INFO-VAX    Wed, 05 Jul 2006    Volume 2006 : Issue 370

Contents:
Re: Google hires Alpha developers
Installing kermit
Re: Installing kermit
Re: Installing kermit
Re: Installing kermit
Re: MySQL License on OpenVMS?
Off-topic post Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
RE: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
RE: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Re: The possibility of vms opening up?
Transitive Emulator Ports Sparc/Solaris Apps to Linux on Xeon, Itanium
Re: XML vs indexed files

----------------------------------------------------------------------

Date: Tue, 04 Jul 2006 15:11:45 -0500
From: "David J. Dachtera" <djesys.no@spam.comcast.net>
Subject: Re: Google hires Alpha developers
Message-ID: <44AACB81.DFD4DF3E@spam.comcast.net>

Tom Linden wrote:
>
> I thought Google was largely running Linux.

See the comp.os.linux.alpha newsgroup.

--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/

------------------------------

Date: 4 Jul 2006 14:58:38 -0700
From: contracer11@gmail.com
Subject: Installing kermit
Message-ID: <1152050318.498547.252850@a14g2000cwb.googlegroups.com>

Hi VMS masters:

I'm trying install Kermit in my VAX (5.5-2), but when I edit file
 CKVKER.COM I get this output:   $!<CR>; $! CKVKER.COM - C-Kermit 8.0 Construction for (Open)VMS<CR>  $!<CR> $! Version 1.39, 6 Apr 2004<CR>  $!<CR>@ $! DCL usage requires VMS 5.0 or higher - use CKVOLD.COM for VMS
 4=2Ex.<CR> $!<CR>( $ if p1 .eqs. "" then goto Skip_Help<CR>? $ if (f$locate(",",p1).ne.f$length(p1)) then goto Bad_param<CR> 2 $ if p1.nes."" then p1 =3D f$edit(p1,"UPCASE")<CR>1 $ if f$locate("H",p1).eq.f$length(p1) .and. -<CR> =      f$locate("?",p1).eq.f$length(p1) then goto Skip_Help<CR> 
 $Help:<CR> $type sys$input<CR> 
   Usage:<CR>
       $ @[directory]ckvker [ p1 [ p2 [ p3 [ p4 [ p5 ] ] ] ] ]<CR>
<CR>
       P1 = Build options<CR>
       P2 = Compiler selection<CR>
       P3 = C-Kermit DEFINES<CR>
       P4 = Additional compiler qualifiers (like /LIST/SHOW=INCLUDE)<CR>

Could you tell me why I'm seeing <CR> in the end of every line ?
The CKVKER.COM doesn't run with these carriage return in the end of
lines !

Thanks.

------------------------------

Date: Tue, 4 Jul 2006 17:20:14 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: Installing kermit
Message-ID: <06070417201435_2024476F@antinode.org>

From: contracer11@gmail.com

> I'm trying install Kermit in my VAX (5.5-2), but when I edit file
> CKVKER.COM
> I get this output:
>
> $!<CR>
> $! CKVKER.COM - C-Kermit 8.0 Construction for (Open)VMS<CR>
> $!<CR>
> [...]

> Could you tell me why I'm seeing <CR> in the end of every line ?
> The CKVKER.COM doesn't run with these carriage return in the end of
> lines !

   I'd guess that the reason was failure to follow the instructions when
unpacking the kit.

      http://www.columbia.edu/kermit/ckvins.html#x7

      If you have the VMS C-Kermit source files in a ZIP archive, unpack
      the archive with:

           unzip -aa ckv211.zip

   Specifying "-aa" should reform the DOS-compatible CR-LF line endings
to something locally popular.

   If that's not it, it would probably help to know where you got the
kit, and/or what you did to get where you are now.

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: 4 Jul 2006 16:07:24 -0700
From: contracer11@gmail.com
Subject: Re: Installing kermit
Message-ID: <1152054443.934482.144720@75g2000cwc.googlegroups.com>

Thank you, Steven !

Steven M. Schweda wrote:
> From: contracer11@gmail.com
>
> > I'm trying install Kermit in my VAX (5.5-2), but when I edit file
> > CKVKER.COM
> > I get this output:
> >
> > $!<CR>
> > $! CKVKER.COM - C-Kermit 8.0 Construction for (Open)VMS<CR>
> > $!<CR>
> > [...]
>
> > Could you tell me why I'm seeing <CR> in the end of every line ?
> > The CKVKER.COM doesn't run with these carriage return in the end of
> > lines !
>
>    I'd guess that the reason was failure to follow the instructions when
> unpacking the kit.
>
>       http://www.columbia.edu/kermit/ckvins.html#x7
>
>       If you have the VMS C-Kermit source files in a ZIP archive, unpack
>       the archive with:
>
>            unzip -aa ckv211.zip
>
>    Specifying "-aa" should reform the DOS-compatible CR-LF line endings
> to something locally popular.
>
>    If that's not it, it would probably help to know where you got the
> kit, and/or what you did to get where you are now.
>
> ------------------------------------------------------------------------
>
>    Steven M. Schweda               sms@antinode-org
>    382 South Warwick Street        (+1) 651-699-9818
>    Saint Paul  MN  55105-2547

------------------------------

Date: Tue, 4 Jul 2006 18:37:47 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: Installing kermit
Message-ID: <06070418374713_2024476F@antinode.org>

From: contracer11@gmail.com

> >            unzip -aa ckv211.zip

> Thank you, Steven !

