INFO-VAX  Wed, 05 Jul 2006  Volume 2006 : Issue 371

Contents:
Any news of Sue ?
Re: Any news of Sue ?
Multiple FTP servers - possible?
Re: Multiple FTP servers - possible?
Re: MySQL License on OpenVMS?
OT: RS232 neutral sharing DC power
Re: OT: RS232 neutral sharing DC power
Re: Simple Directmedia Layer (SDL) for OpenVMS???
Strange shadow disk hang
Re: Strange shadow disk hang
Re: The possibility of vms opening up?
Re: Transitive Emulator Ports Sparc/Solaris Apps to Linux on Xeon, Itanium

----------------------------------------------------------------------

Date: Wed, 05 Jul 2006 04:19:10 -0400
From: JF Mezei <jfmezei.spamnot@teksavvy.com>
Subject: Any news of Sue ?
Message-ID: <44AB75E2.FAC87829@teksavvy.com>

Anyone has recent news of Sue ?

For someone who depends so much on email, Sue quitting the internet cold
turkey must have been just as painful as the knee surgery :-)

Sue, if you see this, we all miss you very much !

And the engineers need some of your care/feeding in their habitat. They
haven't released a new version of VMS since you left for your operation.
That is how unproductive they have become without you :-)

Hope you are getting better and starting to enjoy summer as much as you
possibly can under your circumstance.

------------------------------

Date: 5 Jul 2006 01:27:04 -0700
From: "Ian Miller" <ijm@uk2.net>
Subject: Re: Any news of Sue ?
Message-ID: <1152088024.003821.129400@b68g2000cwa.googlegroups.com>

Most recent news I have seen is at
http://www.openvms.org/pages.php?page=Sue

------------------------------

Date: 5 Jul 2006 07:35:12 -0700
From: "hanblo {at} netscape.net" <hanblo@netscape.net>
Subject: Multiple FTP servers - possible?
Message-ID: <1152110112.587860.65530@j8g2000cwa.googlegroups.com>

Hello,
we have a problem with ftp-clients setting up connections at a
tremendous speed. This means our ftp-server isn't too happy about the
situation and starts refusing connections. Would the proper remedy be
to try to start a second ftp-server on another port?
Anybody has any experience on how to handle this kind of situation?
OpenVMS 7.3-2, TCPIP 5.4 ECO 4 on AlphaServer ES47 7/1000 with 16 GB.

Regards
Hans

------------------------------

Date: 5 Jul 2006 08:24:58 -0700
From: "Ed Wilts" <ewilts@ewilts.org>
Subject: Re: Multiple FTP servers - possible?
Message-ID: <1152113098.346675.324700@a14g2000cwb.googlegroups.com>

hanblo {at} netscape.net wrote:
> Hello,
> we have a problem with ftp-clients setting up connections at a
> tremendous speed.

I've seen this happen with certain clients - they open up multiple
simultaneous sessions and transfer multiple files at the same time.
You can set the limit as high as you want but they'll flood your
connections anyway.

> This means our ftp-server isn't too happy about the
> situation and starts refusing connections. Would the proper remedy be
> to try to start a second ftp-server on another port?

The proper remedy is to refuse connections and to limit the maximum
simultaneous connects per user to a reasonable limit.  You may also
need to restrict simultaneous connects per source IP address.
    ..../Ed

------------------------------

Date: Wed, 05 Jul 2006 11:25:35 -0400
From: sol gongola <sol@adldata.com>
Subject: Re: Multiple FTP servers - possible?
Message-ID: <1152113197.871705@nntp.acecape.com>

hanblo {at} netscape.net wrote:
> Hello,
> we have a problem with ftp-clients setting up connections at a
> tremendous speed. This means our ftp-server isn't too happy about the
> situation and starts refusing connections. Would the proper remedy be
> to try to start a second ftp-server on another port? Anybody has any
> experience on how to handle this kind of situation?
> OpenVMS 7.3-2, TCPIP 5.4 ECO 4 on AlphaServer ES47 7/1000 with 16 GB.
>
> Regards
> Hans
>

I assume "tremendous speed" is many connections within a short period of time.
If you could set up a second ftp server on the same machine,
it wouldn't solve the problem of too many connections coming in.

Maybe if you described the situation a little better...
Are you supposed to be getting so many connections?
Are they for uploading to the server or downloading.
Are the connections coming from the internet or only from your LAN.
All from the same machine or many machines.

Opening and closing connections for each transfer uses more resources
than keeping the connection open for multiple transfers.

If you have to have numerous file transfers, you might consider
using nfs or file sharing (pathworks or samba).

regards
sol

------------------------------

Date: Wed, 5 Jul 2006 07:30:33 -0400
From: "Neil Rieck" <n.rieck@sympatico.ca>
Subject: Re: MySQL License on OpenVMS?
Message-ID: <44aba245$0$5183$9a6e19ea@news.newshosting.com>

"Walter Kuhn" <w.kuhn@ksg.co.at> wrote in message
news:44aa759d$0$3888$91cee783@newsreader01.highway.telekom.at...
> Hello Groups,
>
> does anybody have information and experience about licensing models and/or
> license fees for MySQL on OpenVMS (used in a commercial product)? Is the
> OpenVMS port as available at http://www.pi-net.dyndns.org/anonymous/kits/
> free? If not, who tells the price and who gets the fee?
>
> Thanks in advance
>
> Kind Regards
>
> Walter Kuhn
> KSG GesmbH
> Computerstrasse 6
> A - 1101 Wien
>
You might wish to check with Jean-François PIÉRONNE at:
http://www.pi-net.dyndns.org/anonymous/kits/#mysql
He has ported MySQL to OpenVMS and should have some knowledge about
licensing. (although I thought it was much like LINUX; part of their
business model is to give it away but charge for support)

Neil Rieck
Kitchener/Waterloo/Cambridge,
Ontario, Canada.
http://www3.sympatico.ca/n.rieck/links/cool_openvms.html
http://www3.sympatico.ca/n.rieck/links/openvms_demos.html
http://www3.sympatico.ca/n.rieck/docs/openvms_notes_rms_rdb.html#mySQL

------------------------------

Date: Wed, 05 Jul 2006 17:33:22 +0200
From: Paul Sture <paul.sture.nospam@hispeed.ch>
Subject: Re: MySQL License on OpenVMS?
Message-ID: <b9e0e$44abdbc3$50db5015$1043@news.hispeed.ch>

toby wrote:
> toby wrote:
>> Walter Kuhn wrote:
>>> Hello Groups,
>>>
>>> does anybody have information and experience about licensing models and/or
>>> license fees for MySQL on OpenVMS (used in a commercial product)? Is the
>>> OpenVMS port as available at http://www.pi-net.dyndns.org/anonymous/kits/
>>> free?
>> According to http://www.mysql.com/support/supportedplatforms.html ,
>> there exist MySQL "Pro Certified" binaries for OpenVMS 8.2 on Alpha and
>> IA64. Access to and support for those products is a benefit of the
>> MySQL Network,
>
> Correction: John Reinhardt points out that only "Limited Support" is
> offered for VMS platforms (which apparently does not include certified
> binaries) -- my oversight!
>

John is correct.

From:

http://www.mysql.com/support/supportedplatforms.html

"Q. What is Limited Support (LS)?

A: These are specific operating system and hardware combinations for
which MySQL provides only limited support. For this tier, MySQL does not
have the target OS/hardware; and MySQL does not build binaries for these
combinations; and MySQL does not test on these platforms. The MySQL
Support Team will use commercially reasonable efforts to attempt to
provide technical support for these platforms, but with the customer's
acknowledgement that there may be scenarios that cannot be resolved due
to the above limitations."

------------------------------

Date: Wed, 05 Jul 2006 04:06:53 -0400
From: JF Mezei <jfmezei.spamnot@teksavvy.com>
Subject: OT: RS232 neutral sharing DC power
Message-ID: <44AB7302.445B19FE@teksavvy.com>

I have a gizmo that has 4 leads:

"+"      (8 to 40 volts DC, but I give it about 12 volts)
"-"      (common ground)
Receive  (RS232)
Transmit (RS232)

If I apply a transformer power (12 volts) to the + and -,  can it hurt
the vax (DHQ11 RS232 boards) at the other end since the transformer
would share the neutral with the neutral going to the VAX ?

or do transformers totally isolate the output from whatever AC power is
being fed to them and thus would be as safe as batteries in this case ?

(I am worried about some voltage differential between the transformer
(connected to one circuit of AC wiring), and the DHQ11 board connected
to the vax and potentially to the other "side" of the house). Or are
these things really totally isolated and I have nothing to worry about ?

------------------------------

Date: Wed, 5 Jul 2006 08:27:47 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: OT: RS232 neutral sharing DC power
Message-ID: <06070508274715_2024476F@antinode.org>

From: JF Mezei <jfmezei.spamnot@teksavvy.com>

> I have a gizmo that has 4 leads:
>
> "+"      (8 to 40 volts DC, but I give it about 12 volts)
> "-"      (common ground)
> Receive  (RS232)
> Transmit (RS232)

> If I apply a transformer power (12 volts) to the + and -,  can it hurt
> the vax (DHQ11 RS232 boards) at the other end since the transformer
> would share the neutral with the neutral going to the VAX ?

   For any such question, accepting any answer you get in this forum is
taking a risk, of course.

> or do transformers totally isolate the output from whatever AC power is
> being fed to them and thus would be as safe as batteries in this case ?

   Some transformers provide isolation, and some (autotransformers) do
not.  Assuming that by "transformer" you mean a typical wall-wart power
supply which includes a transformer, then it's almost certain to provide
isolation from the AC mains.  (Note that a transformer, by its nature,
can supply only AC, not "+ and -", hence any DC power supply involves
more parts than simply a transformer.)

   What is normally connected to a VAX serial port?  What do you think
is in a VT52 terminal?  Perhaps a power supply using a transformer to
provide isolation from the AC mains?

> (I am worried about some voltage differential between the transformer
> (connected to one circuit of AC wiring), and the DHQ11 board connected
> to the vax and potentially to the other "side" of the house). Or are
> these things really totally isolated and I have nothing to worry about ?

   Barring a defective or unsuitable power supply, what could go wrong?
Concerns of this sort are, of course, why God gave us voltmeters and the
wisdom to use them.

