INFO-VAX    Mon, 29 May 2006    Volume 2006 : Issue 297

Contents:
  Re: ANN: VMS Mosaic 4.0
  Re: Compaq board member sent to jail
  DSL upgrade [was: Re: speeding up LAVC with switch instead of hub?]
  Re: FTP security suggestion, and SHOW INTRUSION BUG
  Re: FTP security suggestion, and SHOW INTRUSION BUG
  Re: FTP security suggestion, and SHOW INTRUSION BUG
  Re: So how representative is this experience ?
  Re: So how representative is this experience ?

----------------------------------------------------------------------

Date: Mon, 29 May 2006 04:07:00 -0400
From: JF Mezei <jfmezei.spamnot@teksavvy.com>
Subject: Re: ANN: VMS Mosaic 4.0
Message-ID: <447AAB6E.FBD7C5B6@teksavvy.com>

First and foremost,  THANK YOU VERY MUCH for your continued work on MOSAIC.

Found a "bug" ...

https://accesd.desjardins.com

On mosaic 3.8, it goes into an infinite loop.
On Mosaic 4.0, it seems to handle better and tries to redirect to a
"sorry you need javascript" page, but then mosaic crashes.

Those pages are ill-formed from an HTML standard point of view. (Netscape
4.7 has to wait for some timeout to happen before it displays what it
got since what it got is missing a <body> or something like that.

Mosaic 3.8 doesn't complain about some SSL certificates, Mosaic 4.0
does. "SSL Error: self signed certificate in certificate chain, Continue
?". What does this mean ?

BTW, the compile, on a VAX node without MMS/MMK went fine.
No problems.

And one thing I really forgot to mention: for multi-line text input in
forms, you should really use the word-wrap attribute in the text widget
(but you need to turn off horizontal scrolling for this to work).

And one last thing: when starting Mosaic on a VAX, it complains about
the LiteClue: Shape extension not supported by XServer / Turning off shaped extension"

While I understand this because VAX has ancient X software,  is there a
way to prevent this message from appearing ? (when starting Mosaic from
the session manager, any such output creates a window to show that
error message and I like to avoid these things).

------------------------------

Date: Mon, 29 May 2006 18:20:07 +0200
From: Paul Sture <paul.sture.nospam@hispeed.ch>
Subject: Re: Compaq board member sent to jail
Message-ID: <90139$447b1f38$50db5015$8186@news.hispeed.ch>

JF Mezei wrote:
> Paul Sture wrote:
>
>>Sentencing is planned for September 11; meanwhile Lay is out on bail of
>>$5 million.
>
>
>
> Wow, I can smell friendly politics here. On September 11, the media will
> be on a wild frenzy to report the 5th anniversary of 9-11 and won't
> spend much time reporting on Lay's sentence.  I smell a short sentence
> coming à la Martha Stewart with the 5 million in bail going as a
> political donation once the funds are released.

My thought was the opposite; that it might concentrate the sentencing
judge(s) on just how serious an economic disaster it was.

------------------------------

Date: 29 May 2006 10:24:39 GMT
From: Thierry Dussuet <thierry@dussuet.lugs.ch>
Subject: DSL upgrade [was: Re: speeding up LAVC with switch instead of hub?]
Message-ID: <slrne7liv7.14n.thierry@MARS.Family>

On 2006-05-27, JF Mezei <jfmezei.spamnot@teksavvy.com> wrote:
> Paul Sture wrote:
>> If the telco does upgrade, make sure you ask for it. I say this since my
>> cable company has just upgraded their standard package to 3000/256 kbs,
>> and my latest bill says that's what I'm on, but my connection is still
>> only giving me the previous, slower, speeds.
>
> With DSL, upgrades are done by changing the config at the central office
> and as soon as they do this, the modems at the CO and homes renegotiate
> the speed to the new setting. So the actual upgrades have to be
> staggered. And they work from CO to CO. The problem with DSL is that not
> all customers are technically able to get the upgrade so it requires a
> bit more finesse with their scripts to upgrade only those whose line
> quality is good enough.

Then you mix in some marketing and too much traffic for the telco equipment,
and customers can see that their line WOULD have the quality for the higher
speed, but "somehow" they won't get more while still paying for the higher
speed.
And on top of it, they opened the pipes and put in software traffic
shapers, so you can't be sure of where the problem lies.

But then again I guess this is typical behaviour for telco companies.

Thierry

------------------------------

Date: Mon, 29 May 2006 01:36:43 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: FTP security suggestion, and SHOW INTRUSION BUG
Message-ID: <06052901364301_2020743C@antinode.org>

From: JF Mezei <jfmezei.spamnot@teksavvy.com>

> [...]  Some guy really wanted to
> get into my system with "Administrator" as username. (he was from Texas)

   Which gets logged in some places as "Administrato", because of the
VMS 12-character limit on user name length.

> It would be really nice if the TCPIP software (TELNET, FTP at least)
> would use some of the LGI intrusion SYSGEN parameters and automatically
> block all connection attempts from the intruding IP for a random number
> of minutes.

   And SSH.  The common "Administrato[r]" attack on FTP has _very_ many
more attempts per incident, but I see many more break-in attempts using
SSH than FTP.

   On the bright side, the "Administrato[r]" attack is doomed to fail,
while an SSH attack could succeed.

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Mon, 29 May 2006 11:24:37 -0400
From: "Richard B. Gilbert" <rgilbert88@comcast.net>
Subject: Re: FTP security suggestion, and SHOW INTRUSION BUG
Message-ID: <CaCdnSG_APaoj-bZnZ2dnUVZ_vGdnZ2d@comcast.com>

JF Mezei wrote:
> VAX VMS 7.2, TCPIP Services 5.3-2
>
> In the days of VMS's creation, 100 baud acoustic couplers were the
> primary remote access to VMS boxes, and the terminal driver would
> automatically drop the connection after a number of connection attempts.
> This greatly limited the number of attempts one could make because the
> time to hangup, redial, wait for modems to renegotiate would be greater
> than the time needed to make the attempts.
>
> But today, with the internet, one can rack up password attempts very
> quickly.  I went out to get a snack in the kitchen, and upon my return,
> I was hearing "beep beep" from the console.  Some guy really wanted to
> get into my system with "Administrator" as username. (he was from Texas)
>
>
> SHOW INTRUSION was already showing *** in the number of attempts.
> Perhaps SHOW INTRUSION should be updated to be able to display up to
> 9999 attempts instead of its 1960s' assumption that 999 was way more
> than needed.
>
>
> In such cases, I have to extract the IP address of the hacker from logs
> (netstat is the better one since OPCOM is just constantly scrolling
> about 10 minutes behind in its buffer), then telnet to the router to add
> a dynamic filter to block that IP.
>
>
> It would be really nice if the TCPIP software (TELNET, FTP at least)
> would use some of the LGI intrusion SYSGEN parameters and automatically
> block all connection attempts from the intruding IP for a random number
> of minutes.

I think this is a bad idea.  At my last job, we used Citrix thin clients
and servers running Windows Terminal Server Edition.  So thirty or forty
legitimate users could be coming from the same IP address.  Locking out
that address would have brought down twenty percent of our users until
somebody could straighten it out.  Not good at all.

------------------------------

Date: 29 May 2006 09:02:33 -0700
From: "johnhreinhardt@yahoo.com" <johnhreinhardt@yahoo.com>
Subject: Re: FTP security suggestion, and SHOW INTRUSION BUG
Message-ID: <1148918553.459058.310340@j73g2000cwa.googlegroups.com>

Richard B. Gilbert wrote:
> JF Mezei wrote:
> > VAX VMS 7.2, TCPIP Services 5.3-2
> >
> > In the days of VMS's creation, 100 baud acoustic couplers were the
> > primary remote access to VMS boxes, and the terminal driver would
> > automatically drop the connection after a number of connection attempts.
> > This greatly limited the number of attempts one could make because the
> > time to hangup, redial, wait for modems to renegotiate would be greater
> > than the time needed to make the attempts.
> >
> > But today, with the internet, one can rack up password attempts very
> > quickly.  I went out to get a snack in the kitchen, and upon my return,
> > I was hearing "beep beep" from the console.  Some guy really wanted to
> > get into my system with "Administrator" as username. (he was from Texas)
> >
> >
> > SHOW INTRUSION was already showing *** in the number of attempts.
> > Perhaps SHOW INTRUSION should be updated to be able to display up to
> > 9999 attempts instead of its 1960s' assumption that 999 was way more
> > than needed.
> >
> >
> > In such cases, I have to extract the IP address of the hacker from logs
> > (netstat is the better one since OPCOM is just constantly scrolling
> > about 10 minutes behind in its buffer), then telnet to the router to add
> > a dynamic filter to block that IP.
> >
> >
> > It would be really nice if the TCPIP software (TELNET, FTP at least)
> > would use some of the LGI intrusion SYSGEN parameters and automatically
> > block all connection attempts from the intruding IP for a random number
> > of minutes.
>
> I think this is a bad idea.  At my last job, we used Citrix thin clients
> and servers running Windows Terminal Server Edition.  So thirty or forty
> legitimate users could be coming from the same IP address.  Locking out
> that address would have brought down twenty percent of our users until
> somebody could straighten it out.  Not good at all.

The same would apply if you were using any Telnet based terminal
server.  It's probably the reason that it is set the way it is.  Only
one person can connect from any given modem/serial line, but
potentially 10's or even 100's could connect from one IP.  It might
work to flag an IP/Port combination - at least until some timeout value
or until the telnet session is disconnected.

------------------------------

Date: Mon, 29 May 2006 11:10:50 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: FTP security suggestion, and SHOW INTRUSION BUG
Message-ID: <06052911105014_2020743C@antinode.org>

From: "Richard B. Gilbert" <rgilbert88@comcast.net>

> > It would be really nice if the TCPIP software (TELNET, FTP at least)
> > would use some of the LGI intrusion SYSGEN parameters and automatically
> > block all connection attempts from the intruding IP for a random number
> > of minutes.

> I think this is a bad idea.  At my last job, we used Citrix thin clients
> and servers running Windows Terminal Server Edition.  So thirty or forty
> legitimate users could be coming from the same IP address.  Locking out
> that address would have brought down twenty percent of our users until
> somebody could straighten it out.  Not good at all.

   Well, duh.  "Needing explicit enablement and/or a (separate)
manager-adjustable parameter" and "Not good at all" are not the same
thing.

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Mon, 29 May 2006 02:52:18 -0400
From: Dave Froble <davef@tsoft-inc.com>
Subject: Re: So how representative is this experience ?
Message-ID: <wYednUfE3bHZBOfZRVn-sg@libcom.com>

Bill Gunshannon wrote:
> In article <e5d9jn$19o$1@news-02.connect.com.au>,
>     "Richard Maher" <maher_rj@hotspamnotmail.com> writes:
>> Hi,
>>
>>> and the
>>> problems caused by compilers optimisations were vast.
>> Any more details on this? To help other porters.
>>
>> Let me guess, VMS Engineering's (or the public face of) response was "Oooh,
>> I wouldn't have done it that way" or "If I was trying to get there I
>> certainly wouldn't start from here" or "During the war. . .".
>>
>>> As a result they decided it would be easier and less risky to
>>> re-implement from scratch on Windows.
>> Is this not really just someone's political agenda to seize the opportunity
>> to change architecture? That is, Windows would look better on their CV, VMS
>> is perceived as legacy, yadda, yadda, yadda (Same stuff for last 15 years
>> :-)
>
> Didn't sound like it.  They tried moving to Itanium and it didn't work.

Just because one group failed in this effort in no way defines anything.
  There could have been real problems, or, there could have been a bunch
of incompetents, or, anywhere in between.

However, that a group did fail, should give others the idea that perhaps
more research is called for, and trying to determine why a group failed
would also be called for.  If you don't learn from others' mistakes,
then you'll possibly repeat them.

>> I'm sure if the right people in HP knew of the specific problems then the
>> FACTS could make it harder to justify a move.
>>
>>> less risky
>> Yep re-implementing from scratch is a walk in the park! How risky could that
>> be? (Good news is they'll never fully replace the functionality of the old
>> system
>
> On what do you base this little gem?

I'll add some weight to that concept.  From actual experience.

Applications that grow over time usually have more capabilities than can
be determined in the short time a group doing a total re-write will
usually devote to such.  Their product will have some missing features,
will have new bugs, and may or may not serve the needs of the users.

Note that some omitted capabilities are no longer required.  Some may
not be in use now, but may be needed in the future.

I've participated in these things.  At best it's a horizontal move.
Much more often it's backsliding.  That's just how things have actually
occurred.

>>        and will end up having to upgrade to itanium anyway.

Now I don't see how that is determined.

> And how do you draw this conclusion?  They moved to Windows which doesn't
> now and never will run in Itanium.
>
> bill
>

--
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486

------------------------------

Date: Mon, 29 May 2006 07:10:41 -0700
From: "Tom LINDEN" <tom@kednos.com>
Subject: Re: So how representative is this experience ?
Message-ID: <op.tabgb30blvpiaf@hyrrokkin>

On Sun, 28 May 2006 20:57:31 -0700, Main, Kerry <Kerry.Main@hp.com> wrote:

>
>
>> -----Original Message-----
>> From: mas [mailto:mas769@hotmail.com]
>> Sent: May 28, 2006 11:58 AM
>> To: Info-VAX@Mvb.Saic.Com
>> Subject: So how representative is this experience ?
>>
>> http://www.aceshardware.com/forums/read_post.jsp?id=115165893&
>> forumid=1
>>
>> "
>> Well I can tell you of one company I know of who have decided NOT to
>> go with Itanium. It is a company that I used to work for (its in the
>> FTSE 100) who currently has thousands of Alphas (some the new, some
>> old), and a few old VAX systems worldwide that need to be upgraded.
>>
>> The software was ported from VAX/VMS to Alpha/VMS in the
>> 90's, this was
>> typically done very poorly, but it worked and gave significant
>> performance increases.
>>
>> After spending a few months in attempts to port to Itanium/VMS they
>> decided that the problems were far too great. The problems being that
>> the performance was lower (significantly) than the system they needed
>> to replace (ie: latest Alphas ES40, ES45, and a few ES47), and the
>> problems caused by compilers optimisations were vast.
>>
>> As a result they decided it would be easier and less risky to
>> re-implement from scratch on Windows.
>>
>
> Less risky than re-writing from scratch - not likely.
>
> From most of the Customers I have heard from, the porting from Alpha to
> IA64 is far, far easier than VAX to Alpha as the 32bit to 64 bit code
> issues have mostly been already addressed.

Yes, but the subset of VMS-Alpha is probably smaller than VMS-VAX (was)
and Alpha had less software available (third parties)

>
> Certainly, the feedback from the VMS IA64 porting workshops and other
> Customers has been extremely positive.
>
> On the mid range side, the feedback I have heard is that most App code
> with recent versions of VMS (8.2-1) with recent mid range Integrity
> servers is faster than ES45-ES47 in many areas, but there are some
> things that are not quite as fast.
>
> Given the comments about significantly slower, I rather suspect that
> they may have been using older versions of VMS (8.2 perhaps) and-or
> compilers.
>
>> On a side note: The original versions on Windows ran quite
>> poorly on the
>> 2.8Ghz Xeon' (4 CPU's) in that they were still slower than the latest
>> Alpha's, although much closer than the IPF ever came. They
>> eventually got
>> management to try dual socket, dual-core opterons and instantly got
>> double the performance, at nearly half the system cost and half the
>> power usage. These platforms then quickly became the standard for all
>> new x86 servers throughout the company. Luckily for HP they still get
>> to provide the Opteron boxes, but at about 20% the price of the old
>> Alpha systems.
>> "
>
> Don't forget that OpenVMS Integrity is quite a bit cheaper than Alpha
> OpenVMS as well e.g. one example - unlimited user licensing in base VMS
> OS on IA64.
>
> Oh - and the comment about Windows being half the system cost.. Does
> this include the monthly testing of all the Apps for the monthly
> security patches. The QA folks will love this part of their new
> environment as I am sure they do not have new app functionality to test,
> but would rather spend their time testing their apps with these monthly
> OS security patches.
>
> :-)
>
> Regards
>
> Kerry Main
> Senior Consultant
> HP Services Canada
> Voice: 613-592-4660
> Fax: 613-591-4477
> kerryDOTmainAThpDOTcom
> (remove the DOT's and AT)
>
> OpenVMS - the secure, multi-site OS that just works.

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

------------------------------

End of INFO-VAX 2006.297
************************
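
The per-source lockout debated in the FTP thread of this digest, as an added Python example that is not from any poster and not from TCPIP Services. The names brk_lim, brk_tmo and hid_tim are borrowed from the LGI_BRK_LIM, LGI_BRK_TMO and LGI_HID_TIM SYSGEN parameters; the logic, the manager-set list of shared addresses (tracked per address and user rather than per address), and the sample events are assumptions constructed for illustration.

```python
import random

USERNAME_MAX = 12  # VMS user names are cut to 12 characters: "Administrato"

class SourceTracker:
    """Counts failed logins per source and blocks repeat offenders for a while.

    brk_lim, brk_tmo and hid_tim are named after the LGI_BRK_LIM, LGI_BRK_TMO
    and LGI_HID_TIM SYSGEN parameters; the logic here is an assumption, not
    what VMS or TCPIP Services implements.
    """

    def __init__(self, brk_lim=5, brk_tmo=300, hid_tim=300,
                 shared_sources=(), rng=None):
        self.brk_lim = brk_lim          # failures tolerated inside the window
        self.brk_tmo = brk_tmo          # seconds a failure stays on the record
        self.hid_tim = hid_tim          # base block time, stretched at random
        self.shared = set(shared_sources)   # terminal servers, NAT gateways
        self.rng = rng or random.Random()
        self.failures = {}              # key -> timestamps of recent failures
        self.blocked_until = {}         # key -> time the block expires

    def _key(self, ip, username):
        # A shared address is tracked per (address, user) so one guessed
        # account cannot lock out everybody else behind that address.
        if ip in self.shared:
            return (ip, username[:USERNAME_MAX].upper())
        return ip

    def is_blocked(self, ip, username, now):
        return self.blocked_until.get(self._key(ip, username), 0) > now

    def record_failure(self, ip, username, now):
        key = self._key(ip, username)
        recent = [t for t in self.failures.get(key, []) if now - t < self.brk_tmo]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) > self.brk_lim:
            # Random stretch so the retry cannot be timed exactly.
            self.blocked_until[key] = now + self.hid_tim * self.rng.uniform(1.0, 1.5)
            return "blocked"
        return "suspect"

def replay(events, tracker):
    """Run (time, ip, username, password_ok) events through the tracker."""
    decisions = []
    for now, ip, user, ok in events:
        if tracker.is_blocked(ip, user, now):
            decisions.append("refused")
        elif ok:
            decisions.append("login")
        else:
            decisions.append(tracker.record_failure(ip, user, now))
    return decisions

# Constructed sample: seven guesses at "Administrator", then a real user
# logging in from the same address (documentation-range IP, made up).
SAMPLE = [(t, "192.0.2.10", "Administrator", False) for t in range(7)]
SAMPLE.append((10, "192.0.2.10", "SMITH", True))
```

With the default settings the address is blocked outright and SMITH is refused along with the guesser; with `shared_sources=["192.0.2.10"]` only the guessed account is blocked and SMITH still logs in.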