DEFCON 16 and Hacking OpenVMS - VMS



Thread: DEFCON 16 and Hacking OpenVMS

  1. Re: Loose Cannon-dian

    On Tue, 09 Sep 2008 09:54:53 -0700, Bill Gunshannon
    wrote:

    > In article ,
    > "Tom Linden" writes:
    >> On Tue, 09 Sep 2008 06:55:43 -0700, Bob Koehler
    >> wrote:
    >>
    >>> In article , "Tom
    >>> Linden"
    >>> writes:
    >>>> On Tue, 09 Sep 2008 05:17:28 -0700, wrote:
    >>>>
    >>>>> While there is much in what you say, your case is not helped by
    >>>>> demonstrably dubious claims such as "There is nothing to show that
    >>>>> "security" was the underlying principle in everything VMS did any more
    >>>>> than that Unix didn't consider it at all". There's plenty of evidence
    >>>>> if you look with open eyes. Native VMS code's widespread use of
    >>>>> descriptors for varying-length items encourages careful programming
    >>>>> and has no equivalent in Windows or any Unix I've seen (since V7, Sys
    >>>>> V, and BSD4.1, I've seen a few).
    >>>>
    >>>> Descriptors are not part of the OS but a feature of the compilers, and the
    >>>> concept really came out of languages like PL/I and Algol; we call them
    >>>> dope vectors.
    >>>
    >>> The use of descriptors for many of the OS APIs is part of the OS.
    >>>
    >> Don't wish to nitpick, but it is the selection of compilers supporting such
    >> constructs that is part of the OS. Languages deficient in such constructs
    >> were enhanced to provide that capability. OS's like Multics, Primos, VOS,
    >> MVS-z/os, Burroughs were written in languages in which such constructs are
    >> an integral part of the language.
    >>
    > Primos? A bunch of that was written in Fortran IV. :-)

    That is true, but from 18 on forward it was mostly all PLP.
    >
    > bill
    >




    --
    PL/I for OpenVMS
    www.kednos.com

  2. Re: Loose Cannon-dian

    On Tue, 09 Sep 2008 09:53:33 -0700, Bill Gunshannon
    wrote:

    > It's a poor workman who blames his tools.


    It is a dilettante that uses inferior tools.

    --
    PL/I for OpenVMS
    www.kednos.com

  3. Re: Loose Cannon-dian

    On Tue, 09 Sep 2008 15:44:41 -0700, Michael Kraemer
    wrote:

    > Bob Koehler schrieb:
    >> In article , Michael Kraemer
    >> writes:
    >>
    >>> johnwallace4@yahoo.co.uk schrieb:
    >>>
    >>>
    >>>> If you want to compare OSes not in common use then maybe comparing an
    >>>> SELinux setup with a VMS setup is appropriate, but that still leaves
    >>>> VMS mostly ahead (others may obviously disagree).
    >>>
    >>> AFAIK:
    >>> Ordinary VMS has C2 security. SEVMS (sp ?) has B1.
    >>> Ordinary Unices have C2. Their "Trusted" variants have B1.
    >>>
    >>> So where's the difference ?

    >> Where C2 and B1 don't go.
    >>

    >
    > That's pretty much nowhere land.
    > Are there widely accepted certifications beyond
    > orange book ?
    >

    Yes, the Common Criteria E1 thru E6



    --
    PL/I for OpenVMS
    www.kednos.com

  4. Re: Loose Cannon-dian

    Michael Kraemer skrev:
    > johnwallace4@yahoo.co.uk schrieb:
    >
    >> Do you want to expand on that a little? Maybe you're not aware that
    >> null terminated strings aren't the only area where descriptors apply,
    >> but you surely must be aware that null terminated and corresponding
    >> buffer overflows and security vulnerabilities aren't exactly uncommon.

    >
    > A null-terminated string is usually nothing you would write into.
    > It's read-only.
    > And, BTW, my first contact with null-terminated strings wasn't
    > on generic Unix, but on RSX-11 (ASCIZ data type).
    > So RSX-11 should be viewed as crap too ?


    You do know that there is nothing in RSX proper that uses NUL-terminated strings?
    Just because the macro assembler can create them doesn't mean the OS uses them.
    Outside the kernel, there is one library function I know of which uses
    NUL-terminated strings, and then of course you can write your own code any way
    you want to.

    Just as a comment on RSX here... :-)

    Oh, and I do agree that NUL-terminated strings are a big problem from a security
    point of view. But they are damn convenient. :-)

    Johnny

    --
    Johnny Billquist || "I'm on a bus
    || on a psychedelic trip
    email: bqt@softjar.se || Reading murder books
    pdp is alive! || tryin' to stay hip" - B. Idol
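
Since the thread keeps returning to descriptors versus NUL-terminated strings, here is an added illustration (not from any poster) of why a length-carrying descriptor lets the callee refuse to overrun a destination, and why strlen() cannot measure data that contains zero bytes. The struct mirrors the shape of the VMS dsc$descriptor_s; the function names, DSC_* status codes and the sample record are invented for the example.

```c
/* Added example (not from the thread): a simplified VMS-style string
 * descriptor next to the NUL-terminated convention the posts argue about.
 * The struct layout mirrors the shape of the real dsc$descriptor_s
 * (16-bit length, data type, class, pointer); dsc_init, dsc_bytes, dsc_copy
 * and the DSC_* status codes are invented for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint16_t length;   /* number of data bytes; the callee never has to guess */
    uint8_t  dtype;    /* data type code; 14 is the VMS code for text (DSC$K_DTYPE_T) */
    uint8_t  dclass;   /* descriptor class; 1 is a static, fixed-length string (DSC$K_CLASS_S) */
    char    *pointer;  /* address of the first data byte */
} descriptor_t;

enum { DSC_BADPARAM = 0, DSC_OK = 1, DSC_TRUNCATED = 2 };

/* Describe a caller-owned destination buffer of exactly `capacity` bytes. */
static void dsc_init(descriptor_t *d, char *buf, uint16_t capacity)
{
    d->length  = capacity;
    d->dtype   = 14;
    d->dclass  = 1;
    d->pointer = buf;
}

/* Describe existing data of an explicit length. Because the length travels
 * with the pointer, data containing zero bytes is handled correctly, which a
 * NUL-terminated API cannot do. */
static descriptor_t dsc_bytes(const char *data, uint16_t len)
{
    descriptor_t d;
    dsc_init(&d, (char *)data, len);
    return d;
}

/* Copy src into the fixed-length dst. Like a VMS fixed-length string copy,
 * short data is space-padded and long data is cut at the destination size;
 * the function reports truncation instead of writing past the buffer. */
static int dsc_copy(descriptor_t *dst, const descriptor_t *src)
{
    if (dst == NULL || src == NULL || dst->pointer == NULL || src->pointer == NULL)
        return DSC_BADPARAM;
    uint16_t n = src->length < dst->length ? src->length : dst->length;
    memcpy(dst->pointer, src->pointer, n);
    memset(dst->pointer + n, ' ', (size_t)(dst->length - n));
    return src->length > dst->length ? DSC_TRUNCATED : DSC_OK;
}

/* Copy `srclen` bytes of src into a `capacity`-byte destination via descriptors. */
static int copy_scenario(char *out, uint16_t capacity, const char *src, uint16_t srclen)
{
    descriptor_t dst, s;
    dsc_init(&dst, out, capacity);
    s = dsc_bytes(src, srclen);
    return dsc_copy(&dst, &s);
}

/* Constructed 5-byte record with an embedded zero byte: strlen() stops at
 * index 2, while a descriptor carries the true length. */
static const char kRecord[5] = { 'A', 'B', '\0', 'C', 'D' };

static size_t record_len_by_strlen(void)     { return strlen(kRecord); }
static size_t record_len_by_descriptor(void) { return dsc_bytes(kRecord, sizeof kRecord).length; }

int main(void)
{
    char out[8];
    int st;

    st = copy_scenario(out, sizeof out, "OpenVMS", 7);
    printf("status %d: \"%.*s\"\n", st, (int)sizeof out, out);   /* fits, space-padded */

    st = copy_scenario(out, sizeof out, "Common Criteria", 15);
    printf("status %d: \"%.*s\"\n", st, (int)sizeof out, out);   /* truncated, no overrun */

    printf("strlen sees %zu bytes, descriptor sees %zu\n",
           record_len_by_strlen(), record_len_by_descriptor());
    return 0;
}
```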

  5. Re: Loose Cannon-dian

    Tom Linden schrieb:

    > Yes, the Common Criteria E1 thru E6


    And where on that scale is VMS ?


  6. Re: Loose Cannon-dian

    In article , Michael Kraemer writes:
    >
    > That's pretty much nowhere land.
    > Are there widely accepted certifications beyond
    > orange book ?


    Nowhere? C2, B1, ..., all were written by some folks based on their
    limited knowledge and their specific needs. There are a lot of other
    legitimate security concerns.

    For example, Windows got a C2 rating at one time, based on
    limitations like no network, no floppies, ...

    So what good is a system if you can't enter or retrieve data?


  7. Re: Loose Cannon-dian

    In article ,
    "Tom Linden" writes:
    > On Tue, 09 Sep 2008 09:53:33 -0700, Bill Gunshannon
    > wrote:
    >
    >> It's a poor workman who blames his tools.

    >
    > It is a dilettante that uses inferior tools


    Tell that to all the people using Java. :-)

    bill


    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  8. Re: Loose Cannon-dian

    In article ,
    "Tom Linden" writes:
    > On Tue, 09 Sep 2008 09:54:53 -0700, Bill Gunshannon
    > wrote:
    >
    >> In article ,
    >> "Tom Linden" writes:
    >>> On Tue, 09 Sep 2008 06:55:43 -0700, Bob Koehler
    >>> wrote:
    >>>
    >>>> In article , "Tom
    >>>> Linden"
    >>>> writes:
    >>>>> On Tue, 09 Sep 2008 05:17:28 -0700, wrote:
    >>>>>
    >>>>>> While there is much in what you say, your case is not helped by
    >>>>>> demonstrably dubious claims such as "There is nothing to show that
    >>>>>> "security" was the underlying principle in everything VMS did any more
    >>>>>> than that Unix didn't consider it at all". There's plenty of evidence
    >>>>>> if you look with open eyes. Native VMS code's widespread use of
    >>>>>> descriptors for varying-length items encourages careful programming
    >>>>>> and has no equivalent in Windows or any Unix I've seen (since V7, Sys
    >>>>>> V, and BSD4.1, I've seen a few).
    >>>>>
    >>>>> Descriptors are not part of the OS but a feature of the compilers, and the
    >>>>> concept really came out of languages like PL/I and Algol; we call them
    >>>>> dope vectors.
    >>>>
    >>>> The use of descriptors for many of the OS APIs is part of the OS.
    >>>>
    >>> Don't wish to nitpick, but it is the selection of compilers supporting such
    >>> constructs that is part of the OS. Languages deficient in such constructs
    >>> were enhanced to provide that capability. OS's like Multics, Primos, VOS,
    >>> MVS-z/os, Burroughs were written in languages in which such constructs are
    >>> an integral part of the language.
    >>>
    >> Primos? A bunch of that was written in Fortran IV. :-)

    > That is true, but from 18 on forward it was mostly all PLP.


    Not really. I maintained Rev 19 systems and we still had FTN and PMA.
    I used to have a copy but it is long gone now. I never got to work with
    Rev 20 so I can't say if they redid all of it by that point.

    But I was being very tongue-in-cheek. It was mostly PL/I code (PLP and
    PL/I Subset G) and a lot of fun to work with. It is as much a shame that
    Primos didn't really survive as it will be when VMS fades away. I expect
    both to experience the same fate. That is, just as Primos is still in use
    this long after its demise, so will VMS continue to be used long after
    its owners have given up the ghost. One can only hope that there will
    be someone to pick up the ball and run with it when that time comes as
    was the case with Primos.

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  9. Re: Loose Cannon-dian

    In article ,
    Michael Kraemer writes:
    > Bob Koehler schrieb:
    >> In article , Michael Kraemer writes:
    >>
    >>>johnwallace4@yahoo.co.uk schrieb:
    >>>
    >>>
    >>>>If you want to compare OSes not in common use then maybe comparing an
    >>>>SELinux setup with a VMS setup is appropriate, but that still leaves
    >>>>VMS mostly ahead (others may obviously disagree).
    >>>
    >>>AFAIK:
    >>>Ordinary VMS has C2 security. SEVMS (sp ?) has B1.
    >>>Ordinary Unices have C2. Their "Trusted" variants have B1.
    >>>
    >>>So where's the difference ?


    The difference should be obvious. More people prefer Unix. :-)

    >>
    >>
    >> Where C2 and B1 don't go.
    >>

    >
    > That's pretty much nowhere land.
    > Are there widely accepted certifications beyond
    > orange book ?


    The rainbow books are being replaced by things like Common Criteria.
    Checkout sites like NIST and DISA for information on modern security
    requirements. DISA is a very good source as they even have papers
    and scripts to make securing systems, even Windows, very doable.


    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  10. Re: Loose Cannon-dian

    In article ,
    Michael Kraemer writes:
    > Tom Linden schrieb:
    >
    >> Yes, the Common Criteria E1 thru E6

    >
    > And where on that scale is VMS ?


    Unless things have changed, VMS's owners have made no attempt to get
    rated according to Common Criteria.

    bill


    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  11. Re: Loose Cannon-dian

    In article ,
    koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    > In article , Michael Kraemer writes:
    >>
    >> That's pretty much nowhere land.
    >> Are there widely accepted certifications beyond
    >> orange book ?

    >
    > Nowhere? C2, B1, ..., all were written by some folks based on their
    > limited knowledge and their specific needs. There are a lot of other
    > legitimate security concerns.
    >
    > For example, Windows got a C2 rating at one time, based on
    > limitations like no network, no floppies, ...
    >
    > So what good is a system if you can't enter or retrieve data?


    Those ratings are for operational systems. What need is there for a
    network connection or floppies on a system running a power plant?

    One can take the system offline, connect a floppy, load and install
    needed upgrades and then remove the floppy, recertify and return to
    production as a C2 system.

    When one looks at things in terms of IS's instead of just a Windows
    box this stuff makes a lot more sense. But then, when you are so
    totally biased against MS, you become blind to reality.

    bill


    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  12. Re: Loose Cannon-dian

    On Wed, 10 Sep 2008 06:14:49 -0700, Bill Gunshannon
    wrote:

    > In article ,
    > "Tom Linden" writes:
    >> On Tue, 09 Sep 2008 09:54:53 -0700, Bill Gunshannon
    >>
    >> wrote:
    >>
    >>> In article ,
    >>> "Tom Linden" writes:
    >>>> On Tue, 09 Sep 2008 06:55:43 -0700, Bob Koehler
    >>>> wrote:
    >>>>
    >>>>> In article , "Tom
    >>>>> Linden"
    >>>>> writes:
    >>>>>> On Tue, 09 Sep 2008 05:17:28 -0700,
    >>>>>> wrote:
    >>>>>>
    >>>>>>> While there is much in what you say, your case is not helped by
    >>>>>>> demonstrably dubious claims such as "There is nothing to show that
    >>>>>>> "security" was the underlying principle in everything VMS did any more
    >>>>>>> than that Unix didn't consider it at all". There's plenty of evidence
    >>>>>>> if you look with open eyes. Native VMS code's widespread use of
    >>>>>>> descriptors for varying-length items encourages careful programming
    >>>>>>> and has no equivalent in Windows or any Unix I've seen (since V7, Sys
    >>>>>>> V, and BSD4.1, I've seen a few).
    >>>>>>
    >>>>>> Descriptors are not part of the OS but a feature of the compilers, and the
    >>>>>> concept really came out of languages like PL/I and Algol; we call them
    >>>>>> dope vectors.
    >>>>>
    >>>>> The use of descriptors for many of the OS APIs is part of the OS.
    >>>>>
    >>>> Don't wish to nitpick, but it is the selection of compilers supporting such
    >>>> constructs that is part of the OS. Languages deficient in such constructs
    >>>> were enhanced to provide that capability. OS's like Multics, Primos, VOS,
    >>>> MVS-z/os, Burroughs were written in languages in which such constructs are
    >>>> an integral part of the language.
    >>>>
    >>> Primos? A bunch of that was written in Fortran IV. :-)

    >> That is true, but from 18 on forward it was mostly all PLP.

    >
    > Not really. I maintained Rev 19 systems and we still had FTN and PMA.
    > I used to have a copy but it is long gone now. I never got to work with
    > Rev 20 so I can't say if they redid all of it by that point.
    >
    > But I was being very tongue-in-cheek. It was mostly PL/I code (PLP and
    > PL/I Subset G) and a lot of fun to work with. It is as much a shame that
    > Primos didn't really survive as it will be when VMS fades away. I expect
    > both to experience the same fate. That is, just as Primos is still in use
    > this long after its demise, so will VMS continue to be used long after
    > its owners have given up the ghost. One can only hope that there will
    > be someone to pick up the ball and run with it when that time comes as
    > was the case with Primos.


    Does anyone maintain it?

    >
    > bill
    >




    --
    PL/I for OpenVMS
    www.kednos.com

  13. Re: Loose Cannon-dian

    In article <6ipv70Frs1niU2@mid.individual.net>, billg999@cs.uofs.edu (Bill Gunshannon) writes:
    >In article ,
    > "Tom Linden" writes:
    >> On Tue, 09 Sep 2008 09:53:33 -0700, Bill Gunshannon
    >> wrote:
    >>
    >>> It's a poor workman who blames his tools.

    >>
    >> It is a dilettante that uses inferior tools

    >
    >Tell that to all the people using Java. :-)


    Can I use this for a .sig?

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    .... pejorative statements of opinion are entitled to constitutional protection
    no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

    Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    of usenet _must_ include its contents in its entirety including this copyright
    notice, disclaimer and quotations.

  14. Re: Loose Cannon-dian

    In article ,
    "Tom Linden" writes:
    > On Wed, 10 Sep 2008 06:14:49 -0700, Bill Gunshannon
    > wrote:
    >
    >> In article ,
    >> "Tom Linden" writes:
    >>> On Tue, 09 Sep 2008 09:54:53 -0700, Bill Gunshannon
    >>>
    >>> wrote:
    >>>
    >>>> In article ,
    >>>> "Tom Linden" writes:
    >>>>> On Tue, 09 Sep 2008 06:55:43 -0700, Bob Koehler
    >>>>> wrote:
    >>>>>
    >>>>>> In article , "Tom
    >>>>>> Linden"
    >>>>>> writes:
    >>>>>>> On Tue, 09 Sep 2008 05:17:28 -0700,
    >>>>>>> wrote:
    >>>>>>>
    >>>>>>>> While there is much in what you say, your case is not helped by
    >>>>>>>> demonstrably dubious claims such as "There is nothing to show that
    >>>>>>>> "security" was the underlying principle in everything VMS did any more
    >>>>>>>> than that Unix didn't consider it at all". There's plenty of evidence
    >>>>>>>> if you look with open eyes. Native VMS code's widespread use of
    >>>>>>>> descriptors for varying-length items encourages careful programming
    >>>>>>>> and has no equivalent in Windows or any Unix I've seen (since V7, Sys
    >>>>>>>> V, and BSD4.1, I've seen a few).
    >>>>>>>
    >>>>>>> Descriptors are not part of the OS but a feature of the compilers, and the
    >>>>>>> concept really came out of languages like PL/I and Algol; we call them
    >>>>>>> dope vectors.
    >>>>>>
    >>>>>> The use of descriptors for many of the OS APIs is part of the OS.
    >>>>>>
    >>>>> Don't wish to nitpick, but it is the selection of compilers supporting such
    >>>>> constructs that is part of the OS. Languages deficient in such constructs
    >>>>> were enhanced to provide that capability. OS's like Multics, Primos, VOS,
    >>>>> MVS-z/os, Burroughs were written in languages in which such constructs are
    >>>>> an integral part of the language.
    >>>>>
    >>>> Primos? A bunch of that was written in Fortran IV. :-)
    >>> That is true, but from 18 on forward it was mostly all PLP.

    >>
    >> Not really. I maintained Rev 19 systems and we still had FTN and PMA.
    >> I used to have a copy but it is long gone now. I never got to work with
    >> Rev 20 so I can't say if they redid all of it by that point.
    >>
    >> But I was being very tongue-in-cheek. It was mostly PL/I code (PLP and
    >> PL/I Subset G) and a lot of fun to work with. It is as much a shame that
    >> Primos didn't really survive as it will be when VMS fades away. I expect
    >> both to experience the same fate. That is, just as Primos is still in use
    >> this long after its demise, so will VMS continue to be used long after
    >> its owners have given up the ghost. One can only hope that there will
    >> be someone to pick up the ball and run with it when that time comes as
    >> was the case with Primos.

    >
    > Does anyone maintain it?


    Yes. As a matter of fact, I donated my home Prime system to one of the
    people who is still licensed to maintain Primos. That was several years
    ago and he drove out here from Ohio to get it. I still keep in touch
    with a handful of the Prime people. It was a very nice machine although
    a little strange sometimes.

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  15. Re: Loose Cannon-dian

    On Sep 10, 2:23 pm, billg...@cs.uofs.edu (Bill Gunshannon) wrote:
    > In article ,
    > koeh...@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    >
    > > In article , Michael Kraemer writes:

    >
    > >> That's pretty much nowhere land.
    > >> Are there widely accepted certifications beyond
    > >> orange book ?

    >
    > > Nowhere? C2, B1, ..., all were written by some folks based on their
    > > limited knowledge and their specific needs. There are a lot of other
    > > legitimate security concerns.

    >
    > > For example, Windows got a C2 rating at one time, based on
    > > limitations like no network, no floppies, ...

    >
    > > So what good is a system if you can't enter or retrieve data?

    >
    > Those ratings are for operational systems. What need is there for a
    > network connection or floppies on a system running a power plant?
    >
    > One can take the system offline, connect a floppy, load and install
    > needed upgrades and then remove the floppy, recertify and return to
    > production as a C2 system.
    >
    > When one looks at things in terms of IS's instead of just a Windows
    > box this stuff makes a lot more sense. But then, when you are so
    > totally biased against MS, you become blind to reality.
    >
    > bill
    >
    > --
    > Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    > billg...@cs.scranton.edu | and a sheep voting on what's for dinner.
    > University of Scranton |
    > Scranton, Pennsylvania | #include


    Power plants are more networked than you seem to think, in order to
    (for example) automate the process of matching electricity generation
    against electricity demand in something approaching real time (this
    kind of thing used to be done by phone but the PHBs prefer things like
    this to be automated). And then there's also the wandering contractor
    with a potentially-infected laptop connected to the (maybe isolated)
    plant network on one side, and (maybe) via a 3G phone to the Internerd
    on the other side.

    Depending on the technologies used, this can make them more vulnerable
    than you seem to think, and almost certainly more vulnerable than they
    were prior to Windows monoculture. If the plant network is designed to
    be isolated when operational, it will likely still have essential
    Window boxes on it in places, so where will those boxes get their
    daily AV updates, monthly Windows updates, occasional application
    updates? A network connection or a removable media sneakernet,
    perhaps? Isolated but out of date (and requiring downtime for each
    update), or up to date and vulnerable. Take your pick.

    Perhaps you missed the GAO report in May this year which had 92
    specific suggestions for IT/SCADA security improvements at the
    Tennessee Valley Authority (you've heard of them?) and recommendations
    for "best practice" elsewhere?

    GAO report: http://www.gao.gov/new.items/d08526.pdf
    Sample "IT" media coverage: http://www.theregister.co.uk/2008/05...id_vulnerable/

  16. Re: Loose Cannon-dian

    In article ,
    johnwallace4@yahoo.co.uk writes:
    > On Sep 10, 2:23 pm, billg...@cs.uofs.edu (Bill Gunshannon) wrote:
    >> In article ,
    >> koeh...@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    >>
    >> > In article , Michael Kraemer writes:

    >>
    >> >> That's pretty much nowhere land.
    >> >> Are there widely accepted certifications beyond
    >> >> orange book ?

    >>
    >> > Nowhere? C2, B1, ..., all were written by some folks based on their
    >> > limited knowledge and their specific needs. There are a lot of other
    >> > legitimate security concerns.

    >>
    >> > For example, Windows got a C2 rating at one time, based on
    >> > limitations like no network, no floppies, ...

    >>
    >> > So what good is a system if you can't enter or retrieve data?

    >>
    >> Those ratings are for operational systems. What need is there for a
    >> network connection or floppies on a system running a power plant?
    >>
    >> One can take the system offline, connect a floppy, load and install
    >> needed upgrades and then remove the floppy, recertify and return to
    >> production as a C2 system.
    >>
    >> When one looks at things in terms of IS's instead of just a Windows
    >> box this stuff makes a lot more sense. But then, when you are so
    >> totally biased against MS, you become blind to reality.

    >
    > Power plants are more networked than you seem to think, in order to
    > (for example) automate the process of matching electricity generation
    > against electricity demand in something approaching real time (this
    > kind of thing used to be done by phone but the PHBs prefer things like
    > this to be automated).


    I just used that as an example as it is one that shows up here. If,
    as you say, networking is required then obviously it either wouldn't
    be C2 or wouldn't be Windows. I was just trying to show that not having
    those things in production did not mean they could not be available in
    a C2 rated IS.


    > And then there's also the wandering contractor
    > with a potentially-infected laptop connected to the (maybe isolated)
    > plant network on one side,


    The statement was C2 + Windows = "no network" so, not a problem. Obviously,
    a lot more goes into maintaining C2 systems than your home PC but it is done
    every day.

    > and (maybe) via a 3G phone to the Internerd
    > on the other side.
    >
    > Depending on the technologies used, this can make them more vulnerable
    > than you seem to think, and almost certainly more vulnerable than they
    > were prior to Windows monoculture. If the plant network is designed to
    > be isolated when operational, it will likely still have essential
    > Window boxes on it in places, so where will those boxes get their
    > daily AV updates, monthly Windows updates, occasional application
    > updates?


    You missed the most important point. "No Network". Obviously, C2 rated
    systems do not get "daily AV updates, monthly Windows updates, occasional
    application updates" in the same manner as your home PC. Tell me something?
    Can you get to any of the PC's currently being used by the military in Iraq?
    Do you think they are not running Windows? Do you think they don't get kept
    up to date for things like AV and Windows Updates?

    > A network connection or a removable media sneakernet,
    > perhaps? Isolated but out of date (and requiring downtime for each
    > update), or up to date and vulnerable. Take your pick.


    If it is not connected to the outside world in any way and it only runs
    one task, vulnerable to what? You guys really need to change your mindset
    and accept that there are secure Windows Systems running all over the world.
    I know, I just had to go back to school (again) to have my skills refreshed
    on how this is being done.

    >
    > Perhaps you missed the GAO report in May this year which had 92
    > specific suggestions for IT/SCADA security improvements at the
    > Tennessee Valley Authority (you've heard of them?) and recommendations
    > for "best practice" elsewhere?


    Don't know anything about TVA but I doubt C2 is one of their requirements
    for an IS. And that was what was being discussed.

    >
    > GAO report: http://www.gao.gov/new.items/d08526.pdf
    > Sample "IT" media coverage: http://www.theregister.co.uk/2008/05...id_vulnerable/


    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  17. Re: Loose Cannon-dian (was: Re: DEFCON 16 and Hacking OpenVMS)

    bugs@signedness.org wrote:
    > I was hoping someone could tell us if there is a better place to
    > report them at HP than the security-alert email address since they
    > just stopped replying and ended all communications with us last time
    > we reported something there..


    HP is a big company, so most things go sloooow...

    They published a security bulletin yesterday [1] containing the sentence

    The Hewlett-Packard Company thanks bugs@signedness.org for reporting
    this vulnerability to security-alert@hp.com.

    I guess that's the most you'll get from them.

    cu,
    Martin

    BTW: The bulletin isn't complete in the sense that it doesn't list the
    ECOs for OpenVMS VAX 6.2 and 7.3. So for the official HP, VAX doesn't
    exist any more?! ;-)

    [1] http://www.itrc.hp.com/service/cki/d...r_na-c01539423
    ITRC Login required
    --
    One OS to rule them all | Martin Vorlaender | OpenVMS rules!
    One OS to find them | work: mv@pdv-systeme.de
    One OS to bring them all | http://vms.pdv-systeme.de/users/martinv/
    And in the Darkness bind them.| home: martin.vorlaender@t-online.de

  18. Re: Loose Cannon-dian

    Bob Koehler schrieb:
    > In article , Michael Kraemer writes:
    >
    >>That's pretty much nowhere land.
    >>Are there widely accepted certifications beyond
    >>orange book ?

    >
    >
    > Nowhere? C2, B1, ..., all were written by some folks based on their
    > limited knowledge and their specific needs. There are a lot of other
    > legitimate security concerns


    and which certification suite addresses these concerns
    and what is VMS's ranking in this context ?

    > For example, Windows got a C2 rating at one time, based on
    > limitations like no network, no floppies, ...


    The competition for VMS in this respect are the various Unices.
    As for the Orange Book criteria they are on par (C2/B1).
    What's the ranking within the more recent Common Criteria ?


  19. RE: Loose Cannon-dian

    > -----Original Message-----
    > From: Bill Gunshannon [mailto:billg999@cs.uofs.edu]
    > Sent: Wednesday, September 10, 2008 9:24 AM
    > To: Info-VAX@Mvb.Saic.Com
    > Subject: Re: Loose Cannon-dian
    >
    > In article ,
    > koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    > > In article , Michael Kraemer

    > writes:
    > >>
    > >> That's pretty much nowhere land.
    > >> Are there widely accepted certifications beyond
    > >> orange book ?

    > >
    > > Nowhere? C2, B1, ..., all were written by some folks based on their
    > > limited knowledge and their specific needs. There are a lot of other
    > > legitimate security concerns.
    > >
    > > For example, Windows got a C2 rating at one time, based on
    > > limitations like no network, no floppies, ...
    > >
    > > So what good is a system if you can't enter or retrieve data?

    >
    > Those ratings are for operational systems. What need is there for a
    > network connection or floppies on a system running a power plant?
    >


    On the network piece, you are kidding, right?

    If not, do you understand how a power plant works? With all of its
    wireless devices, worker laptops, remote sensing devices etc. It's
    all one big "system".

    > One can take the system offline, connect a floppy, load and install
    > needed upgrades and then remove the floppy, recertify and return to
    > production as a C2 system.
    >
    > When one looks at things in terms of IS's instead of just a Windows
    > box this stuff makes a lot more sense. But then, when you are so
    > totally biased against MS, you become blind to reality.
    >
    > bill
    >
    >
    > --
    > Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three
    > wolves
    > billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    > University of Scranton |
    > Scranton, Pennsylvania | #include


    Bill, you seem to feel that the Internet is the big issue from a
    security perspective and that with private networks, you do not need
    to worry so much.

    In fact, security analysts will state that 60+% of security issues
    are related to internal issues. Hence, even systems/desktops on
    private networks need to apply the security patches that come out
    each and every month for Windows and Linux.



    Regards

    Kerry Main
    Senior Consultant
    HP Services Canada
    Voice: 613-254-8911
    Fax: 613-591-4477
    kerryDOTmainAThpDOTcom
    (remove the DOT's and AT)

    OpenVMS - the secure, multi-site OS that just works.





  20. Re: Loose Cannon-dian

    In article <9D02E14BC0A2AE43A5D16A4CD8EC5A593ED5FEB144@gvw1158 exb.americas.hpqcorp.net>,
    "Main, Kerry" writes:
    >> -----Original Message-----
    >> From: Bill Gunshannon [mailto:billg999@cs.uofs.edu]
    >> Sent: Wednesday, September 10, 2008 9:24 AM
    >> To: Info-VAX@Mvb.Saic.Com
    >> Subject: Re: Loose Cannon-dian
    >>
    >> In article ,
    >> koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    >> > In article , Michael Kraemer

    >> writes:
    >> >>
    >> >> That's pretty much nowhere land.
    >> >> Are there widely accepted certifications beyond
    >> >> orange book ?
    >> >
    >> > Nowhere? C2, B1, ..., all were written by some folks based on their
    >> > limited knowledge and their specific needs. There are a lot of other
    >> > legitimate security concerns.
    >> >
    >> > For example, Windows got a C2 rating at one time, based on
    >> > limitations like no network, no floppies, ...
    >> >
    >> > So what good is a system if you can't enter or retrieve data?

    >>
    >> Those ratings are for operational systems. What need is there for a
    >> network connection or floppies on a system running a power plant?
    >>

    >
    > On the network piece, you are kidding, right?
    >
    > If not, do you understand how a power plant works? With all of its
    > wireless devices, worker laptops, remote sensing devices etc. It's
    > all one big "system".


    Nope, never worked in a power plant. This was just the example someone
    else had used long ago and I played on that. The discussion was over
    Windows and C2 and the statement that that meant no network and no
    floppies. I was merely trying to propose a scenario where a production
    system could be C2 and still actually work as needed.

    >
    >> One can take the system offline, connect a floppy, load and install
    >> needed upgrades and then remove the floppy, recertify and return to
    >> production as a C2 system.
    >>
    >> When one looks at things in terms of IS's instead of just a Windows
    >> box this stuff makes a lot more sense. But then, when you are so
    >> totally biased against MS, you become blind to reality.
    >>

    >
    > Bill, you seem to feel that the Internet is the big issue from a
    > security perspective and that with private networks, you do not need
    > to worry so much.


    Where did you draw that conclusion?

    >
    > In fact, security analysts will state that 60+% of security issues
    > are related to internal issues. Hence, even systems/desktops on
    > private networks need to apply the security patches that come out
    > each and every month for Windows and Linux.


    The whole point of all that I said was that you could have a system that,
    in production, does not have network or floppies thus able to be certified
    C2 but when in maintenance mode the level of certification is reduced.
    It is then recertified C2 and placed back in production.

    Of course, this is all moot as the rainbow books are yesterday's standard.

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include
