INFO-VAX    Wed, 11 Apr 2007    Volume 2007 : Issue 199

Contents:
  bugs and improvement points GNV 2.1
  Re: CSWB on EV4 (21064)
  Error Checking in DCL using $severity
  Re: Error Checking in DCL using $severity
  Re: Error Checking in DCL using $severity
  Re: fortran compiler 8.1
  Re: MicroVAX II chiller theatre
  Re: MicroVAX II chiller theatre
  Re: MicroVAX II chiller theatre
  Re: MicroVAX II chiller theatre
  Re: More bollocks from biggots
  Re: More on why Javascript is evil
  Re: OPCOM and TCPIP Services
  Re: OT: 216 Billion Americans Squirrels Are Scientifically Illiterate (Part 36)
  Quick Sanity Check: Itanium-II ZX2000
  tcpip$ftp and tcpip$telnet uaf settings
  Updated VMS Information (not to big)

----------------------------------------------------------------------

Date: Wed, 11 Apr 2007 00:09:57 +0200
From: Ton van der Zwet
Subject: bugs and improvement points GNV 2.1
Message-ID: <461c0b24$0$22750$e4fe514c@dreader24.news.xs4all.nl>

Hi,

we are compiling a list of bugs in the gnv 2.1 package. You can help us by giving information about more bugs or better yet: solutions (bug-fixes). At the same time we like to hear any improvement points (wish-list) you may have. This list will be used to improve or ask HP to improve gnv.

A short summary of what we have:
- broken pipe bug (cannot duplicate fd 7 to fd 0; old work-around for pipe mechanism)
- redirection problem (cat >test.dat <

Subject: Re: CSWB on EV4 (21064)
Message-ID:

"Phillip Helbig---remove CLOTHES to reply" wrote in message news:evd6jb$6tg$1@online.de...
> I'm putting together an inventory of my machines (11 ALPHAs and 15
> VAXes) since I now have too many to keep all the details in my head. In
> particular, I am hoping that a PW 433 AU might be powerful enough to run
> CSWB. Now, I have a 5305 (AS 1200) as a satellite which I boot just
> when I need CSWB. Thus, in the inventory I'll note how much RAM, what
> CPU etc and test CSWB.
>
> Just to see what happens, I fired up CSWB on a Digital 3000/600, i.e. a
> 21064 (EV4) first-generation ALPHA. 192 MB RAM. CSWB runs and is
> actually usable, although it is slow. (On the 1200, the CSWB images are
> installed, which was NOT the case on the 3000.) CPU usage was high but
> not at maximum, there was no paging and memory use was high but there
> was still some left (both in the modified list and in the free list).
>
> Quite frankly, I was surprised, especially since performance might be
> even better if the images are installed. It is still too slow to use
> normally, but for a quick look at a page which actually needs features
> CSWB has and my other browsers (LYNX, Mosaic, Netscape) don't, it is
> faster to fire up CSWB on the 3000 than booting the 1200. (The 1200 has
> its own monitor; for the 3000, I set the display to a VAXstation 4000/90
> with a huge Digital colour monitor which has a better picture than the
> much newer "PC-style connector" monitor I bought in 1997 with a
> 255/233.)
>

Phillip,

before you spend real money on a new video card, remember DEC's advice: buy more memory! Memory for the AS1200/DS5305 is not so expensive (US$30 for 256 MB) on eBay.

Hans

------------------------------

Date: 10 Apr 2007 20:58:24 -0700
From: "ababeel"
Subject: Error Checking in DCL using $severity
Message-ID: <1176263904.880270.184590@o5g2000hsb.googlegroups.com>

Hi

I am using a DCL to create a TAR file using the vmstar command as follows....

$ vmstar /create myfile.temp [.work...]*.* /verbose

and I want to check in the DCL if the vmstar completed successfully or not. I am using the $severity symbol for that...as follows

$ if .NOT. $severity
$ then
$ say "ERROR in VMSTAR"
$ goto ZIPFAIL
$ endif

vmstar fails because some of the files are locked by a process (which is fine) but I want it to exit if vmstar fails..which it doesn't...it just continues on

Have I done the error check correctly...??? Any help much appreciated

------------------------------

Date: Tue, 10 Apr 2007 23:14:52 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: Error Checking in DCL using $severity
Message-ID: <07041023145201_202002DA@antinode.org>

From: "ababeel"

> $ vmstar /create myfile.temp [.work...]*.* /verbose
> $ if .NOT. $severity
> $ then
> $ say "ERROR in VMSTAR"
> $ goto ZIPFAIL
> $ endif
> vmstar fails because some of the files are locked by a process (which
> is fine) but I want it to exit if vmstar fails..which it doesn't...it
> just continues on
>
> Have I done the error check correctly...??? Any help much appreciated

The test looks ok, but it depends on VMSTAR setting a proper VMS exit code, and it may not do that. I am not familiar enough with the VMSTAR code to say much, but you might run a few experiments, and look at $STATUS to see if you get anything different when there's a problem reading a file.

