INFO-VAX Thu, 04 Sep 2008 Volume 2008 : Issue 485

Contents:
  Re: Archive strategy
  Re: Archive strategy
  Re: Archive strategy
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  HP TestDrive systems to be shutdown
  Re: HP TestDrive systems to be shutdown
  Re: Loose Cannon-dian
  Re: Loose Cannon-dian
  Re: Loose Cannon-dian
  Re: Note to Island Computers customers
  OT: Carly speeks at convetion
  Re: OT: Carly speeks at convetion
  Re: OT: Carly speeks at convetion
  Re: OT: Carly speeks at convetion
  Re: OT: Carly speeks at convetion
  Re: OT: Carly speeks at convetion
  Re: OT: Flying with Diabetes (was RE: SMGRTL patch available on ITRC ftp site)
  Re: OT: Flying with Diabetes (was RE: SMGRTL patch available on ITRC ftp site) f
  Re: OT: SYSMAN Equiv. on AIX?
  Re: SSH and SFTP configuration
  Re: SSH and SFTP configuration
  Re: SSH and SFTP configuration
  RE: SSH and SFTP configuration
  Re: SSH and SFTP configuration
  Re: SSH and SFTP configuration
  Re: VAXstation 4000-90 and SCA disks
  Re: VAXstation 4000-90 and SCA disks
  Re: VAXstation 4000-90 and SCA disks
  Re: VAXstation 4000-90 and SCA disks
  Re: [RBL] Current status?
  Re: [RBL] Current status?
  Re: [RBL] Current status?

----------------------------------------------------------------------

Date: Thu, 4 Sep 2008 01:01:46 -0700 (PDT)
From: vaxinf@chemie.uni-konstanz.de
Subject: Re: Archive strategy
Message-ID: <62fdf21e-7eed-4d0b-abed-8027d364f77e@p31g2000prf.googlegroups.com>

On 3 Sep., 18:25, tadamsmar wrote:
> I ask about putting a DVD on an Alphaserver DS10 running 7.2-1.
>
> Never did get a clear answer on that. I am not sure anyone can point
> me to the software and hardware I need to get, at least not explicitly
> like a recipe in a cookbook.
>
> But, now I am thinking about some sort of removable disk solution. An
> external SCSI enclosure that can hold at least 2 removal disks. Got
> any suggestions on that?
>
> I figure removable disks are easier to recheck periodically since they
> should have a higher capacity than a DVD.

If you prefer a solution with disks I would recommend the following:
get a cheap IDE- or SATA-drive. Add a SCSI-IDE/SATA-converter. Be aware
of some max size restrictions of OVMS or of the converter. Create
virtual disks and use shadowing to copy the online data storage onto the
"removable" disk. Power off the IDE disk if the shadowing process is
complete and the archive disk is dismounted regularly. It's allowed to
exchange the archive disk on the fly. It might be better to add a
SCSI-controller for the archive disk.

Is this a clear answer?

Eberhard

------------------------------

Date: Thu, 4 Sep 2008 05:49:29 -0700 (PDT)
From: tadamsmar
Subject: Re: Archive strategy
Message-ID: <1074e60f-b35a-4171-be80-a386f83fb14e@25g2000prz.googlegroups.com>

On Sep 3, 9:55 pm, David J Dachtera wrote:
> tadamsmar wrote:
>
> > I ask about putting a DVD on an Alphaserver DS10 running 7.2-1.
>
> > Never did get a clear answer on that. I am not sure anyone can point
> > me to the software and hardware I need to get, at least not explicitly
> > like a recipe in a cookbook.
>
> Well, no, no "cookbook". However, to summarize, and see Eberhard's post
> in the other thread:
>
> Most any SCSI DVD burner MIGHT do - it's difficult to be certain without
> polling others for their experience. V7.2-1 lacks the necessary IDE
> support, so it's gotta be SCSI.
>
> Eberhard says that DVDRECORD covers everything from CD-R through DVD/RW.
> It might still be freeware. Check with him - see the other thread for his
> address.
>
> > But, now I am thinking about some sort of removable disk solution. An
> > external SCSI enclosure that can hold at least 2 removal disks. Got
> > any suggestions on that?
>
> An outfit called Castlewood once had a circa. 2GB removable cartridge
> hard disk ("orb drive"), but I believe they've gone belly up. Iomega may
> have moved on past the Jaz drives and such. Dunno - haven't looked at
> that for some time now.
>
> > I figure removable disks are easier to recheck periodically since they
> > should have a higher capacity than a DVD.
>
> ...and should have a longer shelf life. That said, hot-swappable might
> be a good substitute for removable.
>
> That's your call, of course.
>
> FWIW...
>
> D.J.D.

Thanks.

I think people often screw up archive systems. There seem to be two
basic requirements:

1. Data in at least two locations for disaster recovery.

2. The ability to periodically reconfirm that the data is sound. And
you don't want this reconfirmation to be labor intensive.

Yet the knee-jerk reaction is that you should put the data on
"permanent" media and store it away somewhere. Often, such solutions
are less effective than just storing it on disks and making regular
tape backups stored offsite. In other words, the non-archive is
better than the archive at meeting the requirements of an archive.

That's the impression I get from analyzing our past archival systems,
looking at how the "unarchived" data is managed now, and looking at
the consequences of using DVDs for archiving.

------------------------------

Date: Thu, 4 Sep 2008 08:35:18 -0700 (PDT)
From: tadamsmar
Subject: Re: Archive strategy
Message-ID: <729c5ebc-a6ae-4de6-9aae-a4bd707763e5@p10g2000prf.googlegroups.com>

