INFO-VAX Wed, 13 Aug 2008 Volume 2008 : Issue 440 Contents: Re: DEFCON 16 and Hacking OpenVMS Re: Memory Usage Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10/ Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10/ Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10/ Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10 Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10/ Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10/ ---------------------------------------------------------------------- Date: Tue, 12 Aug 2008 19:44:55 -0500 From: patrick jankowiak Subject: Re: DEFCON 16 and Hacking OpenVMS Message-ID: sampsal@gmail.com wrote: >>> 1. A format string vulnerability in the FINGER client (VAX only). The >>> example shellcode is stored on a remote system's .plan file and forces >>> the victim FINGER client to modify SYSUAF. >> Is this with DEC TCPIP services or is it something to do with the >> Multinet finger vulnerability ? > > It appears to be something separate, since it seems to have to do with > a format string > vulnerability. Basically someone puts a bunch of % strings and > shellcode in their .plan > on a remote host, fingers that user from the target host, and the > FINGER client executes > the shellcode due to the format string vulnerability in the client. > > >>> 2. A CLI buffer overflow on Alphas. Basically any input over 511 >>> characters causes an overflow, it seems to be possible to have a >>> privileged process execute arbitrary code. >> Can you explain this one in a bit more detail ? >> Is this an attack against DCL itself, images installed with privileges >> or something else ? > > I think this might be a DCL issue, it seems to work across a number of > different images. Not had a chance to play with this as my own VMS > box is down at the moment. > > Sampsa I would have thought a CLI overflow to have been tried by at least a few at DEFCON9 because the system automagically created service-rich user accounts with of course DCL which the hackers were then free to abuse. We were not scrutinizing buffers however and any such overflow may in our case have done nothing harmful (by luck or design). I think it was version 7.1-? if it makes a difference. Did the gentleman specify any versions? Patrick J ------------------------------ Date: Tue, 12 Aug 2008 21:08:30 -0500 From: Michael Austin Subject: Re: Memory Usage Message-ID: James J. O'Shea wrote: > What is the best way to find out memory usage on an > OpenVMS machine? > > I'm currently using f$getsiy("free_pages") but was > wondering if I could use the MONITOR tool to record a > works worth of data. What command would I use in > that case? > > Thanks, > Jim O'Shea > Chicago, IL > I would also recommend it. If you are having problems, it is very easy to modify it to capture < 1minute data (done in short durations due to resources) to see problems while they are happening. I used to manage over 250+ Alpha servers from DS10's to GS1280's with the tool and stored it on a SAN device connected to a DS10L that I used as the T4Chart web-based utility to display results from any one of the systems. My application managers could use this site to view performance on their individual servers and if necessary request the data during a performance problem. I could then analyze it to see what exactly was happening. All of the systems had that late night, early morning spike when backups kicked off... but the tool was very good for day to day and problem management of the systems. Trending months of data when necessary... HTH. ------------------------------ Date: Tue, 12 Aug 2008 12:06:20 -0700 (PDT) From: johnwallace4@yahoo.co.uk Subject: Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10/ Message-ID: <97773d08-1c63-4ab1-aee8-607189f82b78@f36g2000hsa.googlegroups.com> On Aug 12, 6:29 pm, Ashley Shepherd wrote: > Where to start? > > I worked for a regional electricity company in the 90's. Everything > technical was based on VMS, all the inter-company and national grid > billing, all of the planning and strategy of supply & demand, and of > course the control of the ENTIRE grid network was managed by....... > PDP11's. And old ones at that. The year 2K planning was interesting, > when I said "are these Y2K compliant" there was just silence. When I > pushed it was a case of "well, the programs were written 20-30 years > ago, nothing was documented and we suspect all the programmers have > died of old age, certainly we know of none of them. All we know is > that it all works, even though we don't know how. If your can boil > your kettle on New Years Day, you'll know everything was Y2K > compliant!" It was a classic case of "if it ain't broke, don't fix > it" > > As for today, I suspect VMS is still embedded in the electricity > companies, for the very same reason it was chosen. In 5 years (except > for when an over zealous system admin typed DEL *.