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Wed, 11 Apr 2007 15:32:14 +1000
From: Jim Duff
Subject: Re: Error Checking in DCL using $severity
Message-ID: <461c72e1@dnews.tpgi.com.au>

ababeel wrote:
> Hi
> I am using a DCL to create a TAR file using the vmstar command as
> follows....
>
> $ vmstar /create myfile.temp [.work...]*.* /verbose
>
> and I want to check in the DCL if the vmstar completed successfully or
> not. I am using the $severity symbol for that...as follows
>
> $ if .NOT. $severity
> $ then
> $ say "ERROR in VMSTAR"
> $ goto ZIPFAIL
> $ endif
>
> vmstar fails because some of the files are locked by a process (which
> is fine) but I want it to exit if vmstar fails..which it doesn't...it
> just continues on
>
> Have I done the error check correctly...??? Any help much appreciated
>

Your error checking is fine. Unfortunately, VMSTAR's latest version (3.4-1) returns a success status, even when an error occurs which causes the processing to stop prematurely.
For example:

$ copy nl: a.txt
$ copy nl: b.txt
$ copy nl: c.txt
$ open/read/write in b.txt
$ vmstar -cvf test.tar *.txt
Apr 11 15:19:47 2007 0 ./a.txt
tar: error opening input file MY_DISK:[000000]B.TXT;1
tar: error copying MY_DISK:[000000]B.TXT;1
$ show sym $status
  $STATUS == "%X00000001"
$ show sym $severity
  $SEVERITY == "1"
$ close in

This could (and should) be fixed in someone's copious free time. Even worse (IMHO) is the fact that it stops processing after reporting the error, and doesn't process c.txt.

One workaround would be to define sys$output to a file (yes, sys$output, VMSTAR doesn't use fprintf to stderr) and see if there is any output in the file (obviously, without using -v). For example:

$ if f$search ("tar_errors.txt") .nes. ""
$ then
$ deletex/nolog tar_errors.txt;*
$ endif
$ define/user sys$output tar_errors.txt
$ vmstar -cf test.tar *.txt
$ if f$search ("tar_errors.txt") .nes. ""
$ then
$ write sys$output "Unexpected output from TAR!"
$! You may or may not want to delete the tar_error.txt file here
$ goto zipfail
$ endif

HTH

Jim.
--
www.eight-cubed.com

------------------------------

Date: 10 Apr 2007 14:07:25 -0700
From: "Hein RMS van den Heuvel"
Subject: Re: fortran compiler 8.1
Message-ID: <1176239245.372524.173040@v33g2000cwv.googlegroups.com>

On Apr 10, 3:09 pm, John Reagan wrote:
> Don.Z...@gmail.com wrote:
> > Hi Folks,
>
> > Just upgraded my fortran compiler from 8.0 to 8.1. But ran into a problem :
> > %F90-E-ERROR, Cannot open include file '($FDVDEF)/LIST' :
> I'll guess that the upgrade to Fortran 8.1 put a new FORSYSDEF.TLB on
> your system. That essentially removed the $FDVDEF module that was
> inserted by the FMS installation. I'd try reinstalling FMS.

Or... find a prior version of FORSYSDEF.TLB on this or an other system or a backup, extract the module and insert into the current FORSYSDEF.TLB

$LIBR/EXTR=$FDVDEF/OUT=FDV.FOR old-FORSYSDEF.TLB
$LIBR/INS sys$library:FORSYSDEF.TLB FDV.FOR

Hein.

>
> --
> John Reagan
> HP Pascal/{A|I}MACRO/COBOL for OpenVMS Project Leader
> Hewlett-Packard Company

------------------------------

Date: Tue, 10 Apr 2007 22:42:12 GMT
From: Curtis Rempel
Subject: Re: MicroVAX II chiller theatre
Message-ID: <8pUSh.18468$hO2.5797@edtnps82>

JF Mezei wrote:

> Curtis Rempel wrote:
>>> 1: M7606-AF: KA630 with 1 MB memory
>>> 2: NS630: Nat Semi memory (unknown size)
>>> 3: NS638: Nat Semi memory 8 MB
>>> 4: M7504: DEQNA-AA (AB half) and M7546: TQK50-AA (CD half)
>>> 5: M8639: RQDX2

> Not sure of your deqna and tqk50 are configured properly, perhaps they
> cause some conflict on your q-bus. You might wish to remove them and
> plug the RQDX2 into slot 4 AB. This way, if it works, you would know
> that it is the config of your other boards which may conflict.

