DEFCON 16 and Hacking OpenVMS - VMS


Thread: DEFCON 16 and Hacking OpenVMS

  1. Re: Loose Cannon-dian

    In article , bugs@signedness.org writes:

    > It is funny you should mention SUID 0.. Yes great care must be taken
    > when you give a "user controlled" process euid 0.. But you have the
    > same problem with VMS don't you? Only there the privs are called
    > BYPASS, SETPRV, CMKRNL, SYSPRV etc but essentially those and a few more
    > mean the same thing as uid/euid 0 - complete control over the system.
    > Even HP acknowledges this although I can't find the link right now.


    That's the point. If you need to do something on UNIX you typically
    SUID 0 and right away all kinds of little exploits are wide open.
    If you need to do something on VMS you give only what is needed, and
    while some of these can be used to gain full control it's not trivial
    to get there, and it's easier to make sure it's not possible through
    the exposed interface.

    Making security easy to get right is an important part of system design.

    > If you want to be in denial about security flaws in VMS that is your
    > choice, and you'll be glad to hear we don't have any more conferences
    > planned so we don't have to update our slides and are unlikely to look
    > for more bugs in VMS unless a client asks us.


    I'm not in denial. I was one of the first to post here, that yes,
    you found something. It's your attitude that quality is
    impossible that I won't swallow.

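    An added example of the UNIX side of the point made above (written for this page; it is not code from the thread or from any poster): a setuid-root helper does its privileged work, then drops to an unprivileged identity in a way that can be checked, so that the interface it exposes cannot get back to uid 0. It assumes a Linux or BSD-style libc where setuid() called as root replaces the real, effective and saved uid; the uid/gid 65534 used when the program happens to start as root is an assumed "nobody" identity, not looked up from the password file.

```c
/* Added example, not from the thread: a verifiable, one-way privilege drop
 * for a setuid-root helper on Linux/BSD.  The common mistake is to call
 * seteuid(uid) only, which leaves the saved uid at 0 so that seteuid(0)
 * gets root back; setuid() called as root clears all three slots. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid.  Returns 0 on success, -1 (errno set) on
 * failure.  Order matters: supplementary groups and gid go first, because
 * once the uid is gone we no longer have the right to change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* root only: clear group list */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)   /* as root: real, effective and saved uid all become uid */
        return -1;
    return 0;
}

/* Return 1 if the drop is complete and irreversible, 0 otherwise.  The
 * last check is the important one: if a saved uid of 0 survived, setuid(0)
 * or seteuid(0) would succeed and the "drop" would be cosmetic. */
int privileges_are_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return 0;
    return 1;
}

/* Drop to an unprivileged identity and verify it.  An already unprivileged
 * process "drops" to its own ids, which is the case any user can run; a
 * process that starts as root drops to 65534, assumed here to be "nobody"
 * (an assumption for the example, not a lookup). */
int demo_drop(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (uid == 0) {
        uid = 65534;
        gid = 65534;
    }
    if (drop_privileges(uid, gid) != 0)
        return 0;
    return privileges_are_dropped(uid, gid);
}

int main(void)
{
    if (demo_drop()) {
        printf("running as uid %u; uid 0 is no longer reachable\n",
               (unsigned)getuid());
        return 0;
    }
    fputs("privilege drop failed or incomplete\n", stderr);
    return 1;
}
```

    The privileged work (opening the device, binding the port) belongs before drop_privileges(); everything that parses input from the user belongs after privileges_are_dropped() has returned 1, and the helper should refuse to continue if it does not.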

  2. Re: Loose Cannon-dian

    In article , Michael Kraemer writes:
    >
    > with the same logic we could abolish exams for students.
    > They just would have to show how many text books they own
    > in their shelf and that would be enough to graduate.


    There is a legitimate reason for students to take exams, and a
    legitimate reason for security standards and certification.

    But while there are lots of ways to put pressure on a teacher to
    give students exams, there is no pressure on security certification
    writers to address low volume systems with a reputation for high
    security until after they've addressed exceedingly common systems
    with low reputations.

    > And my question is still unanswered,
    > which certified security level does VMS reach to put it
    > ahead of Unix ?


    And the question is still unanswerable solely because no one has
    bothered to put those issues into a certification.


  3. Re: Loose Cannon-dian

    Bob Koehler schrieb:

    > And the question is still unanswerable


    of course it is.

    > solely because no one has
    > bothered to put those issues into a certification.


    Of course people have bothered.
    Issues of common interest are covered by suites like the
    (now obsolete) Orange Book or the more recent Common Criteria
    (E1 .. E6).
    So where on that scale is VMS ?
    Simple question, simple answer.


  4. Re: Loose Cannon-dian

    On Sep 17, 8:22 am, Michael Kraemer wrote:
    > Bob Koehler schrieb:
    >
    > > And the question is still unanswerable

    >
    > of course it is.
    >
    > > solely because no one has
    > > bothered to put those issues into a certification.

    >
    > Of course people have bothered.
    > Issues of common interest are covered by suites like the
    > (now obsolete) Orange Book or the more recent Common Criteria
    > (E1 .. E6).
    > So where on that scale is VMS ?
    > Simple question, simple answer.


    Well, the real answer isn't simple.

    Please read the following article completely at the Government
    Computer News.

    http://www.gcn.com/print/26_21/44857-1.html#

    I think you will then understand that the situation with these
    certifications is more complex. There is a lot of politics and
    business interests playing a role here, and much less of a
    straightforward scientifically-based process.

    First of all these are not really security ratings at all in the sense
    of telling you how hard it would be to compromise a product's
    security. It is not even a rating of the effectiveness of the
    product's security features. It is more an evaluation of the vendor's
    development processes. There is no attempt to provide a comparison
    rating of the security architecture and features of a product compared
    with any other product.

    Even if a person correctly understands what is being evaluated, one
    should still have a healthy skepticism over the ratings given to
    any one product. The details of the evaluations are closed to the
    public, supposedly to protect intellectual property. And, it appears
    that a vendor can simply shop around to find a lab that gives the
    desired rating.

    The following segment is from the article linked above...
    --------------
    “The problem is, there are 20 countries in this, and some of the labs
    in other countries are making a fortune doing evaluations because they
    are easier than the U.S. labs,” Paller said.

    “I don’t think the labs per se are the problem,” Shapiro said. “It’s
    who pays, and can the results be confirmed? At the moment, vendors are
    negotiating with evaluators and walking down the street to a second
    evaluator when the first evaluator will not give them what they want.
    This is not hypothetical. The behavior is being observed in the wild.”

    Under the scheme, everyone accepts one lab’s results, and under the
    opaque evaluation process, results cannot be easily confirmed.
    --------------

    Please note that a LOT of euphemism is being used in this article.
    Most of the people being quoted in this article from a government-
    oriented magazine do have a lingering interest to have the expensive
    program seen in a positive light.

    For me it was already clear that if MS Windows NT already received an
    equal rating to OpenVMS, then the evaluations were clearly flawed in
    any sense of rating security design or features. The ratings are next
    to useless for anyone except FUD-slinging salesmen.

    Consequently, I must agree with Bob Koehler that the effectiveness and
    comprehensiveness of OS security capabilities have never been
    officially evaluated by any organization in any straight-forward
    scientifically-based comparative process.

    In my opinion performing such an evaluation in a fair and reasonable
    way would first require that the field of Computer Science grow up
    (as did the field of Structural Engineering to provide safe buildings
    and bridges) to at least provide "quality metrics" of software
    implementation and "design" that wasn't completely dependent on
    empirical evaluation. This is necessary since nobody can completely
    test empirically all possible code paths of a complex product (with
    the possible limited exception of using mathematically verifiable pure-
    functional programming of small, very clearly defined programs; which
    excludes something of the general usefulness and complexity of an OS).
    Since the security attained by a product is never more than its
    weakest feature, comprehensiveness is a necessary requisite of a fair
    and accurate security evaluation.

    As Structural Engineering does with buildings and bridges, we can
    come closer to a predictable quality of software by standardizing the
    "quality metrics" of the methods and materials used for design,
    features and implementation, but we don't even have an agreement yet
    in the industry of what the design, features and methods should
    include, or how to rate the quality of their integration.

    Cheers!

    Keith Cayemberg


  5. Re: Loose Cannon-dian

    Michael Kraemer wrote:
    > Bob Koehler schrieb:
    >
    >> And the question is still unanswerable

    >
    > of course it is.
    >
    >> solely because no one has
    >> bothered to put those issues into a certification.

    >
    > Of course people have bothered.
    > Issues of common interest are covered by suites like the
    > (now obsolete) Orange Book or the more recent Common Criteria
    > (E1 .. E6).
    > So where on that scale is VMS ?
    > Simple question, simple answer.
    >


    The question and the answer may both be simple but the process of
    arriving at the answer could be complex and time consuming. So how many
    of the thousands or tens of thousands of pages of the "Common Criteria"
    must one read in order to find out how to determine if a system is in
    compliance?



  6. Re: Loose Cannon-dian

    In article , Michael Kraemer writes:
    >
    > Of course people have bothered.
    > Issues of common interest are covered by suites like the
    > (now obsolete) Orange Book or the more recent Common Criteria
    > (E1 .. E6).
    > So where on that scale is VMS ?


    Security people don't regard the VMS approach to security as a
    common interest, and asking the question won't force them to.


  7. Re: Loose Cannon-dian

    On Sep 17, 11:45 am, Keith Cayemberg wrote:
    > On Sep 17, 8:22 am, Michael Kraemer wrote:
    >
    > > Bob Koehler schrieb:

    >
    > > > And the question is still unanswerable

    >
    > > of course it is.

    >
    > > > solely because no one has
    > > > bothered to put those issues into a certification.

    >
    > > Of course people have bothered.
    > > Issues of common interest are covered by suites like the
    > > (now obsolete) Orange Book or the more recent Common Criteria
    > > (E1 .. E6).
    > > So where on that scale is VMS ?
    > > Simple question, simple answer.

    >
    > Well, the real answer isn't simple.
    >
    > Please read the following article completely at the Government
    > Computer News.
    >
    > http://www.gcn.com/print/26_21/44857-1.html#
    >
    > I think you will then understand that the situation with these
    > certifications is more complex. There is a lot of politics and
    > business interests playing a role here, and much less of a
    > straightforward scientifically-based process.
    >
    > First of all these are not really security ratings at all in the sense
    > of telling you how hard it would be to compromise a product's
    > security. It is not even a rating of the effectiveness of the
    > product's security features. It is more an evaluation of the vendor's
    > development processes. There is no attempt to provide a comparison
    > rating of the security architecture and features of a product compared
    > with any other product.
    >
    > Even if a person correctly understands what is being evaluated, one
    > should still have a healthy skepticism over the ratings given to
    > any one product. The details of the evaluations are closed to the
    > public, supposedly to protect intellectual property. And, it appears
    > that a vendor can simply shop around to find a lab that gives the
    > desired rating.
    >
    > The following segment is from the article linked above...
    > --------------
    > “The problem is, there are 20 countries in this, and some of the labs
    > in other countries are making a fortune doing evaluations because they
    > are easier than the U.S. labs,” Paller said.
    >
    > “I don’t think the labs per se are the problem,” Shapiro said. “It’s
    > who pays, and can the results be confirmed? At the moment, vendors are
    > negotiating with evaluators and walking down the street to a second
    > evaluator when the first evaluator will not give them what they want.
    > This is not hypothetical. The behavior is being observed in the wild.”
    >
    > Under the scheme, everyone accepts one lab’s results, and under the
    > opaque evaluation process, results cannot be easily confirmed.
    > --------------
    >
    > Please note that a LOT of euphemism is being used in this article.
    > Most of the people being quoted in this article from a government-
    > oriented magazine do have a lingering interest to have the expensive
    > program seen in a positive light.
    >
    > For me it was already clear that if MS Windows NT already received an
    > equal rating to OpenVMS, then the evaluations were clearly flawed in
    > any sense of rating security design or features. The ratings are next
    > to useless for anyone except FUD-slinging salesmen.
    >
    > Consequently, I must agree with Bob Koehler that the effectiveness and
    > comprehensiveness of OS security capabilities have never been
    > officially evaluated by any organization in any straight-forward
    > scientifically-based comparative process.
    >
    > In my opinion performing such an evaluation in a fair and reasonable
    > way would first require that the field of Computer Science grow up
    > (as did the field of Structural Engineering to provide safe buildings
    > and bridges) to at least provide "quality metrics" of software
    > implementation and "design" that wasn't completely dependent on
    > empirical evaluation. This is necessary since nobody can completely
    > test empirically all possible code paths of a complex product (with
    > the possible limited exception of using mathematically verifiable pure-
    > functional programming of small, very clearly defined programs; which
    > excludes something of the general usefulness and complexity of an OS).
    > Since the security attained by a product is never more than its
    > weakest feature, comprehensiveness is a necessary requisite of a fair
    > and accurate security evaluation.
    >
    > As Structural Engineering does with buildings and bridges, we can
    > come closer to a predictable quality of software by standardizing the
    > "quality metrics" of the methods and materials used for design,
    > features and implementation, but we don't even have an agreement yet
    > in the industry of what the design, features and methods should
    > include, or how to rate the quality of their integration.
    >
    > Cheers!
    >
    > Keith Cayemberg


    Wise words, and an interesting article. Software (and systems design)
    in general is a *long* way from being a proper engineering subject. In
    many cases and in many places and with all due respect to CMMI etc
    it's barely risen beyond the craft stage, and from time to time it
    falls even further back, to being a fashion industry, except the
    "fashion victims" here can be out of pocket for $millions if the
    project doesn't work out right.

    > "it was already clear that if MS Windows NT already received an
    > equal rating to OpenVMS, then the evaluations were clearly flawed in
    > any sense of rating security design or features. The ratings are next
    > to useless for anyone except FUD-slinging salesmen.


    Useful to FUD-slinging salespeople, and also the many MS-dependent
    people and organisations in the Windows-centric monoculture.

  8. Re: Loose Cannon-dian

    In article <9a0133d0-24dd-4bb0-aac8-4a57d6dd95bd@f36g2000hsa.googlegroups.com>,
    johnwallace4@yahoo.co.uk writes:
    > On Sep 17, 11:45 am, Keith Cayemberg wrote:
    >>
    >> "it was already clear that if MS Windows NT already received an
    >> equal rating to OpenVMS, then the evaluations were clearly flawed in
    >> any sense of rating security design or features. The ratings are next
    >> to useless for anyone except FUD-slinging salesmen.

    >
    > Useful to FUD-slinging salespeople, and also the many MS-dependent
    > people and organisations in the Windows-centric monoculture.


    You make statements like this and accuse others of FUD? Just because
    you have a bias against MS doesn't mean any of the crap you spout about
    its security are actually true. Just because your Gramma's WindowsME
    got hacked doesn't mean there are no serious Windows Servers running
    securely.

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  9. Re: Loose Cannon-dian

    In article <6jd269F2n1bdU1@mid.individual.net>, billg999@cs.uofs.edu (Bill Gunshannon) writes:
    >
    > You make statements like this and accuse others of FUD? Just because
    > you have a bias against MS doesn't mean any of the crap you spout about
    > its security are actually true. Just because your Gramma's WindowsME
    > got hacked doesn't mean there are no serious Windows Servers running
    > securely.


    ROTFLOL.


  10. Re: DEFCON 16 and Hacking OpenVMS

    On Sep 9, 3:46 am, Volker Halle wrote:
    > On 8 Sep., 14:56, IanMiller wrote:
    >
    > > VAXSMGRMUP01_062, ECO Kit has been announced. This fixes SMGRTL for
    > > VAX/VMS V6.2.

    >
    > > Keep watching for more announcements.

    >
    > Note that you may not be able to expand this kit on OpenVMS VAX V6.2:
    >
    > $ run VAXSMGRMUP01_062.ZIPEXE
    > %DCL-W-ACTIMAGE, error activating image VAXSMGRMUP01_062.ZIPEXE
    > -CLI-E-IMGNAME, image file DSA10:VAXSMGRMUP01_062.ZIPEXE;1
    > -SYSTEM-F-BADIMGHDR, bad image header
    >
    > Expanding the kit on OpenVMS VAX V7.3 works fine, as well as
    > installation on V6.2
    >
    > Volker.


    Engineering has replaced the v6.2 ZIPEXE module on ITRC with
    VAXSMGRMUP01_062.A-DCX_VAXEXE (dated 17-SEP-2008) ... and since
    I actually have a v6.2 system, I downloaded it and can state that
    the DCX image will run and unpack correctly on 6.2 :-)


    Verne

  11. Re: Loose Cannon-dian

    bugs@signedness.org wrote:
    > On Sep 15, 5:42 pm, koeh...@eisner.nospam.encompasserve.org (Bob
    > Koehler) wrote:
    >> In article <1cddb0fc-c644-4c38-9d33-0825a9a4b...@s50g2000hsb.googlegroups.com>, b...@signedness.org writes:
    >>
    >>
    >>
    >>> So let me ask you what mechanisms VMS have in place to make it harder/
    >>> prevent buggy programs from being exploited?

    >> On VMS, even if you have a fully privileged account, you don't
    >> automagically get to exhaust any resource other than disk space.
    >> For all the others you have to add code to raise your limits.
    >>

    >
    > Well obviously you can do that on UNIX too (change root's resource
    > allocation)..


    The resource allocation control you have in Unix is nothing like in VMS.
    There are a lot of things that you can't limit in Unix. The two are in fact not
    even comparable in this aspect.

    Johnny

    --
    Johnny Billquist || "I'm on a bus
    || on a psychedelic trip
    email: bqt@softjar.se || Reading murder books
    pdp is alive! || tryin' to stay hip" - B. Idol
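    The UNIX mechanism referred to above ("change root's resource allocation"), as an added example that is not part of the thread: per-process resource limits set with setrlimit(), here the open-file limit, which is the nearest counterpart to the VMS FILLM quota. Written for this page in C for Linux/BSD; it assumes /dev/null exists, and the cap of 8 descriptors is chosen only to make the demonstration quick. It shows the two properties worth knowing when comparing with VMS quotas: the kernel enforces the limit on every open(), and once an unprivileged process has lowered its hard limit it cannot raise it again, whereas root can.

```c
/* Added example, not from the thread: per-process resource quotas on
 * Linux/BSD via setrlimit(RLIMIT_NOFILE).  The limit is inherited across
 * fork() and exec(), so a service can cap itself before handling input. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Cap the number of open descriptors (soft and hard) for this process and
 * anything it later fork()s or exec()s.  Returns 0 on success. */
int cap_open_files(rlim_t limit)
{
    struct rlimit rl;
    rl.rlim_cur = limit;
    rl.rlim_max = limit;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Open /dev/null up to `want` times and return how many opens succeeded
 * before the kernel refused with EMFILE.  All descriptors are closed again. */
int count_openable(int want)
{
    int fds[64];
    int opened = 0;
    if (want > 64)
        want = 64;
    while (opened < want) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0)
            break;                      /* errno == EMFILE: quota exhausted */
        fds[opened++] = fd;
    }
    for (int i = 0; i < opened; i++)
        close(fds[i]);
    return opened;
}

/* Return 1 if an attempt to raise the hard limit to `higher` is refused
 * with EPERM, i.e. the cap is one-way for this (unprivileged) process. */
int hard_limit_is_sticky(rlim_t higher)
{
    struct rlimit rl;
    rl.rlim_cur = higher;
    rl.rlim_max = higher;
    return setrlimit(RLIMIT_NOFILE, &rl) != 0 && errno == EPERM;
}

/* Cap this process to `cap` descriptors and check the arithmetic: the
 * number of fresh opens that succeed must equal the free slots below the
 * cap, and (unless we are root) the cap must be impossible to undo.
 * Returns 1 when every check holds, 0 otherwise. */
int demo_quota(rlim_t cap)
{
    int inherited = 0;
    for (int fd = 0; fd < (int)cap; fd++)
        if (fcntl(fd, F_GETFD) != -1)   /* stdin/stdout/stderr, typically */
            inherited++;
    if (cap_open_files(cap) != 0)
        return 0;
    if (count_openable(64) != (int)cap - inherited)
        return 0;
    if (geteuid() != 0 && !hard_limit_is_sticky(cap * 2))
        return 0;
    return 1;
}

int main(void)
{
    if (demo_quota(8)) {
        puts("open-file quota of 8 enforced and, for a non-root process, irreversible");
        return 0;
    }
    puts("quota check failed");
    return 1;
}
```

    Running it as root shows the asymmetry the thread is about: the cap is enforced just the same, but hard_limit_is_sticky() returns 0 because a uid 0 process may raise its own hard limit again, so the check is skipped for root.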