* whilst in > SYS$SYSTEM and ensured that 2,000 users had an extra half-day > holiday), we never had a single day of unplanned downtime of any > application. > > Regarding the SMS systems, I also worked for a mobile company, and VMS > is indeed embedded in those organisations too. As with most > companies, there is an edict that VMS is "non strategic" and that it > needs to be replaced, but when you get down to it, nothing else can > touch the reliability and scalability of VMS > > IMHO, if Ken Olson had the vision to release prior versions of VMS as > open source, we would see VMS everywhere that we now see Unix and > Linux. Re PDP11 and Y2K: I'm surprised the lawyers didn't force the PDP11s out. It happened at at least one well known company I was working with whose tried tested and proven but X.25-dependent solution, deployed in multiple countries around the world, had to be ditched because DEC wouldn't give them a Y2K chitty for the relevant (but long obsolete) X. 25 kit. So the DEC X.25-based kit (and its associated appplication software) was thrown out at a couple of weeks notice at the lawyers behest, to be replaced with a setup based on Cisco kit, a setup which had to be thrown together at short notice when the lawyers got involved, a setup which had approximately zero testing before it was deployed. Etc. Wrt open source or not: anyone with sufficient interest, motivation, and funds could traditionally get the VMS source listings, and pore over them. Does that still apply? Stuff like DECnet specs were (iirc) freely available. There were exceptions, like the LAT protocol, and the BI bus spec, but lots of stuff was very public. I'm not convinced that "open source" per se would actually have added much. But it would have been good for *perception* of VMS, and that would have had value of itself. What would we call it though? Open OpenVMS? Can't call it FreeVMS, that's taken. A sensible global hobbyist program could still make VMS truly affordable (currently that doesn't apply in, for example, the UK, where membership of HPUG to get the hobbyist licence is =A350+ ($100+?) per year... may not seem much, but times are hard). Open sourcing chunks of Tru64 might have been an interesting option... this week at work so far I have mostly been building a pre-emptible Linux kernel with a 1ms tick, 'cos unlike later Tru64s, many/most Linuxes still don't ship as such by default (and I have been finding that the "real time Linux" vendors like MontaVista and SuSe make it very difficult to get at their GPL-based sources without signing up for an expensive subscription, hmm does *that* comply with the GPL?). Although the work involved isn't difficult it's not minimal (or quick) either. And the week before last I was mostly trying to make sense of the gazillion incompatible and often illogical ways the non-VMS world has for (mis)representing times and dates (vs quadword time and a handful of associated feasily-understood functions). But PCs are cheap and productive and cost-effective, and VMS isn't. It must be so, Mr Gates and his mates at Intel told us it was true. ------------------------------ Date: Tue, 12 Aug 2008 13:32:48 -0700 (PDT) From: maxoutrage@gmail.com Subject: Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10/ Message-ID: <6af7435a-69a2-44c7-ac60-c8566f838ada@79g2000hsk.googlegroups.com> On Aug 12, 2:13 pm, AEF wrote: > On Aug 12, 4:20 am, maxoutr...