   Glad to help.  Some folks actually use Zip and UnZip specifically for
repair/conversion of text file line endings, I was slightly amazed to
learn a while back.  I suppose that "Zip -0" would save some CPU time,
if you were doing both ends of the operation.

   Also, it depends on who assembled the Kermit kit.  I see that my old
(8.0.200, 12 Dec 2001) CKVINS.TXT lacks any mention of this, so it may
(or may not) be a "recent" change in the kit packaging.

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: 4 Jul 2006 21:34:19 -0700
From: "toby" <toby@telegraphics.com.au>
Subject: Re: MySQL License on OpenVMS?
Message-ID: <1152074059.145396.85260@l70g2000cwa.googlegroups.com>

toby wrote:
> Walter Kuhn wrote:
> > Hello Groups,
> >
> > does anybody have information and experience about licensing models and/or
> > license fees for MySQL on OpenVMS (used in a commercial product)? Is the
> > OpenVMS port as available at http://www.pi-net.dyndns.org/anonymous/kits/
> > free?
>
> According to http://www.mysql.com/support/supportedplatforms.html ,
> there exist MySQL "Pro Certified" binaries for OpenVMS 8.2 on Alpha and
> IA64. Access to and support for those products is a benefit of the
> MySQL Network,

Correction: John Reinhardt points out that only "Limited Support" is
offered for VMS platforms (which apparently does not include certified
binaries) -- my oversight!

You could still contact them about licensing, however.

> a support subscription with several levels,
> http://www.mysql.com/network/
> ...
> > Thanks in advance
> >
> > Kind Regards
> >
> > Walter Kuhn
> > KSG GesmbH
> > Computerstrasse 6
> > A - 1101 Wien

------------------------------

Date: Tue, 04 Jul 2006 19:28:36 -0500
From: Dan Foster <usenet@evilphb.org>
Subject: Off-topic post Re: The possibility of vms opening up?
Message-ID: <slrneam1tk.5jj.usenet@zappy.catbert.org>

Not directly VMS related, so I've marked the subject line accordingly.

My reply is below, if you're interested in knowing more.

In article <1152056817.147516.9460@75g2000cwc.googlegroups.com>, AEF <spamsink2001@yahoo.com> wrote:
>
> Wow. I don't remember my source, but it made sense and stuck.
>
> Bummer.
>
> So why *don't* they do it as I described?

Per U.S.
presidential order in 2000, selective accuracy was effectively
disabled in most parts of the world. This pretty much equalized civilian
and military GPS use for the most part.

[SA was re-imposed in certain areas in the U.S. after 9/11, and can be
done at will wherever and whenever needed, without denying the majority
of NAVSTAR GPS users benefits of increased accuracy.]

Not only that... WAAS (and EGNOS in Europe, MSAS in Japan, etc) has
since then come on-line in the last few years. This made civilian units
significantly better than the traditional military solution.

WAAS [and its variants] significantly shrinks the error to as little as
2-3m, which is better than even the uncorrected military PPS solution.

There are even better [accuracy] solutions available to civilians, at
significant cost and for specialized markets. Surveying is one such use.

Civilian units still have limitations such as speed and altitude
restrictions, but still within reason.

Now, something to keep in mind: the military solution is still better in
certain situations: higher availability, even in hostile situations.

The short answer to your question is: it *used* to be that way, but
things have changed a bit in the last few years.

With that said, 'the enemy' [whomever] may not necessarily be using the
U.S. NAVSTAR GPS system. They could very well be using *THEIR* _own_ GPS
system! [Or of their allies' system.] Greater availability for them,
better coverage for their areas of interest, and less risk of American
interference.

-Dan

------------------------------

Date: 4 Jul 2006 11:42:47 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152038567.124234.292000@l70g2000cwa.googlegroups.com>

AEF wrote:
> geletine wrote:

> > > > David J. Dachtera wrote:
> > > > snip...
> > > > > Another large obstacle is security. Some sites currently
> > > > using VMS would
> > > > > be rather put off by the idea of having such things become "commonly
> > > > > available".
> > > > >
> > > > Are you indicating that vms is security by obscurity?
> > >
> > > Sigh .. This argument always comes up by the somewhat less informed and
> > > imho, you should also ask the question of the banks i.e. why do they not
> > > provide detailed plans of their vaults and security systems on the
> > > internet? Is it because they are not really secure and rely on security
> > > by obscurity ?
> > >
> > It's a very nice way of avoiding a question :)
> > Many corporate companies use open source operating systems, does that
> > automatically mean they are giving the world access to their profits?
>
> Corporations have been hacked. Data has been stolen. Identity theft is
> a growing problem. Not all such breaches are made public. I'm sure
> some, if not many or even most, have been from systems running open
> source software.

I don't know why you claim most of the insecurity is caused by open
source software opposed to incorrect education. I highly recommend you
read Schneier's article about open software
Cryptography, http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity

before you claim open source is to be blamed, and then read his book
Secrets & Lies or any of his books if you like.

if open source is so weak , why is the U.S.
government's Department of
Homeland Security planning to spend $1.24 million over three years  ?

http://www.eweek.com/article2/0,1895,1909946,00.asp


> Security by obscurity alone is not great, but solid locks or vaults, or
> solid software (including the OS), combined with not revealing all the
> inner workings of said security measures, *is* good.

You admit Security by obscurity is not perfect alone, then you
contradict yourself and say it is, to me you're trying to defend vms
reason for being closed source.

> The U.S. military keeps the true GPS error unavailable to the public.
> The public can't use GPS to its best accuracy, and the military keeps
> just what that best accuracy is a secret. This way our enemies can't
> build something just good enough to "sneak under the radar". This keeps
> them guessing and it makes it harder for them.