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Wed, 05 Jul 2006 08:18:37 -0700
From: "Tom Linden" <tom@kednos.com>
Subject: Re: OT: RS232 neutral sharing DC power
Message-ID: <op.tb715bxpzgicya@hyrrokkin>

On Wed, 05 Jul 2006 01:06:53 -0700, JF Mezei
<jfmezei.spamnot@teksavvy.com> wrote:

> I have a gizmo that has 4 leads:
>
> "+"      (8 to 40 volts DC, but I give it about 12 volts)
> "-"      (common ground)
> Receive  (RS232)
> Transmit (RS232)
>
>
> If I apply a transformer power (12 volts) to the + and -,  can it hurt
> the vax (DHQ11 RS232 boards) at the other end since the transformer
> would share the neutral with the neutral going to the VAX ?
>
> or do transformers totally isolate the output from whatever AC power is
> being fed to them and thus would be as safe as batteries in this case ?

They should, but you can verify it by putting an Ohmmeter across all
possible input/output leads.
>
> (I am worried about some voltage differential between the transformer
> (connected to one circuit of AC wiring), and the DHQ11 board connected
> to the vax and potentially to the other "side" of the house). Or are
> these things really totally isolated and I have nothing to worry about ?

------------------------------

Date: Wed, 05 Jul 2006 11:34:59 +0200
From: JOUKJ <joukj@hrem.nano.tudelft.nl>
Subject: Re: Simple Directmedia Layer (SDL) for OpenVMS???
Message-ID: <1e1ad$44ab87c3$82a13c9d$21380@news1.tudelft.nl>

Tim Sneddon wrote:
> JOUKJ wrote:
>
>> Hi All,
>>
>> Did anyone try to port SDL (see http://www.libsdl.org/index.php) to
>> OpenVMS?
>
>
> Yes. It was done by Alexey Chupahin. However, it would appear that
> the download link at his site is not working. You can check out
> his libSDL site at:
>
>     http://fafner.dyndns.org/~alexey/libsdl/public.html
>
Thanks. I'll try.

        Jouk

------------------------------

Date: 5 Jul 2006 07:31:17 -0700
From: "Rich Jordan" <jordan@ccs4vms.com>
Subject: Strange shadow disk hang
Message-ID: <1152109877.127023.171720@v61g2000cwv.googlegroups.com>

DS20e, OpenVMS V7.3 (all current class 1 and relevant 2 ECOs)
KZPCA controller attached to 6-disk internal hotswap bays.

Three shadowsets, DKA0+DKA100,  DKA200+DKA300, DKA400+DKA500 as DSA0,
DSA1, DSA2; DSA0 is the system disk.

On Monday DSA1, which is primarily a data and user directory disk,
stopped responding.  The system showed no errors on the DSA1 device,
the two component disks, or the bus (or any other storage related
device), or any of the other drives on that same bus.  No entries in
the error log, no messages in the Operator log, no alerts, nothing at
all.  Any process that attempted to access anything on DSA1 would hang,
and if exit was attempted would go into RWAST.

A SHOW PROCESS/CHANNEL on a hung process would show one or more
channels to DSA1 as busy; there was no specific filename, just the
drive.

We ended up having to powercycle to clear the problem; the system was
unable to shut down, and once we tried we lost access to it (nobody at
the console due to the holiday) so could not manually crash it.  TCPIP
had partially remained up (we could PING and telnet connect) but the
job controller had shut down.
Since powerup it has been running fine, with no indication of problems.

Any thoughts on what could cause a problem like this?

VMS upgrade is not a short term option, although I know it needs to be
done at some point.

Thanks

Rich

------------------------------

Date: 5 Jul 2006 09:52:13 -0700
From: "Volker Halle" <volker_halle@hotmail.com>
Subject: Re: Strange shadow disk hang
Message-ID: <1152118333.165848.258400@v61g2000cwv.googlegroups.com>

Rich,

a hang like this is one of the possible symptoms of a blocked XQP
operation. You could have issued the SDA> SHOW PROC/LOCK command
against the hanging process, once you saw the busy IO against the disk
(shadowset). Then examine any locks in WAITing (or CONVERTing) state to
find out, who's blocking them.

SDA> CLUE XQP/ACT would have also shown all processes waiting for XQP
IOs to finish.

The PWAIT$SDA extension (OpenVMS Freeware) has been recently enhanced
to automatically analyze such situations. The enhanced version will be
available on the next OpenVMS Freeware CD (V8), but is also available
from:

http://eisner.encompasserve.org/~miller/

Volker.

------------------------------

Date: Wed, 05 Jul 2006 11:36:56 +0200
From: Paul Sture <paul.sture.nospam@hispeed.ch>
Subject: Re: The possibility of vms opening up?
Message-ID: <8d636$44ab8839$50db5015$17708@news.hispeed.ch>

AEF wrote:
> geletine wrote:

<snip>

>> I don't know why you claim most of the insecurity is caused by open
>> source software opposed to incorrect education. I highly recommend you
>> read schneiers article about open software
>> Cryptography,http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity
>
> OK, I did a quick read of this. ... Interesting. It appears that
> "obscurity" is a double-edged sword, so to speak. One must be careful
> what one is implying is "obscure". Is the Web site obscure? Is the OS
> the Web site is running on obscure?
>
> The article offers Microsoft as an example of being a closed source
> with bad security. But at least he admits that it's not totally fair to
> use it as an example because Microsoft is bad regardless of open vs.
> close. I still remember when my DellNet dialup became DellNet by MSN
> and how it instantly went from pretty-damn-good to really, really
> awful.
>
> What he doesn't comment on is the Macintosh OS.
>

Please note that the above article carries the date "September 15, 1999".

I don't think that OS X was around then.

------------------------------

Date: Wed, 5 Jul 2006 09:49:18 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: The possibility of vms opening up?
Message-ID: <e8g1uu$j72$1@news.mdx.ac.uk>

In article <44AACF38.73C1E274@spam.comcast.net>, "David J. Dachtera" <djesys.no@spam.comcast.net> writes:
>geletine wrote:
>>
>> > > David J. Dachtera wrote:
>> > > snip...
>> > > > Another large obstacle is security. Some sites currently
>> > > using VMS would
>> > > > be rather put off by the idea of having such things become "commonly
>> > > > available".
>> > > >
>> > > Are you indicating that vms is security by obscurity?
>> >
>> > Sigh .. This argument always comes up by the somewhat less informed and
>> > imho, you should also ask the question of the banks i.e. why do they not
>> > provide detailed plans of their vaults and security systems on the
>> > internet? Is it because they are not really secure and rely on security
>> > by obscurity ?
>> >
>> It's a very nice way of avoiding a question :)
>> Many corporate companies use open source operating systems, does that
>> automatically mean they are giving the world access to their profits?
>
>Then, let's answer a question with a question: how likely is it that
>hackers/crackers/script-kiddies/etc. will launch an attack on a
>vulnerability they do not know about?
>
>....or, stated another way, if a system lacks common vulnerabilities, is
>it wise to publish the measures taken to eliminate them?
>
The answer from the security community is to publish them.
What it comes down to is whether you want to know where your measures fail so
you can fix them or whether you only want the hackers to know.
In the short term you gain from obscurity but in the long term the hacker gains
since he can exploit the vulnerability for longer so long as he doesn't
publicise it too much himself. Also unfortunately although obscurity + strong
security is good it all too often leads to obscurity + weak security ie people
writing the software relying on the obscurity.

David Webb
Security team leader
CCSS
Middlesex University


>--
>David J Dachtera
>dba DJE Systems
>http://www.djesys.com/
>
>Unofficial OpenVMS Marketing Home Page
>http://www.djesys.com/vms/market/
>
>Unofficial Affordable OpenVMS Home Page:
>http://www.djesys.com/vms/soho/
>
>Unofficial OpenVMS-IA32 Home Page:
>http://www.djesys.com/vms/ia32/
>
>Unofficial OpenVMS Hobbyist Support Page:
>http://www.djesys.com/vms/support/

------------------------------

Date: Wed, 5 Jul 2006 09:32:01 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: The possibility of vms opening up?
Message-ID: <e8g0uh$ir3$1@news.mdx.ac.uk>

In article <1152038567.124234.292000@l70g2000cwa.googlegroups.com>, "geletine" <adaviscg1@hotmail.com> writes:
>AEF wrote:
>> geletine wrote:
>> > > > David J. Dachtera wrote:
>> > > > snip...
>> > > > > Another large obstacle is security. Some sites currently
>> > > > using VMS would
>> > > > > be rather put off by the idea of having such things become "commonly
>> > > > > available".
 >> > > > >> >> > > > Are you indicating that vms is security by obscurity? >> > >N >> > > Sigh .. This argument always comes up by the somewhat less informed andO >> > > imho, you should also ask the question of the banks i.e. why do they not I >> > > provide detailed plans of their vaults and security systems on the N >> > > internet? Is it because they are not really secure and rely on security >> > > by obscurity ?  >> > >3 >> > Its a  very nice way of avoiding a question :) J >> > Many corporate companies use open source operating systems, does thatJ >> > automatically mean they are giving the world access to their profits? >>I >> Corporations have been hacked. Data has been stolen. Identity theft is E >> a growing problem. Not all such breaches are made public. I'm sure F >> some, if not many or even most, have been from systems running open >> source software.  > D >I don't know why you claim most of the insecurity is casued by openG >source software opposed to incorrect education. I highly recommend you + >read schneiers article about open software Q >Cryptography,http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity  > E >before you claim open source is to be blamed, and then read his book 0 >Secrets & Lies or any of his books if you like. > G >if open source is so weak , why is the U.S. 
government's Department of F >Homeland Security planning to spend $1.24 million over three years  ? > 4 >http://www.eweek.com/article2/0,1895,1909946,00.asp >  > J >> Security by obscurity alone is not great, but solid locks or vaults, orI >> solid software (including the OS), combined with not revealing all the 7 >> inner workings of said security measures, *is* good.  > ? >You admit Security by obscurity is not perfect alone, then you C >contradict yourself and say it is, to me your trying to defend vms   >reason for being closed source. >   N Although VMS is proprietary the source listings are available and although theD cost isn't as small as most would wish it isn't anything outrageous.8 As I recall a few years ago it was something like $2000.    

