Post by Stephen Hoffman
FWIW... Some interesting topics, and some topics related to recent
discussions here in the comp.os.vms newsgroup. Some relevant to
OpenVMS. Some not.
The most recent OpenSSH has taken some steps to mitigate RAMBleed,
Spectre, and ilk, by keeping the private keys encrypted when not in
immediate use.
Hacking into a hardware security module (HSM):
In some organizations, HSMs are used as vaults for sensitive
information such as private keys and passwords.
Yet another supply-chain attack, this time against some Android devices:
"The Influence of Organizational Structure on Software Quality: an
Empirical Case Study"
"the organizational metrics when applied to data from Windows Vista
were statistically significant predictors of failure-proneness."
x86 Rust-based OS paging intro—some background for how another
operating system implements virtual memory paging and memory protection
on x86, for those interested in details:
"Zanzibar: Google’s Consistent, Global Authorization System"
"Zanzibar scales to trillions of access control lists and millions of
authorization requests per second to support services used by billions
of people. It has maintained 95th-percentile latency of less than 10
milliseconds and availability of greater than 99.999% over 3 years of
Some cryptography source code programming examples:
C++11 and multi-threading, given a C++11 compiler implementation is
planned for VSI OpenVMS x86-64...
KLEE, automated test coverage using LLVM compilers:
"Netflix has identified several TCP networking vulnerabilities in
FreeBSD and Linux kernels."
There's no reproducer/test available quite yet, but that'll undoubtedly
be posted online (somewhere) fairly soon...
"TaxDC: A Taxonomy of Non-Deterministic Concurrency Bugs in Datacenter
"We present TaxDC, the largest and most comprehensive taxonomy of
non-deterministic concurrency bugs in distributed systems..."
Wanna learn vim?
In addition to the existing MiTM Proxy, there's now PolarProxy:
VSI OpenVMS with VAFS is incompatible with host-based volume shadowing
"The new file system will support disks > 2TB. Shadowing doesn't, and
cannot without a lot of work."
(The addressing limit here is technically 2 TiB, and not 2 TB.)
Cloud hosting for security-conscious customers is very big business.
This particular cloud-hosting contract process has been going for a
while for those that might have missed earlier discussions, too.
Oracle, Amazon AWS, Microsoft Azure, IBM, and US DoD contracts:
"Yesterday, I had a story taken down on Forbes for a post about Jedi DoD"
"Title: Modern Star Wars: JEDI, the Dark Side and the Fight for the
Future of the Military"
Some other related reading:
ps: There's a nasty Firefox bug around, and one that's reportedly being
exploited in targeted attacks. Patch to current, if you're using
Firefox or Firefox ESR...
Pure Personal Opinion | HoffmanLabs LLC
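An added illustration of the private-key "shielding" mentioned above, not
code from the post or from OpenSSH itself: the plaintext key is encrypted
under a key derived from a large random prekey, so an attacker leaking
memory a few bits at a time (RAMBleed, Spectre) needs every bit of a 16 KiB
prekey plus the ciphertext before a single key byte is recoverable. Sizes
and the SHA-512 derivation follow OpenSSH; the cipher here is an
HMAC-SHA256 counter-mode keystream standing in for OpenSSH's AES-256-CTR,
since Python's standard library has no AES. The `flip_bit` and
`bits_needed` helpers and the sample key bytes are constructed for this
example.

```python
# Added example of OpenSSH-style private-key shielding (not OpenSSH code).
# Assumptions: HMAC-SHA256 in counter mode replaces AES-256-CTR; the 16 KiB
# prekey length and SHA-512 key derivation mirror what OpenSSH does.
import hashlib
import hmac
import secrets
from typing import Tuple

PREKEY_LEN = 16 * 1024  # 16 KiB random prekey, as in OpenSSH


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter mode: a stdlib stand-in for AES-256-CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _derive(prekey: bytes) -> bytes:
    # The prekey is hashed down to a 256-bit cipher key; every prekey bit
    # influences the result, so a partially leaked prekey is useless.
    return hashlib.sha512(prekey).digest()[:32]


def shield(private_key: bytes) -> Tuple[bytes, bytes]:
    """Encrypt the serialized private key and return (ciphertext, prekey).
    The caller drops the plaintext; only these two buffers stay resident."""
    prekey = secrets.token_bytes(PREKEY_LEN)
    ct = _xor(private_key, _keystream(_derive(prekey), len(private_key)))
    return ct, prekey


def unshield(ciphertext: bytes, prekey: bytes) -> bytes:
    """Recover the plaintext key for immediate use (sign, then re-shield
    under a fresh prekey, as OpenSSH does)."""
    return _xor(ciphertext, _keystream(_derive(prekey), len(ciphertext)))


def flip_bit(buf: bytes, bit_index: int) -> bytes:
    """Constructed helper: model an attacker whose leaked copy of the
    prekey has one bit wrong."""
    b = bytearray(buf)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def bits_needed(ciphertext: bytes) -> int:
    """Constructed helper: bits an attacker must read out exactly (prekey
    plus ciphertext) before any plaintext byte is recoverable."""
    return (PREKEY_LEN + len(ciphertext)) * 8


if __name__ == "__main__":
    sample = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed sample key\n"
    ct, pk = shield(sample)
    assert unshield(ct, pk) == sample
    assert sample not in ct + pk
    # One wrong prekey bit in the attacker's copy yields garbage.
    assert unshield(ct, flip_bit(pk, 77)) != sample
    print("shielded OK; attacker needs", bits_needed(ct), "exact bits")
```

Note that Python cannot guarantee the plaintext buffer is actually zeroed
after `unshield` returns; OpenSSH does this in C with explicit memory
clearing, which is the part of the mitigation this sketch cannot reproduce.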