Any government, military has better tools than its people, I am not
denying that.
 It was interesting to say the least when Phil Zimmermann was the
target of a three-year criminal investigation over pgp, at one time it
was said to be the best the public could get to military grade
encryption.

> > > Or perhaps it is because banks just do not believe doing so would
> > > enhance their overall security and their Customers trust them to provide
> > > the highest level of security possible.
> >
> > I believe it comes down to politics.
>
> No, it comes down to common sense. What possible benefit would there be
> of the banks' publishing the inner workings of their security systems?
>
> There's a world of difference between *depending* on obscurity for
> security, and building very secure products that are not "open source".
> While obscurity is not enough for good security, it still helps. In
> fact, this is exactly what people who criticize VMS argue -- that it
> only "appears" secure due to its low profile (obscurity).

It's fair criticism by many to point out vms relatively unknown presence
in the os world for being secure.

> Are you next going to recommend that people post their true,
> "unmunged", email addresses on this public forum? Should we all publish
> our SYSTEM-account passwords on the Internet?

Please don't mention something I did not even hint at, private data is
not the same as an os, private personal information is nobody else's , an
os surrounds this data as secure as it can, whether that be closed
source or open source.
Most webservers use Apache HTTP Server, does
that mean that personal information is freely available , nope, just
the http server.

thanks

------------------------------

Date: 4 Jul 2006 14:10:24 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: Re: The possibility of vms opening up?
Message-ID: <uHLWuKMBWVug@eisner.encompasserve.org>

In article <1152029086.974664.133530@a14g2000cwb.googlegroups.com>, "AEF" <spamsink2001@yahoo.com> writes:

> Should we all publish our SYSTEM-account passwords on the Internet?

I would not post that on the Internet, and the machines in question
are not even connected to the Internet.

------------------------------

Date: Tue, 04 Jul 2006 15:24:03 -0500
From: "David J. Dachtera" <djesys.no@spam.comcast.net>
Subject: Re: The possibility of vms opening up?
Message-ID: <44AACE63.83F29012@spam.comcast.net>

geletine wrote:
>
> David J. Dachtera wrote:
> snip...
> > Another large obstacle is security. Some sites currently using VMS would
> > be rather put off by the idea of having such things become "commonly
> > available".
> >
> Are you indicating that vms is security by obscurity?

More like, "we don't want the world - or our competitors - to know the
intimate details of the systems we use internally to preserve the
integrity of our data".

--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/

------------------------------

Date: Tue, 04 Jul 2006 15:27:36 -0500
From: "David J. Dachtera" <djesys.no@spam.comcast.net>
Subject: Re: The possibility of vms opening up?
Message-ID: <44AACF38.73C1E274@spam.comcast.net>

geletine wrote:
>
> > > David J. Dachtera wrote:
> > > snip...
> > > > Another large obstacle is security. Some sites currently
> > > using VMS would
> > > > be rather put off by the idea of having such things become "commonly
> > > > available".
> > > >
> > > Are you indicating that vms is security by obscurity?
> >
> > Sigh .. This argument always comes up by the somewhat less informed and
> > imho, you should also ask the question of the banks i.e. why do they not
> > provide detailed plans of their vaults and security systems on the
> > internet? Is it because they are not really secure and rely on security
> > by obscurity ?
> >
> It's a very nice way of avoiding a question :)
> Many corporate companies use open source operating systems, does that
> automatically mean they are giving the world access to their profits?

Then, let's answer a question with a question: how likely is it that
hackers/crackers/script-kiddies/etc. will launch an attack on a
vulnerability they do not know about?

...or, stated another way, if a system lacks common vulnerabilities, is
it wise to publish the measures taken to eliminate them?

--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/

------------------------------

Date: 4 Jul 2006 21:48:08 GMT
From: bill@cs.uofs.edu (Bill Gunshannon)
Subject: Re: The possibility of vms opening up?
Message-ID: <4h060oF1pb7s2U1@individual.net>

In article <1152029086.974664.133530@a14g2000cwb.googlegroups.com>,
    "AEF" <spamsink2001@yahoo.com> writes:
>
> The U.S. military keeps the true GPS error unavailable to the public.
> The public can't use GPS to its best accuracy, and the military keeps
> just what that best accuracy is a secret. This way our enemies can't
> build something just good enough to "sneak under the radar". This keeps
> them guessing and it makes it harder for them.
>

You're joking, right?  The most common Tactical GPS Receiver is the PLGR.
It is very long in the tooth and the only advantage it has over commercial
units (like those made by Garmin) is anti-spoofing.  A garden variety
Garmin like all the hunters buy is just as accurate as the Army's.  Sorry
to disappoint you.

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
bill@cs.scranton.edu     |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include <std.disclaimer.h>

------------------------------

Date: 4 Jul 2006 15:02:41 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152050561.818444.276300@a14g2000cwb.googlegroups.com>

David J. Dachtera wrote:
> Then, let's answer a question with a question: how likely is it that
> hackers/crackers/script-kiddies/etc. will launch an attack on a
> vulnerability they do not know about?

I cannot reasonably argue with that :)

> ...or, stated another way, if a system lacks common vulnerabilities, is
> it wise to publish the measures taken to eliminate them?
>
from a closed source point of view no, whereas open source software is
known to tell its users and developers whenever a vulnerability is
found.