On Sep 4, 8:49 am, tadamsmar wrote:
> On Sep 3, 9:55 pm, David J Dachtera
> wrote:
>
> > tadamsmar wrote:
>
> > > I ask about putting a DVD on an Alphaserver DS10 running 7.2-1.
>
> > > Never did get a clear answer on that. I am not sure anyone can point
> > > me to the software and hardware I need to get, at least not explicitly
> > > like a recipe in a cookbook.
>
> > Well, no, no "cookbook".
> > However, to summarize, and see Eberhard's post
> > in the other thread:
>
> > Most any SCSI DVD burner MIGHT do - it's difficult to be certain without
> > polling others for their experience. V7.2-1 lacks the necessary IDE
> > support, so it's gotta be SCSI.
>
> > Eberhard says that DVDRECORD covers everything from CD-R through DVD/RW.
> > It might still be freeware. Check with him - see the other thread for his
> > address.
>
> > > But, now I am thinking about some sort of removable disk solution. An
> > > external SCSI enclosure that can hold at least 2 removal disks. Got
> > > any suggestions on that?
>
> > An outfit called Castlewood once had a circa. 2GB removable cartridge
> > hard disk ("orb drive"), but I believe they've gone belly up. Iomega may
> > have moved on past the Jaz drives and such. Dunno - haven't looked at
> > that for some time now.
>
> > > I figure removable disks are easier to recheck periodically since they
> > > should have a higher capacity than a DVD.
>
> > ...and should have a longer shelf life. That said, hot-swappable might
> > be a good substitute for removable.
>
> > That's your call, of course.
>
> > FWIW...
>
> > D.J.D.
>
> Thanks.
>
> I think people often screw up archive systems. There seem to be two
> basic requirements:
>
> 1. Data in at least two locations for disaster recovery.
>
> 2. The ability to periodically reconfirm that the data is sound. And
> you don't want this reconfirmation to be labor intensive.
>
> Yet the knee-jerk reaction is that you should put the data on
> "permanent" media and store it away somewhere. Often, such solutions
> are less effective than just storing it on disks and making regular
> tape backups stored offsite. In other words, the non-archive is
> better than the archive at meeting the requirements of an archive.
>
> That's the impression I get from analyzing our past archival systems,
> looking at how the "unarchived" data is managed now, and looking at
> the consequences of using DVDs for archiving.

Well, I proposed to my management that we simply institute a periodic
(monthly) tape backup of the archive. Turns out the archive was always
on hard disk as well as on the defunct optical media. They accepted
that idea. No need for a DVD or removable disk.

The assumption is that the act of backing up the disk confirms that the
disk is good.

Any comments to improve this plan? We only have a dozen gigs or so to
worry about.

------------------------------

Date: Thu, 04 Sep 2008 09:19:07 +0200
From: Johnny Billquist
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

Hi, John. Finally someone more who knows how a PDP-11 works. Wonderful. :-)

John Santos wrote:
> 64 bytes is awfully fine granularity, especially when you only
> have 8 grains. I don't know how other O/S's managed it, but
> RSTS/E used the high APRs to map run-time systems and the low
> APRs to map user programs and data, expanding upward on request
> (but no higher than the base of the RTS.) It mapped (and
> managed) memory in 1KW (2048 byte) chunks, and didn't allow
> programs to have holes in their memory space (except between
> low-mem and the RTS.) On I&D machines, I think the high APRs,
> where the RTS lives, was mapped to the same physical addresses,
> thus effectively disabling I&D separation, but low memory could
> be mapped to different physical memory. The user could *not*
> ask to be mapped to specific physical addresses; the O/S decided
> where to put things. (On RSX, privileged tasks could ask to be
> mapped at specified addresses, thus allowing memory sharing and
> user-mode access to the I/O page, but the task had to be installed
> to do this. Normal non-privileged processes couldn't do this.)

Just to expand shortly on RSX here.
In RSX, a non-privileged task can also request mapping changes. There is
nothing magical or privileged about it. Also, RSX does allow you to have
holes in the memory, and manages memory down to the 64 byte granularity.

However, neither unprivileged, nor privileged tasks can ask for mappings
to arbitrary addresses. You can only ask for mapping changes into memory
regions which you have attached to. A memory region also has an owner
and a protection mask, meaning that all tasks might not be allowed to
attach to it. But once attached, you can map in anywhere in your address
space, and to anywhere within that region.

A region might typically be a shared library, or a data common, but it
can also be another task, or the I/O page, or something else.

Regions can be created by the INSTALL command (which is typical if you
want a shared library, for instance) or a region can be created on the
fly by a task through a system call.

(I suspect that this might not be totally different from how it works in
VMS.)

Johnny

--
Johnny Billquist                  || "I'm on a bus
                                  ||  on a psychedelic trip
email: bqt@softjar.se             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol

------------------------------

Date: Thu, 04 Sep 2008 09:21:57 +0200
From: Johnny Billquist
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

Roger Ivie wrote:
> On 2008-09-03, Johnny Billquist wrote:
>> or that parallel interface I never can remember the name of (DR780?).
>
> DR780, indeed. Fun device. It looked things up in the page tables, so
> you could give it user-space addresses. I thought there were manuals
> over at bitsavers, but I'm sure not finding them. There was also a VAXBI
> equivalent called the DRB32, but I never dealt with that one.
>
> In my case, we had some custom hardware run by a PDP-11/23 hanging off the
> end of a DR-780.
> I did some user-level programming of the DR-780 for
> diagnostic purposes and the embedded code on the 11/23; the final
> customer did the operational software for the DR-780. I liked the
> interface so much that I patterned a later VAXBI device after it; in
> that case, it was a Z-80 looking things up in the VAX page table.
>
> I have seen the odd reference every now and then to a DR70, a PDP-11/70
> equivalent to the DR-780, but I never encountered one of those.

Where would you have installed that??? There are no slots in the CPU box
for anything else/more. All you have is the Unibus.
The RH70 controllers have dedicated slots, and there are four of those.
I could imagine that you might be able to graft something into one of
those slots, but they'd have to behave like a RH70 in that case (from
the electrical point of view).

Johnny

--
Johnny Billquist                  || "I'm on a bus
                                  ||  on a psychedelic trip
email: bqt@softjar.se             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol

------------------------------

Date: 4 Sep 2008 08:53:03 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

In article , Johnny Billquist writes:
>
> Implemented in RAM? How do you mean that? Are you saying that they were at some
> fixed address in physical address space?
>
> I just checked the VAX-7000 machines, which have the NVAX+ CPU, and SBR, SLR,
> P0BR, P0LR, P1BR and P1LR are all still internal registers accessed by the
> MTPR/MFPR instructions. (Sitting with the KA7AA CPU Technical Manual in front of
> me.)

OK, the P0 and P1 related registers may not be ones that moved. The
TOY clock register certainly did.

------------------------------

Date: 4 Sep 2008 08:53:45 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

In article , Johnny Billquist writes:
>
> Is there no one else but me who actually reads the manuals?
> Are all people here
> just sitting around and guessing???

I just read the manual.

------------------------------

Date: 4 Sep 2008 08:58:34 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

In article , Johnny Billquist writes:
>
> On the NVAX+, there is no S0 and S1 space. There is only system space, which is
> laid out by SBR and SLR. And so, that table can grow to twice the size of old...
> Presto, 2 Gig of system space, for a total of 4 Gig of addressable space. Except
> for the very last page... Sorry about that. :-(

I know it's been more than 24 hours since I read the manuals, but I
think the I/O space after S0 space is 512MB, not a page. (Why it's
half a GB I don't know, other than it probably makes arranging the
base addresses of lots of I/O bus adapters easier.)

So you get 4GB of addressable space, 3 1/2 of which can map to RAM,
and 4GB of RAM.

