RE: Wonderful things happen to an OS when it has an internal champion - VMS



Thread: RE: Wonderful things happen to an OS when it has an internal champion

  1. RE: Wonderful things happen to an OS when it has an internal champion

    Comments below

    > -----Original Message-----
    > From: David J Dachtera [mailto:djesys.no@spam.comcast.net]
    > Sent: Thursday, August 09, 2007 8:04 PM
    > To: Info-VAX@Mvb.Saic.Com
    > Subject: Re: Wonderful things happen to an OS when it has an internal
    > champion
    >
    > Paul Raulerson wrote:
    > >
    > > > > > If VMS ran on industry standard x86-64 or on Power then just
    > > > > > maybe IBM might be interested for the right price. But running
    > > > > > on Itanic?
    > > > >
    > > > > This concept has come up before but never really been answered.
    > > > > Why would IBM want to see anything other than the final death of
    > > > > VMS?
    > > >
    > > > To open those doors which remain tightly locked by UN*X's inherent
    > > > lack of security?
    > >
    > > To answer just this little snippet, UNIX security is not bad, and is
    > > roughly on par with VMS. You probably do not like to hear that, but
    > > it is. Most Unix break-ins occur on Linux running on PCs operated by
    > > hobbyists.
    >
    > We're not talking about overflow type attacks, etc. since those simply
    > result in an accvio on VMS and then a deleted process - no exposure.
    >
    > We're talking about internal security and break-in detection/evasion.
    >


    Yep - we are. I am also talking about software defects that allow buffer
    overflows, and other methods. And about logical security, such as
    protecting access to priv'ed accounts.

    > > Not of data center machines. And to make that more specific, most
    > > Linux security breaches are centered around web services or
    > > disgruntled employees, not around virus issues and what not.
    >
    > However, the same vulnerabilities exist, regardless of scale. VMS
    > retains its security at all scales. If, however, an application or a
    > SIP introduces a security issue, that is not VMS's fault.
    >


    We disagree. An OS is responsible for security, and for managing any
    applications it allows to run. Also, scale makes a huge difference; a
    vulnerability that may engender little or no risk on a 50 user machine
    can be magnified easily into a critical problem on a machine with
    60,000 active users.


    > > In regard to the IBM question: IBM would not be interested in VMS
    > > because, to be brutally honest, VMS does not have anything IBM
    > > already does not have. And IBM has a lot that VMS does not have. A
    > > powerful lot indeed. If it ran on zSeries hardware they would snap it
    > > up though, because that is one more powerful mainframe operating
    > > system they could run.
    >
    > Hence, the statement:
    >
    > David J Dachtera wrote:
    > >
    > > Now - to flip that coin over:
    > >
    > > What could IBM bring to VMS that it currently lacks?
    > >
    > > - A return to virtualization (LPARS)
    > > - A return to marketing
    > > - A return to profitability
    > > - A return to a respectable market share
    > >
    > > Seems a marriage made in heaven!
    >
    > I'm trying to improve my communication; so, if you can show me where I
    > left the ambiguity, it would help me avoid that mistake in the future.
    >


    You just missed what I said; IBM has all that already, and they own it
    lock, stock, and middleware. It would be of vast benefit to VMS, but not
    much, if any, benefit to IBM.

    HP is a much better home for VMS, in my opinion.



    > > VMS can, and should, be a powerful competitor to IBM,
    >
    > Well, no, not really, but mostly because "IBM" covers a lot more ground
    > than "VMS". Rather like equating HP with UX - HP does a lot more than
    > UX, they just don't know that themselves.
    >


    What does VMS do that IBM doesn't?

    Penetrate small markets with reasonably priced gear and a high
    quality OS. HP does penetrate well with this combination because
    they insist on "partnering" with other parties to do the middleware
    and third party work.

    I sense a reluctance to do in the VMS world, and I very much approve
    of that same reluctance.



  2. RE: Wonderful things happen to an OS when it has an internal champion

    In article <009601c7db12$8338cae0$89aa60a0$@com>, "Paul Raulerson" writes:

    >> From: David J Dachtera [mailto:djesys.no@spam.comcast.net]

    >> We're not talking about overflow type attacks, etc. since those simply
    >> result in an accvio on VMS and then a deleted process - no exposure.
    >>
    >> We're talking about internal security and break-in detection/evasion.
    >>

    >
    > Yep - we are. I am also talking about software defects that allow buffer
    > overflows, and other methods. And about logical security, such as
    > protecting access to priv'ed accounts.


    As in any other computer system, that logical security can be achieved
    by logical people following logical rules. Rules abound, and if you
    follow the recommendations in the Guide to OpenVMS Security you will
    do well. For overall guidance (including people issues) I recommend
    NIST 800-53. The _only_ flaw I have seen when applying it to a VMS
    system is that it suggests minimum password lifetimes. Obviously the
    authors have been overly influenced by inferior operating systems.

    >> However, the same vulnerabilities exist, regardless of scale. VMS
    >> retains its security at all scales. If, however, an application or a
    >> SIP introduces a security issue, that is not VMS's fault.
    >>

    >
    > We disagree. An OS is responsible for security, and for managing any
    > applications it allows to run.


    By default, VMS does that, but when someone with David's background
    talks about "applications" he means something installed by the system
    manager and granted certain privileges to become part of the Trusted
    Computing Base.

    David is _not_ talking about a piece of software imported by some
    unprivileged user to run under their own username.

    > Also, scale makes a huge difference; a vulnerability that may
    > engender little or no risk on a 50 user machine can be magnified easily
    > into a critical problem on a machine with 60,000 active users.


    Unprivileged users on VMS cannot introduce "critical problems" by
    bringing in software.

  3. Re: Wonderful things happen to an OS when it has an internal champion

    On Aug 10, 7:39 am, Kilgal...@SpamCop.net (Larry Kilgallen) wrote:
    [...]
    >
    > As in any other computer system, that logical security can be achieved
    > by logical people following logical rules. Rules abound, and if you
    > follow the recommendations in the Guide to OpenVMS Security you will
    > do well. For overall guidance (including people issues) I recommend
    > NIST 800-53. The _only_ flaw I have seen when applying it to a VMS
    > system is that it suggests minimum password lifetimes. Obviously the
    > authors have been overly influenced by inferior operating systems.


    Hi Larry!

    My apologies in advance if this is a stupid question.

    What are the motivations for having a minimum password lifetime? Please
    feel free to give a detailed answer.

    Thanks!

    [...]

    AEF


  4. Re: Wonderful things happen to an OS when it has an internal champion

    >
    > My apologies in advance if this is a stupid question.
    >
    > What are the motivations for having a minimum password lifetime? Please
    > feel free to give a detailed answer.
    >



    Minimum password lifetimes are to stop flip-flops.

    Some priv'ed users used to extract encoded pw, change the pw on a
    user account, send embarrassing email with the account, then reset the
    password with the encrypted value.

    The other flip-flop is users with a favorite password. Dictionary
    depth will stop them from using it for 3-5 password changes. So, when
    a user had an industry favorite password:

    Eunics_the_os_that_cannot_breed

    They would simply change their password 5 times back to back in order
    to get that password back.



  5. Re: Wonderful things happen to an OS when it has an internal champion

    In article <1186753503.685906.257590@i38g2000prf.googlegroups.com>, AEF writes:
    >
    > What are the motivations for having a minimum password lifetime? Please
    > feel free to give a detailed answer.


    On systems which do not implement a password history it keeps the
    user from changing an expired password and immediately putting it
    back to what it was before. The security geek hopes that this will
    force the user to learn the new password and leave it changed.

    And then there are systems like Windows that implement a password
    history incorrectly. Sigh.

    Which leaves me wondering whether anyone out there is sure that
    their UNIX or Linux implements a password history correctly. The
    last one I looked into was Digital UNIX and it didn't have a
    password history. I'm fairly sure Solaris and Linux have password
    histories but I don't know if they're correctly done.

    I expect someone here knows for sure.


  6. Re: Wonderful things happen to an OS when it has an internal champion

    In article <1186753503.685906.257590@i38g2000prf.googlegroups.com>, AEF writes:

    > What are the motivations for having a minimum password lifetime? Please
    > feel free to give a detailed answer.


    One can only guess what the NIST motivations might be, as they do not
    explain. One guess is that some operating systems do not have the
    protection VMS affords against a user repeatedly changing their own
    password to overflow the history buffer and thus be able to choose the
    same password again, effectively not changing their password.

    Note that VMS had that defect in the Field Test version at which
    password history was introduced (4.X, about 20 years ago) but it
    was remedied for the production release by throwing the user into
    generated password mode if their history buffer was full.

  7. Re: Wonderful things happen to an OS when it has an internal champion

    In article <1186753503.685906.257590@i38g2000prf.googlegroups.com>, AEF writes:
    >On Aug 10, 7:39 am, Kilgal...@SpamCop.net (Larry Kilgallen) wrote:
    >[...]
    >>
    >> As in any other computer system, that logical security can be achieved
    >> by logical people following logical rules. Rules abound, and if you
    >> follow the recommendations in the Guide to OpenVMS Security you will
    >> do well. For overall guidance (including people issues) I recommend
    >> NIST 800-53. The _only_ flaw I have seen when applying it to a VMS
    >> system is that it suggests minimum password lifetimes. Obviously the
    >> authors have been overly influenced by inferior operating systems.

    >
    >Hi Larry!
    >
    >My apologies in advance if this is a stupid question.
    >
    >What are the motivations for having a minimum password lifetime? Please
    >feel free to give a detailed answer.
    >

    The password history list on some OSs is so small (or non-existent) that there
    is a risk of a user keeping a favourite password forever by simply changing
    the password enough times and then changing it back to the original password.
    Hence these OSs implement a minimum password lifetime which means that after
    changing the password the user cannot change it again for a day or two.
    This has the unfortunate security consequence that if a user thinks that
    someone saw them typing in the new password when they changed it, then they
    have to go to an administrator to change it again (or, more probably, to
    think: Did Fred really see my password? If he did I have to go to see my
    manager? No, I'm sure he didn't.)


    David Webb
    Security team leader
    CCSS
    Middlesex University



    >Thanks!
    >
    >[...]
    >
    >AEF
    >


  8. Re: Wonderful things happen to an OS when it has an internal champion

    In article , david20@alpha2.mdx.ac.uk writes:

    > The password history list on some OSs is so small (or non-existent) that there
    > is a risk of a user keeping a favourite password forever by simply changing
    > the password enough times and then changing it back to the original password.


    The VMS system manager can make the password history list quite short,
    with a number like 3, but the user still will not be able to use that
    trick. Those who attempt it will be thrown into generated password mode.
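
    The three answers argued over in the last few posts (a plain history
    list of depth N that a user can cycle through, the minimum password
    lifetime that blocks the cycle but also blocks David Webb's same-day
    re-change, and the VMS-style response Larry describes, where filling
    the history buffer drops the user into generated-password mode) can be
    put side by side in a small simulator. What follows is an added example
    written for this page; it is not code from the thread, from OpenVMS, or
    from any of the posters. The Account/Policy model, the
    history_lifetime_days retention window, the PBKDF2 hashing, the day
    numbers and the sample passwords are all assumptions made for the
    simulation, and the VMS behaviour is modelled only as the thread states
    it (buffer full, user forced onto generated passwords), not from OpenVMS
    source or documentation. Paul's first flip-flop, a privileged user
    writing the old hash straight back, is deliberately not modelled: it
    never goes through the change path that any of these rules guard.

```python
"""Password-change policy simulator (added example; not from the thread).

Models three answers to "change the password N times and then change it
back": a depth-N history list, a minimum password lifetime, and a history
buffer that drops the user into generated-password mode when it fills.
The VMS behaviour is modelled only as described in the thread; everything
else here is an assumption made for the simulation.
"""
import hashlib
import secrets
import string
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 10_000  # kept low so the simulation runs fast; real use needs more


def hash_password(pw: str, salt: bytes) -> bytes:
    """One-way hash standing in for whatever the system stores in its UAF."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    # (day_set, salt, hash) tuples, oldest first; the last one is the live password
    history: list = field(default_factory=list)
    generated_mode: bool = False  # user may no longer choose their own password


@dataclass
class Policy:
    history_depth: int = 3              # old passwords refused (buffer capacity if vms_style)
    min_lifetime_days: float = 0.0      # 0 = no minimum lifetime
    vms_style: bool = False             # full history buffer -> generated-password mode
    history_lifetime_days: float = 365  # assumed retention window for history entries


def _record(acct: Account, pw: str, day: float) -> None:
    salt = secrets.token_bytes(16)
    acct.history.append((day, salt, hash_password(pw, salt)))


def matches_any(pw: str, entries) -> bool:
    return any(hash_password(pw, salt) == h for _, salt, h in entries)


def change_password(policy: Policy, acct: Account, new_pw: str, day: float) -> str:
    """Apply a user-chosen change at simulated `day`; return 'OK' or 'REJECT: ...'."""
    if acct.generated_mode:
        return "REJECT: account is in generated-password mode"
    last_day = acct.history[-1][0]
    if day - last_day < policy.min_lifetime_days:
        return "REJECT: minimum password lifetime not reached"
    live = [e for e in acct.history if day - e[0] <= policy.history_lifetime_days]
    if policy.vms_style:
        if len(live) >= policy.history_depth:
            acct.generated_mode = True
            return "REJECT: history buffer full, account moved to generated-password mode"
        checked = live                           # every buffered entry is refused
    else:
        checked = live[-policy.history_depth:]   # only the last N are refused
    if matches_any(new_pw, checked):
        return "REJECT: password is in history"
    acct.history = live
    _record(acct, new_pw, day)
    return "OK"


def generated_password(acct: Account, day: float, length: int = 12) -> str:
    """What an account in generated mode gets instead of choosing: a random string."""
    alphabet = string.ascii_letters + string.digits
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    _record(acct, pw, day)
    return pw


def cycle_attack(policy: Policy, favorite: str = "Eunics_the_os_that_cannot_breed",
                 throwaways: int = 5, expiry_day: float = 90.0):
    """Password has expired; the user burns `throwaways` changes in one sitting,
    then tries to set `favorite` again. Returns (regained?, generated_mode?, log)."""
    acct = Account()
    _record(acct, favorite, day=0.0)
    log = [change_password(policy, acct, f"Throwaway{i}!", expiry_day)
           for i in range(throwaways)]
    log.append(change_password(policy, acct, favorite, expiry_day))
    regained = matches_any(favorite, acct.history[-1:])
    return regained, acct.generated_mode, log


def same_day_rechange(policy: Policy) -> bool:
    """User changes the password, then believes it was shoulder-surfed and tries
    to change it again the same day (the scenario David Webb describes)."""
    acct = Account()
    _record(acct, "OldOne!", day=0.0)
    change_password(policy, acct, "NewOne!", day=90.0)
    return change_password(policy, acct, "NewTwo!", day=90.0) == "OK"


if __name__ == "__main__":
    for name, pol in [("history only", Policy()),
                      ("history + 1-day minimum lifetime", Policy(min_lifetime_days=1)),
                      ("VMS-style buffer", Policy(vms_style=True))]:
        regained, gen, log = cycle_attack(pol)
        print(f"{name}: favourite regained={regained}, generated mode={gen}")
        for line in log:
            print("   ", line)
        print("    same-day re-change allowed:", same_day_rechange(pol))
```

    Run it directly and the three policies are exercised against the same
    "change five times and back" sequence and against the same-day
    re-change. The depth-3 list alone hands the favourite back; the
    one-day minimum lifetime stops the cycle only by spreading it over
    days, and refuses the same-day re-change as well; the buffer-full rule
    stops the cycle outright while still allowing the same-day change,
    which is the trade-off the posts above are circling.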

  9. Re: Wonderful things happen to an OS when it has an internal champion

    Larry Kilgallen wrote:

    > In article , david20@alpha2.mdx.ac.uk
    > writes:
    >
    >> The password history list on some OSs is so small (or non-existent) that
    >> there is a risk of a user keeping a favourite password forever by simply
    >> changing the password enough times and then changing it back to the
    >> original password.

    >
    > The VMS system manager can make the password history list quite short,
    > with a number like 3, but the user still will not be able to use that
    > trick. Those who attempt it will be thrown into generated password mode.


    Which will mean that he will write down the password. Password security needs
    to be balanced very carefully. If you tighten it too much then users won't
    be able to memorise their passwords any more; they will start to write them
    down.

    Martin

    --
    mailto://krischik@users.sourceforge.net
    Ada programming at: http://ada.krischik.com

  10. Re: Wonderful things happen to an OS when it has an internal champion

    On 08/12/07 13:56, Martin Krischik wrote:
    > Larry Kilgallen wrote:
    >
    >> In article , david20@alpha2.mdx.ac.uk
    >> writes:
    >>
    >>> The password history list on some OSs is so small (or non-existent) that
    >>> there is a risk of a user keeping a favourite password forever by simply
    >>> changing the password enough times and then changing it back to the
    >>> original password.

    >> The VMS system manager can make the password history list quite short,
    >> with a number like 3, but the user still will not be able to use that
    >> trick. Those who attempt it will be thrown into generated password mode.

    >
    > Which will mean that he will write down the password. Password security needs
    > to be balanced very carefully. If you tighten it too much then users won't
    > be able to memorise their passwords any more; they will start to write them
    > down.


    I use a "password manager" with SecureCRT. Actually, it's just a
    .vbs script that has all the passwords to all the hosts that I deal
    with at work.

    So I choose that host from the drop-down list, and, voilà, 15
    seconds later, I'm at a $ prompt. *Very* handy.

    --
    Ron Johnson, Jr.
    Jefferson LA USA

    Give a man a fish, and he eats for a day.
    Hit him with a fish, and he goes away for good!