------------------------------

Date: 4 Jul 2006 15:06:27 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152050787.138202.308800@l70g2000cwa.googlegroups.com>

David J. Dachtera wrote:
>
> More like, "we don't want the world - or our competitors - to know the
> intimate details of the systems we use internally to preserve the
> integrity of our data".
>
so in your eyes vms is better left as a secret...

------------------------------

Date: 4 Jul 2006 15:32:04 -0700
From: davidc@montagar.com
Subject: Re: The possibility of vms opening up?
Message-ID: <1152052324.674211.196500@p79g2000cwp.googlegroups.com>

This thread has kind of rat-holed into some meaningless arguments, so
let's get back to the original questions:

OpenVMS Source Listings are available to those that purchase a source
license.  The code is actually easy to read, well commented, and well
structured.  I first started reading OpenVMS source listings on
microfiche when I was in college, and even not knowing BLISS, was able
to understand the structures and concepts.  The code is organized,
commented, and pretty easy to understand.

Note you get listings, not source code.  You get to see what they do -
but it isn't likely people are going to be creating their own OpenVMS
flavors.  Besides, if you want, you can write your own drivers, System
Services, Symbionts, ACP's, etc to customize it anyway, without the
need to rebuild your own kernel from scratch.

So - the first point:  False, the source is not unobtainable or
obscured.  While not as easily available as Linux, it is still
available.  There is no real claim of "security by obscurity" here.
Not that it matters, since Microsoft Windows has already proven that
lack of source code does not eliminate the potential for
vulnerabilities to be found.

As to OpenVMS security, it is better for a few reasons.

1)  OpenVMS passes information through verifiable structures, like
descriptors.  Descriptors define the data type, address, and length of
the data.  The validity of the memory can be verified to insure
protected memory is not compromised.
Basically, the "buffer overflow"
vulnerability in the OpenVMS Kernel just doesn't exist, or the
"null-terminated string" issues.

2) Protected mode validation, not only read and write, but calling mode
is checked (i.e. a user mode code is not allowed to alter kernel mode
structures).  Calls in the kernel check the protection of the memory
against those of the caller, so not only is the memory checked to
insure it is there and can be written, but can be written by the user
anyway.  Essentially, you can corrupt yourself, but not
someone/something else.

3) Delineation of privileges.  Unix and other systems have a pretty
much "root" or "not-root" division of privilege.  OpenVMS has lots of
different privileges that can provide a fine-tuned approach to giving
sensitive code access to things, without always giving the keys to
everything, thus decreasing the potential for exploiting a
vulnerability, if exists.

4) I could go on...

So back to your original thought:  No, I don't think making source
available will make it more "popular".  Microsoft didn't have to, and
they are "popular".

Making the source code more widely available would unlikely result in
large scale security vulnerabilities being found, mostly because the
major attack vectors just aren't there.  While there may be some bugs
found, as Microsoft demonstrates, availability of source code does not
correlate to vulnerabilities found.  If it did, Linux would have orders
of magnitude more bugs than Windows (based on copies of source code
available).  Sorry, CERT doesn't bear that correlation out.

However, when Windows source has been leaked, there is a major concern
for increase in vulnerabilities to be found.
This seems to be
primarily a "Windows" artifact, since I don't think there is that level
of concern within the OpenVMS group, and definitely you don't see it
with the Linux crowd.

------------------------------

Date: Tue, 4 Jul 2006 19:21:45 -0400
From: "Main, Kerry" <Kerry.Main@hp.com>
Subject: RE: The possibility of vms opening up?
Message-ID: <FA60F2C4B72A584DBFC6091F6A2B8684016B005F@tayexc19.americas.cpqcorp.net>

> -----Original Message-----
> From: geletine [mailto:adaviscg1@hotmail.com]
> Sent: July 4, 2006 2:43 PM
> To: Info-VAX@Mvb.Saic.Com
> Subject: Re: The possibility of vms opening up?
>
> AEF wrote:
> > geletine wrote:
> > > > > David J. Dachtera wrote:
> > > > > snip...
> > > > > > Another large obstacle is security. Some sites currently
> > > > > using VMS would
> > > > > > be rather put off by the idea of having such things
> become "commonly
> > > > > > available".
> > > > > >
> > > > > Are you indicating that vms is security by obscurity?
> > > >
> > > > Sigh .. This argument always comes up by the somewhat
> less informed and
> > > > imho, you should also ask the question of the banks
> i.e. why do they not
> > > > provide detailed plans of their vaults and security
> systems on the
> > > > internet? Is it because they are not really secure and
> rely on security
> > > > by obscurity ?
> > > >
> > > It's a very nice way of avoiding a question :)
> > > Many corporate companies use open source operating
> systems, does that
> > > automatically mean they are giving the world access to
> their profits?
> >
> > Corporations have been hacked. Data has been stolen.
> Identity theft is
> > a growing problem. Not all such breaches are made public. I'm sure
> > some, if not many or even most, have been from systems running open
> > source software.
>
> I don't know why you claim most of the insecurity is caused by open
> source software opposed to incorrect education. I highly recommend you
> read Schneier's article about open software
> Cryptography, http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity
>

Certainly open software is not the cause of insecure systems. They do
offer some advantages for some environments. As others have stated,
security is one of those areas of IT that has many layers. For those
movie buffs, the server in the first Mission Impossible movie is a
fictitious example. However, it does make the point - with the right
amount of resources, time and effort, any system can be broken into.

Having stated this, my concerns on security with open source are
primarily:

1. The notion of open systems security is based on having very
knowledgeable resources on the Internet that not only understand
security, but also security from the point of view of clustering,
threading, kernel mechanisms and increasingly complex application
environments.