David Webb
Security team leader
CCSS
Middlesex University



>> The U.S. military keeps the true GPS error unavailable to the public.
>> The public can't use GPS to its best accuracy, and the military keeps
>> just what that best accuracy is a secret. This way our enemies can't
>> build something just good enough to "sneak under the radar". This keeps
>> them guessing and it makes it harder for them.
>
>Any government , military has better tools than its people, i am not
>denying that.
> It was interesting to say the least when Phil Zimmermann was the
>target of a three-year criminal investigation over pgp, at one time it
>was said to be the best the public could get to military grade
>encryption.
>
>> > > Or perhaps it is because banks just do not believe doing so would
>> > > enhance their overall security and their Customers trust them to provide
>> > > the highest level of security possible.
>> >
>> > I believe it comes down to politics.
>>
>> No, it comes down to common sense. What possible benefit would there be
>> of the banks' publishing the inner workings of their security systems?
>>
>> There's a world of difference between *depending* on obscurity for
>> security, and building very secure products that are not "open source".
>> While obscurity is not enough for good security, it still helps. In
>> fact, this is exactly what people who criticize VMS argue -- that it
>> only "appears" secure due to its low profile (obscurity).
>
>Its fair criticism by many to point out vms relatively unknown presence
>in the os world for being secure.
>
>> Are you next going to recommend that people post their true,
>> "unmunged", email addresses on this public forum? Should we all publish
>> our SYSTEM-account passwords on the Internet?
>
>Please don't mention something i did not even hint at, private data is
>not the same as a os, private personal information is nobody elses , an
>os surrounds this data as secure as it can, whether that be closed
>source or open source.  Most webservers use Apache HTTP Server, does
>that mean that personal information is freely available , nope, just
>the http server.
>
>thanks
>

------------------------------

Date: Wed, 5 Jul 2006 10:49:54 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: The possibility of vms opening up?
Message-ID: <e8g5gi$k4q$1@news.mdx.ac.uk>

In article <1152056548.224987.90830@a14g2000cwb.googlegroups.com>, "AEF" <spamsink2001@yahoo.com> writes:
>geletine wrote:
>> AEF wrote:
>> > geletine wrote:
>> > > > > David J. Dachtera wrote:
>> > > > > snip...
>> > > > > > Another large obstacle is security. Some sites currently
>> > > > > using VMS would
>> > > > > > be rather put off by the idea of having such things become "commonly
>> > > > > > available".
>> > > > > >
>> > > > > Are you indicating that vms is security by obscurity?
>> > > >
>> > > > Sigh .. This argument always comes up by the somewhat less informed and
>> > > > imho, you should also ask the question of the banks i.e. why do they not
>> > > > provide detailed plans of their vaults and security systems on the
>> > > > internet? Is it because they are not really secure and rely on security
>> > > > by obscurity ?
>> > > >
>> > > It's a very nice way of avoiding a question :)
>> > > Many corporate companies use open source operating systems, does that
>> > > automatically mean they are giving the world access to their profits?
>> >
>> > Corporations have been hacked. Data has been stolen. Identity theft is
>> > a growing problem. Not all such breaches are made public. I'm sure
>> > some, if not many or even most, have been from systems running open
>> > source software.
>>
>> I don't know why you claim most of the insecurity is caused by open
>> source software opposed to incorrect education. I highly recommend you
>
>I didn't say that. I said some, if not many or most. That is not the
>same as most.
>
>> read schneiers article about open software
>> Cryptography,http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity
>>
>> before you claim open source is to be blamed, and then read his book
>> Secrets & Lies or any of his books if you like.
>>
>> if open source is so weak , why is the U.S. government's Department of
>> Homeland Security planning to spend $1.24 million over three years  ?
>
>Maybe the same reason they had that wonderful color coded be-afraid
>scheme?
>
>>
>> http://www.eweek.com/article2/0,1895,1909946,00.asp
>>
>>
>> > Security by obscurity alone is not great, but solid locks or vaults, or
>> > solid software (including the OS), combined with not revealing all the
>> > inner workings of said security measures, *is* good.
>>
>> You admit Security by obscurity is not perfect alone, then you
>> contradict yourself and say it is, to me you're trying to defend vms
>> reason for being closed source.
>
>Thanks for re-writing what I've written into something completely
>different, and then claiming that *I* contradicted myself.
>
>> > The U.S. military keeps the true GPS error unavailable to the public.
>> > The public can't use GPS to its best accuracy, and the military keeps
>> > just what that best accuracy is a secret. This way our enemies can't
>> > build something just good enough to "sneak under the radar". This keeps
>> > them guessing and it makes it harder for them.
>>
>> Any government , military has better tools than its people, i am not
>> denying that.
>>  It was interesting to say the least when Phil Zimmermann was the
>> target of a three-year criminal investigation over pgp, at one time it
>> was said to be the best the public could get to military grade
>> encryption.
>
>And your point is...?
>
>>
>> > > > Or perhaps it is because banks just do not believe doing so would
>> > > > enhance their overall security and their Customers trust them to provide
>> > > > the highest level of security possible.
>> > >
>> > > I believe it comes down to politics.
>> >
>> > No, it comes down to common sense. What possible benefit would there be
>> > of the banks' publishing the inner workings of their security systems?
>> >
>> > There's a world of difference between *depending* on obscurity for
>> > security, and building very secure products that are not "open source".
>> > While obscurity is not enough for good security, it still helps. In
>> > fact, this is exactly what people who criticize VMS argue -- that it
>> > only "appears" secure due to its low profile (obscurity).
>>
>> Its fair criticism by many to point out vms relatively unknown presence
>> in the os world for being secure.
>
>I cannot understand this sentence due to its grammar. Allow me to try
>again: Consider DEF-CON. Some claim that VMS won only because it is
>obscure and hackers aren't familiar with it. So obscurity helps. No one
>broke in. So some can claim that's not a good test of VMS. Fine. But a
>good test of VMS would *still* find it to be secure.
>
>Hey, which is more likely to get hack attempts? A well-known Web site,
>or an obscure Web site. Assume each has the same security otherwise.
>Which is more likely to get broken into?
>
>>
>> > Are you next going to recommend that people post their true,
>> > "unmunged", email addresses on this public forum? Should we all publish
>> > our SYSTEM-account passwords on the Internet?
>>
>> Please don't mention something i did not even hint at, private data is
>> not the same as a os, private personal information is nobody elses , an
>> os surrounds this data as secure as it can, whether that be closed
>> source or open source.  Most webservers use Apache HTTP Server, does
>> that mean that personal information is freely available , nope, just
>> the http server.
>
>OK, so you're saying, or implying, that obscurity is good for data, but
>bad for OSes. OK.
>
In order for there to be any security you must always have something which is
hidden. For an OS having hidden passwords (or something similar ) is necessary
even though how the OS itself handles logins need not be hidden.

The classic example is cryptography. It is generally accepted that a
cryptographic algorithm should not be secret it should be open for people to
review. You want to know as quickly as possible when there are problems with
the algorithm. However the actual keys someone uses with a particular
cryptographic algorithm had better be kept secret.
(with public-private key algorithms only the private key needs to be kept
secret)

 David Webb Security team leader CCSS Middlesex University    	 >> thanks  >  >YW  >    ------------------------------   Date: 5 Jul 2006 03:57:21 -0700 ( From: "geletine" <adaviscg1@hotmail.com>/ Subject: Re: The possibility of vms opening up? C Message-ID: <1152097041.896473.286080@a14g2000cwb.googlegroups.com>    davidc@montagar.com wrote: > H > Note you get listings, not source code.  You get to see what they do -D > but it isn't likely people are going to creating their own OpenVMSH > flavors.  Besides, if you want, you can write your own drivers, SystemE > Services, Symbionts, ACP's, etc to customize it anyway, without the / > need to rebuild your own kernel from scratch.   + i think freevms is a vms clone of some type     >I > 2) Protected mode validation, not only read and write, but calling mode G > is checked (i.e. a user mode code is not allowed to alter kernel mode F > structures).  Calls in the kernel check the protection of the memoryC > against those of the caller, so not only is the memory checked to G > insure it is there and can be written, but can be written by the user 9 > anyway.  Essentially, you can corrupt yourself, but not  > someone/something else.   E On unix type systems, only privalaged users have access to the kernel A mode, A normal user can not just crash a system without rights... G I am not sure if you have heard of Filesystem in Userspace (fuse), This D allows non-privileged users to create their own file systems withoutD the need to write any kernel code by running the file system code inD user space,  Gmailfs is a famouse example which  google use in their free e-mail service...? This in my opinion is great step forward in separating users to , superusers, by having separate file systems.  E > 3) Deliniation of privileges.  Unix and other systems have a pretty G > much "root" or "not-root" division of privilege.  
> OpenVMS has lots of
> different privileges that can provide a fine-tuned approach to giving
> sensitive code access to things, without always giving the keys to
> everything, thus decreasing the potential for exploiting a
> vulnerability, if exists.
>

Have you not heard of group identifiers in unix type operating
systems? There is more than root and non-root, it's possible to have as
many as you wish.

------------------------------

Date: 5 Jul 2006 04:05:42 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152097542.747317.237250@b68g2000cwa.googlegroups.com>

AEF wrote:
>
> I cannot understand this sentence due to its grammar. Allow me to try
> again: Consider DEF-CON. Some claim that VMS won only because it is
> obscure and hackers aren't familiar with it. So obscurity helps. No one
> broke in. So some can claim that's not a good test of VMS. Fine. But a
> good test of VMS would *still* find it to be secure.
>
It was an unfair security test at DEF-CON, as nobody knew the system
inside out, as you do.

> Hey, which is more likely to get hack attempts? A well-known Web site,
> or an obscure Web site. Assume each has the same security otherwise.
> Which is more likely to get broken into?

you assume each has the same security, out of interest what made you
say that?

> OK, so you're saying, or implying, that obscurity is good for data, but
> bad for OSes. OK.
>
exactly, whereas you're saying obscurity is good for data and good for
Oses.

------------------------------

Date: 5 Jul 2006 04:18:14 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152098294.466135.58430@j8g2000cwa.googlegroups.com>

David J. Dachtera wrote:
> >
> In order for there to be any security you must always have something which is
> hidden. For an OS having hidden passwords (or something similar) is necessary
> even though how the OS itself handles logins need not be hidden.
>
That's right, unix tends to use shadowed passwords, which cannot be seen
with any text editor.

> The classic example is cryptography. It is generally accepted that a
> cryptographic algorithm should not be secret it should be open for people to
> review. You want to know as quickly as possible when there are problems with
> the algorithm.
> However the actual keys someone uses with a particular
> cryptographic algorithm had better be kept secret.
> (with public-private key algorithms only the private key needs to be kept
> secret)

This is along the same lines i am trying to get across by suggesting
the possibility and benefits to opening up vms. I am glad somebody sees
the same vision or idea as i do.
>
> David Webb
> Security team leader
> CCSS
> Middlesex University

University is a great example of open source, the original unix gained
its reputation through the famous bsd unix, which is still maintained
in its different flavours.
Opposed to vms, which i am not denying is secure, but took the "keep
it secret" rake in the cash approach.
Science has been open since Benjamin Franklin contributed his
inventions including the Franklin stove, bifocals and the lightning rod
to the public domain.