Slots look like this now:

1: M7606-AF: KA630 with 1 MB memory
2: NS630: Nat Semi memory (unknown size)
3: NS638: Nat Semi memory 8 MB
4: M8639: RQDX2

Power on and boot DUA0:

KA630-A.V1.2

1) Dansk        7) Nederlands
2) Deutsch      8) Norsk
3) English      9) Português
4) Español     10) Suomi
5) Français    11) Svenska
6) Italiano

(1..11): 3

Performing normal system tests.

7..6..5..4..3..

Tests completed.

>>> BOOT DUA0

2..
?4C DEVINACT, DUA0
?06 HLT INST
PC = 00000E0A
Failure.
>>>

The RQDX2 is jumpered to 772150 default setting.

So, maybe it is dead after all.

> Can you hear the arm move, or just the disk spin ?

With the above BOOT command, it spins and you can hear the arm move. The Ready light flashes twice quickly and this corresponds to the arm movement sounds. It pauses for a couple of seconds, then repeats the arm movement and light flashing. This goes on for about a minute and then ?4C DEVINACT.

> In terms of the TK50, how long does it huff and puff before it gives up
> ? It could be that the unit is unable to read the tape and gives up with
> a message similar to "there is no tape in here".

About the same amount of time as the disk above.

Still am wondering about those two jumpers side by side on the RQDX2 and not labelled. Can't find any reference to them anywhere.

------------------------------

Date: Tue, 10 Apr 2007 19:40:07 -0500
From: Chris Scheers
Subject: Re: MicroVAX II chiller theatre
Message-ID: <461C2E67.4050607@applied-synergy.com>

Curtis Rempel wrote:
> JF Mezei wrote:
>
>> Curtis Rempel wrote:
>>>> 1: M7606-AF: KA630 with 1 MB memory
>>>> 2: NS630: Nat Semi memory (unknown size)
>>>> 3: NS638: Nat Semi memory 8 MB
>>>> 4: M7504: DEQNA-AA (AB half) and M7546: TQK50-AA (CD half)
>>>> 5: M8639: RQDX2
>
>> Not sure of your deqna and tqk50 are configured properly, perhaps they
>> cause some conflict on your q-bus. You might wish to remove them and
>> plug the RQDX2 into slot 4 AB. This way, if it works, you would know
>> that it is the config of your other boards which may conflict.
>
> Slots look like this now:
>
> 1: M7606-AF: KA630 with 1 MB memory
> 2: NS630: Nat Semi memory (unknown size)
> 3: NS638: Nat Semi memory 8 MB
> 4: M8639: RQDX2
>
> Power on and boot DUA0:
>
> KA630-A.V1.2
>
> 1) Dansk        7) Nederlands
> 2) Deutsch      8) Norsk
> 3) English      9) Português
> 4) Español     10) Suomi
> 5) Français    11) Svenska
> 6) Italiano
>
> (1..11): 3
>
>
>
> Performing normal system tests.
>
> 7..6..5..4..3..
>
> Tests completed.
>
>
>>>> BOOT DUA0
>
> 2..
> ?4C DEVINACT, DUA0
> ?06 HLT INST
> PC = 00000E0A
> Failure.

Assuming that you have a BA23 chassis, the Q-bus is a serpentine bus. I don't remember for sure where the serpentine starts (I think it is slot 3), but it weaves up and down between the top and bottom of the slots.

If you put in a full height board, you don't need to worry about it as the board should have continuity circuitry for both the top (AB) and bottom (CD) of the slot.
But if you have a half height board alone in a slot (even the last slot you use), you need to have a grant card in the other half of the slot (if not the last slot) or make sure the card is in the right part (top or bottom) if in the last slot.

The most common failure mode for an RD53 is what I call the spin up/spin down problem. The RD53 will try to spin up and after about 20 seconds it is not quite up to speed and then spins itself back down. This may or may not repeat.

You mentioned repetitive disk activity. Does this occur in response to the BOOT command or do you still observe it when waiting at the prompt? If at the prompt, the drive is probably spinning itself up and down. Such a drive needs to be replaced or repaired. If the activity is in response to the BOOT command, the drive may be good.

Good luck!

> The RQDX2 is jumpered to 772150 default setting.
>
> So, maybe it is dead after all.
>
>> Can you hear the arm move, or just the disk spin ?
>
> With the above BOOT command, it spins and you can hear the arm move. The
> Ready light flashes twice quickly and this corresponds to the arm movement
> sounds. It pauses for a couple of seconds, then repeats the arm movement
> and light flashing. This goes on for about a minute and then ?4C DEVINACT.
>
>> In terms of the TK50, how long does it huff and puff before it gives up
>> ? It could be that the unit is unable to read the tape and gives up with
>> a message similar to "there is no tape in here".
>
> About the same amount of time as the disk above.
>
> Still am wondering about those two jumpers side by side on the RQDX2 and not
> labelled. Can't find any reference to them anywhere.