However, while a very small number of these knowledgeable resources are
dedicated resources, most of the open source advocates have day jobs and
they do open source reviews when they get a chance. Over time, since
this majority are not being paid for these code reviews, they may lose
interest in constantly reviewing the hundreds of open source modules
being updated every day.

2. If a security patch does get released, at the local level, who
ensures the patch does not break clustering, forward-backward
compatibility or other specific configs like an older version of the OS?
The responsibility for testing and ensuring OS compatibility with all
of the other OS and layered product patches falls on the shoulder of the
local IT person. For some shops with very knowledgeable technical staff,
that may be acceptable.

Unfortunately, most large shops will understandably not introduce any OS
security patches without some degree of application testing first. This
means a great deal of additional effort is required to do all of the
monthly QA compatibility testing of applications. With Linux (and
Windows) releasing 7-20 *security* (not bug fixes) patches per month,
this QA testing impact is huge in terms of people, equipment, putting
new app testing on hold while OS security compatibility testing is
completed.

The same testing effort applies to OpenVMS, but the very high rate at
which these monthly security patches occur on Linux (and Windows)
platforms makes this issue much larger. See RH security web site:
https://www.redhat.com/archives/enterprise-watch-list/ (click on thread
for each month and add them up)

3. Most large companies are moving big time away from having their IT
staff twiddle in the OS weeds with custom OS level patching. In their
mgmt's view, that is why they pay vendors for support contracts. The IT
Staffing costs typically dwarf any support contracts (usually 50-60% of
IT budget), so the cost of support contracts is not as big as some
promoters of open source would like everyone to believe. These large
Cust Managers would rather have their senior IT folks looking at ways to
better integrate their applications and or otherwise provide added value
to the business.


> before you claim open source is to be blamed, and then read his book
> Secrets & Lies or any of his books if you like.
>
> if open source is so weak , why is the U.S. government's Department of
> Homeland Security planning to spend $1.24 million over three years  ?
>
> http://www.eweek.com/article2/0,1895,1909946,00.asp
>

The military and DHS is always experimenting with new technologies and
in ways to better secure their environment. That is a good thing.
However, $1.24M over 3 years is a very small pebble on a very large
beach.
$400K per year is statistically insignificant in view of what the
military and DHS spends annually on their IT security budgets.


>
> > Security by obscurity alone is not great, but solid locks
> or vaults, or
> > solid software (including the OS), combined with not
> revealing all the
> > inner workings of said security measures, *is* good.
>
> You admit Security by obscurity is not perfect alone, then you
> contradict yourself and say it is, to me you're trying to defend vms
> reason for being closed source.
>

No, what he stated was that obscurity + solid platform security is a
good thing. Remember the banking analogy. Just because the bank does not
publish their security plans does not mean they have weak security based
on "security by obscurity".

Snip..