------------------------------

Date: Wed, 5 Jul 2006 11:00:28 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: The possibility of vms opening up?
Message-ID: <e8g64c$k4q$2@news.mdx.ac.uk>

In article <1152059585.407964.16860@l70g2000cwa.googlegroups.com>, "AEF" <spamsink2001@yahoo.com> writes:
>
>geletine wrote:
>> AEF wrote:
>> > geletine wrote:
>> > > > > David J. Dachtera wrote:
>> > > > > snip...
>> > > > > > Another large obstacle is security. Some sites currently
>> > > > > using VMS would
>> > > > > > be rather put off by the idea of having such things become "commonly
>> > > > > > available".
>> > > > > >
>> > > > > Are you indicating that vms is security by obscurity?
>> > > >
>> > > > Sigh .. This argument always comes up by the somewhat less informed and
>> > > > imho, you should also ask the question of the banks i.e. why do they not
>> > > > provide detailed plans of their vaults and security systems on the
>> > > > internet? Is it because they are not really secure and rely on security
>> > > > by obscurity ?
>> > > >
>> > > It's a  very nice way of avoiding a question :)
>> > > Many corporate companies use open source operating systems, does that
>> > > automatically mean they are giving the world access to their profits?
>> >
>> > Corporations have been hacked. Data has been stolen. Identity theft is
>> > a growing problem. Not all such breaches are made public. I'm sure
>> > some, if not many or even most, have been from systems running open
>> > source software.
>>
>> I don't know why you claim most of the insecurity is caused by open
>> source software opposed to incorrect education. I highly recommend you
>> read schneiers article about open software
>> Cryptography,http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity
>
>OK, I did a quick read of this. ... Interesting. It appears that
>"obscurity" is a double-edged sword, so to speak. One must be careful
>what one is implying is "obscure". Is the Web site obscure? Is the OS
>the Web site is running on obscure?
>
>The article offers Microsoft as an example of being a closed source
>with bad security. But at least he admits that it's not totally fair to
>use it as an example because Microsoft is bad regardless of open vs.
>close.
>I still remember when my DellNet dialup became DellNet by MSN
>and how it instantly went from pretty-damn-good to really, really
>awful.
>
>What he doesn't comment on is the Macintosh OS.
>
>HP OpenVMS Engineering asks that if someone discovers a security flaw
>in VMS that they contact them privately and not publish it for the
>whole world to see. Isn't that better, at least in this case, than
>publishing the flaw for all to see?
>
>>

I think most people would agree that this is the best action. The problem comes
when the security flaw is reported and the vendor then does nothing.
Generally then after trying repeatedly to get a response from the vendor and
giving the vendor a reasonable amount of time people have published the
vulnerability in order to try and get the vendor to take action or to at least
allow the people in charge of vulnerable systems to decide whether they can
apply a work-around or even shut down the service with the vulnerability.
Unfortunately there is sometimes a difference of opinion on how long is a
reasonable period for the vendor to respond.

 David Webb Security team leader CCSS Middlesex University    G >> before you claim open source is to be blamed, and then read his book 2 >> Secrets & Lies or any of his books if you like. >>I >> if open source is so weak , why is the U.S. government's Department of H >> Homeland Security planning to spend $1.24 million over three years  ? >>6 >> http://www.eweek.com/article2/0,1895,1909946,00.asp >> >>L >> > Security by obscurity alone is not great, but solid locks or vaults, orK >> > solid software (including the OS), combined with not revealing all the 9 >> > inner workings of said security measures, *is* good.  >>A >> You admit Security by obscurity is not perfect alone, then you E >> contradict yourself and say it is, to me your trying to defend vms " >> reason for being closed source. >>J >> > The U.S. military keeps the true GPS error unavailable to the public.J >> > The public can't use GPS to its best accuarcy, and the military keepsI >> > just what that best accuracy is a secret. This way our enemies can't L >> > build something just good enough to "sneak under the radar". This keeps3 >> > them guessing and it makes it harder for them.  >>F >> Any goverment , military has better tools than its people, i am not >> denying that.D >>  It was interesting to say the least when Phil Zimmermann was theI >> target of a three-year criminal investigation over pgp, at one time it A >> was said to be the best the public could get to military grade  >> encryption. >>J >> > > > Or perhaps it is because banks just do not believe doing so wouldQ >> > > > enhance their overall security and their Customers trust them to provide 0 >> > > > the highest level of security possible. >> > >+ >> > > I believe it comes down to politics.  >> >L >> > No, it comes down to common sense. 
>> > What possible benefit would there be
>> > of the banks' publishing the inner workings of their security systems?
>> >
>> > There's a world of difference between *depending* on obscurity for
>> > security, and building very secure products that are not "open source".
>> > While obscurity is not enough for good security, it still helps. In
>> > fact, this is exactly what people who criticize VMS argue -- that it
>> > only "appears" secure due to its low profile (obscurity).
>>
>> It's fair criticism by many to point out vms relatively unknown presence
>> in the os world for being secure.
>>
>> > Are you next going to recommend that people post their true,
>> > "unmunged", email addresses on this public forum? Should we all publish
>> > our SYSTEM-account passwords on the Internet?
>>
>> Please don't mention something i did not even hint at, private data is
>> not the same as an os, private personal information is nobody else's, an
>> os surrounds this data as secure as it can, whether that be closed
>> source or open source.  Most webservers use Apache HTTP Server, does
>> that mean that personal information is freely available, nope, just
>> the http server.
>>

>> thanks
>

------------------------------

Date: 5 Jul 2006 04:23:31 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152098611.216691.83620@l70g2000cwa.googlegroups.com>

david20@alpha2.mdx.ac.uk wrote:
>
> I think most people would agree that this is the best action.
> The problem comes
> when the security flaw is reported and the vendor then does nothing.
> Generally then after trying repeatedly to get a response from the vendor and
> giving the vendor a reasonable amount of time people have published the
> vulnerability in order to try and get the vendor to take action or to at least
> allow the people in charge of vulnerable systems to decide whether they can
> apply a work-around or even shut down the service with the vulnerability.
> Unfortunately there is sometimes a difference of opinion on how long is a
> reasonable period for the vendor to respond.
>

I agree, the whole nature of open source is to show that beyond the
vendor anybody can submit a patch to fix a vulnerability which the
vendor perhaps did not see or has not had time to fix it, whereby
catching the problems a lot quicker or perhaps even the vendor would
never know...

------------------------------

Date: 5 Jul 2006 04:51:46 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152100306.591781.222700@j8g2000cwa.googlegroups.com>

david20@alpha2.mdx.ac.uk wrote:
> The answer from the security community is to publish them.
> What it comes down to is whether you want to know where your measures fail so
> you can fix them or whether you only want the hackers to know.
> In the short term you gain from obscurity but in the long term the hacker gains
> since he can exploit the vulnerability for longer so long as he doesn't
> publicise it too much himself. Also unfortunately although obscurity + strong
> security is good it all too often leads to obscurity + weak security ie people
> writing the software relying on the obscurity.
>

Some more wise and intelligent words well written....

------------------------------

Date: 5 Jul 2006 04:48:10 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152100090.638589.133370@75g2000cwc.googlegroups.com>

Main, Kerry wrote:

> Having stated this, my concerns on security with open source are
> primarily:
>
> 1. The notion of open systems security is based on having very
> knowledgeable resources on the Internet that not only understand
> security, but also security from the point of view of clustering,
> threading, kernel mechanisms and increasingly complex application
> environments.
>
open source clustering information can be found at least at the
following web pages
http://www.linux-ha.org/
http://www.beowulf.org/
http://openmosix.sourceforge.net/

> However, while a very small number of these knowledgeable resources are
> dedicated resources, most of the open source advocates have day jobs and
> they do open source reviews when they get a chance.
> Over time, since
> this majority are not being paid for these code reviews, they may lose
> interest in constantly reviewing the hundreds of open source modules
> being updated every day.
>
Since Novell have entered the linux market, a lot of their employers get
paid to work on open source solutions. Let's not forget red hat and
osdl.
theo who maintains openbsd as a full time job and as anybody knows
there is probably nobody in this planet who is passionate as security
as him.

> 2. If a security patch does get released, at the local level, who
> ensures the patch does not break clustering, forward-backward
> compatibility or other specific configs like an older version of the OS
> ? The responsibility for testing and ensuring OS compatibility with all
> of the other OS and layered product patches falls on the shoulder of the
> local IT person. For some shops with very knowledgeable technical staff,
> that may be acceptable.
>
If you look at the linux kernel for instance, all fixes are released in
patches and support the older kernels for backward compatibility.
Freebsd is another example, where two versions are maintained, the
older 5.x and the newer 6x.

> Unfortunately, most large shops will understandably not introduce any OS
> security patches without some degree of application testing first. This
> means a great deal of additional effort is required to do all of the
> monthly QA compatibility testing of applications.
> With Linux (and
> Windows) releasing 7-20 *security* (not bug fixes) patches per month,
> this QA testing impact is huge in terms of people, equipment, putting
> new app testing on hold while OS security compatibility testing is
> completed.
>
This is why to give two examples novell and red hat exist, to make
maintaining a linux system easy, with full support when needed.

> The same testing effort applies to OpenVMS, but the very high rate at
> which these monthly security patches occur on Linux (and Windows)
> platforms makes this issue much larger. See RH security web site:
> https://www.redhat.com/archives/enterprise-watch-list/ (click on thread
> for each month and add them up)

No system is inherently secure without fixes, unless you restrict what
services are to be run, which in turn would make the system
featureless.
ie any system not on the internet is secure, as from external attacks,
but that user does not have e-mail, usenet, a web server, ssh, irc,
etc...
One has to take risk otherwise the internet would never exist in the
first place beyond say DARPA.

> 3. Most large companies are moving big time away from having their IT
> staff twiddle in the OS weeds with custom OS level patching. In their
> mgmts view, that is why they pay vendors for support contracts. The IT
> Staffing costs typically dwarf any support contracts (usually 50-60% of
> IT budget), so the cost of support contracts is not as big as some
> promoters of open source would like everyone to believe. These large
> Cust Managers would rather have their senior IT folks looking at ways to
> better integrate their applications and or otherwise provide added value
> to the business.
>
I never said open source cannot live without vendors support contracts.
Of course a business does want what's best for his business.
openF source or closed source, having said that, some closed source licencesA are so astronomically high, buisness have no choice but to choose B cheaper options and open source quite often is chosen in favour of closed source.   ------------------------------  # Date: Wed, 05 Jul 2006 12:02:54 GMT 5 From: rdeininger@mindspringdot.com (Robert Deininger) / Subject: Re: The possibility of vms opening up? [ Message-ID: <rdeininger-0507060802510001@dialup-4.233.173.230.dial1.manchester1.level3.net>   C In article <1152050561.818444.276300@a14g2000cwb.googlegroups.com>, ) "geletine" <adaviscg1@hotmail.com> wrote:    >David J. Dachtera wrote:   J >> ...or, stated another way, if a system lacks common vulnerabilities, is; >> it wise to publish the measures taken to eliminate them?  >>H >from a closed source point of view no, where as open source software isD >known to tell its users and developers whenever a vulnerabilitie is >found.   D You have no way of knowing that all vulnerabilities in "open source"A software are reported when found.  A malicious person who finds a 9 vulnerability may well keep it to himself and exploit it.   E One way to exploit it is to create a nasty virus and release it.  Are J vulnerabilities often "discovered" by the community this way?  (I'm not anC open-source user, so I have no experience to judge the likelihood.)   C Another way to exploit a vulnerability is to use it to compromise a I select, high-value target system.   Would such an event be noticed by the I system's owner?  Would it be reported to the larger community so everyone  could patch the hole?   J VMS is NOT "closed source", since the source is widely available.  It justG isn't free of cost.  Making the source available free of cost would not I necessarily improve security.  Yes, it would be easier for helpful people H to find and report vulnerabilities, but they would have little incentiveD to do so.  
It would also make it easier for malicious people to find
vulnerabilities and quietly exploit them for gain, and they would have
much incentive to do so.