And my first 11/780 only had 1MB (that was the minimum for VMS 1.5
or 1.6 or whatever we had).

------------------------------

Date: 4 Sep 2008 09:09:18 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

In article , John Santos writes:
>
> Anyway, the bottom line is (with a reasonable operating system
> that didn't do pathological things to the APRs) PDP-11's had
> true, if tiny and coarsely-segmented, virtual memory.

OK, I'll buy that you've seen something on an -11 that I haven't.
But with the APRs being privileged registers I assume that the
overlay supervisor had to be supported by kernel mode services.
And I always wondered if that was attack-able.

Going from disk resident overlays on an 11/34 to memory resident
overlays on an 11/44 was such a pleasure. But I was glad some other
fellow had to work out the overlay to begin with.

VAX/VMS spoiled me.
Even when we ran out of 18 bit memory on my
PDP-10, the models I had implemented extended memory and all we had
to do was recompile /extended (or some such FORTRAN-20 qualifier).

------------------------------

Date: 4 Sep 2008 09:18:47 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

In article , Roger Ivie writes:
>
> DR780, indeed. Fun device. It looked things up in the page tables, so
> you could give it user-space addresses. I thought there were manuals
> over at bitsavers, but I'm sure not finding them. There was also a VAXBI
> equivalent called the DRB32, but I never dealt with that one.

We had array processors from APS hung off of DR780. So I learned
about DR780 and was impressed that it could handle a potentially
infinite I/O chain. Reminded me very much of the I/O channels IBM
used on its mainframes, in terms of features and capacity.

But I'm glad DEC didn't try to hang all the serial lines off it.
Those IBM terminal 3270 interfaces are big, expensive, and can't
handle byte interrupt concepts needed for a decent text editor.

------------------------------

Date: 4 Sep 2008 09:22:06 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

In article , Johnny Billquist writes:
> Where would you have installed that??? There are no slots in the CPU box for
> anything else/more. All you have is the Unibus.
> The RH70 controllers have dedicated slots, and there are four of those. I could
> imagine that you might be able to graft something into one of those slots, but
> they'd have to behave like a RH70 in that case (from the electrical point of view).

You could expand the SBI and CPU cabinet. We had 11/780 with DR780,
three UNIBUSes, and three or four MASSBUSes. But then we had other
11/780 with two or more UNIBUSes and eight MASSBUSes, which wasn't
supported but did work.
Including the UNIBUS expansion chassis cabinets, the things were about
sixteen feet long.

------------------------------

Date: Thu, 04 Sep 2008 16:24:54 GMT
From: Roger Ivie
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

On 2008-09-04, Johnny Billquist wrote:
> Roger Ivie wrote:
>> I have seen the odd reference every now and then to a DR70, a PDP-11/70
>> equivalent to the DR-780, but I never encountered one of those.
>
> Where would you have installed that???

No idea. Like I said, I never ran into one. And I only saw a couple of
references (possibly as few as one; it was a *really* long time ago) to
it in really obscure manuals; I don't recall which.

--
roger ivie
rivie@ridgenet.net

------------------------------

Date: 4 Sep 2008 17:24:22 GMT
From: billg999@cs.uofs.edu (Bill Gunshannon)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <6iaju6Fpl207U1@mid.individual.net>

In article ,
	koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
> In article , Roger Ivie writes:
>>
>> DR780, indeed. Fun device. It looked things up in the page tables, so
>> you could give it user-space addresses. I thought there were manuals
>> over at bitsavers, but I'm sure not finding them. There was also a VAXBI
>> equivalent called the DRB32, but I never dealt with that one.
>
> We had array processors from APS hung off of DR780.

I watched one of those, brand new, still fastened to the pallet, get
thrown in a dumpster. Sure wish I could have got my hands on it. I'm
sure I could have found a way to hook it up to one of my PDP-11's or
even a VAX. :-)

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999@cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |  #include

------------------------------

Date: Thu, 04 Sep 2008 09:20:30 -0700
From: Marty Kuhrt
Subject: HP TestDrive systems to be shutdown
Message-ID:

When logging into the TestDrive cluster the other day to do the IA64
portion of cURL, I ran across the following message. Since the exact
same message is on a publicly available HP page,
http://www.testdrive.hp.com/ , I'm assuming it is OK for public
consumption.

######## TESTDRIVE SHUTDOWN NOTICE ########

This note is intended to inform you about changes to the free
developer access program called TestDrive. TestDrive has been
providing valuable support to partners across the globe for
more than 10 years. As with most products or services, there
comes a time when an offering must end to make way for new
developments. Effective September 30, 2008 HP will be shutting
down the TestDrive program.

The main reason for the closure of TestDrive is to focus more
on programs such as HP's Partner Virtualization Program (PVP)
which offers a more flexible and robust service than TestDrive
and we expect that you will be pleased with the support and
features available through this program. One of the benefits of
this new program is the ability for secure and privileged access
to your own dedicated virtual systems.

HP PVP is one of many technical benefits and services available
to HP's Developer & Solution Partner Program (DSPP) company
members. HP PVP has Integrity virtual servers running HP-UX,
Linux (Red Hat), and Windows. SuSE Linux will be added in
August and OpenVMS will be available the first half of 2009.
Both Windows and Linux (Red Hat and SuSE) are currently offered
on ProLiant virtual servers. HP PVP provides the latest and
greatest state of the art HP BladeSystems technology (BL870c
Integrity, BL460c quad core Xeon) as hosts for your dedicated
virtual machines.
http://www.hp.com/go/pvp

For more information on how to join HP's DSPP program to continue
to have access to HP system resources, visit the following link.

http://www/hp.com/go/dspp

Join the HP DSPP program today and give HP PVP a TestDrive!

The following is the shutdown plan for TestDrive

- Any user that is registered for an OpenVMS account in TestDrive
  at the end of September may keep their account and access to the
  OpenVMS cluster in TestDrive until we can add OpenVMS as an
  option in HP PVP.
- There will be no plans for HP9000 server (PA-Risc) availability
  following TestDrive shutdown since HP9000 servers are not
  supported by HP Integrity VM.
- TestDrive will shutdown on September 30, 2008. Access to system
  resources will be limited to the OpenVMS cluster as well as
  through HP PVP via the DSPP partner portal.

We hope you will look to the HP PVP program to support your needs
for access to HP resources. We have many new features planned
over the next year and we look forward continuing to support your
testing and development needs.

######## END TESTDRIVE SHUTDOWN NOTICE #######

So do you think this means that there will be an HP blessed VM (or PVP
in their parlance)? Could I run OpenVMS in a VM on my dual quad core
Xeon Mac? That would be neat.