Regards,

 Kerry Main Senior Consultant  HP Services Canada Voice: 613-592-4660  Fax: 613-591-4477  kerryDOTmainAThpDOTcom (remove the DOT's and AT)=20  4 OpenVMS - the secure, multi-site OS that just works.   ------------------------------  % Date: Tue, 04 Jul 2006 18:16:30 -0500 6 From: "David J. Dachtera" <djesys.no@spam.comcast.net>/ Subject: Re: The possibility of vms opening up? 0 Message-ID: <44AAF6CE.63DB3F0E@spam.comcast.net>   geletine wrote:  >  > David J. Dachtera wrote: > > J > > More like, "we don't want the world - or our competitors - to know theE > > intimate details of the systems we use internally to preserve the  > > integrity of our data".  > > 3 > so in your eyes vms is better left as a secret...    It depends.    --   David J Dachtera dba DJE Systems  http://www.djesys.com/  & Unofficial OpenVMS Marketing Home Page! http://www.djesys.com/vms/market/   ( Unofficial Affordable OpenVMS Home Page: http://www.djesys.com/vms/soho/   " Unofficial OpenVMS-IA32 Home Page: http://www.djesys.com/vms/ia32/   ) Unofficial OpenVMS Hobbyist Support Page: " http://www.djesys.com/vms/support/   ------------------------------  % Date: Tue, 04 Jul 2006 18:21:46 -0500 6 From: "David J. Dachtera" <djesys.no@spam.comcast.net>/ Subject: Re: The possibility of vms opening up? 0 Message-ID: <44AAF80A.9AC11C3B@spam.comcast.net>   geletine wrote:  >  > David J. Dachtera wrote:H > > Then, let's answer a question with a question: how likely is it thatC > > hackers/crackers/script-kiddies/etc. 
will launch an attack on a ) > > vulnerability they do not know about?  > ( > I cannot reasonably argue with that :) > K > > ...or, stated another way, if a system lacks common vulnerabilities, is < > > it wise to publish the measures taken to eliminate them? > > I > from a closed source point of view no, where as open source software is E > known to tell its users and developers whenever a vulnerabilitie is  > found.   Found, yes.   ' ...BUT: is the fix easily identifiable?   G This argument aside, of course, I'll reiterate that there are licensing B and rights issues beyond the scope of Usenet which are not open toD public discussion. (Well, we can discuss them, but the chances of us0 being able to change any aspect of them is nil.)   --   David J Dachtera dba DJE Systems  http://www.djesys.com/  & Unofficial OpenVMS Marketing Home Page! http://www.djesys.com/vms/market/   ( Unofficial Affordable OpenVMS Home Page: http://www.djesys.com/vms/soho/   " Unofficial OpenVMS-IA32 Home Page: http://www.djesys.com/vms/ia32/   ) Unofficial OpenVMS Hobbyist Support Page: " http://www.djesys.com/vms/support/   ------------------------------   Date: 4 Jul 2006 16:46:57 -0700 $ From: "AEF" <spamsink2001@yahoo.com>/ Subject: Re: The possibility of vms opening up? @ Message-ID: <1152056817.147516.9460@75g2000cwc.googlegroups.com>   Bill Gunshannon wrote:E > In article <1152029086.974664.133530@a14g2000cwb.googlegroups.com>, ) > 	"AEF" <spamsink2001@yahoo.com> writes:  > > I > > The U.S. military keeps the true GPS error unavailable to the public. I > > The public can't use GPS to its best accuarcy, and the military keeps H > > just what that best accuracy is a secret. This way our enemies can'tK > > build something just good enough to "sneak under the radar". This keeps 2 > > them guessing and it makes it harder for them. > >  >  > I > Your joking, right?  
The most common Tactical GPS Reciever is the PLGR. L > It is very long in the tooth and the only advantage it has over commercialG > units (like those made by Garmin) is anti-spoofing.  A garden variety K > Garmin like all the hunters buy is just as accurate as the Army's.  Sorry  > to disappoint you. >  > bill    = Wow. I don't remember my source, but it made sense and stuck.    Bummer.   ) So why *don't* they do it as I described?  >  > --L > Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolvesF > bill@cs.scranton.edu     |  and a sheep voting on what's for dinner. > University of Scranton   |@ > Scranton, Pennsylvania   |         #include <std.disclaimer.h>   ------------------------------   Date: 4 Jul 2006 16:42:28 -0700 $ From: "AEF" <spamsink2001@yahoo.com>/ Subject: Re: The possibility of vms opening up? B Message-ID: <1152056548.224987.90830@a14g2000cwb.googlegroups.com>   geletine wrote:  > AEF wrote: > > geletine wrote: " > > > > > David J. Dachtera wrote: > > > > > snip... D > > > > > > Another large obstacle is security. Some sites currently > > > > > using VMS would P > > > > > > be rather put off by the idea of having such things become "commonly > > > > > > available".  > > > > > > ? > > > > > Are you indicating that vms is security by obscurity?  > > > > O > > > > Sigh .. This argument always comes up by the somewhat less informed and P > > > > imho, you should also ask the question of the banks i.e. why do they notJ > > > > provide detailed plans of their vaults and security systems on theO > > > > internet? Is it because they are not really secure and rely on security  > > > > by obscurity ? > > > > 4 > > > Its a  very nice way of avoiding a question :)K > > > Many corporate companies use open source operating systems, does that K > > > automatically mean they are giving the world access to their profits?  > > J > > Corporations have been hacked. Data has been stolen. 
Identity theft isF > > a growing problem. Not all such breaches are made public. I'm sureG > > some, if not many or even most, have been from systems running open  > > source software. > E > I don't know why you claim most of the insecurity is casued by open H > source software opposed to incorrect education. I highly recommend you  D I didn't say that. I said some, if not many or most. That is not the
same as most.

> read Schneier's article about open software
> Cryptography,http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity
>
> before you claim open source is to be blamed, and then read his book
> Secrets & Lies or any of his books if you like.
>
> if open source is so weak , why is the U.S. government's Department of
> Homeland Security planning to spend $1.24 million over three years  ?

Maybe the same reason they had that wonderful color coded be-afraid
scheme?

>
> http://www.eweek.com/article2/0,1895,1909946,00.asp
>
>
> > Security by obscurity alone is not great, but solid locks or vaults, or
> > solid software (including the OS), combined with not revealing all the
> > inner workings of said security measures, *is* good.
>
> You admit Security by obscurity is not perfect alone, then you
> contradict yourself and say it is, to me you're trying to defend vms
> reason for being closed source.

Thanks for re-writing what I've written into something completely
different, and then claiming that *I* contradicted myself.

> > The U.S. military keeps the true GPS error unavailable to the public.
> > The public can't use GPS to its best accuracy, and the military keeps
> > just what that best accuracy is a secret. This way our enemies can't
> > build something just good enough to "sneak under the radar". This keeps
> > them guessing and it makes it harder for them.
>
> Any government , military has better tools than its people, i am not
> denying that.
>  It was interesting to say the least when Phil Zimmermann was the
> target of a three-year criminal investigation over pgp, at one time it
> was said to be the best the public could get to military grade
> encryption.

And your point is...?

>
> > > > Or perhaps it is because banks just do not believe doing so would
> > > > enhance their overall security and their Customers trust them to provide
> > > > the highest level of security possible.
> > >
> > > I believe it comes down to politics.
> >
> > No, it comes down to common sense. What possible benefit would there be
> > of the banks' publishing the inner workings of their security systems?
> >
> > There's a world of difference between *depending* on obscurity for
> > security, and building very secure products that are not "open source".
> > While obscurity is not enough for good security, it still helps. In
> > fact, this is exactly what people who criticize VMS argue -- that it
> > only "appears" secure due to its low profile (obscurity).
>
> It's fair criticism by many to point out vms relatively unknown presence
> in the os world for being secure.

I cannot understand this sentence due to its grammar. Allow me to try
again: Consider DEF-CON. Some claim that VMS won only because it is
obscure and hackers aren't familiar with it. So obscurity helps. No one
broke in. So some can claim that's not a good test of VMS. Fine. But a
good test of VMS would *still* find it to be secure.

Hey, which is more likely to get hack attempts? A well-known Web site,
or an obscure Web site. Assume each has the same security otherwise.
Which is more likely to get broken into?