A large proportion of systems running VMS are high-value targets.  VMS is
one layer in the security of those systems, and reducing VMS security even
a little, with no clear benefit, would be frowned upon.

------------------------------

Date: 5 Jul 2006 05:18:59 -0700
From: "AEF" <spamsink2001@yahoo.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152101939.099948.283640@75g2000cwc.googlegroups.com>

Paul Sture wrote:
> AEF wrote:
> > geletine wrote:
>
> <snip>
>
> >> I don't know why you claim most of the insecurity is caused by open
> >> source software opposed to incorrect education. I highly recommend you
> >> read schneiers article about open software
> >> Cryptography,http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity
> >
> > OK, I did a quick read of this. ... Interesting. It appears that
> > "obscurity" is a double-edged sword, so to speak. One must be careful
> > what one is implying is "obscure". Is the Web site obscure? Is the OS
> > the Web site is running on obscure?
> >
> > The article offers Microsoft as an example of being a closed source
> > with bad security. But at least he admits that it's not totally fair to
> > use it as an example because Microsoft is bad regardless of open vs.
> > close. I still remember when my DellNet dialup became DellNet by MSN
> > and how it instantly went from pretty-damn-good to really, really
> > awful.
> >
> > What he doesn't comment on is the Macintosh OS.
> >
>
> Please note that the above article carries the date "September 15, 1999".
>
> I don't think that OS X was around then.

I said OS, not OS-X.

------------------------------

Date: Thu, 06 Jul 2006 00:05:04 +1200
From: Tux Wonder-Dog <wes.parish@paradise.net.nz>
Subject: Re: The possibility of vms opening up?
Message-ID: <44abab96@clear.net.nz>

David J. Dachtera wrote:

> geletine wrote:
>>
>> hello,
>>  this is my second post to this forum..
>> From an academic perspective, i think vms would greatly benefit from
>> the source being available, from being the obscure os that it is to
>> perhaps a wider audience ?
>>
>> Is there a worrying factor that when the source becomes available,
>> security vulnerabilities will come out the closet, or the code is not so
>> well documented for anyone but the core vms developers, will
>> understand.
>>
>> I apologise if this has been asked before.
>>
>> thanks..
>
> One great obstacle to open-sourcing VMS is software that was licensed
> from other parties where obtaining release rights/permission now would
> be prohibitive in terms of effort and cost.

That is something I've put some thought into.  Something like VMS tends to
attract a large community around it, of hobbyists etc., who use it on their
own private machines if at all possible.  And likewise, the engineers who
developed it are often fond of it and keep using it as long as they can.

That's two elements of a community big enough to untangle such a problem.

Then you see the effects of a community dedicated enough in the likes of
Groklaw.net.
I doubt that opening the source of VMS under some suitable
license such as the MPL, would be a problem too difficult for people on the
newsgroup and HP, working together, to solve.

Of course, I suggested in the past that HP do this sort of procedure on a
source tree too old to be commercially valuable - say three or four major
releases into the past, so it won't compete with current releases, current
policies, and suchlike.

And third-party licensed code would simply be done without if permission
wasn't granted.  Filling in those gaps would be well within the average
competence of the members of the newsgroup.

Just my 0.02c, heavily inflated, of course! ;)

Wesley Parish
>
> Another large obstacle is security. Some sites currently using VMS would
> be rather put off by the idea of having such things become "commonly
> available".

That's where my idea of using an earlier source tree might help.  If current
practices aren't exposed, but only previous ones, it might help reduce the
blood pressure.

What do you think?
>

--
"Good, late in to more rewarding well."  "Well, you tonight.  And I was
lookintelligent woman of Ming home.  I trust you with a tender silence."  I
get a word into my hands, a different and unbelike, probably - 'she
fortunate fat woman', wrong word.  I think to me, I justupid.
Let not emacs meta-X dissociate-press write your romantic dialogs...!!!

------------------------------

Date: 5 Jul 2006 05:23:53 -0700
From: "AEF" <spamsink2001@yahoo.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152102233.524057.62890@a14g2000cwb.googlegroups.com>

geletine wrote:
> AEF wrote:
> >
> > I cannot understand this sentence due to its grammar. Allow me to try
> > again: Consider DEF-CON. Some claim that VMS won only because it is
> > obscure and hackers aren't familiar with it. So obscurity helps. No one
> > broke in. So some can claim that's not a good test of VMS. Fine. But a
> > good test of VMS would *still* find it to be secure.
> >
> It was an unfair security test at DEF-CON, as nobody knew the system
> inside out, as you do.

I said some people claim that and I said that that was fine.

>
>
> > Hey, which is more likely to get hack attempts? A well-known Web site,
> > or an obscure Web site. Assume each has the same security otherwise.
> > Which is more likely to get broken into?
>
> you assume each has the same security, out of interest what made you
> say that?

I am setting up a hypothetical situation here to make a point. That's
what "assume" means.

>
>
> > OK, so you're saying, or implying, that obscurity is good for data, but
> > bad for OSes.
> > OK.
> >
> exactly, whereas you're saying obscurity is good for data and good for
> Oses.

Well, I'm open on this (no pun intended!). Windows and VMS and Mac OS
are somewhat closed source, but the security on VMS is great and on
Windows is lousy and I assume on Mac is great. I am less familiar with
open source stuff, so I'll keep reading and make up my mind later.

But I still think that a bank shouldn't publish the inner workings of
its security systems.

Thanks for your input on this thread.

AEF

------------------------------

Date: Wed, 05 Jul 2006 12:26:26 GMT
From: rdeininger@mindspringdot.com (Robert Deininger)
Subject: Re: The possibility of vms opening up?
Message-ID: <rdeininger-0507060826230001@dialup-4.233.173.230.dial1.manchester1.level3.net>

In article <1152098294.466135.58430@j8g2000cwa.googlegroups.com>,
"geletine" <adaviscg1@hotmail.com> wrote:

>David J. Dachtera wrote:
>> >
>> In order for there to be any security you must always have something which is
>> hidden. For an OS having hidden passwords (or something similar) is necessary
>> even though how the OS itself handles logins need not be hidden.
>>
>That's right, unix tends to use shadowed passwords, which cannot be seen
>with any text editor.
>
>> The classic example is cryptography. It is generally accepted that a
>> cryptographic algorithm should not be secret it should be open for people to
>> review. You want to know as quickly as possible when there are problems with
>> the algorithm. However the actual keys someone uses with a particular
>> cryptographic algorithm had better be kept secret.
>> (with public-private key algorithms only the private key needs to be kept
>> secret)
>
>This is along the same lines i am trying to get across by suggesting
>the possibility and benefits to opening up vms. I am glad somebody sees
>the same vision or idea as i do.

You're doing an awful job of making your case.  You seem to know little
about VMS, and you've set up bogus straw men and used them as criticisms
of the way VMS is done now.

You keep mentioning "opening up" VMS, but you haven't specified what this
would entail in any detail. Are you suggesting:
1. Making the VMS source available?  In what form?
2. Altering the license terms so that VMS can be copied, built and used by
anyone who wants it, at no cost?
3. In addition to 2, also providing a build environment so that anyone who
feels like it can build a custom VMS with little effort?  Do you want this
at no cost as well?
4. ... Feel free to add items as necessary to explain your vision of how
VMS should be done....

Can you provide a single concrete example of how your suggestion (whatever
it is) might improve the security of VMS?  Your banalities so far have
contained little substance.

You might want to browse through the VMS Guide to System Security to get a
starting point.

>University is a great example of open source, the original unix gained
>its reputation through the famous bsd unix, which is still maintained
>in its different flavours.
>Opposed to vms, which i am not denying is secure, but took the "keep
>it secret" rake in the cash approach.

As several folks have pointed out VMS isn't "secret" and hasn't been
secret for most of its existence.
Your credibility will diminish further
each time you repeat this myth.

------------------------------

Date: 5 Jul 2006 07:20:51 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: Re: The possibility of vms opening up?
Message-ID: <frK$zf6f8Epl@eisner.encompasserve.org>

In article <e8g1uu$j72$1@news.mdx.ac.uk>, david20@alpha2.mdx.ac.uk writes:
> In article <44AACF38.73C1E274@spam.comcast.net>, "David J. Dachtera" <djesys.no@spam.comcast.net> writes:

>>Then, let's answer a question with a question: how likely is it that
>>hackers/crackers/script-kiddies/etc. will launch an attack on a
>>vulnerability they do not know about?
>>
>>....or, stated another way, if a system lacks common vulnerabilities, is
>>it wise to publish the measures taken to eliminate them?
>>
> The answer from the security community is to publish them.
> What it comes down to is whether you want to know where your measures fail so
> you can fix them or whether you only want the hackers to know.

That logic depends on the presumption that the weakness will be first
discovered by a bad guy.  From the few examples with which I am familiar,
that is typically not the case.

There are people who have given up posting to this newsgroup who do take
such things quite seriously and report vulnerabilities to the VMS team.
They just don't get to do it very often.

------------------------------

Date: 5 Jul 2006 07:41:54 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: Re: The possibility of vms opening up?
Message-ID: <sUvoG+R+Pz5s@eisner.encompasserve.org>

In article <1152097041.896473.286080@a14g2000cwb.googlegroups.com>, "geletine" <adaviscg1@hotmail.com> writes:
> davidc@montagar.com wrote:

>> 3) Delineation of privileges.  Unix and other systems have a pretty
>> much "root" or "not-root" division of privilege.
>> OpenVMS has lots of
>> different privileges that can provide a fine-tuned approach to giving
>> sensitive code access to things, without always giving the keys to
>> everything, thus decreasing the potential for exploiting a
>> vulnerability, if exists.
>>
>
> Have you not heard of group identifiers in unix type operating
> systems? There is more than root and non-root, it's possible to have as
> many as you wish.