------------------------------

Date: Thu, 4 Sep 2008 10:11:25 -0700 (PDT)
From: Rich Jordan
Subject: Re: HP TestDrive systems to be shutdown
Message-ID: <330fd1e0-2414-4987-9602-d345f3d37f6a@n33g2000pri.googlegroups.com>

On Sep 4, 11:20 am, Marty Kuhrt wrote:
> When logging into the TestDrive cluster the other day to do the IA64
> portion of cURL, I ran across the following message. Since the exact
> same message is on a publicly available HP page,
> http://www.testdrive.hp.com/, I'm assuming it is OK for public consumption.
>
> ######## TESTDRIVE SHUTDOWN NOTICE ########
>
> This note is intended to inform you about changes to the free
> developer access program called TestDrive.
> TestDrive has been
> providing valuable support to partners across the globe for
> more than 10 years. As with most products or services, there
> comes a time when an offering must end to make way for new
> developments. Effective September 30, 2008 HP will be shutting
> down the TestDrive program.
>
> The main reason for the closure of TestDrive is to focus more
> on programs such as HP's Partner Virtualization Program (PVP)
> which offers a more flexible and robust service than TestDrive
> and we expect that you will be pleased with the support and
> features available through this program. One of the benefits of
> this new program is the ability for secure and privileged access
> to your own dedicated virtual systems.
>
> HP PVP is one of many technical benefits and services available
> to HP's Developer & Solution Partner Program (DSPP) company
> members. HP PVP has Integrity virtual servers running HP-UX,
> Linux (Red Hat), and Windows. SuSE Linux will be added in
> August and OpenVMS will be available the first half of 2009.
> Both Windows and Linux (Red Hat and SuSE) are currently offered
> on ProLiant virtual servers. HP PVP provides the latest and
> greatest state of the art HP BladeSystems technology (BL870c
> Integrity, BL460c quad core Xeon) as hosts for your dedicated
> virtual machines.
>
> http://www.hp.com/go/pvp
>
> For more information on how to join HP's DSPP program to continue
> to have access to HP system resources, visit the following link.
>
> http://www/hp.com/go/dspp
>
> Join the HP DSPP program today and give HP PVP a TestDrive!
>
> The following is the shutdown plan for TestDrive
>
> - Any user that is registered for an OpenVMS account in TestDrive
>   at the end of September may keep their account and access to the
>   OpenVMS cluster in TestDrive until we can add OpenVMS as an
>   option in HP PVP.
> - There will be no plans for HP9000 server (PA-Risc) availability
>   following TestDrive shutdown since HP9000 servers are not
>   supported by HP Integrity VM.
> - TestDrive will shutdown on September 30, 2008. Access to system
>   resources will be limited to the OpenVMS cluster as well as
>   through HP PVP via the DSPP partner portal.
>
> We hope you will look to the HP PVP program to support your needs
> for access to HP resources. We have many new features planned
> over the next year and we look forward continuing to support your
> testing and development needs.
>
> ######## END TESTDRIVE SHUTDOWN NOTICE #######
>
> So do you think this means that there will be an HP blessed VM (or PVP
> in their parlance)? Could I run OpenVMS in a VM on my dual quad core
> Xeon Mac? That would be neat.

Well at least they are maintaining VMS access for the interim. First
glance looked like there would just be a window of non-availability.

We don't use the test drive systems; got our own boxes for the most
part, and so far have not needed a 'spare' or 'test' itanium.

------------------------------

Date: 4 Sep 2008 14:37:05 GMT
From: billg999@cs.uofs.edu (Bill Gunshannon)
Subject: Re: Loose Cannon-dian
Message-ID: <6iaa4hFp5tmdU1@mid.individual.net>

In article ,
	John Santos writes:
> Bill Gunshannon wrote:
>> In article <48be1d20$0$9641$c3e8da3@news.astraweb.com>,
>> 	JF Mezei writes:
>>
>>>bugs@signedness.org wrote:
>>>
>>>
>>>>trouble of finding all the relevant dates, I estimate that HP had a
>>>>patch linked around 6 weeks before it was even clear to the majority
>>>>of comp.os.vms that it was a real issue and exploitable.
>>>
>>>You need to wonder why HP would have sat on that patch so long without
>>>telling you the problem was fixed and without releasing the patch. Is it
>>>really a coincidence that it was released very shortly after people on
>>>C.O.V.
>>>were given proper details to understand *and reproduce* this
>>>serious vulnerability ?
>>>
>>>I'd be willing to bet there was nobody from the VMS group at the DEFCON
>>>conference. So the fact that you published a vulnerability there would
>>>not have made a difference.
>>>
>>>
>>>The VMS community knows very well that the "newer" software like the
>>>TCPIP stack or anything ported from Unix is riddled with bugs and buffer
>>>overflow risks because it is not really "native" VMS software. The
>>>POP/IMAP and XDM servers do not honour VMS intrusion detection for
>>>instance. That is a serious security weakness since it allows
>>>brute-force attacks that do not generate alarms. And this has been
>>>present for years.
>>
>>
>> Oh, cut the crap. It isn't Unix's fault that there are bugs in VMS.
>> One of the reported exploits is in SMG which is pure VMS. Not only
>> that, it was written in Bliss, not C. No language or OS is immune
>> to bad programming.
>
> Since this was exactly the point JF made in the next paragraph, in what
> way was it crap? Did you respond without reading the entire post? Or
> do you just like crowing about it?

I wasn't responding to the next paragraph but to the comment above that.
Like is done here frequently, he once again referred to "anything ported
from Unix" and described it as "riddled with bugs and buffer overflow
risks because it is not really 'native' VMS software". I was merely
pointing out that SMG, while not "ported from Unix" and "really 'native'
VMS software" was found to have "bugs and buffer overflow risks".

>
>
>>
>>
>>>Your vulnerability surprised many because it affected software that
>>>dates back to the glory days of VMS when software quality and security
>>>was job #1 at Digital and Digital really prided itself on having
>>>experienced coders that wouldn't make such mistakes (especially since
>>>most system services provide buffer limits to prevent buffer overflows).
>>
>>
>> Or maybe it just destroyed that myth, too.
>> Programmers are programmers.
>> Some are good and some are bad and any idea that DEC never hired a bad
>> programmer is just plain ludicrous. The fact that these bugs remained
>> (apparently) undetected just further proves how long ago VMS became
>> insignificant in the IT world and thus never saw the scrutiny other
>> systems saw.
>>
>
> It's not a myth. It's checks and balances. DEC never just trusted that
> they would hire good programmers and then everything would work. There
> were code reviews, walk-throughs, programming standards (including
> relatively safe languages and safe programming techniques such as string
> descriptors as opposed to null-terminated strings), regression testing,
> field testing, and many eyes. The system isn't (or wasn't) perfect; this
> is proof. But it's still dozens or hundreds of times better than the
> typical Unix method, and thousands of times better than M$.