--
-----------------------------------------------------------------------
Chris Scheers, Applied Synergy, Inc.

Voice: 817-237-3360            Internet: chris@applied-synergy.com
Fax: 817-237-3074

------------------------------

Date: Wed, 11 Apr 2007 02:59:10 GMT
From: Curtis Rempel
Subject: Re: MicroVAX II chiller theatre
Message-ID: <2aYSh.63769$__3.53153@edtnps90>

Curtis Rempel wrote:

> For laughs, I built a TK50 STABACKIT on another system and the TK50 comes
> to life when I boot from it indicating that the TQK50 is alive, just as
> the DEQNA, however, it also fails with DEVOFFLINE after spinning the tape
> a bit:
>
>>>> boot mua0
>
> 2..
> ?4D DEVOFFLINE, MUA0
> ?06 HLT INST
> PC = 00000E0A
> Failure.
>>>>
>
> It's curious that both _DUA0_ and MUA0 result in DEVOFFLINE when booting.
>
> I was about ready to declare the RD53 dead, but after seeing this, I'm not
> so sure any more.

As a followup to my own posting, I took the TK50 apart after it decided not to let go of the tape. Handy little hole in the PCB for a screwdriver to unwind a stuck TK50!

Anyway, after cleaning the tape path, I decided to boot s/a backup again and this time it worked (almost):

>>> BOOT MUA0

2..1..0..

OpenVMS (TM) VAX Version V7.3 Major version id = 1 Minor version id = 0

%WBM-I-WBMINFO Write Bitmap has successfully completed initialization.
PLEASE ENTER DATE AND TIME (DD-MMM-YYYY HH:MM) 10-APR-2007 19:48

Configuring devices . . .
Now configuring HSC, RF, and MSCP-served devices . . .

Please check the names of the devices which have been configured,
to make sure that ALL remote devices which you intend to use have
been configured.

If any device does not show up, please take action now to make it
available.

Available device DUA0: device type RD53
Available device MUA0: device type TK50

Enter "YES" when all needed devices are available: YES
%BACKUP-I-IDENT, Stand-alone BACKUP T7.2; the date is 10-APR-2007 19:50:09.05
$ BACKUP/IMAGE DUA0: MUA0:DUA0.BCK/SAVE_SET
%BACKUP-F-NOINDEXF, no valid index file header found on DUA0:
-SYSTEM-F-VOLINV, volume is not software enabled

If you do not want to perform another standalone BACKUP operation,
use the console to halt the system.

If you do want to perform another standalone BACKUP operation,
ensure the standalone application volume is online and ready.
Enter "YES" to continue:

So, VMS sees DUA0: alright but complains that it can't back it up. Maybe there is nothing on the disk and the disk is actually working after all. The same repetitive brief flashing of the Ready light and arm motion sounds happen as they do when trying to boot DUA0.

Seems as though the Q-bus is operating correctly now that I moved the cards up one slot and set the RQDX2 back to factory. The DEQNA works (at least as far as to be refused into a cluster) and the TK50 is alive now.

VMS sees the RD53 via s/a backup so I would think at this point the RD53 is either unstructured or has a hardware fault. Are there any diags I could run to figure out which? I don't have any TK50 diag media.

If all else fails, I suppose I could just turn it into an academic exercise (and forego any potential winning lottery numbers on the drive) to see if the drive is alive by trying to restore something via s/a backup to it and see what happens. :-)

------------------------------

Date: Tue, 10 Apr 2007 21:34:31 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: MicroVAX II chiller theatre
Message-ID: <07041021343109_2020ED38@antinode.org>

From: Curtis Rempel

> ?4C DEVINACT, DUA0

"Failed to initialize boot device." So, it's believed to exist, but it's not responding as expected.

> The RQDX2 is jumpered to 772150 default setting.

Good.

> So, maybe it is dead after all.
>
> > Can you hear the arm move, or just the disk spin ?
>
> With the above BOOT command, it spins and you can hear the arm move. The
> Ready light flashes twice quickly and this corresponds to the arm movement
> sounds. It pauses for a couple of seconds, then repeats the arm movement
> and light flashing. This goes on for about a minute and then ?4C DEVINACT.

I'd expect it to spin up at power-on, and stay spinning. A common failure mode for these drives is a repeated spin-up--spin-down cycling after power-on. If it's doing that, it's probably a goner.

> Still am wondering about those two jumpers side by side on the RQDX2 and not
> labelled. Can't find any reference to them anywhere.