If you think someone as experienced as David Cathey has not ever
heard of Unix group identifiers, then you are woefully unequipped
to discuss such things with him.  In fact, they are quite similar
to VMS General Identifiers (and quite dissimilar from VMS UIC groups).

But what uses are there for Unix group identifiers other than
discretionary access control over security Objects (files, ports,
devices, database records, etc.) ?

Which of the Unix group identifiers control built-in operating
system _operations_ such as changing to an inner mode, allowing
one to create a new receiving network socket, crash the system,
create a process under another identity, map address space to
particular physical IO space, create in-machine communication
ports that will persist beyond the termination of the process,
access _any_ unaccessed object on the system, access _any_
unaccessed object on the system but only for read, access
nominally unshareable devices even though they are currently
accessed by another process, alter process priority above the
nominal process quota, make network connections, control the
auditing system, exceed disk quota ?

And across which unix type operating systems are those group
identifiers uniformly honored ?

------------------------------

Date: Wed, 5 Jul 2006 09:19:25 -0400
From: "Main, Kerry" <Kerry.Main@hp.com>
Subject: RE: The possibility of vms opening up?
Message-ID: <FA60F2C4B72A584DBFC6091F6A2B8684016B00C8@tayexc19.americas.cpqcorp.net>

> -----Original Message-----
> From: geletine [mailto:adaviscg1@hotmail.com]
> Sent: July 5, 2006 7:48 AM
> To: Info-VAX@Mvb.Saic.Com
> Subject: Re: The possibility of vms opening up?
>
> Main, Kerry wrote:
>
> > Having stated this, my concerns on security with open source are
> > primarily:
> >
> > 1. The notion of open systems security is based on having very
> > knowledgeable resources on the Internet that not only understand
> > security, but also security from the point of view of clustering,
> > threading, kernel mechanisms and increasingly complex application
> > environments.
> >
> open source clustering information can be found at least at the
> following web pages
> http://www.linux-ha.org/
> http://www.beowulf.org/
> http://openmosix.sourceforge.net/
>
>
>
> > However, while a very small number of these knowledgeable resources are
> > dedicated resources, most of the open source advocates have day jobs and
> > they do open source reviews when they get a chance. Over time, since
> > this majority are not being paid for these code reviews, they may lose
> > interest in constantly reviewing the hundreds of open source modules
> > being updated every day.
> >
> Since Novell have entered the linux market, a lot of their employers get
> paid to work on open source solutions. Let's not forget red hat and
> osdl.
> theo who maintains openbsd as a full time job and as anybody knows
> there is probably nobody in this planet who is passionate as security
> as him.
>

Do the folks at Novell and RH review source code for drivers, modules,
network code the many other companies and-or individuals that submit
code?

As I stated in my earlier response, there are some very knowledgeable
resources out here working on open source code. However, they are only
human and hence will only focus on the code that most directly impacts
them.

> > 2.
> > If a security patch does get released, at the local level, who
> > ensures the patch does not break clustering, forward-backward
> > compatibility or other specific configs like an older version of the OS
> > ? The responsibility for testing and ensuring OS compatibility with all
> > of the other OS and layered product patches falls on the shoulder of the
> > local IT person. For some shops with very knowledgeable technical staff,
> > that may be acceptable.
> >
> If you look at the linux kernel for instance, all fixes are
> released in
> patches and support the older kernels for backward compatibility.
> Freebsd is another example , where two versions are maintained , the
> older 5.x and the newer 6x.
>

And what about older versions - as I am sure you know, many Customers do
not keep up with the current and -1 versions that vendors like to
promote Customers keep current with. In production environments, they
can not upgrade on the vendors schedule, but rather their own as their
business dictates. As an example, how does a Customer get support on
FreeBSD V3.x?

>
> > Unfortunately, most large shops will understandably not introduce any OS
> > security patches without some degree of application testing
> > first. This
> > means a great deal of additional effort is required to do all of the
> > monthly QA compatibility testing of applications. With Linux (and
> > Windows) releasing 7-20 *security* (not bug fixes) patches per month,
> > this QA testing impact is huge in terms of people, equipment, putting
> > new app testing on hold while OS security compatibility testing is
> > completed.
> >
> This is why to give two examples novell and red hat exist, to make
> maintaining a linux system easy, with full support when needed.
>

At 7-20 *security* Linux patches per month, per system, what process
would you recommend Customers use to do all of their QA application
testing for all of these monthly security patches?

Keep in mind that security patches will get moved into production until
verified with their applications. This is especially true when they have
loads of custom code to maintain e.g. what open source typically means
at the local site.

> > The same testing effort applies to OpenVMS, but the very high rate at
> > which these monthly security patches occur on Linux (and Windows)
> > platforms makes this issue much larger. See RH security web site:
> > https://www.redhat.com/archives/enterprise-watch-list/ (click on thread
> > for each month and add them up)
>
> No system is inherently secure without fixes, unless you restrict what
> services are to be run, which in turn would make the system
> featureless.
> ie any system not on the internet is secure , as from external attacks,
> but that user does not have e-mail, usenet, a web server , ssh, irc
> ,,etc...
> One has to take risk otherwise the internet would never exist in the
> first place beyond say DARPA .
>

You missed the point I was making. I was not saying some systems do not
need occasional security patches. OpenVMS occasionally has these
security patches as well.

The point is the rate at which these security patches appear is a direct
influence on the impact of the Customers QA monthly testing cycles. This
is a huge, huge cost that is typically not well understood. Most IT
shops take a lot of heat from the business for being behind in releasing
new application functionality - the outstanding change requests is
usually extremely high in many large IT environments.

When security patches get released, most Cust's want to get these in as
quick as possible, hence new app functionality and changes testing
requested by the business gets moved to the back burner while this
security patch testing is done.

Now, what do you think the impact is in terms of reducing the
outstanding change requests by the business when the platform chosen has
7-20 *security* patches released per month?

And by the way, the business usually has zero sympathy for why IT is
behind in reducing their change requests queue.

>
> > 3. Most large companies are moving big time away from having their IT
> > staff twiddle in the OS weeds with custom OS level patching. In their
> > mgmts view, that is why they pay vendors for support contracts. The IT
> > Staffing costs typically dwarf any support contracts (usually 50-60% of
> > IT budget), so the cost of support contracts is not as big as some
> > promoters of open source would like everyone to believe.
> > These large
> > Cust Managers would rather have their senior IT folks looking at ways to
> > better integrate their applications and or otherwise provide added value
> > to the business.
> >
> I never said open source cannot live without vendors support contracts.
> Of course a business does wants whats best for his business . open
> source or closed source, having said that, some closed source licences
> are so astronomically high, business have no choice but to choose
> cheaper options and open source quite often is chosen in favour of
> closed source.
>

There is a certain Cust profile which leads itself to open source
adoption. Imho, it is a Cust environment whereby they have a high amount
of very technical OS expertise on staff who do not mind and perhaps even
enjoy coding and tweaking OS level code.

For this type of Cust profile, if that is the model their Mgmt wants to
adopt, then that is certainly fine. It is working for them and that is
great.

There are other Cust profiles which are of the opinion that IT Staff
reflects 50-60% of their IT budget and they want to reduce this as much
as possible. That is why consolidation is such a hot topic today. The
biggest savings is typically in terms of head count reductions, so this
Cust profile wants their IT folks working as close to the business and
enhancing application integration as possible - not tweaking, patching,
maintaining and testing OS level code.

Regards

 Kerry Main Senior Consultant  HP Services Canada Voice: 613-592-4660  Fax: 613-591-4477  kerryDOTmainAThpDOTcom (remove the DOT's and AT)=20  4 OpenVMS - the secure, multi-site OS that just works.   ------------------------------   Date: 5 Jul 2006 08:17:21 -0500 ; From: koehler@eisner.nospam.encompasserve.org (Bob Koehler) / Subject: Re: The possibility of vms opening up? 3 Message-ID: <Mhb251J1WQBR@eisner.encompasserve.org>   k In article <44a7d4a3$0$67257$157c6196@dreader2.cybercity.dk>, Karsten Nyblad <nospam@nospam.nospam> writes:   H > Actually you can buy a source license for VMS, but it is so expensive 1 > that people only buy it if they really need it.   H    The last time I priced source listings, both VMS and HP-UX were aboutG    $2K.  That's expensive compared to downloading the source for Linux, C    but not too much for a commercial shop that actually needs them.    ------------------------------   Date: 5 Jul 2006 08:22:02 -0500 - From: Kilgallen@SpamCop.net (Larry Kilgallen) / Subject: Re: The possibility of vms opening up? 3 Message-ID: <sLCuU6z3GhPu@eisner.encompasserve.org>   m In article <1152100090.638589.133370@75g2000cwc.googlegroups.com>, "geletine" <adaviscg1@hotmail.com> writes:  > Main, Kerry wrote:  D >> 2. If a security patch does get released, at the local level, who@ >> ensures the patch does not break clustering, forward-backwardJ >> compatibility or other specific configs like an older version of the OSJ >> ? The responsibility for testing and ensuring OS compatibility with allK >> of the other OS and layered product patches falls on the shoulder of the K >> local IT person. 
>> For some shops with very knowledgeable technical staff,
>> that may be acceptable.
>>
> If you look at the linux kernel for instance, all fixes are released in
> patches and support the older kernels for backward compatibility.

The issue is not the _intentions_ regarding compatibility.

The question was "who ensures the patch does not break...".  The
average single contributor does not have the resources to test a
patch in all environments, particularly on large SMP machines with
particular hardware devices.  In some cases we are talking machines
that cost in excess of a million dollars.

------------------------------

Date: 5 Jul 2006 08:24:18 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: Re: The possibility of vms opening up?
Message-ID: <ahQfmOAVRFu5@eisner.encompasserve.org>

In article <rdeininger-0507060802510001@dialup-4.233.173.230.dial1.manchester1.level3.net>, rdeininger@mindspringdot.com (Robert Deininger) writes:

> VMS is NOT "closed source", since the source is widely available.  It just
> isn't free of cost.
> Making the source available free of cost would not
> necessarily improve security.

People value things they pay for more than those that are free.

Also, VMS development has a gauge of how many people are interested
in the source code - something that would be unknown if they gave it
away.