That remains to be seen. Because they have never been reported or tracked
by any outside source (look at the reluctance to report any of these recent
discoveries to CERT) there really is no way of knowing how many problems
of the same type as found in Unix have been quietly fixed and rolled into
the next upgrade rather than making them public and sending out very visible
patches. The apparent age of some of these recent vulnerabilities belies
the idea that DEC's "checks and balances" and "code reviews, walk-throughs,
programming standards" were any better than anyone else's. VMS just has a
much lower visibility profile. And, as for "safe languages", someone has
already stated that the offending SMG code is Bliss. Or was that a mistake?
Surely it wasn't C all those years ago on the VAX?

>
> If you really think there are just as many undiscovered exploits in VMS
> as there are in Unix, then you must think there is no value at all to
> any of these things. Sheesh!

I think no one outside of DEC/Compaq/HP has any idea how many exploits
equivalent to those found in Unix have or still exist in VMS. It's a
matter of visibility and not code quality. Every little bug in Unix
(most of which are in external programs rather than Unix itself) gets
reported publicly and usually loudly. Even these recent ones have seen
no mention outside of a very small group of VMS users. I am going to
give our VMS System Manager a call in just a couple of minutes. What
do you think the odds are that he is aware of any of these? Or the
existence of a MUP to fix them? I know he doesn't read c.o.v!! I'll
let you know.

>
>
>>
>>>And since the "legacy" portions of VMS such as SMG haven't been actively
>>>developed/improved in over a decade, so we would have still expected
>>>this software to date back to the days of the high quality standards.
>>
>>
>> And yet, there they are. Bugs, just like in everything else. Go figure!
>>
>
> Innumeracy.

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999@cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |  #include

------------------------------

Date: Thu, 4 Sep 2008 09:47:40 -0700 (PDT)
From: DaveG
Subject: Re: Loose Cannon-dian
Message-ID: <3fb2f945-2d70-48d5-b527-aff6497d99d3@a3g2000prm.googlegroups.com>

On Sep 4, 9:37 am, billg...@cs.uofs.edu (Bill Gunshannon) wrote:
> In article ,
>         John Santos writes:
>
> > Bill Gunshannon wrote:
> >> In article <48be1d20$0$9641$c3e8...@news.astraweb.com>,
> >>        JF Mezei writes:
>
> >>>b...@signedness.org wrote:
>
> >>>>trouble of finding all the relevant dates, I estimate that HP had a
> >>>>patch linked around 6 weeks before it was even clear to the majority
> >>>>of comp.os.vms that it was a real issue and exploitable.
>
> >>>You need to wonder why HP would have sat on that patch so long without
> >>>telling you the problem was fixed and without releasing the patch. Is it
> >>>really a coincidence that it was released very shortly after people on
> >>>C.O.V. were given proper details to understand *and reproduce* this
> >>>serious vulnerability ?
>
> >>>I'd be willing to bet there was nobody from the VMS group at the DEFCON
> >>>conference. So the fact that you published a vulnerability there would
> >>>not have made a difference.
>
> >>>The VMS community knows very well that the "newer" software like the
> >>>TCPIP stack or anything ported from Unix is riddled with bugs and buffer
> >>>overflow risks because it is not really "native" VMS software. The
> >>>POP/IMAP and XDM servers do not honour VMS intrusion detection for
> >>>instance. That is a serious security weakness since it allows
> >>>brute-force attacks that do not generate alarms. And this has been
> >>>present for years.
>
> >> Oh, cut the crap. It isn't Unix's fault that there are bugs in VMS.
> >> One of the reported exploits is in SMG which is pure VMS. Not only
> >> that, it was written in Bliss, not C. No language or OS is immune
> >> to bad programming.
>
> > Since this was exactly the point JF made in the next paragraph, in what
> > way was it crap? Did you respond without reading the entire post? Or
> > do you just like crowing about it?
>
> I wasn't responding to the next paragraph but to the comment above that.
> Like is done here frequently, he once again referred to "anything ported
> from Unix" and described it as "riddled with bugs and buffer overflow
> risks because it is not really 'native' VMS software". I was merely
> pointing out that SMG, while not "ported from Unix" and "really 'native'
> VMS software" was found to have "bugs and buffer overflow risks".
>
> >>>Your vulnerability surprised many because it affected software that
> >>>dates back to the glory days of VMS when software quality and security
> >>>was job #1 at Digital and Digital really prided itself on having
> >>>experienced coders that wouldn't make such mistakes (especially since
> >>>most system services provide buffer limits to prevent buffer overflows).
>
> >> Or maybe it just destroyed that myth, too. Programmers are programmers.
> >> Some are good and some are bad and any idea that DEC never hired a bad
> >> programmer is just plain ludicrous. The fact that these bugs remained
> >> (apparently) undetected just further proves how long ago VMS became
> >> insignificant in the IT world and thus never saw the scrutiny other
> >> systems saw.
>
> > It's not a myth. It's checks and balances. DEC never just trusted that
> > they would hire good programmers and then everything would work. There
> > were code reviews, walk-throughs, programming standards (including
> > relatively safe languages and safe programming techniques such as string
> > descriptors as opposed to null-terminated strings), regression testing,
> > field testing, and many eyes. The system isn't (or wasn't) perfect; this
> > is proof. But it's still dozens or hundreds of times better than the
> > typical Unix method, and thousands of times better than M$.
>
> That remains to be seen. Because they have never been reported or tracked
> by any outside source (look at the reluctance to report any of these recent
> discoveries to CERT) there really is no way of knowing how many problems
> of the same type as found in Unix have been quietly fixed and rolled into
> the next upgrade rather than making them public and sending out very visible
> patches.
> The apparent age of some of these recent vulnerabilities belies
> the idea that DEC's "checks and balances" and "code reviews, walk-throughs,
> programming standards" were any better than anyone else's. VMS just has a
> much lower visibility profile. And, as for "safe languages", someone
> has already stated that the offending SMG code is Bliss. Or was that a
> mistake? Surely it wasn't C all those years ago on the VAX?
>
> > If you really think there are just as many undiscovered exploits in VMS
> > as there are in Unix, then you must think there is no value at all to
> > any of these things. Sheesh!
>
> I think no one outside of DEC/Compaq/HP has any idea how many exploits
> equivalent to those found in Unix have or still exist in VMS. It's a
> matter of visibility and not code quality. Every little bug in Unix
> (most of which are in external programs rather than Unix itself) gets
> reported publicly and usually loudly. Even these recent ones have seen
> no mention outside of a very small group of VMS users. I am going to
> give our VMS System Manager a call in just a couple of minutes. What do
> you think the odds are that he is aware of any of these? Or the existence
> of a MUP to fix them? I know he doesn't read c.o.v!! I'll let you know.
>
> >>>And since the "legacy" portions of VMS such as SMG haven't been actively
> >>>developed/improved in over a decade, so we would have still expected
> >>>this software to date back to the days of the high quality standards.
>
> >> And yet, there they are. Bugs, just like in everything else. Go figure!
>
> > Innumeracy.
>
> bill
>
> --
> Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
> billg...@cs.scranton.edu |  and a sheep voting on what's for dinner.
> University of Scranton   |
> Scranton, Pennsylvania   |         #include

We (or at least I) would be interested to know what you learn from
your VMS System Manager. And if most would see a >600 note thread,
complete with the usual detours, they would IMO most likely move on to
smaller and better things.

