> On Dec 2, 2017, at 5:48 AM, Doug Jackson via cctech <[email protected]>
> wrote:
>
> Camiel,
>
> Without sounding super negative (my day job as a security consultant lets
> me do that enough...) I would be especially wary of connecting anything
> with a 10-year-old stack to the modern internet. The range of automatic
> attacks based on what the state of the OS was when it was last patched is
> staggering.

That's true to a point. On the other hand, many attacks require that the
machine is running on Intel instruction set hardware, and most of them also
depend on the OS being Windows.

While bugs happen, the level of security competence applied by VMS engineering
is quite high compared to the usual "hack it till it no longer crashes"
practice seen all too often nowadays. That applies especially to network
protocol implementations.

If the issue is design defects in the protocol specifications, such as may be
found in various revisions of SSL, then having a good OS is not a complete
answer. Even there, it can help; for example, I suspect that the "heartbreak"
attack on older SSL stacks, if it were operable on VMS, wouldn't get you very
far because of OS and instruction set differences. Certainly script kiddy
attacks would not work.

paul