------------------------------

Date: 5 Jul 2006 14:05:25 GMT
From: bill@triangle.cs.uofs.edu (Bill Gunshannon)
Subject: Re: The possibility of vms opening up?
Message-ID: <4h1v95F1o4n29U1@individual.net>

In article <Mhb251J1WQBR@eisner.encompasserve.org>,
	koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
> In article <44a7d4a3$0$67257$157c6196@dreader2.cybercity.dk>, Karsten Nyblad <nospam@nospam.nospam> writes:
>
>> Actually you can buy a source license for VMS, but it is so expensive
>> that people only buy it if they really need it.
>
>    The last time I priced source listings, both VMS and HP-UX were about
>    $2K.  That's expensive compared to downloading the source for Linux,
>    but not too much for a commercial shop that actually needs them.

Correct me if I'm wrong, but I think one other difference is that with
VMS you are not getting "source listings" in the same sense as Linux or
BSD.  You can't take what you get from HP and actually build VMS from it.
In fact, I seem to remember someone (the last time this subject came up,
sigh....) stating that all of the source is not contained in those
listings.

bill

-- 
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
bill@cs.scranton.edu     |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include <std.disclaimer.h>

------------------------------

Date: 5 Jul 2006 07:47:59 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152110879.433206.256100@v61g2000cwv.googlegroups.com>

Larry Kilgallen wrote:
>
> But what uses are there for Unix group identifiers other than
> discretionary access control over security Objects (files, ports,
> devices, database records, etc.) ?

mandatory access control , this feature involves denying users full
control over the access to resources that they create. This model is
implemented in SELinux and some others.
http://www.nsa.gov/selinux/

>
> Which of the Unix group identifiers control built-in operating
> system _operations_ such as changing to an inner mode, allowing
> one to create a new receiving network socket, crash the system,
> create a process under another identity, map address space to
> particular physical IO space, create in-machine communication
> ports that will persist beyond the termination of the process,
> access _any_ unaccessed object on the system, access _any_
> unaccessed object on the system but only for read, access
> nominally unshareable devices even though they are currently
> accessed by another process, alter process priority above the
> nominal process quota, make network connections, control the
> auditing system, exceed disk quota ?

Similar to my last answer , but i provide a different link
http://www.grsecurity.net/

>
> And across which unix type operating systems are those group
> identifiers uniformly honored ?
its work on any linux and bsd project.

------------------------------

Date: 5 Jul 2006 08:23:12 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152112992.485609.185760@p79g2000cwp.googlegroups.com>

Main, Kerry wrote:
> Do the folks at Novell and RH review source code for drivers, modules,
> network code the many other companies and-or individuals that submit
> code?
>
I do not work for either companies, it would be unfair for me to
comment, it is well known that red hat do patch the kernel , meaning
that everything has to be checked to make sure the os runs smoothly, if
you really want a true answer, i would e-mail them.

> As I stated in my earlier response, there are some very knowledgeable
> resources out here working on open source code. However, they are only
> human and hence will only focus on the code that most directly impacts
> them.
surely this must go for any large scale os? nobody can check through
100000000s of lines of code, even if they never slept.
>
>
> > > 2. If a security patch does get released, at the local level, who
> > > ensures the patch does not break clustering, forward-backward
> > > compatibility or other specific configs like an older version of the OS
The job of a tester determines if the security patch does not break
something in the working system. Backward compatibility is area in open
source that is taken serious.
Take the linux kernel as an example that i have already mentioned.
http://www.kernel.org/
The 2.4.x tree is still being maintained, and patches are applied where
necessary.

> > > ? The responsibility for testing and ensuring OS compatibility with all
> > > of the other OS and layered product patches falls on the shoulder of the
> > > local IT person. For some shops with very knowledgeable technical staff,
> > > that may be acceptable.
> > >
> > If you look at the linux kernel for instance, all fixes are released in
> > patches and support the older kernels for backward compatibility.
> > Freebsd is another example , where two versions are maintained , the
> > older 5.x and the newer 6x.
> >
>
> And what about older versions - as I am sure you know, many Customers do
> not keep up with the current and -1 versions that vendors like to
> promote Customers keep current with. In production environments, they
> can not upgrade on the vendors schedule, but rather their own as their
> business dictates. As an example, how does a Customer get support on
> FreeBSD V3.x?
>
There may be security patches for this release, I've not looked myself.
The 3.x tree finished 5 years or so ago. You do not have to wipe a
freebsd installation of a hard disk to upgrade to the newest system, so
upgrading to the latest release is in fact easy.
If a company insist on using 3.x system i am sure their technical
department would maintain it , however they wish. It's a subjective
 question.. Does microsoft support 3.x ?   > > = > > > Unfortunately, most large shops will understandably not  > > introduce any OSA > > > security patches without some degree of application testing  > > first. This J > > > means a great deal of additional effort is required to do all of theG > > > monthly QA compatibility testing of applications. With Linux (and @ > > > Windows) releasing 7-20 *security* (not bug fixes) patches > > per month,8 > > > this QA testing impact is huge in terms of people, > > equipment, puttingH > > > new app testing on hold while OS security compatibility testing is > > > completed. > > > F > > This is why to give two examples novell and red hat exist, to makeC > > maintaining a linux system easy, with full support when needed.  > >  > F > At 7-20 *security* Linux patches per month, per system, what processE > would you recommend Customers use to do all of their QA application 4 > testing for all of these monthly security patches? > E I take for granted that you mean customers who use commerical version 	 of linux. A Thats another question I cannot answer as i do not work for them. C The reason commerical version of linux exist is to address problems  that you ask me.    I > Keep in mind that security patches will get moved into production until J > verified with their applications. This is especially true when they haveH > loads of custom code to maintain e.g. what open source typically means > at the local site. > > > > > The same testing effort applies to OpenVMS, but the very > > high rate atG > > > which these monthly security patches occur on Linux (and Windows) G > > > platforms makes this issue much larger. 
> > > See RH security web site:
> > > https://www.redhat.com/archives/enterprise-watch-list/ (click on thread
> > > for each month and add them up)
> >
> > No system is inherently secure without fixes, unless you restrict what
> > services are to be run, which in turn would make the system
> > featureless.
> > ie any system not on the internet is secure , as from external attacks,
> > but that user does not have e-mail, usenet, a web server , ssh, irc
> > ,,etc...
> > One has to take risk otherwise the internet would never exist in the
> > first place beyond say DARPA .
> >
>
> You missed the point I was making. I was not saying some systems do not
> need occasional security patches. OpenVMS occasionally has these
> security patches as well.
>
> The point is the rate at which these security patches appear is a direct
> influence on the impact of the Customers QA monthly testing cycles. This
> is a huge, huge cost that is typically not well understood. Most IT
> shops take a lot of heat from the business for being behind in releasing
> new application functionality - the outstanding change requests is
> usually extremely high in many large IT environments.
>
> When security patches get released, most Cust's want to get these in as
> quick as possible, hence new app functionality and changes testing
> requested by the business gets moved to the back burner while this
> security patch testing is done.
>
> Now, what do you think the impact is in terms of reducing the
> outstanding change requests by the business when the platform chosen has
> 7-20 *security* patches released per month?
Businesses expand according to their workflow, it becomes a race to get
work completed.
Open source has got bigger than anyone would have
expected 10 years ago, so business adapt if they choose to.

>
> And by the way, the business usually has zero sympathy for why IT is
> behind in reducing their change requests queue.
>
> >
> > > 3. Most large companies are moving big time away from having their IT
> > > staff twiddle in the OS weeds with custom OS level patching. In their
> > > mgmts view, that is why they pay vendors for support contracts. The IT
> > > Staffing costs typically dwarf any support contracts (usually 50-60% of
> > > IT budget), so the cost of support contracts is not as big as some
> > > promoters of open source would like everyone to believe. These large
> > > Cust Managers would rather have their senior IT folks looking at ways to
> > > better integrate their applications and or otherwise provide added value
> > > to the business.
> > >
> > I never said open source cannot live without vendors support contracts.
> > Of course a business does wants whats best for his business . open
> > source or closed source, having said that, some closed source licences
> > are so astronomically high, business have no choice but to choose
> > cheaper options and open source quite often is chosen in favour of
> > closed source.
> >
>
> There is a certain Cust profile which leads itself to open source
> adoption. Imho, it is a Cust environment whereby they have a high amount
> of very technical OS expertise on staff who do not mind and perhaps even
> enjoy coding and tweaking OS level code.
>
> For this type of Cust profile, if that is the model their Mgmt wants to
> adopt, then that is certainly fine. It is working for them and that is
> great.
>
> There are other Cust profiles which are of the opinion that IT Staff
> reflects 50-60% of their IT budget and they want to reduce this as much
> as possible. That is why consolidation is such a hot topic today.
The I > biggest savings is typically in terms of head count reductions, so this H > Cust profile wants their IT folks working as close to the business andI > enhancing application integration as possible - not tweaking, patching, ( > maintaining and testing OS level code. >   B You have some very good valid points, I am not so sure that its anD issue that is effecting open source and not effecting closed source,F I hope i have answered your questions to the best as possible and thatG some understanding is being made than when i started this thread it was  patchy and unclear perhaps.    thanks   ------------------------------   Date: 5 Jul 2006 08:34:56 -0700 ( From: "geletine" <adaviscg1@hotmail.com>/ Subject: Re: The possibility of vms opening up? C Message-ID: <1152113696.778671.282890@b68g2000cwa.googlegroups.com>    Robert Deininger wrote: K > You keep mentioning "opening up" VMS, but you haven't specified what this 1 > would entail in any detail. Are you suggesting: 4 > 1. Making the VMS source available?  In what form?! releasing the code source in full   L > 2. Altering the license terms so that VMS can be copied, built and used by" > anyone who wants it, at no cost?F The licence could be dual-licensed, like mysql , under the gpl and sayE the vms licence where if a company does not want to contribute back .   L > 3. In addition to 2, also providing a build environment so that anyone whoL > feels like it can build a custom VMS with little effort?  Do you want this > at no cost as well? E The gpl version of vms would allow the user to do what they wish with F the code, as long as they contribute back, which means vms can benefit% without paying someone to write code. B the licensed version is differnt, in that the company pays for the3 source code , but does not have to contribute back.   J > 4. ... 
> Feel free to add items as necessary to explain your vision of how
> VMS should be done....
>
> Can you provide a single concrete example of how your suggestion (whatever
> it is) might improve the security of VMS?  Your banalities so far have
> contained little substance.

The only way anybody is going to know if open source is beneficial to
vms is to try, if it fails, then at least we tried. I only suggested it
from the beginning, it's not something written in stone, that must
happen or the world blows up.
>
> You might want to browse through the VMS Guide to System Security to get a
> starting point.
>
> >University is a great example of open source, the original unix gained
> >its reputation through the famous bsd unix, which is still maintained
> >in its different flavours.
> >Opposed to vms,. which i am not denying is secure, but took the "keep
> >it secret" rake in the cash approach.
>
> As several folks have pointed out VMS isn't "secret" and hasn't been
> secret for most of its existence.  Your credibility will diminish further
> each time you repeat this myth.