------------------------------

Date: 4 Sep 2008 17:55:17 GMT
From: billg999@cs.uofs.edu (Bill Gunshannon)
Subject: Re: Loose Cannon-dian
Message-ID: <6ialo4Fpnrc8U1@mid.individual.net>

In article <3fb2f945-2d70-48d5-b527-aff6497d99d3@a3g2000prm.googlegroups.com>,
        DaveG writes:
>
> We (or at least I) would be interested to know what you learn from
> your VMS System Manager. And if most would see a >600 note thread,
> complete with the usual detours, they would IMO most likely move on to
> smaller and better things.

OK, here goes. And, we had a chance to talk for a while so I got a lot
more skinny than just on the recent patches.

First, he was totally unaware of either the vulnerabilities or any recent
patches. And, yes, we are still under full support. So, I wonder how many
more sites are sitting out there vulnerable since the whole thing is
searchable on Google? More important, I guess, would be knowing what
percentage of systems are still vulnerable. But that would require knowing
not only the number of vulnerable machines but also the true value of the
VMS Constant. A totally unknown quantity.

As some here may (or may not) remember, we are a VMS/Oracle/Banner site.
I mentioned once before that I had heard from Banner that they were in
the process of moving to Windows. The good news is that plan is pretty
much dead. However, they are moving to Linux. My contact mentioned just
recently coming back from a Banner conference where they were all told
that Banner was migrating away from VMS. Numbers given were that a couple
of years ago Banner was nearly 90% VMS.
Now is about 20-30%. And expects in the next couple of years that will
drop to about 2%. Our people here, who have looked at Itanium and VMS
running on it have already made the decision that VMS goes with the last
Alpha and that goes when HP support stops. He said something about 2011
but maybe people here know more about when HP's drop-dead date for Alpha
Systems is.

So, it looks like VMS has lost not only the Academic world but also the
administrative side of the academic world. Someone mentioned the loss of
Cerner meaning a likely loss of the medical world. I have already
mentioned that, based on the comments from DISA, there are not likely to
be any new VMS IS's in government. Feel free to tell me how all of this
is somehow unimportant or totally irrelevant.

I wonder what the chances are that I can lay my hands on some of the
Alphas when this place moves to Linux (Yes, that was the direction he
said they were going. And for those who think that killing VMS was going
to make previous VMS users refuse to deal with HP in the future, they are
specifically going with HP because HP has excellent Linux support. "Much
better than RedHat". His words, not mine.

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999@cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include

------------------------------

Date: Thu, 4 Sep 2008 07:11:12 -0700 (PDT)
From: DaveG
Subject: Re: Note to Island Computers customers
Message-ID:

On Sep 3, 8:32 pm, David J Dachtera wrote:
> David wrote:
>
> > THANKS FOR THE CORRECTION
> > I had to look that up afterwards
>
> How solid is the cell phone service?
>
> D.J.D.

From what I've read, and not from personal experience, cell service is
one of the first casualties during a big storm. Amateur radio groups
help out as best they can. Often better than other agencies.
ARES (amateur radio emergency services) is one and RACES (radio amateur
civil emergency service) is another.

------------------------------

Date: Thu, 04 Sep 2008 04:38:05 -0400
From: JF Mezei
Subject: OT: Carly speeks at convetion
Message-ID: <48bf9ea0$0$9647$c3e8da3@news.astraweb.com>

La Carly may have lost the VP job to a younger female, but she still got
to speak at the religious extremist convention.

Her speech is at:

http://portal.gopconvention2008.com/speech/details.aspx?id=47

Perhaps she'll get the job of Post-Mistress to the General ?

I wonder if she may get back at her former employer by getting the
government to stop buying from HP.

BTW, I wonder if Carly's not so great reputation in computer
newsgroups/forums would have impacted her non-selection as VP.

------------------------------

Date: Thu, 04 Sep 2008 11:18:37 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: OT: Carly speeks at convetion
Message-ID: <00A7F1E6.E986D3D5@SendSpamHere.ORG>

In article <48bf9ea0$0$9647$c3e8da3@news.astraweb.com>, JF Mezei writes:
>La Carly may have lost the VP job to a younger female, but she still got
>to speak at the religious extremist convention.

The religious extremists held a convention? My B.A.C.K. neo-socialist
step-father didn't go.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

... pejorative statements of opinion are entitled to constitutional protection
no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
of usenet _must_ include its contents in its entirety including this copyright
notice, disclaimer and quotations.

------------------------------

Date: Thu, 4 Sep 2008 07:02:19 -0700 (PDT)
From: DaveG
Subject: Re: OT: Carly speeks at convetion
Message-ID:

On Sep 4, 3:38 am, JF Mezei wrote:
> La Carly may have lost the VP job to a younger female, but she still got
> to speak at the religious extremist convention.
>
> Her speech is at:
>
> http://portal.gopconvention2008.com/speech/details.aspx?id=47
>
> Perhaps she'll get the job of Post-Mistress to the General ?
>
> I wonder if she may get back at her former employer by getting the
> government to stop buying from HP.
>
> BTW, I wonder if Carly's not so great reputation in computer
> newsgroups/forums would have impacted her non-selection as VP.

I doubt very much that newsgroup chatter was a factor. Not having a
crystal ball, I will speculate that **if** Sarah and her running mate
get crowned in November, Carly may be in for a cabinet position. Time
will tell. It always does.

------------------------------

Date: Thu, 04 Sep 2008 09:32:29 -0700
From: David Mathog
Subject: Re: OT: Carly speeks at convetion
Message-ID:

JF Mezei wrote:
> La Carly may have lost the VP job to a younger female, but she still got
> to speak at the religious extremist convention.

You mean the "American White People's Party"? My kids and I watched the
Palin speech and played "count the minority members" during the crowd
shots. Final score, 3 Blacks, 1 probable Hispanic, and an unverified
sighting by one kid of a single Asian. We looked for, and did not see
Condie or Alan Keyes. We did see Ann Curry, but didn't count her as half
an Asian, since she was there reporting and not as a party member.