Those should be the ones labeled W3 and W4 in the book, which shows them installed (like W2 and W1, near the A12 jumper).

> ?41 DEVASSIGN, DUB0

"Device is not present." this should be no surprise, as it's DUA0. And, whatever you do, don't type the colon on the boot device name.

> >>> boot mua0
>
> 2..
> ?4D DEVOFFLINE, MUA0

Suspicious, I'll admit, but dead TK50 drives (and/or TQK50 cards) are not unusual, either. Q-bus gaps could explain that, if you still had any, but you seem not to.

There're more Q-bus jumper data on my server near the stuff already cited, but I haven't seen any gross errors in the stuff posted here (except for the extended RQDX3 digression). Because you have only one of each peripheral type, the default settings for the RQDX3, DEQNA (ptui!), and TQK50 should be just fine.

You may need more known-good junk to substitute for testing purposes.

From: Chris Scheers

> Assuming that you have a BA23 chassis, the Q-bus is a serpentine bus. I
> don't remember for sure where the serpentine starts (I think it is slot
> 3), but it weaves up and down between the top and bottom of the slots.

Pay attention:

> http://antinode.org/dec/qbus_serpentine.html

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Wed, 11 Apr 2007 07:56:39 +0800
From: "Richard Maher"
Subject: Re: More bollocks from biggots
Message-ID:

Hi Arne,

Thanks for the reply (I've only just noticed it) and also for the other one a while back.

> It is a vulnerability in web sites that:
> - uses cookies for session maintenance
:
:
:
:
> It is not a HTTP problem.

My point was that if a more stateful, connection-oriented, and context-rich protocol was deployed then most of the band-aids, fencing-wire, and duct-tape, required to shoe-horn HTTP into the role of application middleware protocol would be made redundant. That is, if you don't have to cache a password, substitute a cookie for a password, or just leave the barn door open, then the scope for exploitation will have been somewhat reduced.

Given your explanation of the vulnerability in this particular case, it looks like no one was doing themselves any favours on the security front, but I'm guessing that your definition of the vulnerability requirements was a tad on the narrow side.

Is it not fair to say that if you choose to execute uploaded Javascript then that Javascript will always be able to assume any user's active network-wide persona(e)? (whether that takes the form of Session-IDs, or cookies, or domain pre-authorization(s), or anything else)

In other words, if you don't close, disconnect, void, expire, *all* credentials, connections, and any other protectable resources *before* you leave trusted-page are you not *inevitably* courting trouble? (Let alone data loss/theft)

> [Best] workaround:
> - use XML as transport

God help us!

> It is a way of doing a client application.
>
> It is quite popular.

So's McDonalds; and for a lot of the same reasons.

(*Please* don't bring up a McDonalds-bashing thread to go with the Global-Warning and Guerrilla-philately threads!
I eat a big-mac every now and then (and am quite partial to a B&E McMuffin on the way to the beach) it's just that McDonalds is what it is and so is HTTP)

> That bugs are found rarely kills a concept (very little IT would
> exist if that were the case).

Agreed, but no one talks long distance through two soup cans an a piece o' string anymore do they? Things progress. Maybe a better analogy is to AJAX and flicker-free partial updates; are any tree-huggers gonna cling desperately to the Submit button? Things move on. Analogue TVs, Phones. . .another pointless analogy :-)

> Your app is not at risk for this problem.

Aaah, but how will you know for sure unless you test it :-)

Thanks again.