The design and ideas are not a secret, i was referring to the source
code, of course with the design and ideas one could replicate a vms
clone, apart from freevms , nobody has.
I am wondering why, that's all.

------------------------------

Date: 5 Jul 2006 08:42:27 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152114147.435274.212580@m79g2000cwm.googlegroups.com>

AEF wrote:
> Well, I'm open on this (no pun intended!). Windows and VMS and Mac OS
> are somewhat closed source, but the security on VMS is great and on
> Windows is lousy and I assume on Mac is great. I am less familiar with
> open source stuff, so I'll keep reading and make up my mind later.
>
As you may assume mac os security is great , i would like to tell you
that Darwin , which is the unix type kernel that is used is actually
open source, well not mac osx it self but the kernel is released freely
and changes can be used in the commercial product.
http://www.opendarwin.org/

> But I still think that a bank shouldn't publish the inner workings of
> its security systems.
>
you're in a better situation to tell me.. all banks in the world use vms
as their security system?

> Thanks for your input on this thread.
>
I enjoy participation. We learn from each other...

------------------------------

Date: 5 Jul 2006 10:49:31 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: Re: The possibility of vms opening up?
Message-ID: <Sf0n+yibKJkV@eisner.encompasserve.org>

In article <1152110879.433206.256100@v61g2000cwv.googlegroups.com>, "geletine" <adaviscg1@hotmail.com> writes:
> Larry Kilgallen wrote:

>> Which of the Unix group identifiers control built-in operating
>> system _operations_ such as changing to an inner mode, allowing
>> one to create a new receiving network socket, crash the system,
>> create a process under another identity, map address space to
>> particular physical IO space, create in-machine communication
>> ports that will persist beyond the termination of the process,
>> access _any_ unaccessed object on the system, access _any_
>> unaccessed object on the system but only for read, access
>> nominally unshareable devices even though they are currently
>> accessed by another process, alter process priority above the
>> nominal process quota, make network connections, control the
>> auditing system, exceed disk quota ?
>
> Similar to my last answer , but i provide a different link
> http://www.grsecurity.net/
>
>>
>> And across which unix type operating systems are those group
>> identifiers uniformly honored ?
> its work on any linux and bsd project.

That appears to be an add-on product rather than something one can
depend on always being present in the operating system.

I see nothing to indicate it is guaranteed by any vendor, much less
the operating system vendor.

------------------------------

Date: 5 Jul 2006 08:46:44 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152114404.745236.230180@v61g2000cwv.googlegroups.com>

Larry Kilgallen wrote:
> In article <1152100090.638589.133370@75g2000cwc.googlegroups.com>, "geletine" <adaviscg1@hotmail.com> writes:
> > Main, Kerry wrote:
>
> >> 2. If a security patch does get released, at the local level, who
> >> ensures the patch does not break clustering, forward-backward
> >> compatibility or other specific configs like an older version of the OS
> >> ? The responsibility for testing and ensuring OS compatibility with all
> >> of the other OS and layered product patches falls on the shoulder of the
> >> local IT person. For some shops with very knowledgeable technical staff,
> >> that may be acceptable.
> >>
> > If you look at the linux kernel for instance, all fixes are released in
> > patches and support the older kernels for backward compatibility.
>
> The issue is not the _intentions_ regarding compatibility.
>
> The question was "who ensures the patch does not break...".  The
> average single contributor does not have the resources to test a
> patch in all environments, particularly on large SMP machines with
> particular hardware devices.
> In some cases we are talking machines
> that cost in excess of a million dollars.

A company that has machines in excess of million dollars would have a
IT department that would do testing, a lot of open source projects come
out of real work environments, they are not all made at home in
somebody's spare time (that's a bad misconception of open source), ibm,
sun to name two have released different open source projects.

------------------------------

Date: 5 Jul 2006 09:00:02 -0700
From: "geletine" <adaviscg1@hotmail.com>
Subject: Re: The possibility of vms opening up?
Message-ID: <1152115202.807219.182470@a14g2000cwb.googlegroups.com>

Tux Wonder-Dog wrote:
> David J. Dachtera wrote:
>
> That is something I've put some thought into.  Something like VMS tends to
> attract a large community around it, of hobbyists etc., who use it on their
> own private machines if at all possible.  And likewise, the engineers who
> developed it are often fond of it and keep using it as long as they can.
>
Thanks for mentioning it ,the reason i started this thread.

> That's two elements of a community big enough to untangle such a problem.
>
> Then you see the effects of a community dedicated enough in the likes of
> Groklaw.net.
> I doubt that opening the source of VMS under some suitable
> license such as the MPL, would be a problem too difficult for people on the
> newsgroup and HP, working together, to solve.
>
well it looks difficult so far, agreeing if open source is good or
not...

> Of course, I suggested in the past that HP do this sort of procedure on a
> source tree too old to be commercially valuable - say three or four major
> releases into the past, so it won't compete with current releases, current
> policies, and suchlike.
>
That's an idea, as long as it's publicized , otherwise users may wonder
why so and so is insecure or free software does not work ie firefox.
I am not committing myself to say that is how vms works, but code
changes a lot in any os.

> And third-party licensed code would simply be done without if permission
> wasn't granted.  Filling in those gaps would be well within the average
> competence of the members of the newsgroup.
>
> Just my 0.02c, heavily inflated, of course! ;)
>
> Wesley Parish
> >
> > Another large obstacle is security. Some sites currently using VMS would
> > be rather put off by the idea of having such things become "commonly
> > available".
>
> That's where my idea of using an earlier source tree might help.  If current
> practices aren't exposed, but only previous ones, it might help reduce the
> blood pressure.
>
> What do you think?

Who knows if a older version was released in source and a fork was made
of it, it could well be interesting. perhaps may i dare say, more
secure than the closed vms.
:)   ------------------------------   Date: 5 Jul 2006 09:02:57 -0700 ( From: "geletine" <adaviscg1@hotmail.com>/ Subject: Re: The possibility of vms opening up? C Message-ID: <1152115377.467913.322630@m79g2000cwm.googlegroups.com>    Larry Kilgallen wrote: > D > That appears to be an add-on product rather than something one can9 > depend on always being present in the operating system.  > E > I see nothing to indicate it is guaranteed by any vendor, much less  > the operating system vendor.  @ That is the nature of open source, i know selinux is standard in fedora. > Alot of these addons will slowly start appearing in distros...D Any IT department that is lacking this add-on can simply add it, its not difficult.   ------------------------------  % Date: Wed, 05 Jul 2006 04:14:01 -0400 - From: JF Mezei <jfmezei.spamnot@teksavvy.com> Y Subject: Re: Transitive Emulator Ports Sparc/Solaris Apps to Linux on Xeon,  Itanium  Ita , Message-ID: <44AB74AE.40C8BA4B@teksavvy.com>   Ian Miller wrote:  > F > True, although it depends what they mean by unix like. If compliance> > with posix means unix like (unlikely) then VMS is unix like.    D Note that VMS has not been POSIX compliant for years, even since theB posix shell was desupported. And as I recall, the work to make VMSH natively POSIX compliant (without some application) is not complete yet.   ------------------------------   Date: 5 Jul 2006 01:09:14 -0700   From: "Ian Miller" <ijm@uk2.net>S Subject: Re: Transitive Emulator Ports Sparc/Solaris Apps to Linux on Xeon, Itanium C Message-ID: <1152086954.461003.141880@a14g2000cwb.googlegroups.com>   D True, although it depends what they mean by unix like. 
If compliance< with posix means unix like (unlikely) then VMS is unix like.  E There is already binary translators and necessary environment for VMS G on Alpha and IA64 so parhaps this is the enquivilent in the unix world. G I thought it interesting they appear to be dealing with the differences A between the unixes as well as the difference between the hardware 
 platforms.   ------------------------------   Date: 5 Jul 2006 07:16:53 -0500 - From: Kilgallen@SpamCop.net (Larry Kilgallen) S Subject: Re: Transitive Emulator Ports Sparc/Solaris Apps to Linux on Xeon, Itanium 3 Message-ID: <iVfCJ4d9x5az@eisner.encompasserve.org>   f In article <1152086954.461003.141880@a14g2000cwb.googlegroups.com>, "Ian Miller" <ijm@uk2.net> writes:  F > True, although it depends what they mean by unix like. If compliance> > with posix means unix like (unlikely) then VMS is unix like.  G No.  Only those VMS programs which restrict themselves to Posix library  calls would be elegible.  F I was doing consulting work for DEC when the VEST translator was firstI being built.  For any given feature (ASTs are an egregious example) those G writing the translator needed particular cooperation from those writing H the Alpha VMS operating system.  I say writing, because that support wasE in areas that did not even exist on VAX VMS.  Consider what the image D activator has to go through to set up connections when a VESTed main5 image calls a Native shareable image, and vice versa.    ------------------------------  % Date: Wed, 05 Jul 2006 08:14:09 -0700 # From: "Tom Linden" <tom@kednos.com> S Subject: Re: Transitive Emulator Ports Sparc/Solaris Apps to Linux on Xeon, Itanium ) Message-ID: <op.tb71xvuozgicya@hyrrokkin>   6 On Wed, 05 Jul 2006 05:16:53 -0700, Larry Kilgallen  =   <Kilgallen@SpamCop.net> wrote:  I > In article <1152086954.461003.141880@a14g2000cwb.googlegroups.com>, "I=  an  =    > Miller" <ijm@uk2.net> writes:  > G >> True, although it depends what they mean by unix like. If compliance ? >> with posix means unix like (unlikely) then VMS is unix like.  > I > No.  Only those VMS programs which restrict themselves to Posix librar=  y  > calls would be elegible. > I > I was doing consulting work for DEC when the VEST translator was first=   I > being built.  
For any given feature (ASTs are an egregious example) th=  ose I > writing the translator needed particular cooperation from those writin=  g I > the Alpha VMS operating system.  I say writing, because that support w=  asG > in areas that did not even exist on VAX VMS.  Consider what the image F > activator has to go through to set up connections when a VESTed main7 > image calls a Native shareable image, and vice versa.   I I am not convinced that this is not OS neutral.  Back in the 70's as the=   E minicomputer was emerging, we effectively emulated instructions in  =   	 microcode I doing so at a higher level, while maybe not as efficient, is conceptuall=  y  =   the D same and a lot easier. Digital in fact had a tool FX!32 which seems,I architecturally the same as this tool.  Of course, the difference betwee=  n & Sparc and OpenVMS is the transfer fee.   ------------------------------   End of INFO-VAX 2006.371 ************************