Conspiracy theory: Karl Rove personally supervised the application of
the superglue which held together the hands of Bristol Palin and her
boyfriend. Never have I seen a couple hold hands for so long, yet sit
or stand so far apart.

Regards,

David Mathog

------------------------------

Date: Thu, 4 Sep 2008 09:52:18 -0700 (PDT)
From: DaveG
Subject: Re: OT: Carly speeks at convetion
Message-ID:

On Sep 4, 11:32 am, David Mathog wrote:
> JF Mezei wrote:
> > La Carly may have lost the VP job to a younger female, but she still got
> > to speak at the religious extremist convention.
>
> You mean the "American White People's Party"?
> My kids and I watched the
> Palin speech and played "count the minority members" during the crowd
> shots. Final score, 3 Blacks, 1 probable Hispanic, and an unverified
> sighting by one kid of a single Asian. We looked for, and did not see
> Condie or Alan Keyes. We did see Ann Curry, but didn't count her as half
> an Asian, since she was there reporting and not as a party member.
>
> Conspiracy theory: Karl Rove personally supervised the application of
> the superglue which held together the hands of Bristol Palin and her
> boyfriend. Never have I seen a couple hold hands for so long, yet sit
> or stand so far apart.
>
> Regards,
>
> David Mathog

Thanks for that summary David. Amazing isn't it. Straw hats and Johnny
Walker (white label?) for everyone!!

------------------------------

Date: 4 Sep 08 13:21:21 EDT
From: cook@wvnvms.wvnet.edu (George Cook)
Subject: Re: OT: Carly speeks at convetion
Message-ID:

In article , David Mathog writes:
> JF Mezei wrote:
>> La Carly may have lost the VP job to a younger female, but she still got
>> to speak at the religious extremist convention.
>
> You mean the "American White People's Party"? My kids and I watched the
> Palin speech and played "count the minority members" during the crowd
> shots. Final score, 3 Blacks, 1 probable Hispanic, and an unverified
> sighting by one kid of a single Asian. We looked for, and did not see
> Condie or Alan Keyes. We did see Ann Curry, but didn't count her as half
> an Asian, since she was there reporting and not as a party member.

It was too bad Michael Steele's (a Black) speech couldn't be fit into
prime time. I suspect whatever leftist media outlet you were watching
failed to even mention he spoke not long before Rudi.

FWIW, I checked MSNBC (aka the far left network) right after Palin's
speech. Cris (a shiver down my leg) Matthews looked absolutely shell
shocked and was somewhat incoherent.

George Cook

------------------------------

Date: Thu, 04 Sep 2008 11:13:47 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: OT: Flying with Diabetes (was RE: SMGRTL patch available on ITRC ftp site)
Message-ID: <00A7F1E6.3C91623E@SendSpamHere.ORG>

In article , "Peter Weaver" writes:
>> > Lucky you. You can fly even though you can't see. After spending what
>> > seemed like a small fortune, I was told that I would never be allowed to
>> > fly on my own, let alone possess a pilot's license because of diabetes.
>> > It was fun while it lasted.
>>
>> Not necessarily the case. I know two pilots with diabetes that
>> actively fly (certified, not experimental or LSA). There's more
>> paperwork involved, but it can be done. You need to find the right
>> AME that has been through it already. AOPA is a great resource for
>> getting that stuff figured out as well.
>
>Way off-topic but...
>
>I'm in Canada so none of this applies to people outside Canada but...
>
>Two weeks ago I went for my aviation medical. I could still read the
>smallest print in the book and the eye chart test gave me 20/15-2 so things
>were looking good. But then the doctor said "What treatment are you on for
>your diabetes?" After he saw the look on my face he said "Oh, by the way,
>you have diabetes."
>
>He said that since diabetic people could pass out while flying and since
>Transport Canada does not like that happening he was going to hold my
>medical until I had more detailed blood work done. He also added that if I
>had a commercial license then it would be gone even without the detailed
>blood work but as a private pilot I may get to keep my license "After much
>letter writing."

The risk of "passing out" is from hypoglycemia (low blood sugar), not
from hyperglycemia (high blood sugar). The use of medication to treat
the hyperglycemia can often lead to hypoglycemia.

>Luckily the detailed blood work came back with the number just on the
>borderline.
>The doctor said that there was no risk of me passing out and
>gave me back the medical with the warning that there may still be questions
>from Transport Canada. The family doctor says that if I drop 10 kg then I
>should be fine.

Sounds like the Type II diabetes -- usually associated with obesity and
older aged persons. Losing a few lbs may stave off the inevitable but
once a diabetic always a diabetic.

The only way to PROPERLY test for hyperglycemia is a PROPERLY administered
glucose tolerance test. Fast for up to 12 hours, have a blood sugar drawn,
swallow a specific amount of a glucose solution and then have a blood sugar
drawn again in some length of time afterwards.

>I am very happy that I got to fly yesterday but one little test cost me my
>license for a week and could have taken it away completely.

Good luck. FWIW, if you should be prescribed medication, specifically,
oral meds (not the sulfonylureas), look into their history. Several of the
newer anti-diabetic oral agents have been reported to have problems which
may outweigh their benefits.

Maybe I'll move to Canada where I can get insulin without a prescription.
The powers that be here in the states require a prescription to obtain a
life saving medication. I went for over a week 2 months ago without my
insulin because the pharmacy hadn't received a prescription renewal for my
insulin and I was going away. I lived on water and tums for 8 days to keep
my blood sugar in check -- and NO BEER too. In the people's republic of
New Jermany, drug addicts can get syringes free from the state but I, as a
diabetic, need a prescription to obtain them. Maybe I should take up
methamphetamine. :D

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

... pejorative statements of opinion are entitled to constitutional protection
no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

Copr. 2008 Brian Schenkenberger.
Publication of _this_ usenet article outside
of usenet _must_ include its contents in its entirety including this copyright
notice, disclaimer and quotations.