Cheers Richard Maher

"Arne Vajhøj" wrote in message news:4615b04f$0$90271$14726298@news.sunsite.dk...
> Richard Maher wrote:
> > "JF Mezei" wrote in message
> > news:8cbf4$46119806$cef8887a$29108@TEKSAVVY.COM...
> >> More info on why Javascript is an evil security liability.
> >>
> >> http://news.com.com/2061-10789_3-6172582.html?tag=nefd.aof
> >
> > For anyone else who has the time to look this up (it's about five pages
> > before they start to tell you what they're talking about :-() can you please
> > give me an english version of the exact vulnerability scenario? "Evaluated
> > in the context of the malicious page" How? Only in one of these "mashup"s?
> > "Cross-site scripting" only? "JSON" only? "Client<--JavaScript-->Server"
> > only?
>
> As I read it then it works as follows.
>
> It is a vulnerability in web sites that:
> - uses cookies for session maintenance
> - uses AJAX
> - support HTTP GET for AJAX requests
> - has known URL's for AJAX requests either because it is
>   a public web site or because someone has inside knowledge
> - use JSON as transport format instead of XML (then it is
>   really AJAJ and not AJAX but ...)
> - does not "protect" the JSON
>
> It works like:
> - innocent user login into the vulnerable web site and
>   get a valid session
> - after that he goes to a malicious web site
> - the malicious web site send a page with some JavaScript
> - that JavaScript:
>     - hook in some code to run if an object with a
>       field name "x" is created
>     - insert a SCRIPT tag in the HTML pointing to an AJAX request
>       URL in the vulnerable web site
> - the browsers requests the URL and executes it because it is a
>   SCRIPT tag
> - as part of that execution an object is created
> - because the object has a field "x" the hook code is executed
>   and send a copy of the data to the malicious web site
>
> Best workaround:
> - use XML as transport
>
> Second best workaround:
> - "protect" the JSON data so it can not be executed by a
>   SCRIPT tag
>
> > How is the malicious JavaScript staying in memory and o/riding constructor(s)
> > between _top pages?
>
> It is not.
>
> > Or is it only in pages that write/evaluate/parse
> > something
> > executable from the server?
>
> It is in a page from a malicious web site and uses a hole in the
> web app from the vulnerable web site.
>
> > (obviously outside of the normal html embedded
> > javascript that gets loaded with the page) The top level of DOM is the
> > Window isn't it? If I load a new page into window.top.location then are you
> > saying that the data and functionality in it are now vulnerable to dodgy JS
> > in another Window or Tab?
>
> Read above.
>
> > This particular vulnerability has been labelled "Javascript Hijacking" and
> > although
> > granted this is the end result, it was the hop skip and jump to get there
> > that lost me. I submit to you that although the symptoms manifested as
> > unpleasant JavaScript streaming out of your nostrils (and other orifaces
> > (orifii?)) the actual disease was, once again, that context-devoid,
> > fundamentally-flawed, piece o' shit, quasi-middleware, protocol: HTTP!
> > (In this case working in combo with some JS wrapper (JSON?)
>
> It is not a HTTP problem. It is not a JavaScript problem.
>
> It is a problem with JSON. And to some extent a problem of
> poor checking in the server side web app.
>
> > Cookies? Bogus Session IDs? Browser's caching Username/Passwords? Multiple
> > Authorizations (potentially for each message)? Ajax
> > XMLHttpBollocks.Abort()? XML/Javascript/HTTP up and down the network again,
> > and again and again? How a multi-billion dollar/year industry can be
> > whirling around this pile of pooh, honestly escapes me! A Web-Server serves
> > up pages; don't expect it to be your middleware backbone anymore than
> > ODBC/JDBC!
> >
>
> It is a way of doing a client application.
>
> It is quite popular.
>
> That bugs are found rarely kills a concept (very little IT would
> exist if that were the case).
>
> > Anyway, no one cares what I think so here's my question: - As I am now a
> > huge fan of Javascript/HTML/CSS/JavaApplets I would be extremely grateful if
> > someone could explain the above vulnerability (or A.N.Other) as it would
> > apply to a top level web-page that contains JavaScript but only
> > sends/receives
> > Application Data via a (at page-display time) pre-Authorized,
> > Connection-oriented, Context-Rich TCP/IP socket? No loading Javascript from
> > the server (except what comes in the page). No XMLHttpRequest. No JSON.
> > Diagrams are always good; maybe - (a) Arse (b) Elbow - and a laser pointer
> > :-)
>
> Your app is not at risk for this problem.
>
> Arne

------------------------------

Date: Tue, 10 Apr 2007 17:36:56 +0000
From: Bengt Larsson
Subject: Re: More on why Javascript is evil
Message-ID:

Mark Daniel wrote:

>Agreed. Most of the big three browsers that I'm most familiar with
>(Gecko-based, MSIE, Opera) allow these first-off 'do-you-want?' with
>HTTP cookies, authentication credentials, SSL certificates and the like.
> I've been a little surprised at each release that a similar
>fine-grained mechanism for enabling JavaScript (than the browser on/off
>checkbox) has not emerged.
>
> +-------------------------------------------------------+
> | Site so.and.so is requesting JavaScript execution.    |
> | Allow JavaScript for this site?                       |
> | [o]never [o]this time [o]always [OK] [Cancel] [Help]  |
> +-------------------------------------------------------+
>
>This would at least selectively allow active content for 'trusted'
>sites. Perhaps it's time to stop being dismayed and actually make the
>suggestion to someone! Perhaps some of the more niche browsers have
>this capability?

