INFO-VAX	Sun, 07 Aug 2005	Volume 2005 : Issue 438

Contents:
DNS Cache poisoning and VMS
Re: EFI is out to lunch
Killing a process that has allocated the tape drive
Newbie DCL Question
Re: Newbie DCL Question
Re: Newbie DCL Question
Re: Newbie DCL Question
Re: Newbie DCL Question
Re: strange terminal-characteristic problem
Re: strange terminal-characteristic problem

----------------------------------------------------------------------

Date: Sun, 07 Aug 2005 02:20:15 -0400
From: JF Mezei <jfmezei.spamnot@teksavvy.com>
Subject: DNS Cache poisoning and VMS
Message-ID: <42F5A806.EDC7BBA0@teksavvy.com>

DNS cache poisoning is discussed now and then in networking groups.

Here is a good article which discusses the issue:

http://news.com.com/DNS+servers--an+Internet+Achilles+heel/2100-7349_3-5816061.html?tag=nefd.lede

In particular:
##
The vulnerable servers run the popular Berkeley Internet Name Domain software
in an insecure way and should be upgraded, Kaminsky said. The systems run BIND
4 or BIND 8 and are configured to use forwarders for DNS requests--something
the distributor of the software specifically warns against.

BIND is distributed free by the Internet Software Consortium. In an alert on
its Web site, the ISC says that there "is a current, wide-scale...DNS cache
corruption attack." All name servers used as forwarders should be upgraded to
BIND 9, the group said.
##

Since TCPIP Services for VAX is still stuck at Bind 8, are there VMS specific
documents that detail how customers can protect from and more importantly
detect if cache poisoning has occurred ?

Any chance VAX users will see Bind 9 like Alpha users ?

I used to have my bind server setup as forwarder to my ISPs but some time ago,
I made it grow up into its own and stopped forwarding.
But I had been unaware
that setting it up as forwarder was dangerous.

What difference does having it set as forwarder make it vulnerable ? From what
I understand, the problem lies in a criminal DNS server providing fake
responses for other domains which the requesting server then stores in its
cache. Don't quite understand how being set as a forwarder makes a difference
to this.

------------------------------

Date: Sun, 07 Aug 2005 13:02:20 -0400
From: Dave Froble <davef@tsoft-inc.com>
Subject: Re: EFI is out to lunch
Message-ID: <11fcfdc2aqdhpe2@corp.supernews.com>

JF Mezei wrote:
> Robert Deininger wrote:
>
>>>Who was the genius who decided that removing the battery would render the
>>>motherboard useless ?
>>
>>I didn't say that, did I?
>
>
> Here is what you had said:
>
>
>>>I've NEVER seen this recommended, and if it does actually succeed in clear
>>>ALL the nvram, it would almost certainly mean a service call, maybe a
>>>motherboard swap.  There are a bunch of unique tokens programmed in during
>>>manufacturing, and if they aren't right the firmware will object.
>>>Programming them requires access to manufacturing mode, which is protected
>>>via a one-time password mechanism that isn't available to customers.
>>>
>>>Please DON'T take the battery out unless a qualified HP service person
>>>recommends it.
>
>
>>Thanks for sharing your vast expertise with decades-old hardware.  In what
>>way is it relevant here?  Do you actually know anything about Integrity
>>servers?  Have you ever used one?  Have you ever seen one?
>
>
> In most intelligently designed systems, loss of NVRAM results in some flash
> code creating default values at next powerup, or prompting for them.
>
>
>>There are various flash parts in the system.
>>There are two copies of
>>everything vital.
>
>
> And if it is done intelligently, there should be code to create default values
> for NVRAM variables if NVRAM was zapped, at least to make the console usable
> and reset to a known default state. (eg: factory default).
>
>
> You made allusion to special nvram tokens which if missing, would render the
> motherboard useless and require field service with a special password. I call
> that STUPID.
>
> If EFI is ever to make it mainstream, it needs to drop all that proprietary
> stuff that requires a field service call if the owner replaces the NVRAM battery.
>
> Having to re-enter your config, default boot drive, default boot parameters,
> system time etc is expected.
>
> Is that "special password" an HP-only thing, or is it common to IA64 systems
> available from the few others who sell IA64 based systems ? If it is HP-only,
> it is a terrible business practice, especially if this is not clearly stated
> in the bill of sales that the owner will need to pay HP for service if the
> battery is ever replaced since HP refuses to relinquish the password to
> access the full system.

Why are you complaining about the hardware?  You're looking at similar
concepts in Microsoft's new software.  Their protection (DCA) is for the
copyright holders, not the customers who buy the product.  It's sad that
enough people will buy the product anyway.

Wanna get your blood pressure up?  High enough to blow out all the
accumulated debris?

http://www.theinquirer.net/?article=25169

One thought, (not accusation), is that HP builds systems for which they
want customers to have a maintenance contract.
If you don't have HW
maintenance, you aren't contributing more money to them, so why should
they build in robustness that would aid someone who won't have that HW
maintenance contract?

In the far past, if a mfg produced a product with undesirable
characteristics, there were many others from which to choose.  In this
day of 'consolidation' with fewer vendors, the concept of 'you'll get
what we want you to get' is becoming prevalent.

--
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      Fax: 724-529-0596
DFE Ultralights, Inc.              E-Mail: davef@tsoft-inc.com
170 Grimplin Road
Vanderbilt, PA  15486

------------------------------

Date: Sun, 7 Aug 2005 20:32:52 +0300
From: "MUSTAFA ATAKAN" <matakan@inteltek.com.tr>
Subject: Killing a process that has allocated the tape drive
Message-ID: <F014DACB8BE63442993543B780A2F018014A62DC@asteriks.inteltek.ist>

Hi,

  I have a problem in killing a process that has already allocated the
tape drive (that is, the system user mounted the tape drive, but closed
the session without deallocating the drive). I want to kill the process
since I want to mount the tape drive (as a system user, of course) in
another telnet session. In other words:

------------------------------------------------------------------------
$mount $2$mga1: /ov=id
%MOUNT-I-OPRQST, device already allocated to another user

$dismount $2$mga1:
%SYSTEM-W-DEVALLOC, device already allocated to another user

$ show dev mga1 /full
Magtape $2$MGA1: (TILOT3), device type COMPAQ SuperDLT1, is online,
 allocated,C deallocate on dismount, mounted, file-oriented device, available to  cluster,C device has multiple I/O paths, error logging is enabled, controller  supportsD compaction (compaction disabled), device supports fastskip (per_io).+ Error count 2 Operations completed 33626407 ) Owner process "SYSTEM" Owner UIC [SYSTEM] > Owner process ID 20602CF3 Dev Prot S:RWPL,O:RWPL,G:RWPL,W:RWPL .. ...  =20  $ stop /id=3D20602CF3  $ stop /id=3D20602CF3  $ stop /id=3D20602CF3  =20  $ show user system /full ...  ... 4 SYSTEM TILOT3 SYSTEM 20602CF3 TNA346: (disconnected) ...  ... H ------------------------------------------------------------------------H ------------------------------------------------------------------------ -----------------------  =20 F What is the reason that i can not stop the above process? Is there anyE command like "kill -9" in *nix environments? Is there any way to stop > this process without rebooting or waiting some timeout period? =20  Thanks in advance...  ' ------_=_NextPart_001_01C59B76.3F6D70A1  Content-Type: text/html; 	charset="us-ascii" + Content-Transfer-Encoding: quoted-printable   > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD>7 <META http-equiv=3DContent-Type content=3D"text/html; =  charset=3Dus-ascii">@ <META content=3D"MSHTML 6.00.2900.2668" name=3DGENERATOR></HEAD> <BODY>) <DIV><FONT face=3DArial size=3D2><SPAN=20 2 class=3D561271717-07082005>Hi,</SPAN></FONT></DIV>) <DIV><FONT face=3DArial size=3D2><SPAN=20 5 class=3D561271717-07082005></SPAN></FONT>&nbsp;</DIV> J <DIV><FONT face=3DArial size=3D2><SPAN class=3D561271717-07082005>&nbsp; = I have a=20 H problem in killing a process that has already allocated the tape drive = (that is,=20I the system user mounted the tape drive, but closed the session without=20 E deallocating the drive). I want to the kill process since I want to =  mount the=20H tape drive (as a system user, of course) in another telnet session. 
In = other=20 words:</SPAN></FONT></DIV>) <DIV><FONT face=3DArial size=3D2><SPAN=20 5 class=3D561271717-07082005></SPAN></FONT>&nbsp;</DIV> ) <DIV><FONT face=3DArial size=3D2><SPAN=20 J class=3D561271717-07082005>----------------------------------------------=J -------------------------------------------------------------------------=D ------------------------------------------------</SPAN></FONT></DIV>J <DIV><FONT face=3DArial size=3D2><SPAN class=3D561271717-07082005>$mount = $2$mga1:=20  /ov=3Did</SPAN></FONT></DIV>J <DIV><FONT size=3D2><SPAN class=3D561271717-07082005></SPAN></FONT><FONT =  > size=3D2><SPAN class=3D561271717-07082005><FONT face=3DArial = size=3D2>%MOUNT-I-OPRQST,=20C device already allocated to another user</FONT></SPAN></FONT></DIV> ) <DIV><FONT face=3DArial size=3D2><SPAN=20 5 class=3D561271717-07082005></SPAN></FONT>&nbsp;</DIV> ( <DIV><FONT face=3DArial size=3D2><SPAN =' class=3D561271717-07082005>$dismount=20  $2$mga1:</SPAN></FONT></DIV>J <DIV><FONT size=3D2><SPAN class=3D561271717-07082005></SPAN></FONT><FONT =  ? size=3D2><SPAN class=3D561271717-07082005><FONT face=3DArial=20 C size=3D2>%SYSTEM-W-DEVALLOC, device already allocated to another=20  user</FONT></SPAN></FONT></DIV> J <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT face=3DArial=20* size=3D2></FONT></SPAN></FONT>&nbsp;</DIV>< <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT =  size=3D2><FONT face=3DArial>$=20 <FONT size=3D2>show dev mga1 =. /full</FONT></FONT></FONT></SPAN></FONT></DIV>< <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20F size=3D2>Magtape $2$MGA1: (TILOT3), device type COMPAQ SuperDLT1, is =
 online,=20, allocated,</FONT></FONT></SPAN></FONT></DIV>< <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20A size=3D2>deallocate on dismount, mounted, file-oriented device, =  available to=20 * cluster,</FONT></FONT></SPAN></FONT></DIV>< <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20C size=3D2>device has multiple I/O paths, error logging is enabled, = 
 controller=20 * supports</FONT></FONT></SPAN></FONT></DIV>< <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20F size=3D2>compaction (compaction disabled), device supports fastskip=20+ (per_io).</FONT></FONT></SPAN></FONT></DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20. size=3D2>Error count 2 Operations completed=20* 33626407</FONT></FONT></SPAN></FONT></DIV>< <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20' size=3D2>Owner process <STRONG>"<FONT = 0 color=3D#ff0000>SYSTEM"</FONT></STRONG> Owner=20. UIC [SYSTEM]</FONT></FONT></SPAN></FONT></DIV>< <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20) size=3D2>Owner process ID <STRONG><FONT = / color=3D#ff0000>20602CF3</FONT></STRONG> Dev=20 B Prot S:RWPL,O:RWPL,G:RWPL,W:RWPL</FONT></FONT></SPAN></FONT></DIV>< <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20. size=3D2>...</FONT></FONT></SPAN></FONT></DIV>< <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20/ size=3D2>....</FONT></FONT></SPAN></FONT></DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=201 size=3D2></FONT></FONT></SPAN></FONT>&nbsp;</DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT =  size=3D2><FONT size=3D2><FONT=20 face=3DArial>$ stop = 7 /id=3D20602CF3</FONT></FONT></FONT></SPAN></FONT></DIV> 5 <DIV><FONT size=3D2><SPAN class=3D561271717-07082005> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT =  size=3D2><FONT size=3D2><FONT=20 face=3DArial>$ stop = 7 /id=3D20602CF3</FONT></FONT></FONT></SPAN></FONT></DIV> 5 <DIV><FONT size=3D2><SPAN class=3D561271717-07082005> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT =  size=3D2><FONT size=3D2><FONT=20 face=3DArial>$ 
stop=20J /id=3D20602CF3</FONT></FONT></FONT></SPAN></FONT></DIV></SPAN></FONT></DI= V></SPAN></FONT></DIV>< <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=201 size=3D2></FONT></FONT></SPAN></FONT>&nbsp;</DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT =  size=3D2><FONT size=3D2><FONT=201 face=3DArial>$ <FONT size=3D2>show user system=20 5 /full</FONT></FONT></FONT></FONT></SPAN></FONT></DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT =  size=3D2><FONT size=3D2><FONT=20C face=3DArial size=3D2>....</FONT></FONT></FONT></SPAN></FONT></DIV> ) <DIV><FONT face=3DArial size=3D2><SPAN=20 3 class=3D561271717-07082005>....</SPAN></FONT></DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT =  size=3D2><FONT size=3D2><FONT=20> face=3DArial size=3D2>SYSTEM TILOT3 SYSTEM 20602CF3 TNA346:=207 (disconnected)</FONT></FONT></FONT></SPAN></FONT></DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20/ size=3D2>....</FONT></FONT></SPAN></FONT></DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20/ size=3D2>....</FONT></FONT></SPAN></FONT></DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20J size=3D2>----------------------------------------------------------------=J -------------------------------------------------------------------------=@ ------------------------------</FONT></FONT></SPAN></FONT></DIV>) <DIV><FONT face=3DArial size=3D2><SPAN=20 5 class=3D561271717-07082005></SPAN></FONT>&nbsp;</DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=20G size=3D2>What is the reason that i can not stop the above process? Is =  there any=20G command like "kill -9" in *nix environments? 
Is there any way to stop =  this=20 4 process without rebooting or waiting some timeout=20) period?</FONT></FONT></SPAN></FONT></DIV> < <DIV><FONT size=3D2><SPAN class=3D561271717-07082005><FONT = size=3D2><FONT face=3DArial=201 size=3D2></FONT></FONT></SPAN></FONT>&nbsp;</DIV> 0 <DIV><FONT face=3D"Courier New" size=3D2><SPAN =# class=3D561271717-07082005><FONT=20 H face=3D"Courier New" size=3D2><FONT face=3DArial><FONT face=3D"Courier = New" size=3D2><FONT=20 face=3DArial>Thanks in=20 H advance...</FONT></DIV></FONT></FONT></FONT></SPAN></FONT></BODY></HTML>  ) ------_=_NextPart_001_01C59B76.3F6D70A1--    ------------------------------  # Date: Sun, 07 Aug 2005 06:19:10 GMT  From: Kevin <kevin@ps8.co.uk>  Subject: Newbie DCL Question4 Message-ID: <yJhJe.1050$Y04.98@newsfe4-win.ntli.net>   Hi  F If this isn't an appropriate group to post this question, I apologise.  G I am prompting the user for a nickname using read/prompt from within a  F login script in a captive account.   I will use this name to create a ! subdirectory later in the script.   D Apart from using f$length to check size, and f$edit to collapse and G convert to uppercase, how can I validate against users entering quoted  8 strings and various punctuation that will upset cre/dir?   Regards    Kevin    ------------------------------  % Date: Sun, 07 Aug 2005 02:48:21 -0400 - From: JF Mezei <jfmezei.spamnot@teksavvy.com>   Subject: Re: Newbie DCL Question, Message-ID: <42F5AE9B.4095406D@teksavvy.com>   Kevin wrote:E > Apart from using f$length to check size, and f$edit to collapse and H > convert to uppercase, how can I validate against users entering quoted: > strings and various punctuation that will upset cre/dir?     One way would be to do:    $newstring = string + ".YYY" $on error then goto problem  $create 'newstring $! $DELETE 'newstring';*  $GOTO CONTINUE $! $!	
$PROBLEM:
$ON ERROR THEN CONTINUE
$DELETE 'newstring';*     !just in case
$GOTO PROMPT_AGAIN


In other words, use the CREATE command to test if this is a valid file name.

Another way could be to:

$ON ERROR THEN GOTO PROBLEM
$CREATE/DIR [.'string']


Note that with ODS5, filenames have become much more versatile and can contain
tons of funny characters. So the above code may not detect ill-formed words with
special characters since the CREATE command may not complain about it.

You could use F$LOCATE to find specific characters and declare the string bad
if any are found. But you'd have to do a lot of tests.  You could also just
loop with an F$EXTRACT for each character in the string and compare it against
0 <= X <= 9 or A <= x <= Z

------------------------------

Date: Sun, 07 Aug 2005 10:21:09 GMT
From: "Colin Butcher" <colin_DOT.butcher_AT@xdelta_DOT.co_DOT.uk>
Subject: Re: Newbie DCL Question
Message-ID: <pglJe.83975$G8.1523@text.news.blueyonder.co.uk>

Use f$parse in "syntax_only" mode, eg:

if f$parse(input_string,,,"directory","syntax_only") .eqs. ""
then
   <go back and try again>
else
  <got a valid directory name, so carry on>
endif

--

Hope this helps, Colin.
colin DOT butcher AT xdelta DOT co DOT uk
It's not mine, but I like this definition: Legacy = stuff that works.

------------------------------

Date: 7 Aug 2005 03:45:07 -0700
From: "Bob Gezelter" <gezelter@rlgsc.com>
Subject: Re: Newbie DCL Question
Message-ID: <1123411506.957738.199900@g14g2000cwa.googlegroups.com>

Kevin,

Your posting is quite appropriate.

There is, however, a far better solution to the problem you describe.

Captive accounts are a good solution to providing applications access
without providing users with DCL access. Generic access accounts,
namely accounts with a widely circulated password are not in general a
good idea.
The exceptions are for VERY innocuous applications, and even
those are debateable.

A far better solution is to issue each user of a captive system a login
which directs them to an individual login directory, much like the
sub-directories you mention in your posting. Their LOGIN.COM
environment sets up the logical names and symbols to access the common
captive application.

This approach has the advantages of both security and accountability.
There are no shared passwords, accesses to the application are
associated with a particular user, and there is ZERO potential for
playing with the nickname to subvert the system.

I have used this approach many times, and it has survived all manner of
security audits. The nickname approach would be far harder to defend to
an audit team.

I hope that the above is helpful.

- Bob Gezelter, http://www.rlgsc.com
  The OpenVMS Consultant, OpenVMS.org, http://www.OpenVMS.org
  Contributing Editor, Computer Security Handbook, 3rd & 4th Editions
  Contributor, Handbook of Information Security, OpenVMS Security

------------------------------

Date: Sun, 07 Aug 2005 13:27:29 -0400
From: JF Mezei <jfmezei.spamnot@vaxination.ca>
Subject: Re: Newbie DCL Question
Message-ID: <42F6447F.E99DC572@vaxination.ca>

Colin Butcher wrote:
>
> Use f$parse in "syntax_only" mode, eg:
>
> if f$parse(input_string,,,"directory","syntax_only") .eqs. ""


This will give you the current directory given a string such as "CHOCOLATE".

And if the input string is "CHOCOLATE.CAKE" then an f$parse will not detect
any problem, but when you create/dir [.'input_string] it will create the
chocolate subdirectory as well as the cake subdirectory (under chocolate).

So you'd have to use f$parse in combination with an f$locate to ensure there
is no dot in the input string.

------------------------------

Date: Sun, 07 Aug 2005 01:49:44 -0400
From: JF Mezei <jfmezei.spamnot@teksavvy.com>
Subject: Re: strange terminal-characteristic problem
Message-ID: <42F5A0E1.BE7EDDA1@teksavvy.com>

Phillip Helbig---remove CLOTHES to reply wrote:
> Everything appears to work OK EXCEPT editing.

Then it is a 7bit vs 8 bit problem and/or flow control issue.

> I don't yet have DECnet running.  If I set host via LAT or TELNET, then
> everything works fine again.

Ok, perhaps you need to remind me again how the terminal is connected to one
machine and from that machine to the suspect vax. I was under the impression
it was with DECNET (SET HOST <node>).


If you SET HOST/DTE to the console port, remember that there are 3 ports involved.


[TERMINAL]----[TXA1:][NODE1][TXA2:]---------[OPA0:][NODE2]

You need to ensure that TXA2 is set properly to match OPA0: for both eight bit
and flow control. And during your terminal sessions, SHOW TERM won't show
TXA2:s properties unless you SHOW TERM TXA2 with sufficient privs. (or ALLOC
TXA2 before setting its properties).

------------------------------

Date: Sun, 07 Aug 2005 13:10:04 -0400
From: Dave Froble <davef@tsoft-inc.com>
Subject: Re: strange terminal-characteristic problem
Message-ID: <11fcfrjq3bqlkf9@corp.supernews.com>

Phillip Helbig---remove CLOTHES to reply wrote:

> In EDT.  Not at the console prompt, not at the VMS prompt.
>

Not been following this closely.
Figured it was a HW problem until you
stated that you moved the disk to another system and the problem
followed the disk.

Does that disk have an EDT ini file (or whatever it's called)?  Perhaps
you're configuring EDT in some manner that's causing the problem?

--
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      Fax: 724-529-0596
DFE Ultralights, Inc.              E-Mail: davef@tsoft-inc.com
170 Grimplin Road
Vanderbilt, PA  15486

------------------------------

End of INFO-VAX 2005.438
************************
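
Added example, not part of any post in this digest: one way to combine the suggestions from the "Newbie DCL Question" thread (the F$EXTRACT character loop, the F$LOCATE test and the F$PARSE syntax check) into an allow-list check, so that a dot, quote or apostrophe in the nickname never reaches CREATE/DIRECTORY. The symbol names, label names, the 12-character limit and the three-attempt limit are assumptions.

```dcl
$! Added example: allow-list validation of a nickname read in a captive
$! login procedure.  All names and limits below are assumptions.
$ ALLOWED = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
$ MAXLEN  = 12
$ TRIES   = 0
$PROMPT_AGAIN:
$ TRIES = TRIES + 1
$ IF TRIES .GT. 3 THEN GOTO GIVE_UP
$ READ/PROMPT="Nickname: "/END_OF_FILE=GIVE_UP SYS$COMMAND NICK
$ NICK = F$EDIT(NICK, "COLLAPSE,UPCASE")
$ LEN  = F$LENGTH(NICK)
$ IF LEN .EQ. 0 .OR. LEN .GT. MAXLEN THEN GOTO BAD_NAME
$! Walk the string one character at a time.  F$LOCATE returns the length
$! of ALLOWED when the character is not found, so anything outside A-Z and
$! 0-9 (dot, quote, apostrophe, bracket, colon, ...) rejects the name.
$ I = 0
$NEXT_CHAR:
$ IF I .GE. LEN THEN GOTO CHARS_OK
$ CH = F$EXTRACT(I, 1, NICK)
$ IF F$LOCATE(CH, ALLOWED) .EQ. F$LENGTH(ALLOWED) THEN GOTO BAD_NAME
$ I = I + 1
$ GOTO NEXT_CHAR
$CHARS_OK:
$! Second check: F$PARSE returns "" if the directory spec is malformed.
$! A dot can no longer be present, so only one level is ever created.
$ DIRSPEC = "[." + NICK + "]"
$ IF F$PARSE(DIRSPEC,,,"DIRECTORY","SYNTAX_ONLY") .EQS. "" THEN GOTO BAD_NAME
$ CREATE/DIRECTORY 'DIRSPEC'
$ GOTO NAME_DONE
$BAD_NAME:
$ WRITE SYS$OUTPUT "Please use 1 to ", MAXLEN, " letters or digits, nothing else."
$ GOTO PROMPT_AGAIN
$GIVE_UP:
$ LOGOUT
$NAME_DONE:
$! The rest of the login procedure continues here.
```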