@gmail.com wrote: > > > > > This might not be too well known or in the media but over 50% of > > mobile text messages sent in the world are on OpenVMS systems. > > > --Peter. > > On Aug 11, 12:04 am, urbancamo wrote: > > > > Spotted an LK201 and an LK401 at the console of the controller at the > > > National Grid Control Centre in the programme 'Britain From Above' > > > broadcast on BBC1 in the UK on 10/08/08. > > > > The National Grid Control Centre is responsible for providing the UK's > > > electricity supply. The programme focussed on the unique problem in > > > the UK of supplying the peak demands of power required after > > > mainstream TV programmes such as East Enders. The controller had > > > direct influence at an instant over several hydroelectric power plants > > > dotted round the UK that are solely used for providing temporary extra > > > power to satisfy peak demand. The controller monitored a display > > > showing the mains frequency which required action when it dropped to > > > 49.8 Hz - the normal in the UK being 50 Hz. > > > > I found it absolutely fascinating that hydroelectric dams are opened > > > temporarily because East Enders has finished and a large portion of > > > the UK public are making a brew! > > > > OpenVMS was not mentioned in the programme but it can be assumed that > > > it is used in some major capacity at the control centre. > > > > Can anyone provide more details? > > > > Regards, > > > > Mark. > > Hi, > > I'm not challenging your claim, but it would be great if you could > provide a reference for this. > > Thanks! > > AEF I work for Acision so I know first hand how many customers we have. The original company was called CMG and created the first SMSC and sent the first text message back in the early 90's using VAX and VMS. CMG merged with Logica who were our main competition and became LogicaCMG. Logica had a competing product that was based on Unix. After the merger it was decided to proceed with the CMG / OpenVMS based product as the performance and stability were better but the Logica product was still maintained and sold to customers who still wanted it. LogicaCMG then spun off the telecoms division to become Acision last year. If you look on the Acision product page, the SMSC IP product is based on OpenVMS. It says IP now because it is possible to communicate with telecoms equipment IE STP, MSC and HLR's using IP as well as traditional means. In the US AT&T, Sprint and T-Mobile are the biggest carriers using our SMSC. The largest systems are 14 node OpenVMS clusters that can sustain 14K messages per second delivered to a handset. Now at 10-15cents/message you work out how much they make!! --Peter. ------------------------------ Date: Tue, 12 Aug 2008 14:19:19 -0700 (PDT) From: johnwallace4@yahoo.co.uk Subject: Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10/ Message-ID: On Aug 12, 9:32 pm, maxoutr...@gmail.com wrote: > On Aug 12, 2:13 pm, AEF wrote: > > > > > On Aug 12, 4:20 am, maxoutr...@gmail.com wrote: > > > > This might not be too well known or in the media but over 50% of > > > mobile text messages sent in the world are on OpenVMS systems. > > > > --Peter. > > > On Aug 11, 12:04 am, urbancamo wrote: > > > > > Spotted an LK201 and an LK401 at the console of the controller at the > > > > National Grid Control Centre in the programme 'Britain From Above' > > > > broadcast on BBC1 in the UK on 10/08/08. > > > > > The National Grid Control Centre is responsible for providing the UK's > > > > electricity supply. The programme focussed on the unique problem in > > > > the UK of supplying the peak demands of power required after > > > > mainstream TV programmes such as East Enders. The controller had > > > > direct influence at an instant over several hydroelectric power plants > > > > dotted round the UK that are solely used for providing temporary extra > > > > power to satisfy peak demand. The controller monitored a display > > > > showing the mains frequency which required action when it dropped to > > > > 49.8 Hz - the normal in the UK being 50 Hz. > > > > > I found it absolutely fascinating that hydroelectric dams are opened > > > > temporarily because East Enders has finished and a large portion of > > > > the UK public are making a brew! > > > > > OpenVMS was not mentioned in the programme but it can be assumed that > > > > it is used in some major capacity at the control centre. > > > > > Can anyone provide more details? > > > > > Regards, > > > > > Mark. > > > Hi, > > > I'm not challenging your claim, but it would be great if you could > > provide a reference for this. > > > Thanks! > > > AEF > > I work for Acision so I know first hand how many customers we have. > > The original company was called CMG and created the first SMSC and > sent the first text message back > in the early 90's using VAX and VMS. > > CMG merged with Logica who were our main competition and became > LogicaCMG. Logica had a