Opera 9 does this (they call it site-specific preferences).

www.opera.com

------------------------------

Date: Tue, 10 Apr 2007 21:15:53 -0500
From: David J Dachtera
Subject: Re: OPCOM and TCPIP Services
Message-ID: <461C44D9.8C508A1C@spam.comcast.net>

JF Mezei wrote:
>
> There seem to be some variations on how various portions of TCPIP services
> generates OPCOM messages. In some cases, the IP address is treated as a 32 bit
> integer, in some cases, a good IP address is displayed in dotted decimal
> notation, and in other cases, a reverse translation is done of the IP address,
> and in some cases, the name is truncated or otherwise unusable.
>
> > %%%%%%%%%%% OPCOM 8-APR-2007 23:13:19.86 %%%%%%%%%%%
> > Message from user AUDIT$SERVER on CHAIN
> > Security alarm (SECURITY) and security audit (SECURITY) on CHAIN, system id: 103
> > 5
> > Auditable event: Network breakin detection
> > Event time: 8-APR-2007 23:13:19.86
> > PID: 2160541C
> > Process name: TCPIP$FTPC00002
> > Username: admin2
> > Remote nodename: hn.kd.dhcp
> > Remote node id: 1026966587
> > Remote username: FTP_3D36443B
> > Status: %LOGIN-F-NOSUCHUSER, no such user
>
> [snip]
>
> SUGGESTION: The OPCOM messages should show the real IP address in standard IP
> address notation in the Remote node ID: field.
> (and I assume IPv6 notation for those IPs).
>
> And this should apply to all of the TCPIP components that can issue OPCOM messages.

I think you hit it on the head there: It's up to UCX[, Multinet, TCPware, ...] to "fill in the blanks" with useful information. OPCOM simply spits out the message it was given.

--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/

------------------------------

Date: Tue, 10 Apr 2007 19:46:02 -0400
From: Bill Todd
Subject: Re: OT: 216 Billion Americans Squirrels Are Scientifically Illiterate (Part 36)
Message-ID:

Dr. Dweeb wrote:

...

> C02 is not a pollutant

*Anything* is a pollutant when present in excess. To relate back to our own industry, haven't you ever heard of 'cache pollution' (caused by data, even though it's considered desirable to hold in cache rather than a pollutant under other circumstances)?

- bill

------------------------------

Date: 10 Apr 2007 13:38:39 -0700
From: chuckmoore55@gmail.com
Subject: Quick Sanity Check: Itanium-II ZX2000
Message-ID: <1176237519.633759.93550@v33g2000cwv.googlegroups.com>

Hi Folks,

Someone in the area nearby-to-me has one of these things for sale for $600. I'd like to hear from anyone (1) who's running OpenVMS on one and (2) if so, running COBOL or PL/1 on it: were there any problems in installing the OS or the languages ?

I have an Alpha 4100 (4-CPU) with BA350 shelf which costs roughly $30.00(US)/month. I love the box, but am wondering if there's a cheaper-to-run OpenVMS platform that has roughly equivalent (batch PL/1 finite-difference & COBOL personal accounting) processing power.

Chuck

------------------------------

Date: Tue, 10 Apr 2007 16:28:00 -0400
From: Chuck Aaron
Subject: tcpip$ftp and tcpip$telnet uaf settings
Message-ID:

Can someone please send me what your settings are who uses these a lot and have increased them substantially from original settings?

Thanks.

------------------------------

Date: 10 Apr 2007 22:16:29 -0700
From: "Sue"
Subject: Updated VMS Information (not to big)
Message-ID: <1176268589.858882.36940@y5g2000hsa.googlegroups.com>

Dear Newsgroup

Here is a brief OpenVMS Update for you since I will be away on business until April 23rd. This may be brief VMS Update but we have some very cool information.

If you have a few minutes to spare can you check out the VMS Audio casts on www.openvms.org and provide feedback, this is a second request. Many thanks to the ten folks that responded to the first request.

On Friday this week the Dutch Police will be celebrating a 10 year anniversary of their VMS Cluster, if you would like to send a note of congratulations to their management customer here is their contact information http://www.openvms.org/stories.php?story=03/11/28/7758863

If you will be at German DECUS next week I look forward to seeing you there.

Warm Regards,
Sue

---------------------------

GREAT NEWS

Major bank deploys OpenVMS Utility Pricing

The ability to pay for only the actual CPU cycles consumed is made possible with HP Instant Capacity (iCAP), which was delivered with OpenVMS 8.3 Integrity. As with all new technologies these concepts take some time to assimilate and understand within a customer's environment, especially one running business critical applications on OpenVMS. However, a major bank has become the first OpenVMS customer to order iCAP and Temporary iCAP licenses (TiCAP) to reduce the cost-of-ownership of Montecito based CPUs, and to be able to respond instantly to increased demand precisely when needed. A similar capability also exists for OpenVMS Leased systems called Pay per use - PPU.
---------------------------

Index

1.0 Boot Camp Update
2.0 From VMS Engineering
    HP OPC TRANSPORT T1.0 FOR OPENVMS INTEGRITY SERVERS
    HP COBOL V2.9 field test
3.0 From our Partners - Parsec
4.0 Sue's Fav's

----------------------------------

1.0 OpenVMS Advanced Technical Boot Camp Update and notes

http://h71000.www7.hp.com/symposium/index.html

Please register as soon as possible and make your hotel reservations. The hotel room rate is only good until April 30 after that time the price will increase.