>
> > Are you next going to recommend that people post their true,
> > "unmunged", email addresses on this public forum? Should we all publish
> > our SYSTEM-account passwords on the Internet?
>
> Please don't mention something i did not even hint at, private data is
> not the same as a os, private personal information is nobody else's , an
> os surrounds this data as secure as it can, whether that be closed
> source or open source.  Most webservers use Apache HTTP Server, does
> that mean that personal information is freely available , nope, just
> the http server.

OK, so you're saying, or implying, that obscurity is good for data, but
bad for OSes. OK.

> thanks

YW

------------------------------

Date: 4 Jul 2006 17:33:05 -0700
From: "AEF" <spamsink2001@yahoo.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152059585.407964.16860@l70g2000cwa.googlegroups.com>

geletine wrote:
> AEF wrote:
> > geletine wrote:
> > > > > David J. Dachtera wrote:
> > > > > snip...
> > > > > > Another large obstacle is security. Some sites currently using VMS would
> > > > > > be rather put off by the idea of having such things become "commonly
> > > > > > available".
> > > > > >
> > > > > Are you indicating that vms is security by obscurity?
> > > >
> > > > Sigh .. This argument always comes up by the somewhat less informed and
> > > > imho, you should also ask the question of the banks i.e. why do they not
> > > > provide detailed plans of their vaults and security systems on the
> > > > internet? Is it because they are not really secure and rely on security
> > > > by obscurity ?
> > > >
> > > It's a very nice way of avoiding a question :)
> > > Many corporate companies use open source operating systems, does that
> > > automatically mean they are giving the world access to their profits?
> >
> > Corporations have been hacked. Data has been stolen. Identity theft is
> > a growing problem. Not all such breaches are made public. I'm sure
> > some, if not many or even most, have been from systems running open
> > source software.
>
> I don't know why you claim most of the insecurity is caused by open
> source software opposed to incorrect education. I highly recommend you
> read Schneier's article about open software
> Cryptography,http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity

OK, I did a quick read of this. ... Interesting. It appears that
"obscurity" is a double-edged sword, so to speak. One must be careful
what one is implying is "obscure". Is the Web site obscure? Is the OS
the Web site is running on obscure?

The article offers Microsoft as an example of being a closed source
with bad security. But at least he admits that it's not totally fair to
use it as an example because Microsoft is bad regardless of open vs.
closed. I still remember when my DellNet dialup became DellNet by MSN
and how it instantly went from pretty-damn-good to really, really
awful.

What he doesn't comment on is the Macintosh OS.

HP OpenVMS Engineering asks that if someone discovers a security flaw
in VMS that they contact them privately and not publish it for the
whole world to see. Isn't that better, at least in this case, than
publishing the flaw for all to see?

>
> before you claim open source is to be blamed, and then read his book
> Secrets & Lies or any of his books if you like.
>
> if open source is so weak , why is the U.S. government's Department of
> Homeland Security planning to spend $1.24 million over three years  ?
>
> http://www.eweek.com/article2/0,1895,1909946,00.asp
>
>
> > Security by obscurity alone is not great, but solid locks or vaults, or
> > solid software (including the OS), combined with not revealing all the
> > inner workings of said security measures, *is* good.
>
> You admit Security by obscurity is not perfect alone, then you
> contradict yourself and say it is, to me you're trying to defend vms
> reason for being closed source.
>
> > The U.S. military keeps the true GPS error unavailable to the public.
> > The public can't use GPS to its best accuracy, and the military keeps
> > just what that best accuracy is a secret. This way our enemies can't
> > build something just good enough to "sneak under the radar". This keeps
> > them guessing and it makes it harder for them.
>
> Any government , military has better tools than its people, i am not
> denying that.
>  It was interesting to say the least when Phil Zimmermann was the
> target of a three-year criminal investigation over pgp, at one time it
> was said to be the best the public could get to military grade
> encryption.
>
> > > > Or perhaps it is because banks just do not believe doing so would
> > > > enhance their overall security and their Customers trust them to provide
> > > > the highest level of security possible.
> > >
> > > I believe it comes down to politics.
> >
> > No, it comes down to common sense. What possible benefit would there be
> > of the banks' publishing the inner workings of their security systems?
> >
> > There's a world of difference between *depending* on obscurity for
> > security, and building very secure products that are not "open source".
> > While obscurity is not enough for good security, it still helps. In
> > fact, this is exactly what people who criticize VMS argue -- that it
> > only "appears" secure due to its low profile (obscurity).
>
> It's fair criticism by many to point out vms relatively unknown presence
> in the os world for being secure.
>
> > Are you next going to recommend that people post their true,
> > "unmunged", email addresses on this public forum? Should we all publish
> > our SYSTEM-account passwords on the Internet?
>
> Please don't mention something i did not even hint at, private data is
> not the same as a os, private personal information is nobody else's , an
> os surrounds this data as secure as it can, whether that be closed
> source or open source.  Most webservers use Apache HTTP Server, does
> that mean that personal information is freely available , nope, just
> the http server.
>
> thanks

------------------------------

Date: 4 Jul 2006 19:31:44 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: RE: The possibility of vms opening up?
Message-ID: <ntW0QgfwIuuv@eisner.encompasserve.org>

In article <FA60F2C4B72A584DBFC6091F6A2B8684016B005F@tayexc19.americas.cpqcorp.net>, "Main, Kerry" <Kerry.Main@hp.com> writes:

> Unfortunately, most large shops will understandably not introduce any OS
> security patches without some degree of application testing first.

