INFO-VAX	Thu, 10 Jul 2008	Volume 2008 : Issue 382

Contents:
  Re: Another BIND vulnerability (cache poisoning)
  Re: Another BIND vulnerability (cache poisoning)
  Re: OT: ATM PIN code theft
  Re: Quasi-push technologies
  Re: Quasi-push technologies
  Re: Symbol Substitution Mystery
  Re: Symbol Substitution Mystery
  Re: Tru64 file system source code now open source
  Re: Why did process quota go down?

----------------------------------------------------------------------

Date: Wed, 9 Jul 2008 12:32:10 -0700 (PDT)
From: IanMiller
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID: <73bbb49b-bb4e-4b03-9c46-7cbb67baa53d@s50g2000hsb.googlegroups.com>

On 9 Jul, 17:54, johnwalla...@yahoo.co.uk wrote:
> On Jul 9, 9:35 am, JF Mezei wrote:
>
> > JF Mezei wrote:
> > > Slashdot article:
> > > http://it.slashdot.org/article.pl?sid=08/07/08/195225
>
> > > Official CERT article:
> > > http://www.kb.cert.org/vuls/id/800113
>
> > Test can be made at www.doxpara.com
>
> > Essentially, what it does is cause a number of separate DNS requests to
> > be made to their own DNS server and they check if each DNS request was
> > made FROM a different port or not. If they all come from the same port,
> > it deems the DNS server to be vulnerable.
>
> > I used wireshark to trace the VMS TCPIP Services 5.6 (Bind 9) server
> > while running this test and the 5 requests all came from the same port.
>
> > My ISP has already patched their Linux servers.
>
> > Anyone know if a patch is/will be available for TCPIP Services 5.6 ?
>
> > Or is this something that the remaining VMS installed base doesn't care
> > much about because they are enterprise systems not connected to the
> > internet ?
>
> I'm not sure why being "not connected to the internet" helps in this
> case (or in many other cases) as there are too many uncontrolled leakage
> paths to the Internerd in many corporates these days anyway (and there
> often were even before the days of 3G phones and widespread laptops).
>
> Anyway, if I've understood right, this is an instance of "defective by
> design" in BIND. an error in BIND which djb (of djbdns and qmail fame)
> first talked about with CERT back in 2002, and first discussed in
> public by djb himself in 2001: http://cr.yp.to/djbdns/forgery.html
>
> As of December 2007 djbdns is in the public domain, so managers of
> commodity OSes on commodity hardware may well have an easy
> BIND-independent fix. No idea whether a VMS version is available.

Note that the MS patch for this breaks zonealarm. So you have a
choice. remove this patch or turn down the security settings on
zonealarm. I expect a fix from MS or Zonealarm will be along shortly.

------------------------------

Date: Wed, 9 Jul 2008 17:25:13 -0600
From: "Michael D. Ober"
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID:

"IanMiller" wrote in message
news:73bbb49b-bb4e-4b03-9c46-7cbb67baa53d@s50g2000hsb.googlegroups.com...
> On 9 Jul, 17:54, johnwalla...@yahoo.co.uk wrote:
>> On Jul 9, 9:35 am, JF Mezei wrote:
>>
>> > JF Mezei wrote:
>> > > Slashdot article:
>> > > http://it.slashdot.org/article.pl?sid=08/07/08/195225
>>
>> > > Official CERT article:
>> > > http://www.kb.cert.org/vuls/id/800113
>>
>> > Test can be made at www.doxpara.com
>>
>> > Essentially, what it does is cause a number of separate DNS requests to
>> > be made to their own DNS server and they check if each DNS request was
>> > made FROM a different port or not. If they all come from the same port,
>> > it deems the DNS server to be vulnerable.
>>
>> > I used wireshark to trace the VMS TCPIP Services 5.6 (Bind 9) server
>> > while running this test and the 5 requests all came from the same port.
>>
>> > My ISP has already patched their Linux servers.
>>
>> > Anyone know if a patch is/will be available for TCPIP Services 5.6 ?
>>
>> > Or is this something that the remaining VMS installed base doesn't care
>> > much about because they are enterprise systems not connected to the
>> > internet ?
>>
>> I'm not sure why being "not connected to the internet" helps in this
>> case (or in many other cases) as there are too many uncontrolled leakage
>> paths to the Internerd in many corporates these days anyway (and there
>> often were even before the days of 3G phones and widespread laptops).
>>
>> Anyway, if I've understood right, this is an instance of "defective by
>> design" in BIND. an error in BIND which djb (of djbdns and qmail fame)
>> first talked about with CERT back in 2002, and first discussed in
>> public by djb himself in 2001: http://cr.yp.to/djbdns/forgery.html
>>
>> As of December 2007 djbdns is in the public domain, so managers of
>> commodity OSes on commodity hardware may well have an easy
>> BIND-independent fix. No idea whether a VMS version is available.
>
> Note that the MS patch for this breaks zonealarm. So you have a
> choice. remove this patch or turn down the security settings on
> zonealarm. I expect a fix from MS or Zonealarm will be along shortly.
>

Since this vulnerability was known back in 2002, I wouldn't blame MS for
breaking Zonealarm. As a security product, Zonealarm should have fixed
their product a long time ago.

Mike.

------------------------------

Date: Wed, 09 Jul 2008 16:12:31 -0700
From: Joe Hunt
Subject: Re: OT: ATM PIN code theft
Message-ID: <8dha74h55g8nqpbajhqbivvj5ur3spi4bq@4ax.com>

This blog article, with an earlier date, contains more information.

http://blog.wired.com/27bstroke6/2008/06/fbi-arrests-six.html

------------------------------

Date: Wed, 09 Jul 2008 18:31:11 -0700
From: "Jeffrey H. Coffield"
Subject: Re: Quasi-push technologies
Message-ID:

Richard Maher wrote:
> Hi Jeffrey,
>
> Thanks for the reply.
>
>> I can't easily tell if this is the same concept, but look at
>> www.monex.com.
>> That ticker simply reads a file every few minutes that is
>> updated by the trading system which is an OpenVMS cluster.
>
> Interesting; you wouldn't happen to know if it's a periodic refresh, or Ajax
> or a hidden iFrame would you? (Or something else?)
>
> It's just that I have the Java console turned on for Applets and it popped
> up on that page, and I couldn't see an obvious Applet Object def (that
> wasn't buried in some included .JS file) and was just curious as to which bit
> the Java was controlling.
>
> Cheers Richard Maher
>
> PS. I'm currently very interested in various "push" technologies. (Used
> mainly in conjunction with Tier3 client/server request/response mechanisms)
>
> "Jeffrey H. Coffield" wrote in message
> news:nJXck.13044$jI5.11126@flpi148.ffdc.sbc.com...
>>
>> Richard Maher wrote:
>>> Hi,
>>>
>>> "Jan-Erik Söderholm" wrote in message
>>> news:5CHck.777$U5.393@newsb.telia.net...
>>>> See http://www.sgx.com/
>>>> Click "SGX moves to new securities trading engine".
>>>>
>>>> Or see : http://tinyurl.com/5zpm8k for a
>>>> less-capable-browser-version...
>>> Great news! Especially as this is after the Nasdaq OMX acquisition.
>>>
>>> Cheers Richard Maher
>>>
>>> PS. If anyone knows (or bothers to work out) what the Java Applet is for on
>>> that page then please let me know. (Live ticker "push" technology?)
>>>
>>>
>> I can't easily tell if this is the same concept, but look at
>> www.monex.com. That ticker simply reads a file every few minutes that is
>> updated by the trading system which is an OpenVMS cluster.
>>
>> Jeff Coffield
>> www.digitalsynergyinc.com
>
>

Originally the ticker on the Monex site was an applet, but it got
replaced by flash when the site was overhauled. The only "push"
technology I know of is either Comet (Ajax with a persistent connection)
or some form of Java (that again has a persistent connection). Otherwise
you have to have something timed that periodically checks for updates.

Jeff C.

------------------------------

Date: Wed, 09 Jul 2008 18:37:03 -0700
From: "Jeffrey H. Coffield"
Subject: Re: Quasi-push technologies
Message-ID:

Richard Maher wrote:
> PS. I'm currently very interested in various "push" technologies. (Used
> mainly in conjunction with Tier3 client/server request/response mechanisms)

We (Digital Synergy) have developed a Java to RMS connector that I am
working toward releasing open source. Since it doesn't use SQL or JDBC,
it is capable of having the server push content to the client app. It
also allows Java clients to call OpenVMS legacy code.

If you are interested, look at
http://www.digitalsynergyinc.com/JavaRMS.html.

Jeff Coffield

------------------------------

Date: Wed, 9 Jul 2008 16:40:54 -0700 (PDT)
From: AEF
Subject: Re: Symbol Substitution Mystery
Message-ID: <8564d50d-2667-4311-8088-d1faec004b9c@d77g2000hsb.googlegroups.com>

On Jul 8, 7:13 am, VAXman- @SendSpamHere.ORG wrote:
> In article , AEF writes:
> [...]
>
> >Now how about this one!
>
> >DCL> WSO ""/""
> >2147483647
> >DCL> WSO "/"
> >/
> >DCL> WSO /
> >%DCL-W-NOKEYW, qualifier name is missing - append the name to the
> >slash
> >DCL>
>
> >Yes, I recognize the first result as 2**31-1, but why that?
>
> >Anyone?
>
> $ WRITE SYS$OUTPUT 1/1
> 1
> $ WRITE SYS$OUTPUT 1/0
> 2147483647
> $ WRITE SYS$OUTPUT 0/0
> 2147483647

Division! Of course! Doh! (\8-))

DCL> WSO ""5/2""
2
DCL>

>
> It's the largest number DCL can express without being negative. From a
> pure mathematics POV, division by 0 is undefined (or infinity) but many
> integer calculators tend to return the largest value possible.

Yes, that makes sense -- especially if division is performed by
repeatedly subtracting the subtrahend from the minuend until the
difference is less than the subtrahend and then counting the number of
subtractions performed and applying the appropriate sign based on the
signs of the two numbers. (If that's not how it's done I'm all ears.)
That would even explain the 0/0 result!
I would have hoped that division by zero would have been special-cased.
Oh well.

>
> --
> VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

[...]

AEF

------------------------------

Date: Wed, 09 Jul 2008 20:19:40 -0500
From: David J Dachtera
Subject: Re: Symbol Substitution Mystery
Message-ID: <487563AC.54DEAE61@spam.comcast.net>

AEF wrote:
> [snip]
> DCL> TYPE AEFGEN:SHOW-INTEGER.COM
> $ SYMBOL = 'P1'
> $ SH SYM SYMBOL
> $ EXIT

Adding this line to the top of the proc. should be enlightening and/or
entertaining:

$ SHOW SYMBOL P1

> DCL> SI F$INTEGER("")
> SYMBOL = 0 Hex = 00000000 Octal = 00000000000
> DCL> SI F$STRING("")
> SYMBOL = ""
> DCL> SI F$INTEGER("""")
> SYMBOL = 0 Hex = 00000000 Octal = 00000000000
> DCL> SI F$STRING("""")
> SYMBOL = """
> DCL> SI F$INTEGER("""""")
> SYMBOL = 0 Hex = 00000000 Octal = 00000000000
> DCL> SI F$STRING("""""")
> SYMBOL = """"
> DCL>

D.J.D.

------------------------------

Date: Wed, 09 Jul 2008 21:08:49 GMT
From: Antonio Carlini
Subject: Re: Tru64 file system source code now open source
Message-ID:

ChrisQ wrote in news:0tw9k.207380$M63.111047
@newsfe13.ams2:

> design of either to comment - I used ufs in the tru64 days. There are
> very few original ideas around and most designers borrow bits or
> concepts from a variety of sources to build new products, or just to
> stimulate the creative process. It wouldn't surprise me at all to learn
> that Sun had a good hard look at AdvFs internals during the zfs design
> phase...

I'm a little late chiming in here, but Sun had a good hard look at WAFS
(amongst others). I don't know how the NetApp-Sun lawsuit is progressing
right now.

Antonio

------------------------------

Date: Wed, 9 Jul 2008 16:05:54 -0700 (PDT)
From: AEF
Subject: Re: Why did process quota go down?
Message-ID:

On Jul 8, 3:17 pm, tadamsmar wrote:
> I had a detached process that exceeded a quota:
>
> "-SYSTEM-F-EXBYTLM, exceeded byte count" quota
>
> and started to not work right.
>
> show proc/quota showed that its Buffered I/O byte count quota had
> gone from ~98000 to ~980. Why would that happen? Any way to prevent
> that?

You used it up! Don't run it.

Really, you need to give us some info.

AEF

------------------------------

End of INFO-VAX 2008.382
************************
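
The source-port check JF Mezei describes in the BIND cache poisoning thread above, as an added example that is not part of the digest: it groups each resolver's outbound queries and flags the case where every query left from the same port. The capture rows, addresses, the 5-query minimum and the extra "sequential" verdict (which goes beyond what the post describes) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed capture summary (not from the digest). Columns:
# time  src_ip  src_port  dst_ip  dst_port   (UDP queries leaving each resolver)
SAMPLE_CAPTURE = """\
0.00 192.0.2.10 1025 198.51.100.53 53
0.21 192.0.2.10 1025 198.51.100.53 53
0.40 192.0.2.10 1025 198.51.100.53 53
0.63 192.0.2.10 1025 198.51.100.53 53
0.85 192.0.2.10 1025 198.51.100.53 53
0.02 192.0.2.20 41873 198.51.100.53 53
0.25 192.0.2.20 9412 198.51.100.53 53
0.44 192.0.2.20 60231 198.51.100.53 53
0.66 192.0.2.20 27710 198.51.100.53 53
0.88 192.0.2.20 50119 198.51.100.53 53
0.03 192.0.2.30 32768 198.51.100.53 53
0.26 192.0.2.30 32769 198.51.100.53 53
0.47 192.0.2.30 32770 198.51.100.53 53
0.69 192.0.2.30 32771 198.51.100.53 53
0.90 192.0.2.30 32772 198.51.100.53 53
0.05 192.0.2.40 5353 198.51.100.53 53
0.30 192.0.2.40 5353 198.51.100.53 53
"""

def ports_by_resolver(capture):
    """Group query source ports by resolver address, in capture order."""
    ports = defaultdict(list)
    for line in capture.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[4] == "53":  # keep only queries to port 53
            ports[fields[1]].append(int(fields[2]))
    return dict(ports)

def classify(ports, min_samples=5):
    """Return a verdict for one resolver's observed source ports."""
    if len(ports) < min_samples:
        return "insufficient-data"   # too few queries to judge
    if len(set(ports)) == 1:
        return "fixed-port"          # the case the test reports as vulnerable
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if all(0 < s <= 16 for s in steps):
        return "sequential"          # assumption: small steady increments are predictable
    return "varied"

def assess(capture):
    """Map each resolver address to its verdict."""
    return {ip: classify(p) for ip, p in ports_by_resolver(capture).items()}

if __name__ == "__main__":
    for ip, verdict in assess(SAMPLE_CAPTURE).items():
        print(ip, verdict)
```
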