In the next week you will see a more refined agenda and a new session by Andy Goldstein has been added - Secure Privileged Subsystems. Soon the abstract and bios will be connected to all the sessions as well. Please take the time to look at the sessions as the blocks may have several different speakers.

Week of May 14 (Open to boot camp attendees only and you need to send mail ASAP if you are interested in attending the sessions are very full)
Alpha Crash Dump Analysis - Monday to Friday
Porting Workshop Wed-Friday
TCP/IP Banquet Thursday and Friday - two seats left

Scholarships from HP need to be submitted by April 23rd, (see last week's VMS Update for more information or send me mail)
2 for folks under 30
2 for folks willing to do VMS Integrity
1 hardship

Scholarship from Partners (only two so far) check www.openvms.org for details
1 From Tdi
1 From Bruden

Registration
7 Scholarships
84 folks registered
91 seats committed
109 seats available

Countries Represented
Austria - 1
Belgium - 2
Canada - 3
England - 4
Germany - 8
Greece - 1
Hungary - 1
Ireland - 1
Netherlands - 5
Sweden - 9
Switzerland - 2
USA - 47

----------------------------

2.0 From VMS Engineering

2.1 HP OPC TRANSPORT T1.0 FOR OPENVMS INTEGRITY SERVERS

HP OpenVMS Engineering is pleased to announce the field test release of OPC Transport T1.0 for OpenVMS Integrity servers.
The field test kit and documentation are now available from the HP OPC Transport web site at: http://h71000.www7.hp.com/openvms/products/ips/opc/index.html .

HP OPC Transport T1.0 is available on the OpenVMS Integrity server platform only. Its use is intended for OLE for Process Control (OPC) environments and is a subset of COM. Only unauthenticated COM is supported.

Refer to the "Installation Guide and Release Notes" document for product prerequisites. This guide also describes how to install and configure HP OPC Transport for OpenVMS Integrity servers.

Problem reports and any issues that you experience with the OPC Transport field test kit can be reported to the openvms.ebusiness@hp.com email address.

Thank you for participating in the OPC Transport field test.

2.2 HP COBOL V2.9 field test

HP are seeking field test sites for the next version of HP COBOL for OpenVMS Alpha and I64. Here is the request from John Reagan:

"Dear Friends-of-COBOL (I know you are out there), we are getting ready for V2.9 of COBOL for OpenVMS I64 and OpenVMS Alpha. We are looking for a few sites to help us test. V2.9 contains only bug fixes, no new functionality (well, we may sneak a /VERSION qualifier on the compiler) is planned.

Bug fixes include:

- On I64 only, very large COBOL applications (ie, LOTS of modules, HUNDREDS OF THOUSANDS of lines), may not link due to the way the COBOL compiler kept asking the linker for various address constants. The sheer number of address constants would overflow the size of the short section. If you have this problem, you already know about it. The linker will just refuse to link your application. We have modified the compiler to generate code that needs fewer linker-generated address constants.

- The COBOL front-end lied to the code-generator about the alignment of fields in records. The front-end got the offset correct, but told GEM the wrong alignment (normally, GEM can figure out the alignment from the offset, but COBOL is different...
you don't wanna know...). GEM believed the front-end and would generate code based on the alignment knowledge. That resulted in TONS of alignment faults. On I64, that really hurts. On Alpha, not so much. We've fixed the front-end to compute the correct alignment information. I64 users in particular may see large performance increases. Alpha users might see improvement as well.

- A few other bug fixes for things like Kanji currency symbols and other strange things.

So if you can get a new kit from us and recompile/retest your COBOL code to make sure we didn't, er, ah, screw up. So send me email (firstname.lastname @ hp.com) and we can talk."

-----------------------------

3.0 From our Partners - Parsec

PARSEC Group has created some pages on our website listing some undocumented OpenVMS features. This is a consolidation of information we have run across over the years. Some of the features are listed on other sites, some we have not been able to find anywhere else. For some interesting reading, go to http://www.parsec.com/openvms/undocumented.php.

If anyone has additional information on some undocumented features, there is a link at the bottom of the page to send it to us. We will verify the information and consider adding it to the list.

-------------------------------

4.0 Sue's Fav's

This is very important and should be bookmarked http://h71000.www7.hp.com/new/events.html this is an ongoing list of events where VMS will be.

------------------------------

End of INFO-VAX 2007.199
************************