You started that sentence with an incorrect "Un" :-)

------------------------------

Date: Tue, 04 Jul 2006 22:20:24 -0400
From: JF Mezei <jfmezei.spamnot@teksavvy.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <44AB21E2.57CFCFEC@teksavvy.com>

Bill Gunshannon wrote:
> units (like those made by Garmin) is anti-spoofing.  A garden variety
> Garmin like all the hunters buy is just as accurate as the Army's.  Sorry
> to disappoint you.

Not true.  Civilian GPS do not have access to all the frequencies. The
military satellites (the USA GPS satellites are military) have different
levels of service. The military have access to all of them (requires
keys). Civilians only have access to the basic signal whose precision is
not so great. The difference between consumer and military signals has
been greatly reduced since about 1999 when SA (purposefully degrading of
civilian signal) was removed, and in recent years when WAAS satellites
became operational and provide some correction for the civilian signals.
The military units with access to the L2 signal are still more precise.

The EU systems will give L2 precision to civilians. And this is what the
Bush regime has opposed the EU launching its own GPS constellation. This
will be a civilian service without any military having a finger on the
switch to suddenly shut it down.

------------------------------

Date: Tue, 04 Jul 2006 22:23:52 -0400
From: JF Mezei <jfmezei.spamnot@teksavvy.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <44AB22B2.49312C54@teksavvy.com>

davidc@montagar.com wrote:
> 1)  OpenVMS passes information through verifiable structures, like
> descriptors.

That is not the case all the time anymore, not since they ported so much
unix software to VMS, including TCPIP Services which by today's
standards, is a core operating system feature.

------------------------------

Date: Tue, 04 Jul 2006 22:35:04 -0400
From: JF Mezei <jfmezei.spamnot@teksavvy.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <44AB2551.E1E6C9E3@teksavvy.com>

AEF wrote:
> HP OpenVMS Engineering asks that if someone discovers a security flaw
> in VMS that they contact them privately and not publish it for the
> whole world to see. Isn't that better, at least in this case, than
> publishing the flaw for all to see?

Works both ways. As long as a flaw is kept private, there is far less
incentive to make a patch and publish it.

When a flaw becomes very public, the vendor has a lot of
pressure/motivation to release a patch and make noise about a patch
being available right away.

Still waiting to hear on whether the BIND server on VAX-VMS is
susceptible to many weaknesses that have been advertised for BIND-8
over the years.  That is the true result of "obscurity". All the other
OS have had patches for their BIND, but at VMS, we are still waiting to
hear on whether we should be worried or not.

In the heyday of VMS, when engineering resources were probably quite
numerous, they had the time/resources to keep up with the Joneses, but in
today's environment, they seem to barely have the time to answer to
their few customers who count and we don't even know if there is anyone
left of the TCPIP engineering group.

When you have too few engineers left to maintain such a full featured
OS, they cannot realistically be expected to be able to close all the
flaws/bugs. Opening sections of the OS would allow "foreigners" to find
flaws and suggest fixes. And by making those flaws public, it would also
force HP to make the fixes public and thus generate visibility for VMS
and more importantly, show that VMS is still being developed.

------------------------------

Date: 4 Jul 2006 13:12:37 -0700
From: "Ian Miller" <ijm@uk2.net>
Subject: Transitive Emulator Ports Sparc/Solaris Apps to Linux on Xeon, Itanium
Message-ID: <1152043957.595598.97910@m73g2000cwd.googlegroups.com>

http://www.itjungle.com/breaking/bn062806-story02.html

"In theory, there is no reason why the QuickTransit tools could not be
used to port OpenVMS or OS/400 applications to new architectures,
either."

Comments?

------------------------------

Date: Tue, 04 Jul 2006 21:58:54 -0400
From: Randy Park <rvfulltime@_removeme_isp.com>
Subject: Re: XML vs indexed files
Message-ID: <6n6ma21vkpbtponinctc0vchvq0ol7n632@4ax.com>

On Tue, 04 Jul 2006 03:56:56 -0400, JF Mezei <jfmezei.spamnot@teksavvy.com> wrote:

>OK, some here, including at least one VMS engineer seem to be quite
>enamoured by XML.
>
>
>XML seems to be great for storing variable format/content records where
>one or more fields may be missing from some records, and fields can be
>all variable length.
>
>However, how does one handle XML in a context where you want to be able
>to search through XML "records" ?
>
>For instance, I could store GPS waypoint in XML in a text file. But if I
>want to extract all "records" that match certain criteria, how do I go
>about it ? a massive brute force search ?
>
>If I want to add new records as well as replace existing records with a
>matching primary key, how would I go about it  with XML ?
>
>I can see XML is great for inter-platform exchanges of raw data. But
>does it really have a use as an in-platform "database" ?

There is a VMS oriented commercial product that will extract data from
an XML "text" file.  It treats the XML file as just a file of sequential records.
You can then output the data in a formatted report, to an RMS file (yes, isam),
to an HTML web page, etc. If you have the appropriate networking and servers
set up the data can even be elsewhere on the network.   It is a full blown data
extraction and report writing tool.  Yes you can add records if the XML file is
on a VMS system (well you might have to do a new file and merge).  Matching
primary keys is not a concept that applies to XML formatted data.

The name of the product is Xentis, sold by Graymatter Software.  In the interest
of full disclosure I used to have a financial interest in the product, but no longer
do.

--
Posted via a free Usenet account from http://www.teranews.com

------------------------------

End of INFO-VAX 2006.370
************************