that eliminates spam, phishing and virus threats at the Internet gateway or mail server.

Advantages:

Provides complete integrated email security
Proven out-of-the-box spam detection accuracy rate of 98% with zero loss of legitimate messages
Easy centralized web-based administration
Intuitive user-controlled spam management
Flexible deployment options for any mail environment
Reliably manages email filtering on multiple MTAs
Comprehensive graphical reporting
Optional Sophos Anti-Virus module
Over 20 years of experience providing messaging solutions to mission critical environments

Why Customers Like PreciseMail

Effective: PreciseMail Anti-Spam Gateway blocks spam, viruses, and phishing threats at the Internet gateway or on the mail server. PreciseMail combines several best-of-breed spam filtering methods to achieve a high spam detection rate - an impressive 98% out-of-the-box in a recent Network World product review - with zero loss of legitimate messages.

Flexible: PreciseMail is a software solution that works with any mail server. PreciseMail can also be integrated directly with Sendmail, Sun's Messaging Server, or Process Software's PMDF.

Easy: PreciseMail's intuitive web-based interface provides each user access to their quarantined messages, and allows easy creation of block lists, allow lists, and modification of spam filtering preferences. The web-based administrator interface centralizes all configuration, reporting, and management tasks.

Process Software is focused on networking and messaging products and services for mission critical networks. In 20 years of business, we've grown our base to over 3,000 customers, which include many Fortune 1000 companies, educational institutes, and government agencies. Some customers include BDP International, Pennsylvania State University, Pride Industries, and Elias Sports Bureau. All our products are backed by a team of sales and support professionals with significant experience assisting organizations with their mission-critical networks.
Steven Schweda
2017-05-15 22:35:22 UTC
Post by u***@gmail.com
for those who have not heard yet
It would be nice if you could contain your enthusiasm
enough to stop posting duplicate sales and marketing info in
every thread you can find (and/or starting new ones for the
duplicates). Thanks.
Stephen Hoffman
2017-05-15 23:12:41 UTC
for those who have not heard yet PreciseMail Anti-Spam Gateway
Sure, but that package and the rest of OpenVMS is going to entice far
too few folks — too few to matter — over onto OpenVMS.

Certainly not in comparison to what Exchange Server or Exchange Online
provides folks, and what those packages provide far more effectively.
Likely cheaper, too. Or what can be done with Postfix and Dovecot on
Linux or BSD, for those looking for open source or free solutions.

DEC and IBM and HP all got slammed in this particular market. With
established products. And all exited it. What's changed that would
cause (enough) folks to migrate away from Exchange Server, and over to
OpenVMS? Not much that I can see, unfortunately. If anything, the
competitive advantages of Microsoft are far larger than they were, too.

And if folks do decide to migrate away from Exchange Server and don't
want to go to a hosted provider or to a Linux or BSD server running
available open-source packages — Postfix and Dovecot, or OwnCloud or
such — then Kerio Connect and some other established products do work
and work well, and do feature things that Exchange Server offers.

http://www.kerio.com/products/kerio-connect

Brilliant Systems marketed something similar here in the OpenVMS
market with Quintara, though that's seemingly not been updated since
~2010 or so based on the PDF files and docs posted.

http://www.brilliant.com/qsoft.html


As for your efforts and your support, that's certainly very valuable.
I'd simply prefer folks look at what's available on other platforms —
at the competitive products and services, and learn what folks are
using and what they expect for features and capabilities — and also
that the folks at VSI get some time to work on OpenVMS and to bring
OpenVMS forward. But marketing OpenVMS as a mail server? That's
going to take some time both at VSI — and at Process, if that software
is included — to make your proposed configuration acceptable to folks
accustomed to configuring Windows Server and Exchange Server, or to
configuring Linux or BSD and the associated mail server components.
On Itanium? As for the competition, I simply don't see OpenVMS being
any more viable against Exchange Server — and now with SharePoint
Server, and Microsoft Azure and Exchange Online — than back when DEC,
HP, IBM and others bailed out of that particular market. VSI has to
pick what they're going to address here, and keeping the installed base
happy is going to be the goal for the next five years and quite
possibly longer. I don't see VSI going directly against an entrenched
Microsoft client or server product offering over the next five or ten
years, either.
--
Pure Personal Opinion | HoffmanLabs LLC
Jason Howe
2017-05-16 00:19:09 UTC
On Mon, 15 May 2017 19:12:41 -0400, Stephen Hoffman
for those who have not heard yet PreciseMail Anti-Spam Gateway
Sure, but that package and the rest of OpenVMS is going to entice far too few
folks — too few to matter — over onto OpenVMS.
Certainly not in comparison to what Exchange Server or Exchange Online
provides folks, and what those packages provide far more effectively. Likely
cheaper, too. Or what can be done with Postfix and Dovecot on Linux or BSD,
for those looking for open source or free solutions.
DEC and IBM and HP all got slammed in this particular market. With
established products.
[snip a lot of stuff I agree with]

You forgot the pull of the almighty Google. We migrated from Groupwise (which
is a really really great mailsystem, by the way) to gmail. Gmail!

It's hard to hang your hat on some of this core infrastructure these days, when
so many people are willing to give it away for basically free.
--
Jason
Mark Daniel
2017-05-16 04:29:55 UTC
Post by Jason Howe
On Mon, 15 May 2017 19:12:41 -0400, Stephen Hoffman
for those who have not heard yet PreciseMail Anti-Spam Gateway
Sure, but that package and the rest of OpenVMS is going to entice far too few
folks — too few to matter — over onto OpenVMS.
Certainly not in comparison to what Exchange Server or Exchange Online
provides folks, and what those packages provide far more effectively. Likely
cheaper, too. Or what can be done with Postfix and Dovecot on Linux or BSD,
for those looking for open source or free solutions.
DEC and IBM and HP all got slammed in this particular market. With
established products.
[snip a lot of stuff I agree with]
You forgot the pull of the almighty Google. We migrated from Groupwise (which
is a really really great mailsystem, by the way) to gmail. Gmail!
It's hard to hang your hat on some of this core infrastructure these days, when
so many people are willing to give it away for basically free.
Free? https://privacy.google.com/your-data.html
Stephen Hoffman
2017-05-16 14:44:17 UTC
You forgot the pull of the almighty Google. It's hard to hang your
hat on some of this core infrastructure these days, when so many people
are willing to give it away for basically free.
Ayup.

We are not in the same market that OpenVMS was launched in. Not by
any stretch. Not even close to the same market.

At the low- to mid-range... There are folks that'll sell you
exceedingly nice packaged systems with very easy-to-use and very
capable hardware and software and three years' support for ~US$600.
This for folks that want "smaller" servers, and which are capable of
tasks that were once performed by mid- and upper-end OpenVMS Alpha
systems. Lots of options for hosting services, too. Whether for
Exchange hosting, for generic mail hosting, and for the ad-supported
hosting. Or for a small project such as yours, boot up a "bare
metal" x86-64 server for ~€3 per month hosted; 2 GB / 50 GB and 1 IPv4.
Or €12 per month for a nice ARMv8 "bare metal" config (8 cores, 8
GB, 200 GB, 1 IPv4), for those inclined to head in that direction.
Both of those to host your services in an established data center with
full-time coverage.

Why hand this off? Why host? Established service providers are also
a whole lot better at dealing with filtering spam and with implementing
2FA and the rest, too — the corpus that Google has access to is
massive. With self-hosting locally or with a bare-metal in an
established data center, you get to own all that, as well as your
server reputation and a pile of other details. All feasible to learn
certainly, and some folks here thrive on it — but for many folks and
for many businesses... why?

For those that want to or need to host their own... Massive changes in
capabilities of competitive systems since OpenVMS got rolling, and
prices have cratered for many formerly-expensive services. A NUC or
smaller can provide a small business or office server, or a home
server, for those inclined to self-host. Or a Mac mini for that
matter, and which is massive overkill for many of these cases. Or
boot up a Windows Server Nano service or a VM guest in some one- or
two-socket box or board in your own data center(s). Staffing is its
own discussion, too. Cheap and variously outsourced and servers
increasingly automated for commodity and common hardware and software,
and staffing that's not so cheap and still bespoke for
application-specific and unusual hardware and software configurations.
Windows Server and Exchange Server and Active Directory are common.
OpenVMS... isn't.

As for folks suggesting hosting mail on OpenVMS because it is... or is
not... {whatever}... Have a good look at what's available now. Go
learn it. Go do a competitive analysis. Go make a case for OpenVMS
here that's factual, and that's not seriously overpriced. On the
low-end — figure probably a thousand or so users and smaller on a
mid-range Mac mini with add-on storage — that's going to be a tough
case. Or self-hosting on Linux or BSD and integrated tools, or with
Kerio or OwnCloud or other add-ons, for that matter — because many
businesses are not going to use a Mac mini or a NUC. And are not
going to use OpenVMS here, either. This all up against Exchange
Server on Windows Server, which is the commodity self-hosted choice for
many folks.

OpenVMS isn't going to get traction in the self-hosting email market.
Not enough to matter, and not enough to justify a big push or a big
investment in email tools. Not without a whole lot of work. The
foundation work that VSI is doing will certainly help here for those
that want to self-host mail, but it's going to be a bigger help for
folks that are using existing apps on OpenVMS, and that are integrating
OpenVMS with — among other services — Active Directory and Exchange
Server for network and email services. Building out apps and tools
from the installed base — and starting to expand to wholly new apps and
wholly new deployments and customers — will take five or ten years
after the x86-64 port is available, too. Yes, getting MIME integrated
will help with OpenVMS, as will getting AD integration, sorting out the
certificate mess, overhauling updates, and (many) other related updates
that VSI is either working on or that they already know of. That VSI
wants and needs to work on, and variously is working on.

As mentioned earlier, there are ~700 network-accessible OpenVMS servers
operating on the 'net right now. Mail servers are inherently exposed,
too. Of these, less than 200 PMDF hosts and one (1) PreciseMail
server is currently reported. (Somebody's running PMDF with a
LetsEncrypt cert, too. But I digress.) Which should tell you where
self-hosting mail on OpenVMS will start out from. (BTW, I do hope VSI
is using this and other available data to make contact with and make
nice these folks, but I digress...) Seven million Exchange Server
configurations, with 600,000 of those at Amazon, and roughly a quarter
million at OVH and Digital Ocean. (Imagine trying to configure and
manage and troubleshoot and quickly patch even a decent chunk of a
quarter million OpenVMS servers? But I digress. Again.)

But becoming a primary mail server or getting a central role in most
network services, akin to what various OpenVMS servers provided folks
back in the 1980s and 1990s, particularly with DECnet and MAIL-11?
That era is not going to happen again any time soon.
--
Pure Personal Opinion | HoffmanLabs LLC
David Froble
2017-05-16 15:18:18 UTC
Stephen Hoffman wrote:

<big snip>
Post by Stephen Hoffman
But becoming a primary mail server or getting a central role in most
network services, akin to what various OpenVMS servers provided folks
back in the 1980s and 1990s, particularly with DECnet and MAIL-11?
That era is not going to happen again any time soon.
Well, why should it? As mentioned, some of this stuff has been commodisized (is
that a word?) and for some of us, that's not what VMS is about. One size
doesn't fit all, and where VMS is better utilized it's the special needs.

Ok, that gives up the volume sales and use. Wait, no it doesn't, nothing there
to give up, it's long gone. Better to address those markets where VMS provides
advantages. Such does exist. Probably much more than most realize. Markets
where "free" isn't so strongly desired, and where users wouldn't consider
running without support. Monthly support payments can seem rather small, but
they add up. That's where the money is to be had.
u***@gmail.com
2017-05-16 16:20:23 UTC
Post by Stephen Hoffman
for those who have not heard yet PreciseMail Anti-Spam Gateway
Sure, but that package and the rest of OpenVMS is going to entice far
too few folks — too few to matter — over onto OpenVMS.
Certainly not in comparison to what Exchange Server or Exchange Online
provides folks, and what those packages provide far more effectively.
Likely cheaper, too. Or what can be down with Postfix and Dovecot on
Linux or BSD, for those looking for open source or free solutions.
DEC and IBM and HP all got slammed in this particular market. With
established products. And all exited it. What's changed that would
cause (enough) folks to migrate away from Exchange Server, and over to
OpenVMS?
--
Pure Personal Opinion | HoffmanLabs LLC
HOW ABOUT SECURITY SO YOU CAN ACTUALLY READ YOUR MAIL
AND THE REST OF THE WORLD CAN'T
Stephen Hoffman
2017-05-16 16:51:59 UTC
Post by u***@gmail.com
HOW ABOUT SECURITY SO YOU CAN ACTUALLY READ YOUR MAIL
AND THE REST OF THE WORLD CAN'T
You write that like there aren't other options that provide that.

Some good options are available at no software cost, too. Various of
those can be acquired with support, if you want to buy that. Or
commercial options.

But here's an easy one... Go price out the options with OpenVMS and
with the competing server products, write up an explanation for
whatever price differences you find, and call me back.

I won't even ask how you are going to address and fund the rest of what
Windows Server with Active Directory and Exchange Server and such
typically provide, or the open-source analogs, or what Kerio offers.

BTW, I tried what you are suggesting, years ago. I really wanted to
run OpenVMS for a particular server application, including mail and
web. The then-current bottom-end HPE OpenVMS hardware and software
configuration price was priced much higher, and with some configuration
trade-offs. That's also starting out with somebody around that knows
well how to manage and troubleshoot an OpenVMS server, too. Which
aren't skills that most entities even have available. The pricing
difference was... large.

The VSI x86-64 port will help here with the hardware costs and
configuration options. We'll learn what the VSI pricing plans are as
the port becomes available, too.
--
Pure Personal Opinion | HoffmanLabs LLC
u***@gmail.com
2017-05-17 11:33:17 UTC
Post by Stephen Hoffman
Post by u***@gmail.com
HOW ABOUT SECURITY SO YOU CAN ACTUALLY READ YOUR MAIL
AND THE REST OF THE WORLD CAN'T
You write that like there aren't other options that provide that.
Some good options are available at no software cost, too. Various of
those can be acquired with support, if you want to buy that. Or
commercial options.
But here's an easy one... Go price out the options with OpenVMS and
with the competing server products, write up an explanation for
whatever price differences you find, and call me back.
I won't even ask how you are going to address and fund the rest of what
Windows Server with Active Directory and Exchange Server and such
typically provide, or the open-source analogs, or what Kerio offers.
BTW, I tried what you are suggesting, years ago. I really wanted to
run OpenVMS for a particular server application, including mail and
web. The then-current bottom-end HPE OpenVMS hardware and software
configuration price was priced much higher, and with some configuration
trade-offs. That's also starting out with somebody around that knows
well how to manage and troubleshoot an OpenVMS server, too. Which
aren't skills that most entities even have available. The pricing
difference was... large.
The VSI x86-64 port will help here with the hardware costs and
configuration options. We'll learn what the VSI pricing plans are as
the port becomes available, too.
--
Pure Personal Opinion | HoffmanLabs LLC
Funny I ran Purveyor, TCPware, PreciseMail, Sophos for a
300 person business and the entry cost was minimal.
We are talking about businesses not personal use I hope.
Stephen Hoffman
2017-05-17 13:39:55 UTC
Funny I ran Purveyor, TCPware, PreciseMail, Sophos for a 300 person
business and the entry cost was minimal. We are talking about businesses
not personal use I hope.
Good on you!

There was one PreciseMail server on the 'net when I checked, based on a
simplistic search.

There are around two hundred OpenVMS boxes running SMTP on the 'net,
and I'd suspect some number of those are actually running PreciseMail;
so probably more than one, less than two hundred.

You've some rare skills.

But then these discussions always involve business and financial
decisions, including purchase and support prices and staffing. Some
hard-to-demonstrate security advantage is well down the priority list
for most folks making purchasing decisions. Run the prices for the
different mail server implementations. Then figure out how to sell
the different configurations; how to justify the prices and the
selection and the staffing and support costs to local management.
OpenVMS hardware and software prices are higher, and VSI is working to
address this with their licensing changes and with the port. Price
out an entry-level Integrity server with a decent chunk of storage, and
compare that with an x86-64 box and storage, too. Then price out that
there's no entry-level configurations right now, too — three hundred
users doesn't need a big server. Remember to account for the need to
train the local staff about the whole stack here too, given it's a rare
combination.

While you're pricing competitive servers and considering differences in
features... For those that don't need in-house servers and that are
invested in using Microsoft clients, hosted Exchange and Office365 is a
really hard combination to beat. Whether for security, or simply to
outsource the whole effort of dealing with mail and mail servers.

For in-house implementations, pretty much everybody is running Active
Directory if using Microsoft or a mix of products, or maybe running
Open Directory if there's little or no Microsoft software around — and
that's pretty rare. This as anybody that's trying to manage large
numbers of systems without LDAP is buried in security and maintenance
problems. So if the mail system doesn't easily integrate with LDAP,
it's not going to be nearly as interesting to customers.

Do remember that business and management folks can and variously will
trade-off security or integrity for lower acquisition or lower running
costs, too. As happened in NHS.

Again, there is just no way VSI is going to pull in an appreciable
number of new OpenVMS sites as mail servers. None. Not without a
whole lot of work, and not without prices and features that are
directly competitive with what Windows Server, Active Directory and
Exchange Server provide. Or Linux or BSD servers running open source,
for those with few Microsoft systems around. Spending time and effort
competing with Kerio just isn't a good plan, AFAICT — spending that
time and effort improving the environment for the existing and bespoke
apps and the installed base is going to keep more folks on OpenVMS.
If the VSI IP mail server is enough for them, great — most will
probably gateway that server via Exchange Server, too.

But go run the prices. Then figure out how you're going to sell that
to enough folks to matter, and selling against the established on-site
and hosted-services providers. Again, DEC, IBM, HP and others — all
with established office and mail servers — all looked at this market,
where it was headed, and bailed out years ago. Ask yourself what's
changed? And what is given up — particularly work for the installed
base — with spending time and effort developing and maintaining and
supporting a mail server package that'll be broadly interesting to
folks.

I just don't see a market for OpenVMS here. Not for most of ten
years, and not before a whole lot of work by VSI and Process and
others. And whether the server market then will even look anything
like it does now?
--
Pure Personal Opinion | HoffmanLabs LLC
Hunter Goatley
2017-05-18 15:24:50 UTC
Post by Stephen Hoffman
There was one PreciseMail server on the 'net when I checked, based on a
simplistic search.
There are around two hundred OpenVMS boxes running SMTP on the 'net, and
I'd suspect some number of those are actually running PreciseMail; so
probably more than one, less than two hundred.
Just FYI, PreciseMail runs as either a PMDF channel or as a proxy SMTP
server. Either way, it won't show up when talking with an OpenVMS system
running an SMTP server, because the proxy server will just show the
banner from the backend server.
--
Hunter
------
Hunter Goatley, Process Software, http://www.process.com/
***@goatley.com http://hunter.goatley.com/
Jason Howe
2017-05-16 17:43:43 UTC
HOW ABOUT SECURITY SO YOU CAN ACTUALLY READ YOUR MAIL AND THE REST OF THE
WORLD CAN'T
Surely, you're joking Mr. Ultradwc!

I assume you mean not read at the transport level, as once it gets to your own
server, it's a bit easier to keep secure than when the information is on the
wire.

As far as transport on the wire goes, as with any point-to-point communication,
even when encrypted, it's difficult to determine if there is a man-in-the-middle
SSL proxy doing deep-packet inspection on the fly (hint, there probably is), or
if the mailserver that sends it to you is even the originating server -- maybe
the outgoing or receiving mailserver is multiplexing mail out to a shadow NSA
account -- but you'll never know.

Please tell me how VMS allows me to detect/guard against those scenarios any
better than a different mailsystem. I think the best any mail system can hope
for is to enforce transport level encryption, to at least keep the plain-text
packet sniffers at bay...but honestly, for determined parties, I'm not sure how
much of a guard that is anyway. It probably helps with message tampering
en-route though.

Obviously, the easy answer to this is to encrypt the text of your messages with
an encryption key which only the receiving party has. This, however, is a fairly
impractical solution as far as email goes, and I'd recommend a different
communications protocol if you need that level of secrecy.
--
Jason
u***@gmail.com
2017-05-17 11:36:10 UTC
Post by Jason Howe
HOW ABOUT SECURITY SO YOU CAN ACTUALLY READ YOUR MAIL AND THE REST OF THE
WORLD CAN'T
Surely, you're joking Mr. Ultradwc!
I assume you mean not read at the transport level, as once it gets to your own
server, it's a bit easier to keep secure than when the information is on the
wire.
As far as transport on the wire goes, as with any point-to-point communication,
even when encrypted, it's difficult to determine if there is a man-in-the-middle
SSL proxy doing deep-packet inspection on the fly (hint, there probably is), or
if the mailserver that sends it to you is even the originating server -- maybe
the outgoing or receiving mailserver is multiplexing mail out to a shadow NSA
account -- but you'll never know.
Please tell me how VMS allows me to detect/guard against those scenarios any
better than a different mailsystem. I think the best any mail system can hope
for is to enforce transport level encryption, to at least keep the plain-text
packet sniffers at bay...but honestly, for determined parties, I'm not sure how
much of a guard that is anyway. It probably helps with message tampering
en-route though.
Obviously, the easy answer to this is to encrypt the text of your messages with
an encryption key which only the receiving party has. This, however, is a fairly
impractical solution as far as email goes, and I'd recommend a different
communications protocol if you need that level of secrecy.
--
Jason
I am talking server level. If it is so easy to secure, why
all the server breaches and stolen mail and info? Surely
you are joking.
Stephen Hoffman
2017-05-17 13:41:22 UTC
I am talking server level. If it is so easy to secure, why all the
server breaches and stolen mail and info? Surely you are joking.
Why are you so certain that OpenVMS is immune to how those breaches are
actually transpiring?
--
Pure Personal Opinion | HoffmanLabs LLC
u***@gmail.com
2017-05-21 21:17:49 UTC
Post by Stephen Hoffman
I am talking server level. If it is so easy to secure, why all the
server breaches and stolen mail and info? Surely you are joking.
Why are you so certain that OpenVMS is immune to how those breaches are
actually transpiring?
--
Pure Personal Opinion | HoffmanLabs LLC
Because I ran the stuff for years without a single breach
that's how.
Stephen Hoffman
2017-05-21 22:51:38 UTC
Post by Stephen Hoffman
I am talking server level. If it is so easy to secure, why all the
server breaches and stolen mail and info? Surely you are joking.
Why are you so certain that OpenVMS is immune to how those breaches are
actually transpiring?
Because I ran the stuff for years without a single breach that's how.
Without a single breach that you knew of.
--
Pure Personal Opinion | HoffmanLabs LLC
u***@gmail.com
2017-05-22 12:19:14 UTC
Post by Stephen Hoffman
Post by Stephen Hoffman
I am talking server level. If it is so easy to secure, why all the
server breaches and stolen mail and info? Surely you are joking.
Why are you so certain that OpenVMS is immune to how those breaches are
actually transpiring?
Because I ran the stuff for years without a single breach that's how.
Without a single breach that you knew of.
--
Pure Personal Opinion | HoffmanLabs LLC
no I would be the first to know. I watched the logs like a hawk
and made adjustments to packet filtering to eliminate threats.
Stephen Hoffman
2017-05-22 14:59:30 UTC
Post by Stephen Hoffman
Post by Stephen Hoffman
I am talking server level. If it is so easy to secure, why all the
server breaches and stolen mail and info? Surely you are joking.
Why are you so certain that OpenVMS is immune to how those breaches are
actually transpiring?
Because I ran the stuff for years without a single breach that's how.
Without a single breach that you knew of.
no I would be the first to know. I watched the logs like a hawk and
made adjustments to packet filtering to eliminate threats.
I'd be surprised if any OpenVMS site logged enough. I don't log
nearly enough. And I'm paranoid.
--
Pure Personal Opinion | HoffmanLabs LLC
Bill Gunshannon
2017-05-21 23:04:58 UTC
Post by u***@gmail.com
Post by Stephen Hoffman
I am talking server level. If it is so easy to secure, why all the
server breaches and stolen mail and info? Surely you are joking.
Why are you so certain that OpenVMS is immune to how those breaches are
actually transpiring?
--
Pure Personal Opinion | HoffmanLabs LLC
Because I ran the stuff for years without a single breach
that's how.
I made the same claim about Windows Server and everybody here
kept saying there were breaches, I just didn't know about them.

bill
Kerry Main
2017-05-22 13:31:45 UTC
-----Original Message-----
Gunshannon via Info-vax
Sent: May 21, 2017 7:05 PM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
On Wednesday, May 17, 2017 at 9:41:24 AM UTC-4, Stephen Hoffman
Post by Stephen Hoffman
I am talking server level. If it is so easy to secure, why all the
server breaches and stolen mail and info? Surely you are joking.
Why are you so certain that OpenVMS is immune to how those
breaches are actually transpiring?
--
Pure Personal Opinion | HoffmanLabs LLC
Because I ran the stuff for years without a single breach
that's how.
I made the same claim about Windows Server and everybody here
kept saying there were breaches, I just didn't know about them.
bill
The big difference is that the large number of monthly security issues
causing very public issues with real customers using commodity OS's is
well published in the press.

Re: "I just don't know about them" - You only have to talk to Mr. Google
to find Windows issues that have impacted many similar university
environments as yours.

And for those that think Linux is any better than Windows, I would refer
them to the Red Hat security (not bug fixes, just security) patches
site:
<https://www.redhat.com/archives/enterprise-watch-list/> Click on thread
for any month, going back as long as you want and add them up. Also look
at number of monthly "kernel" issues. Yes, not all security patches
apply to all environments, but someone has to review this list on a
regular basis to determine which applies to their environment and which
do not. This assumes of course, the SysAdmin knows what services every
OS is using on the hundreds of V/P OS's they use.

With OpenVMS, yes, there have been proven security issues in previous
decades (Finger albeit on VAX only, SMG - 10-15 years ago - both of
which required accounts on the system, and a few others). Yes,
potentially, there will be issues in the future because no platform can
state they are 100% secure. Having stated this, while there are lots of
theoretical "may or could or might impact OpenVMS" type issues, there
are no real examples in the press.

It is extremely difficult to find any mention of any recent security
issues causing any real issues impacting Customer OpenVMS applications.

Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.

Certainly willing to be corrected, but if someone has any examples, I
would love to see a pointer.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
Bill Gunshannon
2017-05-22 14:53:42 UTC
Post by Kerry Main
-----Original Message-----
Gunshannon via Info-vax
Sent: May 21, 2017 7:05 PM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
On Wednesday, May 17, 2017 at 9:41:24 AM UTC-4, Stephen Hoffman
Post by Stephen Hoffman
I am talking server level. If it is so easy to secure, why all the
server breaches and stolen mail and info? Surely you are joking.
Why are you so certain that OpenVMS is immune to how those breaches are
actually transpiring?
--
Pure Personal Opinion | HoffmanLabs LLC
Because I ran the stuff for years without a single breach
that's how.
I made the same claim about Windows Server and everybody here
kept saying there were breaches, I just didn't know about them.
bill
The big difference is that the large number of monthly security issues
causing very public issues with real customers using commodity OS's is
well published in the press.
And that doesn't mean mine weren't properly secured.
Post by Kerry Main
Re: "I just don't know about them" - You only have to talk to Mr. Google
to find Windows issues that have impacted many similar university
environments as yours.
And that doesn't mean mine weren't properly secured.
Post by Kerry Main
And for those that think Linux is any better than Windows, I would refer
them to the Red Hat security (not bug fixes, just security) patches
<https://www.redhat.com/archives/enterprise-watch-list/> Click on thread
for any month, going back as long as you want and add them up. Also look
at number of monthly "kernel" issues. Yes, not all security patches
apply to all environments, but someone has to review this list on a
regular basis to determine which applies to their environment and which
do not. This assumes of course, the SysAdmin knows what services every
OS is using on the hundreds of V/P OS's they use.
With OpenVMS, yes, there have been proven security issues in previous
decades (Finger albeit on VAX only, SMG - 10-15 years ago - both of
which required accounts on the system, and a few others). Yes,
potentially, there will be issues in the future because no platform can
state they are 100% secure. Having stated this, while there are lots of
theoretical "may or could or might impact OpenVMS" type issues, there
are no real examples in the press.
It is extremely difficult to find any mention of any recent security
issues causing any real issues impacting Customer OpenVMS applications.
Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.
Certainly willing to be corrected, but if someone has any examples, I
would love to see a pointer.
I have given you examples. Numerous instances of Server 2003, 2008,
2012. No system level intrusions, ever.

Linux in various flavors. RedHat, CentOS, Debian. No system level
intrusions, ever.

Same for FreeBSD (well, they have had one since I left but even with
no one watching the store it took a year and a half before my work
fell far enough behind for it to happen!!)

You really need to give it a rest. No OS is secure out of the box.
Not Windows, not Unix, and not VMS. All of them can be run in a
secure manner if the admins are knowledgeable enough and willing
to put in the effort needed. And, no, Windows and Unix don't take
any more effort to secure than VMS does.

bill
Kerry Main
2017-05-22 15:30:01 UTC
-----Original Message-----
Gunshannon via Info-vax
Sent: May 22, 2017 10:54 AM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
[snip]
Post by Kerry Main
The big difference is that the large number of monthly security issues
causing very public issues with real customers using commodity OS's is
well published in the press.
And that doesn't mean mine weren't properly secured.
You were either lucky or you were religiously applying the monthly
patches. When native / kernel level services have remote access flaws,
regardless any good SysAdmin work to secure systems becomes less
relevant.
Post by Kerry Main
Re: "I just don't know about them" - You only have to talk to Mr. Google
to find Windows issues that have impacted many similar university
environments as yours.
And that doesn't mean mine weren't properly secured.
Define "properly secured".

In my mind, this means religiously applying all the monthly Windows
server based security patches that were applicable to the kernels,
services and apps applicable to your environment.

Is this a strategy that you implemented as part of your "properly
secured" environment?
Post by Kerry Main
And for those that think Linux is any better than Windows, I would refer
them to the Red Hat security (not bug fixes, just security) patches
<https://www.redhat.com/archives/enterprise-watch-list/> Click on thread
for any month, going back as long as you want and add them up. Also look
at number of monthly "kernel" issues. Yes, not all security patches
apply to all environments, but someone has to review this list on a
regular basis to determine which applies to their environment and which
do not. This assumes of course, the SysAdmin knows what services every
OS is using on the hundreds of V/P OS's they use.
With OpenVMS, yes, there have been proven security issues in previous
decades (Finger albeit on VAX only, SMG - 10-15 years ago - both of
which required accounts on the system, and a few others). Yes,
potentially, there will be issues in the future because no platform can
state they are 100% secure. Having stated this, while there are lots of
theoretical "may or could or might impact OpenVMS" type issues, there
are no real examples in the press.
It is extremely difficult to find any mention of any recent security
issues causing any real issues impacting Customer OpenVMS applications.
Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.
Certainly willing to be corrected, but if someone has any examples, I
would love to see a pointer.
I have given you examples. Numerous instances of Server 2003, 2008,
2012. No system level intrusions, ever.
I was referring to examples of OpenVMS. The number of Windows Server
security issues that have impacted Cust's is huge.
Linux in various flavors. RedHat, CentOS, Debian. No system level
intrusions, ever.
I was referring to examples of OpenVMS. The number of Linux Server
security issues that have impacted Cust's is huge.

Also see point above about "properly secured". This means you must have
been very busy with monthly security patches that impacted whatever
server versions you were running.
Same for FreeBSD (well, they have had one since I left but even with
no one watching the store it took a year and a half before my work
fell far enough behind for it to happen!!)
You really need to give it a rest. No OS is secure out of the box.
Not Windows, not Unix, and not VMS. All of them can be run in a
secure manner if the admins are knowledgeable enough and willing
to put in the effort needed. And, no, Windows and Unix don't take
any more effort to secure than VMS does.
bill
Who said anything about "out of the box?"

Again, no one is saying OpenVMS is 100% secure. You did read my related
comments on this right?

The issue is when the SysAdmin does all they can and then the system is
breached (remotely or via logged in user) by one of the many monthly
security patch issues that have not yet been patched - for whatever
reason (and there are many).

It is a question of the VOLUME of security patches that a SysAdmin or
OPS dept has to review, test, create deployment pkgs, then schedule
(change mgmt. / CABS are such a wonderful experience)/ deploy,
deploy/test each and every month.

This is the big hidden mgmt. cost associated with commodity OS's.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
Bill Gunshannon
2017-05-22 18:01:12 UTC
Post by Kerry Main
-----Original Message-----
Gunshannon via Info-vax
Sent: May 22, 2017 10:54 AM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
[snip]
Post by Kerry Main
The big difference is that the large number of monthly security issues
causing very public issues with real customers using commodity OS's is
well published in the press.
And that doesn't mean mine weren't properly secured.
You were either lucky or you were religiously applying the monthly
patches. When native / kernel level services have remote access flaws,
regardless any good SysAdmin work to secure systems becomes less
relevant.
The patches aren't a silver bullet. A fully patched system can be just
as vulnerable as an unpatched one.
Post by Kerry Main
Post by Kerry Main
Re: "I just don't know about them" - You only have to talk to Mr. Google
to find Windows issues that have impacted many similar university
environments as yours.
And that doesn't mean mine weren't properly secured.
Define "properly secured".
Go read the NIST White Papers and the stuff put out by DISA.
All of which I have mentioned here numerous times in the past.

STIGS - Security Technical Implementation Guides

They had one for VMS for a long time. But that probably means nothing
to most people here.
Post by Kerry Main
In my mind, this means religiously applying all the monthly Windows
server based security patches that were applicable to the kernels,
services and apps applicable to your environment.
Is this a strategy that you implemented as part of your "properly
secured" environment?
The boxes were kept up to date but it takes a lot more than that,
no matter what the OS.
Post by Kerry Main
Post by Kerry Main
And for those that think Linux is any better than Windows, I would refer
them to the Red Hat security (not bug fixes, just security) patches
<https://www.redhat.com/archives/enterprise-watch-list/> Click on thread
for any month, going back as long as you want and add them up. Also look
at number of monthly "kernel" issues. Yes, not all security patches
apply to all environments, but someone has to review this list on a
regular basis to determine which applies to their environment and which
do not. This assumes of course, the SysAdmin knows what services every
OS is using on the hundreds of V/P OS's they use.
With OpenVMS, yes, there have been proven security issues in previous
decades (Finger albeit on VAX only, SMG - 10-15 years ago - both of
which required accounts on the system, and a few others). Yes,
potentially, there will be issues in the future because no platform can
state they are 100% secure. Having stated this, while there are lots of
theoretical "may or could or might impact OpenVMS" type issues, there
are no real examples in the press.
It is extremely difficult to find any mention of any recent security
issues causing any real issues impacting Customer OpenVMS applications.
Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.
Certainly willing to be corrected, but if someone has any examples, I
would love to see a pointer.
I have given you examples. Numerous instances of Server 2003, 2008,
2012. No system level intrusions, ever.
I was referring to examples of OpenVMS. The number of Windows Server
security issues that have impacted Cust's is huge.
And yet I ran Windows Server for over 20 years, starting with NT and
never had one of these "security issues". It can be done.
Post by Kerry Main
Linux in various flavors. RedHat, CentOS, Debian. No system level
intrusions, ever.
I was referring to examples of OpenVMS. The number of Linux Server
security issues that have impacted Cust's is huge.
Also see point above about "properly secured". This means you must have
been very busy with monthly security patches that impacted whatever
server versions you were running.
And you're saying that VMS Sysadmins sit around drinking coffee and their
systems just run securely by magic?


I often wonder how many VMS systems have been "visited" back in the days
when they shipped with maintenance accounts with well known passwords.
Post by Kerry Main
Same for FreeBSD (well, they have had one since I left but even with
no one watching the store it took a year and a half before my work
fell far enough behind for it to happen!!)
You really need to give it a rest. No OS is secure out of the box.
Not Windows, not Unix, and not VMS. All of them can be run in a
secure manner if the admins are knowledgeable enough and willing
to put in the effort needed. And, no, Windows and Unix don't take
any more effort to secure than VMS does.
bill
Who said anything about "out of the box?"
Again, no one is saying OpenVMS is 100% secure. You did read my related
comments on this right?
Actually, lots of people here have been saying that for years.
VMS - secure. Anything else - unsecure.
Post by Kerry Main
The issue is when the SysAdmin does all they can and then the system is
breached (remotely or via logged in user) by one of the many monthly
security patch issues that have not yet been patched - for whatever
reason (and there are many).
And yet, in 20 years it never happened at an academic site where the
kids have lots of free time on their hands.
Post by Kerry Main
It is a question of the VOLUME of security patches that a SysAdmin or
OPS dept has to review, test, create deployment pkgs, then schedule
(change mgmt. / CABS are such a wonderful experience)/ deploy,
deploy/test each and every month.
This is the big hidden mgmt. cost associated with commodity OS's.
Security patches not being released for VMS does not mean there are no
flaws. It more likely means no one is looking for them.

bill
Kerry Main
2017-05-22 18:37:19 UTC
-----Original Message-----
Gunshannon via Info-vax
Sent: May 22, 2017 2:01 PM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
Post by Kerry Main
-----Original Message-----
Bill Gunshannon via Info-vax
Sent: May 22, 2017 10:54 AM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
Post by Kerry Main
[snip]
Post by Kerry Main
The big difference is that the large number of monthly security issues
causing very public issues with real customers using commodity OS's is
well published in the press.
And that doesn't mean mine weren't properly secured.
You were either lucky or you were religiously applying the monthly
patches. When native / kernel level services have remote access flaws,
regardless any good SysAdmin work to secure systems becomes less
relevant.
The patches aren't a silver bullet. A fully patched system can be just
as vulnerable as an unpatched one.
Post by Kerry Main
Post by Kerry Main
Re: "I just don't know about them" - You only have to talk to Mr. Google
to find Windows issues that have impacted many similar university
environments as yours.
And that doesn't mean mine weren't properly secured.
Define "properly secured".
Go read the NIST White Papers and the stuff put out by DISA.
All of which I have mentioned here numerous times in the past.
STIGS - Security Technical Implementation Guides
They had one for VMS for a long time. But that probably means nothing
to most people here.
Security Guides like this are best practices which usually state
something in the document along the lines of "review vendor published
security patches to determine which ones are applicable to your
environment, test important applications with these patches, and then
roll-out the new security patches after ITSM or similar change
management processes are followed"
Post by Kerry Main
In my mind, this means religiously applying all the monthly Windows
server based security patches that were applicable to the kernels,
services and apps applicable to your environment.
Is this a strategy that you implemented as part of your "properly
secured" environment?
The boxes were kept up to date but it takes a lot more than that,
no matter what the OS.
Keeping boxes up to date with security is a minimum base level activity.
It is expected.

Log file reviews, user awareness, disabling services not used, training
etc. are all layered on top of keeping the box current.

If a system is breached and the known security patch has not been
applied, regardless of whether the SysAdmin was able to schedule
downtime with the business, it is usually the SysAdmin (or the server
group as a whole) who gets roasted by senior mgmt.
Post by Kerry Main
Post by Kerry Main
And for those that think Linux is any better than Windows, I would refer
them to the Red Hat security (not bug fixes, just security) patches
<https://www.redhat.com/archives/enterprise-watch-list/> Click on thread
for any month, going back as long as you want and add them up. Also look
at number of monthly "kernel" issues. Yes, not all security patches
apply to all environments, but someone has to review this list on a
regular basis to determine which applies to their environment and which
do not. This assumes of course, the SysAdmin knows what services every
OS is using on the hundreds of V/P OS's they use.
With OpenVMS, yes, there have been proven security issues in previous
decades (Finger albeit on VAX only, SMG - 10-15 years ago - both of
which required accounts on the system, and a few others). Yes,
potentially, there will be issues in the future because no platform can
state they are 100% secure. Having stated this, while there are lots of
theoretical "may or could or might impact OpenVMS" type issues, there
are no real examples in the press.
It is extremely difficult to find any mention of any recent security
issues causing any real issues impacting Customer OpenVMS applications.
Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.
Certainly willing to be corrected, but if someone has any examples, I
would love to see a pointer.
I have given you examples. Numerous instances of Server 2003, 2008,
2012. No system level intrusions, ever.
I was referring to examples of OpenVMS. The number of Windows Server
security issues that have impacted Cust's is huge.
And yet I ran Windows Server for over 20 years, starting with NT and
never had one of these "security issues". It can be done.
Did not say it could not be done. Having stated this, if you had stated
you never had a breach without keeping your boxes up to date, then that
would leave me wondering why not.
Post by Kerry Main
Linux in various flavors. RedHat, CentOS, Debian. No system level
intrusions, ever.
I was referring to examples of OpenVMS. The number of Linux Server
security issues that have impacted Cust's is huge.
Also see point above about "properly secured". This means you must have
been very busy with monthly security patches that impacted whatever
server versions you were running.
And you're saying that VMS Sysadmins sit around drinking coffee and their
systems just run securely by magic?
I often wonder how many VMS systems have been "visited" back in the days
when they shipped with maintenance accounts with well known
passwords.
If we want to discuss 20+ year old issues, I wonder how many Windows NT
3.5 security issues there were?
Post by Kerry Main
Same for FreeBSD (well, they have had one since I left but even with
no one watching the store it took a year and a half before my work
fell far enough behind for it to happen!!)
You really need to give it a rest. No OS is secure out of the box.
Not Windows, not Unix, and not VMS. All of them can be run in a
secure manner if the admins are knowledgeable enough and willing
to put in the effort needed. And, no, Windows and Unix don't take
any more effort to secure than VMS does.
bill
Who said anything about "out of the box?"
Again, no one is saying OpenVMS is 100% secure. You did read my related
comments on this right?
Actually, lots of people here have been saying that for years.
VMS - secure. Anything else - unsecure.
Well, speaking for myself, to the best of my recollection, I have never
stated OpenVMS was 100% secure - even back in the days when Andrew and I
(and others) were debating OpenVMS vs. Solaris and Linux was but a
twinkle in Linus's eyes.
Post by Kerry Main
The issue is when the SysAdmin does all they can and then the system is
breached (remotely or via logged in user) by one of the many monthly
security patch issues that have not yet been patched - for whatever
reason (and there are many).
And yet, in 20 years it never happened at an academic site where the
kids have lots of free time on their hands.
Post by Kerry Main
It is a question of the VOLUME of security patches that a SysAdmin or
OPS dept has to review, test, create deployment pkgs, then schedule
(change mgmt. / CABS are such a wonderful experience)/ deploy,
deploy/test each and every month.
This is the big hidden mgmt. cost associated with commodity OS's.
Security patches not being released for VMS does not mean there are no
flaws. It more likely means no one is looking for them.
bill
However, if you were running a highly sensitive app on OpenVMS, from a
security (ok, not marketing) perspective, would this not be a good
thing?

Again, no OS platform is 100% secure.

There are always going to be security challenges from more sophisticated
hackers, but if 95+% of the world's hackers and script kiddies only know
Windows /Linux /UNIX, is that not a good thing from an OpenVMS Customer
security perspective?


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
David Froble
2017-05-22 21:01:55 UTC
Post by Kerry Main
There are always going to be security challenges from more sophisticated
hackers, but if 95+% of the world's hackers and script kiddies only know
Windows /Linux /UNIX, is that not a good thing from an OpenVMS Customer
security perspective?
You mean like walking on the sidewalk, instead of the middle of the street, and
looking both ways before crossing?

Reputed quote by Bear Bryant, legendary football coach, "luck follows speed" ...

:-)
Stephen Hoffman
2017-05-22 21:55:42 UTC
Post by David Froble
Post by Kerry Main
There are always going to be security challenges from more
sophisticated hackers, but if 95+% of the world's hackers and script
kiddies only know Windows /Linux /UNIX, is that not a good thing from
an OpenVMS Customer security perspective?
You mean like walking on the sidewalk, instead of the middle of the
street, and looking both ways before crossing?
That does seem a pabulum, doesn't it? Then there's the question of
whether "sophisticated" hacking is even needed for accessing many of
the OpenVMS servers. As for folks with experience, I was on the
receiving end of a CTF stage that involved OpenVMS; some part of the
qualification for DEFCON, IIRC. A number of the folks engaged in that
CTF learned a whole lot about OpenVMS very quickly, too. Oh, and some
of the available hacking tools do show up configuration issues with
OpenVMS servers, having used those tools in various security reviews.
That's before rummaging a list of CVEs that likely or do apply to
OpenVMS components and which really isn't rocket science. And for not
the first time, nobody that's attacking a server cares if the
vulnerable software is part of the base OS or a layered product or some
add-on or out-of-scope and supposed-to-be-network-segment-isolated,
it's all targets of opportunity and if it's there, it's a target.
Which means bringing the whole configuration forward, including TLSv1.3
support and encrypted cluster transports and a host of other updates
already discussed. But then I also don't understand why Kerry is even
pointing to changes in how some folks partition their applications and
their clusters either, as most of the server or servers are still going
to have to communicate with other systems effectively and securely.
VSI is aware of a number of CVEs and issues and is doing work here, and
there's a whole lot more work beyond VSI IP, and then there's the
not-insubstantial ongoing work, as well as the necessary work getting
the revenue streams built and flowing.
--
Pure Personal Opinion | HoffmanLabs LLC
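The patch-review step Kerry describes (work out which vendor advisories apply to the components and services actually present, then queue the applicable ones for test and change management) and Stephen Hoffman's point that an attacker does not care whether the vulnerable piece is base OS or a layered product come down to the same bookkeeping. The following is an added example, not code from either poster or from VSI: a small Python triage that compares a constructed advisory list against a constructed host inventory (advisory ids, component names and version strings are hypothetical) and orders the resulting work queue by whether the component is enabled, whether the flaw is remotely reachable, and severity.

```python
"""Advisory triage: decide which vendor security patches apply to one host.

Added example; the advisory ids, component names and versions below are
constructed for illustration and describe no real product or vulnerability.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


@dataclass(frozen=True)
class Advisory:
    ident: str       # vendor advisory id (hypothetical)
    component: str   # base-OS package or layered product the fix belongs to
    fixed_in: str    # first version that carries the fix
    severity: str    # vendor rating, one of SEVERITY_RANK
    remote: bool     # True if exploitable without an account on the host


@dataclass(frozen=True)
class Installed:
    version: str
    enabled: bool    # the component is actually started / reachable


def version_key(v):
    """Map '8.4-2L1' to ((8, ''), (4, ''), (2, 'L1')) so versions compare
    numerically on each dotted or dashed part, with a letter suffix breaking
    ties. A part that does not start with a digit sorts below numeric parts."""
    key = []
    for part in re.split(r"[.\-]", v):
        m = re.fullmatch(r"(\d+)([A-Za-z0-9]*)", part)
        key.append((int(m.group(1)), m.group(2)) if m else (-1, part))
    return tuple(key)


def triage(advisories, inventory):
    """Return [(advisory, status)] with the most urgent work first.

    status is:
      'patch_now'     vulnerable version installed and the component is enabled
      'patch_planned' vulnerable version installed but the component is disabled
                      (still patch it: a disabled service is one startup
                      command away from being reachable)
      'not_affected'  component absent, or already at or beyond fixed_in
    """
    results = []
    for adv in advisories:
        inst = inventory.get(adv.component)
        if inst is None or version_key(inst.version) >= version_key(adv.fixed_in):
            status = "not_affected"
        elif inst.enabled:
            status = "patch_now"
        else:
            status = "patch_planned"
        results.append((adv, status))
    order = {"patch_now": 0, "patch_planned": 1, "not_affected": 2}
    # Within a status, remotely reachable flaws outrank local ones, then severity.
    results.sort(key=lambda r: (order[r[1]], not r[0].remote,
                                SEVERITY_RANK[r[0].severity], r[0].ident))
    return results


def work_queue(advisories, inventory):
    """Advisory ids that need action on this host, most urgent first."""
    return [a.ident for a, s in triage(advisories, inventory) if s != "not_affected"]


# Constructed sample data (not a real advisory feed and not a real host).
ADVISORIES = [
    Advisory("ADV-0001", "base-os", "9.2-1", "high", remote=False),
    Advisory("ADV-0002", "ssh-daemon", "7.4", "critical", remote=True),
    Advisory("ADV-0003", "mail-gateway", "3.2", "moderate", remote=True),
    Advisory("ADV-0004", "webserver", "2.4.25", "critical", remote=True),
]
HOST = {
    "base-os": Installed("9.2", enabled=True),         # 9.2 < 9.2-1: vulnerable
    "ssh-daemon": Installed("7.4", enabled=True),      # already at the fixed version
    "mail-gateway": Installed("3.1", enabled=True),    # vulnerable and reachable
    "webserver": Installed("2.4.18", enabled=False),   # installed but not started
}

if __name__ == "__main__":
    for adv, status in triage(ADVISORIES, HOST):
        print(f"{adv.ident:9} {adv.component:13} {adv.severity:9} {status}")
```

The version comparison is the piece that is easy to get wrong: a plain string compare puts "2.4.25" before "2.4.3", and a release suffix such as "-1" or "L1" has to be compared against a missing suffix without throwing. The inventory also has to include layered products and add-ons, not just the base OS, or the triage will report "not_affected" for exactly the components an attacker goes after first.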
Kerry Main
2017-05-22 23:53:04 UTC
-----Original Message-----
Stephen Hoffman via Info-vax
Sent: May 22, 2017 5:56 PM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
Post by David Froble
Post by Kerry Main
There are always going to be security challenges from more
sophisticated hackers, but if 95+% of the world's hackers and script
kiddies only know Windows /Linux /UNIX, is that not a good thing from
an OpenVMS Customer security perspective?
You mean like walking on the sidewalk, instead of the middle of the
street, and looking both ways before crossing?
That does seem a pabulum, doesn't it? Then there's the question of
whether "sophisticated" hacking is even needed for accessing many of
the OpenVMS servers. As for folks with experience, I was on the
receiving end of a CTF stage that involved OpenVMS; some part of the
qualification for DEFCON, IIRC. A number of the folks engaged in that
CTF learned a whole lot about OpenVMS very quickly, too. Oh, and some
of the available hacking tools do show up configuration issues with
OpenVMS servers, having used those tools in various security reviews.
That's before rummaging a list of CVEs that likely or do apply to
OpenVMS components and which really isn't rocket science. And for not
the first time, nobody that's attacking a server cares if the
vulnerable software is part of the base OS or a layered product or some
add-on or out-of-scope and supposed-to-be-network-segment-isolated,
it's all targets of opportunity and if it's there, it's a target.
Which means bringing the whole configuration forward, including TLSv1.3
support and encrypted cluster transports and a host of other updates
already discussed. But then I also don't understand why Kerry is even
pointing to changes in how some folks partition their applications and
their clusters either, as most of the server or servers are still going
to have to communicate with other systems effectively and securely.
VSI is aware of a number of CVEs and issues and is doing work here, and
there's a whole lot more work beyond VSI IP, and then there's the
not-insubstantial ongoing work, as well as the necessary work getting
the revenue streams built and flowing.
Again, as stated many times, yes, there is lots of room for improvement.
No one is saying there is no catch-up to do. The new TCPIP stack will be
but one of many steps for improving the overall features. VSI knows they
have lots to do in this area.

Having stated this, with all of the many mission critical OpenVMS
environments around the globe, I am not aware of any security bugs in
the last 5+ years that have resulted in a Cust OpenVMS environment being
negatively impacted by an OS level security issue. User account /
password issues are platform independent so there are likely some issues
in this area.

Again, read my prev sentence.

Regards,

Kerry Main
Kerry dot main at starkgaming dot com
a***@yahoo.com
2017-05-22 21:16:07 UTC
Post by Kerry Main
-----Original Message-----
Gunshannon via Info-vax
Sent: May 22, 2017 2:01 PM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
Post by Kerry Main
-----Original Message-----
Bill Gunshannon via Info-vax
Sent: May 22, 2017 10:54 AM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
Post by Kerry Main
[snip]
Post by Kerry Main
The big difference is that the large number of monthly security issues
causing very public issues with real customers using commodity OS's is
well published in the press.
And that doesn't mean mine weren't properly secured.
You were either lucky or you were religiously applying the monthly
patches. When native / kernel level services have remote access flaws,
regardless any good SysAdmin work to secure systems becomes less
relevant.
The patches aren't a silver bullet. A fully patched system can be just
as vulnerable as an unpatched one.
Post by Kerry Main
Post by Kerry Main
Re: "I just don't know about them" - You only have to talk to Mr. Google
to find Windows issues that have impacted many similar university
environments as yours.
And that doesn't mean mine weren't properly secured.
Define "properly secured".
Go read the NIST White Papers and the stuff put out by DISA.
All of which I have mentioned here numerous times in the past.
STIGS - Security Technical Implementation Guides
They had one for VMS for a long time. But that probably means nothing
to most people here.
Security Guides like this are best practices which usually state
something in the document along the lines of "review vendor published
security patches to determine which ones are applicable to your
environment, test important applications with these patches, and then
roll-out the new security patches after ITSM or similar change
management processes are followed"
I am not a sysadmin, but I'd guess that Bill was talking about something very different.
Like systematic application of principle of least privilege.
Like not running services that you can live without.
Like running services that you can't live without only at the time you need them. And other similar things.
Kerry Main
2017-05-22 23:10:20 UTC
-----Original Message-----
already5chosen--- via Info-vax
Sent: May 22, 2017 5:16 PM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
Post by Kerry Main
-----Original Message-----
Bill Gunshannon via Info-vax
Sent: May 22, 2017 2:01 PM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
Post by Kerry Main
Post by Kerry Main
-----Original Message-----
Bill Gunshannon via Info-vax
Sent: May 22, 2017 10:54 AM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
Post by Kerry Main
[snip]
Post by Kerry Main
The big difference is that the large number of monthly security issues
causing very public issues with real customers using commodity OS's is
well published in the press.
And that doesn't mean mine weren't properly secured.
You were either lucky or you were religiously applying the monthly
patches. When native / kernel level services have remote access flaws,
regardless any good SysAdmin work to secure systems becomes less
relevant.
The patches aren't a silver bullet. A fully patched system can be just
as vulnerable as an unpatched one.
Post by Kerry Main
Post by Kerry Main
Re: "I just don't know about them" - You only have to talk to Mr. Google
to find Windows issues that have impacted many similar university
environments as yours.
And that doesn't mean mine weren't properly secured.
Define "properly secured".
Go read the NIST White Papers and the stuff put out by DISA.
All of which I have mentioned here numerous times in the past.
STIGS - Security Technical Implementation Guides
They had one for VMS for a long time. But that probably means nothing
to most people here.
Security Guides like this are best practices which usually state
something in the document along the lines of "review vendor published
security patches to determine which ones are applicable to your
environment, test important applications with these patches, and then
roll-out the new security patches after ITSM or similar change
management processes are followed"
I am not a sysadmin, but I'd guess that Bill was talking about something
very different.
Like systematic application of principle of least privilege.
Like not running services that you can live without.
Like running services that you can't live without only at the time you
need them. And other similar things.
That again is basically following best security practices that are often
referred to as "Server OS hardening".

Server OS hardening best practices still requires the application of
vendor OS patches that are applicable to those services that are
required.

Internet definition -

"Server Hardening is the process of enhancing server security through a
variety of means which results in a much more secure server operating
environment."

Regards,

Kerry Main
Kerry dot main at starkgaming dot com
David Froble
2017-05-22 20:57:27 UTC
Post by Bill Gunshannon
Actually, lots of people here have been saying that for years.
VMS - secure. Anything else - unsecure.
Well, the devil is in the details, as usual.

What is VMS? Note that TCP/IP has not been sold as part of the OS.

:-)

So, if much of the problem is in the TCP/IP, then one could not count that
against VMS security. Yeah, yeah, I know, what good is a general purpose OS
today without TCP/IP? Not very ...

This is why lawyers make (extort) money ....
Post by Bill Gunshannon
Security patches not being released for VMS does not mean there are no
flaws. It more likely means no one is looking for them.
Quite likely.

That people say they have never had a problem is no proof that there are no
problems. It's like saying one is a safe driver because one hasn't had any
wrecks, yet ...
Jason Howe
2017-05-22 22:52:03 UTC
Post by David Froble
That people say they have never had a problem is no proof that there are no
problems. It's like saying one is a safe driver because one hasn't had any
wrecks, yet ...
Indeed, this brings to mind a quote of Eeyore from the original Winnie the Pooh
books, "They're funny things, Accidents. You never have them until you're
having them."

I've found this sentiment to be broadly applicable to various areas of life.

IT security breaches, being one of them.
--
Jason
Jason Howe
2017-05-22 23:03:50 UTC
Post by Kerry Main
-----Original Message----- From: Info-vax
premier mailserver for OpenVMS
[snip]
Post by Kerry Main
The big difference is that the large number of monthly security issues
causing very public issues with real customers using commodity OS's is
well published in the press.
And that doesn't mean mine weren't properly secured.
You were either lucky or you were religiously applying the monthly patches.
When native / kernel level services have remote access flaws, regardless any
good SysAdmin work to secure systems becomes less relevant.
The patches aren't a silver bullet. A fully patched system can be just as
vulnerable as an unpatched one.
Post by Kerry Main
Re: "I just don't know about them" - You only have to talk to Mr. Google
to find Windows issues that have impacted many similar university
environments as yours.
And that doesn't mean mine weren't properly secured.
Define "properly secured".
Go read the NIST White Papers and the stuff put out by DISA. All of which I
have mentioned here numerous times in the past.
STIGS - Security Technical Implementation Guides
They had one for VMS for a long time. But that probably means nothing to most
people here.
Post by Kerry Main
In my mind, this means religiously applying all the monthly Windows server
based security patches that were applicable to the kernels, services and apps
applicable to your environment.
Is this a strategy that you implemented as part of your "properly secured"
environment?
The boxes were kept up to date but it takes a lot more than that, no matter
what the OS.
Post by Kerry Main
And for those that think Linux is any better than Windows, I would refer
<https://www.redhat.com/archives/enterprise-watch-list/> Click on thread
for any month, going back as long as you want and add them up. Also look
at number of monthly "kernel" issues. Yes, not all security patches apply
to all environments, but someone has to review this list on a regular basis
to determine which applies to their environment and which
do not. This assumes of course, the SysAdmin knows what services every
OS is using on the hundreds of V/P OS's they use.
With OpenVMS, yes, there have been proven security issues in previous
decades (Finger albeit on VAX only, SMG - 10-15 years ago - both of which
required accounts on the system, and a few others). Yes, potentially,
there will be issues in the future because no platform can
state they are 100% secure. Having stated this, while there are lots of
theoretical "may or could or might impact OpenVMS" type issues, there
are no real examples in the press.
It is extremely difficult to find any mention of any recent security issues
causing any real issues impacting Customer OpenVMS applications.
Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.
Certainly willing to be corrected, but if someone has any examples, I
would love to see a pointer.
I have given you examples. Numerous instances of Server 2003, 2008, 2012.
No system level intrusions, ever.
I was referring to examples of OpenVMS. The number of Windows Server security
issues that have impacted Cust's is huge.
And yet I ran Windows Server for over 20 years, starting with NT and never had
one of these "security issues". It can be done.
Post by Kerry Main
Linux in various flavors. RedHat, CentOS Debian. No system level
intrusions, ever.
I was referring to examples of OpenVMS. The number of Linux Server security
issues that have impacted Cust's is huge.
Also see point above about "properly secured". This means you must have been
very busy with monthly security patches that impacted whatever server
versions you were running.
And you're saying that VMS Sysadmins sit around drinking coffee and their
systems just run securely by magic?
I often wonder how many VMS systems have been "visited" back in the days when
they shipped with maintenance accounts with well known passwords.
Post by Kerry Main
Same for FreeBSD (well, they have had one since I left but even with no one
watching the store it took a year and a half before my work fell far enough
behind for it to happen!!)
You really need to give it a rest. No OS is secure out of the box. Not
Windows, not Unix, and not VMS. All of them can be run in a secure manner
if the admins are knowledgeable enough and willing to put in the effort
needed. And, no, Windows and Unix don't take any more effort to secure than
VMS does.
bill
Who said anything about "out of the box?"
Again, no one is saying OpenVMS is 100% secure. You did read my related
comments on this right?
Actually, lots of people here have been saying that for years. VMS - secure.
Anything else - unsecure.
It's almost worse than that. At a certain point it comes across as "VMS admins
know how to secure their systems. Everyone else? Who knows!" I'm not singling
anyone out here, it's just a general feeling I've noticed. I've made the
point before, though perhaps not explicitly enough, that a system is only as
secure/reliable as its Administrator. That includes engaging in all the
"Best Practices" for your particular platform.

It seems that some folks tend to focus on one very secure piece of their
environment, rather than taking a holistic look at security and risk assessment.
It's all only as secure as the weakest link. Have you identified yours? What
did you do to mitigate it? What's the next one?

Stay Safe,
Jason
David Froble
2017-05-23 03:51:21 UTC
Post by Jason Howe
It seems that some folks tend to focus on one very secure piece of their
environment, rather than taking a holistic look at security and risk assessment.
It's all only as secure as the weakest link. Have you identified yours? What
did you do to mitigate it? What's the next one?
You mean like, several locks and such on the front door, while the back door is
standing wide open?

:-)
Simon Clubley
2017-05-24 18:33:24 UTC
Post by Kerry Main
It is extremely difficult to find any mention of any recent security
issues causing any real issues impacting Customer OpenVMS applications.
Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.
Security by obscurity is not the same thing as a secure operating system.

Why on earth do you think I have been pushing VSI to get a formal and
public security reporting system underway _now_ before knowledge that
VMS is about to become available on x86-64 becomes more widely known ?

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Paul Sture
2017-05-24 18:57:29 UTC
Post by Simon Clubley
Post by Kerry Main
It is extremely difficult to find any mention of any recent security
issues causing any real issues impacting Customer OpenVMS applications.
Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.
Security by obscurity is not the same thing as a secure operating system.
Why on earth do you think I have been pushing VSI to get a formal and
public security reporting system underway _now_ before knowledge that
VMS is about to become available on x86-64 becomes more widely known ?
I have a feeling that those conversant with exploits in the x86-64 world
will see the entry of VMS onto that platform as a challenge worth taking
up, particularly if it is being marketed as a secure OS.

VSI really does need a decent reporting system in place before that
happens. I agree with you on that, and also see it as an important
part of marketing.

If/when vulnerability reports start to flow, in today's world any lack
of a decent reporting structure will be picked on pretty sharply.
--
Everybody has a testing environment. Some people are lucky enough to
have a totally separate environment to run production in.
Kerry Main
2017-05-25 01:31:11 UTC
-----Original Message-----
Simon Clubley via Info-vax
Sent: May 24, 2017 2:33 PM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
Post by Kerry Main
It is extremely difficult to find any mention of any recent security
issues causing any real issues impacting Customer OpenVMS applications.
Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.
Security by obscurity is not the same thing as a secure operating system.
Why on earth do you think I have been pushing VSI to get a formal and
public security reporting system underway _now_ before knowledge that
VMS is about to become available on x86-64 becomes more widely known ?
Simon.
While I agree with you that a formal security reporting process is
needed at some point, I certainly do not expect a huge rush of security
issues to magically appear just because OpenVMS is running on X86-64.

If there is a security issue that a good security researcher resource is
trying to report, a simple temporary workaround is to visit the VSI
"Contact Us" home page at: (has phone #'s, email)
<http://www.vmssoftware.com/contact.html>

In addition, if a regular here on c.o.v. were to discover a security
issue, they likely know the appropriate VSI contacts to notify.

When the beta release of OpenVMS X86-64 is released, as in all previous
releases, I expect there will be a beta issue reporting process as well.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
Simon Clubley
2017-05-25 13:06:22 UTC
Post by Kerry Main
While I agree with you that a formal security reporting process is
needed at some point, I certainly do not expect a huge rush of security
issues to magically appear just because OpenVMS is running on X86-64.
I would not be too sure of that given the "VMS! VMS! VMS number one!"
tone on VSI's security webpage.
Post by Kerry Main
If there is a security issue that a good security researcher resource is
trying to report, a simple temporary workaround is to visit the VSI
"Contact Us" home page at: (has phone #'s, email)
<http://www.vmssoftware.com/contact.html>
So are you happy to inform the intelligence agencies of a vulnerability
in VMS that they can use against any VMS site they choose ?

Because that's what you are doing when you send normal unencrypted
email to an OS vendor in the US.
Post by Kerry Main
In addition, if a regular here on c.o.v. were to discover a security
issue, they likely know the appropriate VSI contacts to notify.
And there is currently no way to contact VSI _securely_.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Kerry Main
2017-05-26 23:50:10 UTC
-----Original Message-----
Simon Clubley via Info-vax
Sent: May 25, 2017 9:06 AM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
Post by Kerry Main
While I agree with you that a formal security reporting process is
needed at some point, I certainly do not expect a huge rush of security
issues to magically appear just because OpenVMS is running on X86-64.
I would not be too sure of that given the "VMS! VMS! VMS number one!"
tone on VSI's security webpage.
Post by Kerry Main
If there is a security issue that a good security researcher resource is
trying to report, a simple temporary workaround is to visit the VSI
"Contact Us" home page at: (has phone #'s, email)
<http://www.vmssoftware.com/contact.html>
So are you happy to inform the intelligence agencies of a vulnerability
in VMS that they can use against any VMS site they choose ?
Because that's what you are doing when you send normal unencrypted
email to an OS vendor in the US.
Post by Kerry Main
In addition, if a regular here on c.o.v. were to discover a security
issue, they likely know the appropriate VSI contacts to notify.
And there is currently no way to contact VSI _securely_.
Simon.
Time for basics .. pick up telephone, call VSI phone number listed on "Contact Us"

Course, the bad guys or N S A could be listening, so maybe one should drive to Bolton and present a hand written letter.

😊

Again, yes, a security reporting process is needed, but it’s a matter of priorities.

OpenVMS on X86-64 will not even be available until next year.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
Simon Clubley
2017-05-27 17:27:48 UTC
Post by Kerry Main
Time for basics .. pick up telephone, call VSI phone number listed on "Contact Us"
Course, the bad guys or N S A could be listening, so maybe one
should drive to Bolton and present a hand written letter.
Again, yes, a security reporting process is needed, but it’s a matter of priorities.
OpenVMS on X86-64 will not even be available until next year.
Ok, if you want basics, then consider this:

As I have mentioned before, vulnerabilities do not affect upcoming
sales, they affect the current installed base.

The current installed base includes a large base on HPE support.

Those HPE systems are very likely to be affected by the same
vulnerabilities reported to VSI. Furthermore, it is quite possible
for a vulnerability which is found on one VMS hardware architecture
to exist on another VMS hardware architecture.

Therefore, if a VSI bug report leaks then it very likely affects
similar systems currently under support at HPE.

Is that basic enough for you ? :-)

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
David Froble
2017-05-25 02:26:14 UTC
Post by Simon Clubley
Post by Kerry Main
It is extremely difficult to find any mention of any recent security
issues causing any real issues impacting Customer OpenVMS applications.
Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.
Security by obscurity is not the same thing as a secure operating system.
Reality is what it is. For whatever reasons, if VMS systems are not having
issues, then, "they are not having issues".

You can argue "what if" all you want, but you really cannot dispute "what is".

That mentioned, there is the case of losing your "obscurity" ..
Post by Simon Clubley
Why on earth do you think I have been pushing VSI to get a formal and
public security reporting system underway _now_ before knowledge that
VMS is about to become available on x86-64 becomes more widely known ?
You can beat that horse all you want. I do believe Clare has mentioned that
he's done his part, and if the manpower isn't available this week, or this
month, or whatever, then, it's not available. VSI by need is following the
money. You ready to cough up some?
Simon Clubley
2017-05-25 13:10:19 UTC
Post by David Froble
Post by Simon Clubley
Security by obscurity is not the same thing as a secure operating system.
Reality is what it is. For whatever reasons, if VMS systems are not having
issues, then, "they are not having issues".
You can argue "what if" all you want, but you really cannot dispute "what is".
That mentioned, there is the case of losing your "obscurity" ..
You also don't know what vulnerabilities the intelligence agencies
(for example) may currently have for VMS.
Post by David Froble
Post by Simon Clubley
Why on earth do you think I have been pushing VSI to get a formal and
public security reporting system underway _now_ before knowledge that
VMS is about to become available on x86-64 becomes more widely known ?
You can beat that horse all you want. I do believe Clare has mentioned that
he's done his part, and if the manpower isn't available this week, or this
month, or whatever, then, it's not available. VSI by need is following the
money. You ready to cough up some?
In fairness to Clair, the last round of public discussions we had
here revealed that once I had raised the issue, he had tackled it
rather quickly.

The holdup now appears to be somewhere in the rest of VSI.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
John Reagan
2017-05-25 12:39:00 UTC
Post by Simon Clubley
Post by Kerry Main
It is extremely difficult to find any mention of any recent security
issues causing any real issues impacting Customer OpenVMS applications.
Again, I am not saying there are no OpenVMS security issues and/or
processes to be addressed (there certainly are) but as far as I know,
there have been no recent (last 5 years?) OpenVMS based security issues
in the press describing impacted Customer services.
Security by obscurity is not the same thing as a secure operating system.
Why on earth do you think I have been pushing VSI to get a formal and
public security reporting system underway _now_ before knowledge that
VMS is about to become available on x86-64 becomes more widely known ?
Simon.
OK, I need some education here. My view is that email is hard to secure due to its store-and-forward nature. The end point doesn't have to be even on the net when you send the initial email.

That is unlike things like Telegram, Signal, Whatsapp, etc. which trade keys and establish the secure end-to-end connection to send the message. (There are rumors that the CIA has broken into Signal/Whatsapp messages)

I think the best you can do with email is PGP keys. And that is what you see Apple doing. They have a regular email address and they provide their public PGP keys that you can use to encrypt email you send to Apple and to verify that security statements from Apple are indeed from Apple.

https://support.apple.com/en-us/HT201220

https://support.apple.com/en-us/HT201214

Are you suggesting anything more than that?
Simon Clubley
2017-05-25 13:19:31 UTC
Post by John Reagan
I think the best you can do with email is PGP keys. And that is what you
see Apple doing. They have a regular email address and they provide their
public PGP keys that you can use to encrypt email you send to Apple and to
verify that security statements from Apple are indeed from Apple.
https://support.apple.com/en-us/HT201220
https://support.apple.com/en-us/HT201214
Are you suggesting anything more than that?
No, that's the kind of thing I am suggesting.

HPE also do something similar:

https://www.hpe.com/h41268/live/index_e.aspx?qid=11503

It turns out that Clair created something around 6 months ago after
I started raising the issue but due to holdups somewhere else in VSI
it's still not on the VSI website after all that time.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Stephen Hoffman
2017-05-25 17:50:53 UTC
Post by John Reagan
Post by Simon Clubley
Security by obscurity is not the same thing as a secure operating system.
Why on earth do you think I have been pushing VSI to get a formal and
public security reporting system underway _now_ before knowledge that
VMS is about to become available on x86-64 becomes more widely known ?
Simon.
OK, I need some education here. My view is that email is hard to
secure due to its store-and-forward nature. The end point doesn't have
to be even on the net when you send the initial email.
That is unlike things like Telegram, Signal, Whatsapp, etc. which trade
keys and establish the secure end-to-end connection to send the
message. (There are rumors that the CIA has broken into Signal/Whatsapp
messages)
I think the best you can do with email is PGP keys. And that is what
you see Apple doing. They have a regular email address and they
provide their public PGP keys that you can use to encrypt email you
send to Apple and to verify that security statements from Apple are
indeed from Apple.
https://support.apple.com/en-us/HT201220
https://support.apple.com/en-us/HT201214
Are you suggesting anything more than that?
You're right about metadata being exposed with email. But there's
rather more here.

We have no idea what the internal organization of VSI is. Who is
responsible for what. Who's still working at VSI, for that matter and
who has left in disgrace. With no clear point of contact — what Simon
has been hammering on — we have no single point for security report
submissions. There's no ***@VSISOFTWARE.EXAMPLE.COM address.
No PGP keys. There are no posted guidelines, either. This as
discussed above.

Now as for email encryption, posting public keys and PGP keys means we
can post reports to VSI that only VSI security folks with access to the
VSI private key can read. This addressing the privacy of the message
contents — though not the general metadata issues with the mail — at
least so long as the posted public key is valid and the posted private
key is kept, well, private. Folks with access to all but our clients
can't see the messages, and folks at VSI without private key access
also can't see, and y'all can keep your clients with security access
and security-related data isolated as that becomes necessary. It's
not scattered in clients all over VSI, and potentially clients both on
and off your VSI internal network.

Another and very useful reason for that security account is that it can
also be a (trusted) source of outbound notifications; of messages and
packages that are digitally signed with the VSI private key. That's
the security announcement list that's mentioned in the Apple postings
above, among other uses. How y'all notify us to update our systems
more quickly, if (when) security problems are identified and fixes made
available.

Okay. So now it's time to teach everybody here how to cause problems
both for VSI and for VSI customers. Y'all are far too fond of using
random email accounts around here on comp.os.vms newsgroup and in
private email sent around. Some of your senior management routinely
posts from gmail. That's a problem. Why? That teaches us that
random gmail accounts are VSI folks. That means that we might end up
sending bug reports to folks that are not actually VSI folks, or are
not still VSI folks (fired, whatever), or to accounts that have
non-VSI folks reading the mail. (Yes, these cases can happen with VSI
accounts, but hopefully rather less often.) Possibly including
sensitive bug reports. That usage also means that we might happen to
receive mail from ***@EXAMPLE.COM with some OpenVMS executable
VSI-CLUE-COLLECT.EXE attached, and some poor schmucks out here might
actually load and run that code and... who knows what
***@EXAMPLE.COM really sent them. Or maybe it's not an
attachment, it's ***@EXAMPLE.COM sending a pointer to a
download that's hosted at the VS1SOFTWARE.COM, VSİSOFTWARE.COM,
VS|SOFTWARE.COM or vsisoſtware.com web site, etc. Or that they sent
you, for that matter.)

BTW, this is just a subset of the problems here. I hope y'all have
2-factor authentication enabled on your gmail accounts if you're using
those for intra-VSI messages, as well as having 2FA enabled on the VSI
email services, because y'all are fracking huge targets, and the
results of one of you making a very-easy-to-make mistake here are...
large. Such as one of you getting phished — or somebody else with
legitimate access to one of your shared systems at home that also
happens to have, for instance, access to your VSI email — then using
that to phish somebody else at VSI with yet more access. Yes, this
stuff is happening, too. Here's an organization that got nailed by a
single download: https://panic.com/blog/stolen-source-code/ — and they
weren't aiming at that organization. Ponder whether they inserted
something into Panic's code.

Networks are hugely more hostile than they were, even a few years ago.

I'll give y'all (VSI) a freebie, too. I'll visit Bolton, and provide
a session and a Q&A on this topic. At no charge. Why? Because I
don't want to be cleaning up after an OpenVMS breach, and I really
don't want to be cleaning up after a VSI breach. OpenVMS was already
targeted by Mr Mitnick ~thirty years ago. Y'all are larger targets
now too, both collectively and individually. To put a scale on the
value here, your individual and organizational value as a target is
close to the sum of the value of what's stored on our OpenVMS systems;
the aggregate value of any VSI OpenVMS systems being actively
maintained and updated.

ps: Don't infer that I'm disparaging Google gmail in the above message,
either. Google gmail with 2FA enabled is more secure than most of
the privately-managed mail servers around the 'net.
--
Pure Personal Opinion | HoffmanLabs LLC
John Reagan
2017-05-25 18:55:13 UTC
Post by Stephen Hoffman
Okay. So now it's time to teach everybody here how to cause problems
both for VSI and for VSI customers. Y'all are far too fond of using
random email accounts around here on comp.os.vms newsgroup and in
private email sent around. Some of your senior management routinely
posts from gmail. That's a problem. Why? That teaches us that
random gmail accounts are VSI folks. That means that we might end up
I've had my ***@gmail.com account before I moved to VSI. I also use it
(and other anonymous accounts) for non-VSI things. I rarely look at my inbox.
I don't encourage sending stuff to that account (a few folks have sent email
there)

As for sending bug reports to my vmssoftware.com account, yes, that presumes
that I didn't get fired for sloppy BLISS coding or other obscene gestures.
It also presumes that I don't leave my Mac unlocked when I leave my office
or that our mail server isn't still running WinXP with SMBv1 enabled. It
also presumes that I'm not a Russian foreign agent (I'm not but if I was,
I'd lie about it).

No argument from me about using a static account or some non-email method
to send in bug reports (see: https://bugreport.apple.com). I've personally
never received a security bug report. Perhaps I'm not trustworthy.

John (if that's my real name)
Stephen Hoffman
2017-05-25 19:05:59 UTC
Post by Stephen Hoffman
Okay. So now it's time to teach everybody here how to cause problems
both for VSI and for VSI customers. Y'all are far too fond of using
random email accounts around here on comp.os.vms newsgroup and in
private email sent around. Some of your senior management routinely
posts from gmail. That's a problem. Why? That teaches us that
random gmail accounts are VSI folks. That means that we might end up
use it (and other anonymous accounts) for non-VSI things. I rarely
look at my inbox. I don't encourage sending stuff to that account (a
few folks have sent email there)
As for sending bug reports to my vmssoftware.com account, yes, that
presumes that I didn't get fired for sloppy BLISS coding or other
obscene gestures. It also presumes that I don't leave my Mac unlocked
when I leave my office or that our mail server isn't still running
WinXP with SMBv1 enabled. It also presumes that I'm not a Russian
foreign agent (I'm not but if I was, I'd lie about it).
No argument from me about using a static account or some non-email
method to send in bug reports (see: https://bugreport.apple.com).
I've personally never received a security bug report. Perhaps I'm not
trustworthy.
John (if that's my real name)
Use your VSI address here. Always. Or do I need to go register
***@gmail.com and then see how many of your coworkers I can fool,
and how many folks I can fool here?
Hey {VSI name}, can you install this attached new kit for {language
critical} or this new VMS patch for {whatever critical} on your server?
Or we wait until somebody decides y'all are worth the very small effort
to target and gain access, and away we go...
--
Pure Personal Opinion | HoffmanLabs LLC
John Reagan
2017-05-25 20:03:22 UTC
Post by Stephen Hoffman
Post by Stephen Hoffman
Okay. So now it's time to teach everybody here how to cause problems
both for VSI and for VSI customers. Y'all are far too fond of using
random email accounts around here on comp.os.vms newsgroup and in
private email sent around. Some of your senior management routinely
posts from gmail. That's a problem. Why? That teaches us that
random gmail accounts are VSI folks. That means that we might end up
use it (and other anonymous accounts) for non-VSI things. I rarely
look at my inbox. I don't encourage sending stuff to that account (a
few folks have sent email there)
As for sending bug reports to my vmssoftware.com account, yes, that
presumes that I didn't get fired for sloppy BLISS coding or other
obscene gestures. It also presumes that I don't leave my Mac unlocked
when I leave my office or that our mail server isn't still running
WinXP with SMBv1 enabled. It also presumes that I'm not a Russian
foreign agent (I'm not but if I was, I'd lie about it).
No argument from me about using a static account or some non-email
method to send in bug reports (see: https://bugreport.apple.com).
I've personally never received a security bug report. Perhaps I'm not
trustworthy.
John (if that's my real name)
Use your VSI address here. Always. Or do I need to go register
and how many folks I can fool here?
I use Google Groups (I know, another rathole for another thread) so I need an email. I also use the same email for non-computer groups and for my extensive collection of cat videos on YouTube. Using my work email for non-work activities doesn't feel right either. [BTW, I won't ever send you a link to a cat video. If you get one, it isn't from me.]
Post by Stephen Hoffman
Hey {VSI name}, can you install this attached new kit for {language
critical} or this new VMS patch for {whatever critical} on your server?
Or we wait until somebody decides y'all are worth the very small effort
to target and gain access, and away we go...
Well, all patches from VSI are signed with the VSI private key. PCSI/VMSINSTAL will bitch about it (unless you choose to tell PCSI to ignore the validation, but that's your explicit choice). So even if I send you a patch kit, you can't trust it if the key doesn't match. There might have been a man-in-the-middle that unpacked the PCSI kit, added some malware, and repacked the kit.
Stephen Hoffman
2017-05-25 21:02:32 UTC
Post by John Reagan
Use your VSI address here. Always. Or do I need to go register
fool, and how many folks I can fool here?
I use Google Groups (I know, another rathole for another thread) so I
need an email. I also use the same email for non-computer groups and
for my extensive collection of cat videos on YouTube. Using my work
email for non-work activities doesn't feel right either. [BTW, I won't
ever send you a link to a cat video. If you get one, it isn't from me.]
Your security is our security. You are a target. A big one. Cat
videos would be the best possible outcome here, too.
Post by John Reagan
Hey {VSI name}, can you install this attached new kit for {language
critical} or this new VMS patch for {whatever critical} on your server?
Or we wait until somebody decides y'all are worth the very small
effort to target and gain access, and away we go...
Well, all patches from VSI are signed with the VSI private key.
PCSI/VMSINSTAL will bitch about it (unless you choose to tell PCSI to
ignore the validation, but that's your explicit choice). So even if I
send you a patch kit, you can't trust it if the key doesn't match.
There might have been a man-in-the-middle that unpacked the PCSI kit,
added some malware, and repacked the kit.
I'm sure all of the internal-use and testing-related executables and
test kits and one-off images that get passed around both for internal
use and for customers and any copies of standalone tools are all
digitally signed. For somebody that's a little more inclined to cause
problems or more interested in breaching your systems or customer
systems, it's clear that everybody that runs an unsigned kit — which
happens once or twice — knows how to check a new public-key cert
that's been loaded, too.

Why spend the effort with SCS or DECnet traffic on individual OpenVMS
hosts when pwning more might just be feasible?

But my offer stands. I'll come down to Bolton — free — and discuss
security, security reporting, bug bounties, and recent attacks.
--
Pure Personal Opinion | HoffmanLabs LLC
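The signed-kit check John Reagan describes above, together with the caveat in Stephen Hoffman's reply about an unsigned kit or a freshly loaded public key, as an added example in Go. This is not code from the original posts, from VSI, or from PCSI: the Kit type, the manifest layout, the member names and the kit contents are constructed for illustration, Ed25519 stands in for whatever key and format VSI actually uses, and the ignoreValidation flag plays the part of the explicit operator choice to skip PCSI's validation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Kit is a hypothetical stand-in for a patch kit: a name plus member files.
type Kit struct {
	Name    string
	Members map[string][]byte
}

// Manifest lists every member with its SHA-256, sorted so the encoding is
// canonical; one signature over it covers the whole kit.
func Manifest(k Kit) []byte {
	names := make([]string, 0, len(k.Members))
	for n := range k.Members {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	fmt.Fprintf(&b, "kit %s\n", k.Name)
	for _, n := range names {
		sum := sha256.Sum256(k.Members[n])
		fmt.Fprintf(&b, "%s %s\n", n, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// SignKit produces the vendor's detached signature over the manifest.
func SignKit(priv ed25519.PrivateKey, k Kit) []byte {
	return ed25519.Sign(priv, Manifest(k))
}

var ErrBadSignature = errors.New("kit signature does not verify under the trusted vendor key")

// VerifyKit recomputes the manifest from the kit as received and checks the
// signature against the key the installer trusts; any member added, removed
// or altered after signing fails. ignoreValidation models skipping the check.
func VerifyKit(trusted ed25519.PublicKey, k Kit, sig []byte, ignoreValidation bool) error {
	if ignoreValidation {
		return nil
	}
	if !ed25519.Verify(trusted, Manifest(k), sig) {
		return ErrBadSignature
	}
	return nil
}

// Repack models the man-in-the-middle from the post: unpack, add a member, repack.
func Repack(k Kit) Kit {
	t := Kit{Name: k.Name, Members: map[string][]byte{}}
	for n, data := range k.Members {
		t.Members[n] = data
	}
	t.Members["[SYSEXE]EXTRA.EXE"] = []byte("constructed payload")
	return t
}

type Outcome struct {
	GenuineVerifies              bool // signed kit, trusted vendor key: accepted
	RepackedRejected             bool // member added after signing: rejected
	RepackedAcceptedIfIgnored    bool // same kit, validation switched off: accepted
	AttackerKeyRejected          bool // repacked kit re-signed by the attacker: rejected
	AttackerKeyAcceptedIfTrusted bool // ...unless the attacker's key gets loaded as trusted
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo runs the five cases and reports what the installer decided in each.
func Demo() Outcome {
	vendorPub, vendorPriv := mustKey()
	attackerPub, attackerPriv := mustKey()
	kit := Kit{Name: "VSI-EXAMPLE-PATCH", Members: map[string][]byte{ // constructed sample kit
		"[SYSEXE]PATCHED.EXE": []byte("constructed image contents"),
		"[SYSLIB]PATCHED.OLB": []byte("constructed library contents"),
	}}
	sig := SignKit(vendorPriv, kit)
	bad := Repack(kit)
	badSig := SignKit(attackerPriv, bad)
	return Outcome{
		GenuineVerifies:              VerifyKit(vendorPub, kit, sig, false) == nil,
		RepackedRejected:             errors.Is(VerifyKit(vendorPub, bad, sig, false), ErrBadSignature),
		RepackedAcceptedIfIgnored:    VerifyKit(vendorPub, bad, sig, true) == nil,
		AttackerKeyRejected:          VerifyKit(vendorPub, bad, badSig, false) != nil,
		AttackerKeyAcceptedIfTrusted: VerifyKit(attackerPub, bad, badSig, false) == nil,
	}
}
```

The last two cases are the point of Hoffman's caveat: a repacked kit signed with the attacker's own key is rejected only as long as the installer's trusted key is the vendor's, so the step that loads a new public key has to be verified out of band with the same care as the kit itself.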
Simon Clubley
2017-05-26 17:27:18 UTC
But my offer stands. I'll come down to Bolton — free — and discuss
security, security reporting, bug bounties, and recent attacks.
And if you are greeted by someone who doesn't know you face to face,
I hope the first thing they do is to make you prove your identity
before allowing you deeper into the VSI building. :-)

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
u***@gmail.com
2017-05-26 06:36:24 UTC
Post by John Reagan
Post by Stephen Hoffman
Post by Stephen Hoffman
Okay. So now it's time to teach everybody here how to cause problems
both for VSI and for VSI customers. Y'all are far too fond of using
random email accounts around here on comp.os.vms newsgroup and in
private email sent around. Some of your senior management routinely
posts from gmail. That's a problem. Why? That teaches us that
random gmail accounts are VSI folks. That means that we might end up
use it (and other anonymous accounts) for non-VSI things. I rarely
look at my inbox. I don't encourage sending stuff to that account (a
few folks have sent email there)
As for sending bug reports to my vmssoftware.com account, yes, that
presumes that I didn't get fired for sloppy BLISS coding or other
obscene gestures. It also presumes that I don't leave my Mac unlocked
when I leave my office or that our mail server isn't still running
WinXP with SMBv1 enabled. It also presumes that I'm not a Russian
foreign agent (I'm not but if I was, I'd lie about it).
No argument from me about using a static account or some non-email
method to send in bug reports (see: https://bugreport.apple.com).
I've personally never received a security bug report. Perhaps I'm not
trustworthy.
John (if that's my real name)
Use your VSI address here. Always. Or do I need to go register
and how many folks I can fool here?
I use Google Groups (I know, another rathole for another thread) so I need an email. I also use the same email for non-computer groups and for my extensive collection of cat videos on YouTube. Using my work email for non-work activities doesn't feel right either. [BTW, I won't ever send you a link to a cat video. If you get one, it isn't from me.]
Post by Stephen Hoffman
Hey {VSI name}, can you install this attached new kit for {language
critical} or this new VMS patch for {whatever critical} on your server?
Or we wait until somebody decides y'all are worth the very small effort
to target and gain access, and away we go...
Well, all patches from VSI are signed with the VSI private key. PCSI/VMSINSTAL will bitch about it (unless you choose to tell PCSI to ignore the validation, but that's your explicit choice). So even if I send you a patch kit, you can't trust it if the key doesn't match. There might have been a man-in-the-middle that unpacked the PCSI kit, added some malware, and repacked the kit.
this is the kind of employee I would want :)
Simon Clubley
2017-05-26 17:33:31 UTC
Post by John Reagan
As for sending bug reports to my vmssoftware.com account, yes, that presumes
that I didn't get fired for sloppy BLISS coding or other obscene gestures.
It also presumes that I don't leave my Mac unlocked when I leave my office
or that our mail server isn't still running WinXP with SMBv1 enabled. It
also presumes that I'm not a Russian foreign agent (I'm not but if I was,
I'd lie about it).
It also assumes various intelligence services are not monitoring email
that's in transit to the VSI mailboxes so they can look for bug reports
(for example) which they can use to compromise VMS systems.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Kerry Main
2017-05-26 23:42:19 UTC
-----Original Message-----
Stephen Hoffman via Info-vax
Sent: May 25, 2017 1:51 PM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
[snip ..]
ps: Don't infer that I'm disparaging Google gmail in the above message,
either. Google gmail with 2FA enabled is more secure than most of
the privately-managed mail servers around the 'net.
ROTFL ...
From the Google privacy policy they state explicitly they WILL scan your emails looking for interesting information to "share" (sell) to their partners. They require you to agree to this in order to create the account.
Now, they say it is no content, but do you really believe them?

What if a disgruntled Google SysAdmin decided to go deeper?

Not sure about others here, but some of the "targeted" popup ads I receive seem a whole lot more targeted than generic advertising.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
Jason Howe
2017-05-17 20:03:31 UTC
Post by Jason Howe
HOW ABOUT SECURITY SO YOU CAN ACTUALLY READ YOUR MAIL AND THE REST OF THE
WORLD CAN'T
Surely, you're joking Mr. Ultradwc!
I assume you mean not read at the transport level, as once it gets to your
own server, it's a bit easier to keep secure than when the information is on
the wire.
As far as transport on the wire goes, as with any point-to-point
communication, even when encrypted, it's difficult to determine if there is a
man-in-the-middle SSL proxy doing deep-packet inspection on the fly (hint,
there probably is), or if the mailserver that sends it to you is even the
originating server -- maybe the outgoing or receiving mailserver is
multiplexing mail out to a shadow NSA account -- but you'll never know.
Please tell me how VMS allows me to detect/guard against those scenarios any
better than a different mailsystem. I think the best any mail system can
hope for is to enforce transport level encryption, to at least keep the
plain-text packet sniffers at bay...but honestly, for determined parties, I'm
not sure how much of a guard that is anyway. It probably helps with message
tampering en-route though.
Obviously, the easy answer to this is to encrypt the text of your messages
with an encryption key which only the receiving party has. This, however, is
a fairly impractical solution as far as email goes, and I'd recommend a
different communications protocol if you need that level of secrecy.
-- Jason
I am talking server level. If it is so easy to secure, why all the server
breaches and stolen mail and info? Surely you are joking.
Are you arguing that the underlying OS has anything to do with the following:
poor systems administration (unpatched software/open configurations)
poor application coding (SQL Injection / XSS attacks)
social engineering/phishing (to get/reset credentials)
weak/common passwords (YOU are the weakest link!)

Those seem to be some of the top ways that folks get breached.

Seriously though, please name a common attack vector out there and then explain
how OpenVMS/Linux/Windows either mitigates or exacerbates the likelihood of
success of that attack. My general thought is that it's all a complete
shit-show (much of it application specific) and the folks who provide reliable
and timely patches to new attack vectors as they are discovered win the security
award.
--
Jason
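The end-to-end option in the quoted post above (encrypt the body with a key only the receiving party has), which is also the only thing that would keep the bug reports Simon Clubley worries about from being read in transit, as an added example in Go. It is not code from the original posts or from any OpenVMS mail product. The construction chosen here is hybrid encryption (RSA-OAEP wrapping a fresh AES-256-GCM content key), the key sizes and report text are made up, and the "intermediary" is simply a second key pair standing in for a TLS-inspecting proxy or relay that holds transport keys but not the recipient's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Sealed is what would travel inside the mail body: a per-message content key
// wrapped to the recipient's RSA public key, and the AES-GCM ciphertext of the
// report. A relay or TLS-terminating proxy on the path sees exactly these bytes.
type Sealed struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body so that only the holder of the recipient's private key can
// read it. The content key is fresh for every message and never leaves the endpoints.
func Seal(recipient *rsa.PublicKey, body []byte) (Sealed, error) {
	key := make([]byte, 32) // AES-256 content key
	if _, err := rand.Read(key); err != nil {
		return Sealed{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}, nil
}

// Open recovers the body with the recipient's private key. A wrong key or a
// ciphertext modified in transit fails authentication rather than decrypting
// to garbage, so tampering is detected instead of silently accepted.
func Open(priv *rsa.PrivateKey, s Sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

func mustRSA() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo plays the scenario through: the intended recipient reads the report, an
// intermediary holding a different key cannot, and a report altered on the wire
// is rejected. The three results are returned in that order.
func Demo() (recipientReads, intermediaryReads, tamperedReads bool) {
	recipient := mustRSA()
	intermediary := mustRSA() // e.g. an inspecting proxy's own key pair
	report := []byte("constructed bug report: hypothetical crash with attached reproducer")

	sealed, err := Seal(&recipient.PublicKey, report)
	if err != nil {
		panic(err)
	}
	got, err := Open(recipient, sealed)
	recipientReads = err == nil && bytes.Equal(got, report)

	_, err = Open(intermediary, sealed)
	intermediaryReads = err == nil

	tampered := sealed
	tampered.Ciphertext = append([]byte(nil), sealed.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = Open(recipient, tampered)
	tamperedReads = err == nil
	return
}
```

What this does not solve is the part the quoted post calls impractical: the recipient's public key still has to reach the sender by a path the intermediary cannot substitute, and the envelope (sender, recipient, subject, timing) stays visible to every hop.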
Stephen Hoffman
2017-05-17 21:34:33 UTC
Post by Jason Howe
Are you arguing that the underlying OS has anything to do with the
following: poor systems administration (unpatched software/open
configurations) poor application coding (SQL Injection / XSS attacks)
social engineering/phishing (to get/reset credentials) weak/common
passwords (YOU are the weakest link!)
Those seem to be some of the top ways that folks get breached.
Ayup. Phishing and spear-phishing is particularly popular lately, too.
Post by Jason Howe
Seriously though, please name a common attack vector out there and then
explain how OpenVMS/Linux/Windows either mitigates or exacerbates the
likelihood of success of that attack. My general thought is that it's
all a complete shit-show (much of it application specific) and the
folks who provide reliable and timely patches to new attack vectors as
they are discovered win the security award.
All that, and the end-user folks and the product teams that expend the
effort to make application and network and server exploitation that
much harder, and installing those updates that much quicker, and around
easily and expeditiously performing and recovering data from backups.
Getting a consistent and recoverable live backup of RMS-based OpenVMS
applications is... problematic, too.
--
Pure Personal Opinion | HoffmanLabs LLC
IanD
2017-05-21 18:08:40 UTC
On Thursday, May 18, 2017 at 7:34:35 AM UTC+10, Stephen Hoffman wrote:

<snip>
Post by Stephen Hoffman
Getting a consistent and recoverable live backup of RMS-based OpenVMS
applications is... problematic, too.
This is our pain point too

Shadowing 'can' help but again, it's all hit and miss and all you're doing is reducing the snap-shot window, not eliminating the root cause that there doesn't seem to be any way to take a 100% clean backup of an RMS file while it's in use

RMS has journalling but this doesn't help when it comes to backups and it has performance hits we simply could not tolerate

What was good in times gone by doesn't necessarily translate into what is good today unless it's been modernized along the way

Besides that, there are other file systems out there that make a lot of these issues go away and have rather good snapshot options (zfs for example)

That leads me to another question, asked elsewhere I think, What is the new flashy file-system that is coming to VMS? Will it address these sorts of limitations around clean backups?
Jan-Erik Soderholm
2017-05-21 19:10:34 UTC
Post by IanD
<snip>
Post by Stephen Hoffman
Getting a consistent and recoverable live backup of RMS-based OpenVMS
applications is... problematic, too.
This is our pain point too
Shadowing 'can' help but again, it's all hit and miss and all you're doing
is reducing the snap-shot window, not eliminating the root cause that
there doesn't seem to be any way to take a 100% clean backup of an RMS
file while it's in use
RMS has journalling but this doesn't help when it comes to backups and
it has performance hits we simply could not tolerate
What was good in times gone by doesn't necessarily translate into what
is good today unless it's been modernized along the way
Besides that, there are other file systems out there that make a lot of
these issues go away and have rather good snapshot options (zfs for
example)
That leads me to another question, asked elsewhere I think, What is the
new flashy file-system that is coming to VMS? Will it address these
sorts of limitations around clean backups?
The solution might be to not keep your live data in plain RMS files
but to use a proper database product that fully supports online
and consistent backups.
Stephen Hoffman
2017-05-21 22:38:13 UTC
Post by IanD
<snip>
Post by Stephen Hoffman
Getting a consistent and recoverable live backup of RMS-based OpenVMS
applications is... problematic, too.
This is our pain point too
Shadowing 'can' help but again, it's all hit and miss and all you're
doing is reducing the snap-shot window, not eliminating the root cause
that there doesn't seem to be any way to take a 100% clean backup of an
RMS file while it's in use
RMS has journalling but this doesn't help when it comes to backups and
it has performance hits we simply could not tolerate
What was good in times gone by doesn't necessarily translate into what
is good today unless it's been modernized along the way
Besides that, there are other file systems out there that make a lot of
these issues go away and have rather good snapshot options (zfs for
example)
That leads me to another question, asked elsewhere I think, What is the
new flashy file-system that is coming to VMS? Will it address these
sorts of limitations around clean backups?
The volume structure needs to get the blocks in and out. It's RMS and
the application that know what's going on, however. Most RMS
applications — OpenVMS applications, as well as user applications —
don't wrap their activities in transactions, which means there's no
knowledge of quiescence. This isn't the volume structure so much as
OpenVMS itself — SYSUAF and RIGHTSLIST et al, mail et al, the queue
manager, user-written applications, etc — not having any means of
synchronization of backups with file I/O activity. Getting this to
work better requires changes to the application, as well as to some
other pieces.

Options include using a different database and one that supports
transactions and backups, or work in RMS and applications and backup
and HBVS to provide the same.

This is basically the same problem that storage-level controllers have
with getting a good and restorable snapshot.

I'm not entirely certain that ZFS gets a consistent snapshot that's
coordinated with the application I/O activity, or if it reduces the
window akin to what HBVS can be used for.

Converting and tuning RMS files is somewhat less common in many OpenVMS
environments in recent years, but that's another and related issue.

In many cases, OpenVMS folks and Unix folks just ignore the possibility
of partial transactions. And most folks usually get away with it,
too. Or the folks choose and use a different database and one that
has transactions and integrated support for this and other features.
--
Pure Personal Opinion | HoffmanLabs LLC
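Hoffman's point above, that a restorable backup needs the application's knowledge of where its transactions begin and end, and IanD's earlier remark that RMS journalling exists but does not by itself give you a clean backup, as an added example in Go. This is not code from the original posts or from OpenVMS: the DataFile type with its fixed-length records is a constructed stand-in for an RMS file, the before-image journal is a constructed stand-in for recovery-unit journalling, the mutex stands in for whatever quiesce point the application and the backup agree on, and the balances are made-up sample data.

```go
package main

import (
	"encoding/binary"
	"sync"
)

const recSize = 8 // one int64 balance per fixed-length record

// JournalEntry is a before-image: the value a record held before a
// transaction touched it, plus whether that transaction went on to commit.
type JournalEntry struct {
	Txn       int
	Record    int
	OldValue  int64
	Committed bool
}

// DataFile stands in for an RMS file updated one record at a time. mu is the
// quiesce point: held for a whole transaction, so a copy that takes it can
// only ever see the file at a transaction boundary.
type DataFile struct {
	mu      sync.Mutex
	records []byte
	journal []JournalEntry
	txns    int
}

func NewDataFile(balances []int64) *DataFile {
	f := &DataFile{records: make([]byte, recSize*len(balances))}
	for i, b := range balances {
		f.set(i, b)
	}
	return f
}

func (f *DataFile) get(i int) int64    { return int64(binary.LittleEndian.Uint64(f.records[i*recSize:])) }
func (f *DataFile) set(i int, v int64) { binary.LittleEndian.PutUint64(f.records[i*recSize:], uint64(v)) }

// RawCopy is a block-level copy with no coordination: whatever is on disk now.
func (f *DataFile) RawCopy() []byte { return append([]byte(nil), f.records...) }

// ConsistentCopy takes the quiesce lock, so it waits for any transaction in
// flight to finish instead of copying through the middle of it.
func (f *DataFile) ConsistentCopy() []byte {
	f.mu.Lock()
	defer f.mu.Unlock()
	return f.RawCopy()
}

// Transfer moves amount between two records as two separate writes, logging
// before-images first and the commit last. onMidpoint runs between the two
// writes, which is exactly where an uncoordinated copy sees a torn file.
func (f *DataFile) Transfer(from, to int, amount int64, onMidpoint func()) {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.txns++
	f.journal = append(f.journal,
		JournalEntry{Txn: f.txns, Record: from, OldValue: f.get(from)},
		JournalEntry{Txn: f.txns, Record: to, OldValue: f.get(to)})
	f.set(from, f.get(from)-amount)
	if onMidpoint != nil {
		onMidpoint()
	}
	f.set(to, f.get(to)+amount)
	for i := range f.journal {
		if f.journal[i].Txn == f.txns {
			f.journal[i].Committed = true
		}
	}
}

// Recover rolls every uncommitted transaction back out of a raw snapshot by
// restoring before-images; the journal must have been captured with the snapshot.
func Recover(snapshot []byte, journal []JournalEntry) []byte {
	out := append([]byte(nil), snapshot...)
	for _, e := range journal {
		if !e.Committed {
			binary.LittleEndian.PutUint64(out[e.Record*recSize:], uint64(e.OldValue))
		}
	}
	return out
}

// Total sums a snapshot's balances. A transfer never changes the total, so a
// total that moved is proof the copy is torn.
func Total(snapshot []byte) int64 {
	var t int64
	for i := 0; i+recSize <= len(snapshot); i += recSize {
		t += int64(binary.LittleEndian.Uint64(snapshot[i:]))
	}
	return t
}

// Demo returns the totals seen by: the file before any transaction, a raw copy
// taken mid-transaction, that copy repaired from its journal, and a coordinated
// copy requested mid-transaction (delivered only after the boundary).
func Demo() (start, rawMid, repaired, coordinated int64) {
	f := NewDataFile([]int64{100, 50, 25}) // constructed sample balances
	start = Total(f.RawCopy())
	torn, tornJournal := []byte(nil), []JournalEntry(nil)
	done := make(chan []byte, 1)
	f.Transfer(0, 1, 30, func() {
		torn = f.RawCopy()
		tornJournal = append([]JournalEntry(nil), f.journal...)
		go func() { done <- f.ConsistentCopy() }() // blocks on mu until Transfer returns
	})
	rawMid = Total(torn)
	repaired = Total(Recover(torn, tornJournal))
	coordinated = Total(<-done)
	return
}
```

Two things worth noticing. The raw mid-transaction copy is wrong by exactly the in-flight amount and nothing in the copy itself says so; only an application-level invariant (or the journal) reveals it. And the journal only helps if it is captured in the same instant as the data, which is the same coordination problem moved one file over, so shrinking the window with shadowing does not remove the need for the application to expose its boundaries.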
u***@gmail.com
2017-05-21 21:18:46 UTC
Post by Jason Howe
Post by Jason Howe
HOW ABOUT SECURITY SO YOU CAN ACTUALLY READ YOUR MAIL AND THE REST OF THE
WORLD CAN'T
Surely, you're joking Mr. Ultradwc!
I assume you mean not read at the transport level, as once it gets to your
own server, it's a bit easier to keep secure than when the information is on
the wire.
As far as transport on the wire goes, as with any point-to-point
communication, even when encrypted, it's difficult to determine if there is a
man-in-the-middle SSL proxy doing deep-packet inspection on the fly (hint,
there probably is), or if the mailserver that sends it to you is even the
originating server -- maybe the outgoing or receiving mailserver is
multiplexing mail out to a shadow NSA account -- but you'll never know.
Please tell me how VMS allows me to detect/guard against those scenarios any
better than a different mailsystem. I think the best any mail system can
hope for is to enforce transport level encryption, to at least keep the
plain-text packet sniffers at bay...but honestly, for determined parties, I'm
not sure how much of a guard that is anyway. It probably helps with message
tampering en-route though.
Obviously, the easy answer to this is to encrypt the text of your messages
with an encryption key which only the receiving party has. This, however, is
a fairly impractical solution as far as email goes, and I'd recommend a
different communications protocol if you need that level of secrecy.
-- Jason
I am talking server level. If it is so easy to secure, why all the server
breaches and stolen mail and info? Surely you are joking.
poor systems administration (unpatched software/open configurations)
poor application coding (SQL Injection / XSS attacks)
social engineering/phishing (to get/reset credentials)
weak/common passwords (YOU are the weakest link!)
Those seem to be some of the top ways that folks get breached.
Seriously though, please name a common attack vector out there and then explain
how OpenVMS/Linux/Windows either mitigates or exacerbates the likelihood of
success of that attack. My general thought is that it's all a complete
shit-show (much of it application specific) and the folks who provide reliable
and timely patches to new attack vectors as they are discovered win the security
award.
--
Jason
malware hacks are the most dangerous and I can
eliminate those on openvms.
Stephen Hoffman
2017-05-21 22:23:24 UTC
malware hacks are the most dangerous and I can eliminate those on openvms.
If you're referring to the cause of breaches, malware simply isn't the
cause of well over half of the breaches listed in the 2017 Verizon
DBIR. (It's humans: phishing, spear-phishing, and insider threats.)

As for malware and security, we've already discussed areas where
OpenVMS trails other platforms.

As for business factors, I just don't see folks abandoning Windows
Server, Exchange Server and Sharepoint or other existing mail servers
for OpenVMS in enough numbers to particularly matter. Certainly not
until VSI gets some ease-of-use work done — fewer folks want to deal
with command-line-managed systems these days — and gets the prices in
better alignment with competitive platforms and that including the
x86-64 platform shipping and stable. As for folks looking to add a
third-party mail server stack to OpenVMS, that adds to the costs and
complexity and support — and it opens up other competing mixed-vendor
configurations on other platforms, too.

Or just buy the hardware and software for the mail server
configurations, and offer to host mail for folks.
--
Pure Personal Opinion | HoffmanLabs LLC
Kerry Main
2017-05-22 13:41:30 UTC
-----Original Message-----
Stephen Hoffman via Info-vax
Sent: May 21, 2017 6:23 PM
Subject: Re: [Info-vax] Announcing a premier mailserver for OpenVMS
malware hacks are the most dangerous and I can eliminate those on
openvms.
If you're referring to the cause of breaches, malware simply isn't the
cause of well over half of the breaches listed in the 2017 Verizon
DBIR. (It's humans: phishing, spear-phishing, and insider threats.)
As for malware and security, we've already discussed areas where
OpenVMS trails other platforms.
Agree, but I would love a pointer to any real Cust environment that has yet been impacted by any of these potential issues you have raised.
As for business factors, I just don't see folks abandoning Windows
Server, Exchange Server and Sharepoint or other existing mail servers
for OpenVMS in enough numbers to particularly matter. Certainly not
until VSI gets some ease-of-use work done — fewer folks want to deal
with command-line-managed systems these days — and gets the prices in
better alignment with competitive platforms and that including the
x86-64 platform shipping and stable. As for folks looking to add a
third-party mail server stack to OpenVMS, that adds to the costs and
complexity and support — and it opens up other competing mixed-
vendor
configurations on other platforms, too.
Agree that most new mail servers will not likely sell on IA64. That’s pretty much a given.

However, how does adding a commercial mail server to OpenVMS (with additional costs) differ from adding a commercial mail server like Exchange (with additional costs) to Windows?

Yes, mgmt. gui's are important, but many of these are written in Java or remote client mgmt. via browser, so the server OS is not that critical for Apps mgmt.

[snip..]


Regards,

Kerry Main
Kerry dot main at starkgaming dot com