competing product that was based on Unix. > After the merger it was decided to proceed with the CMG / OpenVMS > based product as the performance and stability were better but the > Logica product was still maintained and sold to customers who still > wanted it. LogicaCMG then spun off the telecoms division to become > Acision last year. > > If you look on the Acision product page, the SMSC IP product is based > on OpenVMS. It says IP now because it is possible to communicate with > telecoms equipment IE STP, MSC and HLR's using IP as well as > traditional means. > > In the US AT&T, Sprint and T-Mobile are the biggest carriers using our > SMSC. The largest systems are 14 node OpenVMS clusters that can > sustain 14K messages per second delivered to a handset. Now at > 10-15cents/message you work out how much they make!! > > --Peter. Thanks for the clarification, I think I got my early Logica/CMG history wrong way wround (byteswapped?) :( Sorry. Are you also able to clarify the comment re the spinoff of Acision, along the lines of "this is now a commodity market" or words to that effect ? E.g. Is a Windows-based or Linux-based SMSC now a viable market sector, especially for the smaller Cellcos? (What you or I think makes sense matters little, it's what folks are buying that matters) ------------------------------ Date: Tue, 12 Aug 2008 13:01:31 -0700 From: "Tom Linden" Subject: Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10 Message-ID: On Tue, 12 Aug 2008 10:29:54 -0700, Ashley Shepherd wrote: > IMHO, if Ken Olson had the vision to release prior versions of VMS as > open source, we would see VMS everywhere that we now see Unix and > Linux. I bought a 750 in early 1982, but replaced vms with BSD 4.1 as it was used for inhouse compiler development. I wrote a letter to KO that spring that he license VMS sources (we were building a VAX like computer based on the National chip) suggesting that the 10% or so of VAXes running Unix would soon be much bigger. Got a response about 2 or so months later declining. Heard later that the only supportede of the concept was Andy Knowles, who subsequently left sometime thereafter. I am sure there were plenty of other people sayoing same thing, so it isn't as if there weren't plenty of signals. -- PL/I for OpenVMS www.kednos.com ------------------------------ Date: Tue, 12 Aug 2008 13:07:03 -0700 From: "Tom Linden" Subject: Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10/ Message-ID: On Tue, 12 Aug 2008 12:06:20 -0700, wrote: > this week at work so far I have mostly been building a pre-emptible > Linux kernel with a 1ms tick, 'cos unlike later Tru64s, many/most > Linuxes still don't ship as such by default (and I have been finding > that the "real time Linux" vendors like MontaVista and SuSe make it You may wish to have a look ay http://os.inf.tu-dresden.de/L4/ -- PL/I for OpenVMS www.kednos.com ------------------------------ Date: Tue, 12 Aug 2008 16:01:48 -0700 From: "Tom Linden" Subject: Re: OpenVMS in the media - National Grid Control Centre, Britain from Above, 10/ Message-ID: On Tue, 12 Aug 2008 13:32:48 -0700, wrote: > I work for Acision so I know first hand how many customers we have. > The original company was called CMG and created the first SMSC and > sent the first text message back > in the early 90's using VAX and VMS. > CMG merged with Logica who were our main competition and became > LogicaCMG. Logica had a competing product that was based on Unix. > After the merger it was decided to proceed with the CMG / OpenVMS > based product as the performance and stability were better but the > Logica product was still maintained and sold to customers who still > wanted it. LogicaCMG then spun off the telecoms division to become > Acision last year. > If you look on the Acision product page, the SMSC IP product is based > on OpenVMS. It says IP now because it is possible to communicate with > telecoms equipment IE STP, MSC and HLR's using IP as well as > traditional means. > In the US AT&T, Sprint and T-Mobile are the biggest carriers using our > SMSC. The largest systems are 14 node OpenVMS clusters that can > sustain 14K messages per second delivered to a handset. Now at > 10-15cents/message you work out how much they make!! > --Peter. What was the implementation language? Bliss? -- PL/I for OpenVMS www.kednos.com ------------------------------ End of INFO-VAX 2008.440 ************************