------------------------------

Date: Thu, 04 Sep 2008 09:04:56 -0400
From: "Richard B. Gilbert"
Subject: Re: OT: Flying with Diabetes (was RE: SMGRTL patch available on ITRC ftp site) f
Message-ID: <2Jydndxz-Ij6QSLVnZ2dnUVZ_sWdnZ2d@comcast.com>

Peter Weaver wrote:
>>> Lucky you. You can fly even though you can't see. After spending what
>>> seemed like a small fortune, I was told that I would never be allowed to
>>> fly on my own, let alone possess a pilot's license because of diabetes.
>>> It was fun while it lasted.
>> Not necessarily the case. I know two pilots with diabetes that
>> actively fly (certified, not experimental or LSA). There's more
>> paperwork involved, but it can be done. You need to find the right
>> AME that has been through it already. AOPA is a great resource for
>> getting that stuff figured out as well.
>
> Way off-topic but...
>
> I'm in Canada so none of this applies to people outside Canada but...
>
> Two weeks ago I went for my aviation medical. I could still read the
> smallest print in the book and the eye chart test gave me 20/15-2 so things
> were looking good. But then the doctor said "What treatment are you on for
> your diabetes?" After he saw the look on my face he said "Oh, by the way,
> you have diabetes."
>
> He said that since diabetic people could pass out while flying and since
> Transport Canada does not like that happening he was going to hold my
> medical until I had more detailed blood work done. He also added that if I
> had a commercial license then it would be gone even without the detailed
> blood work but as a private pilot I may get to keep my license "After much
> letter writing."
>
> Luckily the detailed blood work came back with the number just on the
> borderline.
> The doctor said that there was no risk of me passing out and
> gave me back the medical with the warning that there may still be questions
> from Transport Canada. The family doctor says that if I drop 10 kg then I
> should be fine.
>
> I am very happy that I got to fly yesterday but one little test cost me my
> license for a week and could have taken it away completely.
>

This sounds like "Type 2" diabetes for which you can take medication
other than insulin. The available medications fall into two classes.
The first stimulates insulin production. This can give you hypoglycemia
with a vengeance! The second type increases your sensitivity to what
insulin you can produce; hypoglycemia is still possible but the risk is
MUCH lower.

When your blood glucose drops below sixty you are in trouble; the lower
your sugar goes below that, the deeper in trouble you are. It's called
hypoglycemic shock. It can cause you to lose consciousness or even die.
Even if you don't lose consciousness, you aren't functioning very well,
physically or mentally.

I've been there ONCE, three or four days after I was diagnosed. I had
been given a prescription for oral medication, took the stuff as
directed and found myself feeling shocky. I treated myself to a tall
glass of real (not diet) Coca-Cola and called my doctor. When I told
the receptionist why I was calling she got the doctor on line in about
thirty seconds. The doctor said "Don't take any more of that stuff!" He
asked for the phone number of my pharmacy and phoned in a new
prescription.

------------------------------

Date: 4 Sep 2008 12:40:15 GMT
From: billg999@cs.uofs.edu (Bill Gunshannon)
Subject: Re: OT: SYSMAN Equiv. on AIX?
Message-ID: <6ia39eFphkvoU1@mid.individual.net>

In article <48BF3BB1.82DA5897@spam.comcast.net>,
        David J Dachtera writes:
> Bill Gunshannon wrote:
>>
>> In article <48BDF6D4.42504333@spam.comcast.net>,
>>         David J Dachtera writes:
>> > sol gongola wrote:
>> >>
>> >> David J Dachtera wrote:
>> >> > "Steven M.
>> >> > Schweda" wrote:
>> >> >> From: David J Dachtera
>> >> >>
>> >> >>> Is anyone aware of a SYSMAN-like utility for AIX? I need to be able to
>> >> >>> execute the same command on multiple LPARs, HACMP not withstanding.
>> >> >> Don't know about the multiple hosts part, but SMIT was the handy tool
>> >> >> for system management when I was young. (Sure miss the SMIT dude
>> >> >> falling on his face when a command failed.)
>> >> >
>> >> > Well, SMIT(TY) is whole different critter from SYSMAN. SMIT(TY) is a
>> >> > screen-oriented interface to various system management task, but AFAIK
>> >> > does not provide for operations within a group of nodes or a cluster.
>> >> > SMITTY is the character-cell version. SMIT is the X version, but
>> >> > defaults to SMITTY if X is not setup in the process environment or
>> >> > otherwise not available.
>> >>
>> >> AIX has a slew of commands to performs the system functions that are
>> >> performed by sysman. If you know the commands man files are there
>> >> for you but difficult for the uninitiated. SMIT makes it easier.
>> >>
>> >> AIX System Management Interface Tool (SMIT) lets you build an activity
>> >> through its menu interface. Before issuing the execute you can use F6
>> >> to view the command to be executed, save it and use it elsewhere. You
>> >> can also look in the /smit.script file for a list of previously executed
>> >> commands to copy and use elsewhere.
>> >
>> > Acknowledged (again).
>> >
>> > The hard part - and the reason for the initial post - is to execute
>> > those commands on multiple LPARs so you only have one management point
>> > instead of 10, 100, 1000, ....
>>
>> Are you limited to only things that come with AIX? CFEngine might be
>> what you need but it is one of those dreaded OpenSource thingies. :-)
>
> If there is a binary available for WhineBloze, that would get me around
> issues of vendors not wanting anything "foreign" on the system, for FDA
> compliance or what-have-you.

Huh??
I thought you needed a solution for AIX. There is no similarity
between Windows and Unix so expecting a configuration management program
for Unix to support Windows as well is, well, kinda silly. So, are you
looking for AIX software or Windows software. Ne'r the twain shall
meet. :-)

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999@cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include

------------------------------

Date: Thu, 04 Sep 2008 08:39:39 +0200
From: joukj
Subject: Re: SSH and SFTP configuration
Message-ID: <48bf82ab$0$27201$ba620dc5@text.nova.planet.nl>

Skipper W. Morris wrote:
> Does anyone have experience getting Host Based Authentication working
> for SSH and SFTP.
>
> What I really want to do is use SFTP from a batch job. However SFTP is
> written to make it impossible. It bombs out if you try and include the
> password in a file anywhere.
>
> The supported alternative is Host Based Authentication. This is sorta
> like DECnet proxy access, but much more complicated to setup.
>
> I've copied keygen files to directories, edited shost.equiv files, and
> done just about everything except sacrifice a goats entrails on my
> keyboard. But I *still* have to enter a password by hand.
>
> Suggestions appreciated.
>
> /Skip

I only set it up with the VMS system as client and a linux system as
server. But basically I had to perform the same steps as described at
this page:

http://h71000.www7.hp.com/doc/83final/BA548_90007/ch03s07.html

So it should work for a recent version of HP-tcpip services. Are you
sure you did all of this and your version of the TCP/IP stack supports
the feature?
If yes and you are using the HP product, it should be reported to HP

Jouk

------------------------------

Date: Thu, 4 Sep 2008 03:50:58 -0700 (PDT)
From: Neil Rieck
Subject: Re: SSH and SFTP configuration
Message-ID: <2e9150c5-0a46-4d2e-be26-1d77f0088179@r35g2000prm.googlegroups.com>

On Sep 4, 12:45 am, mor...@osmium.mv.net (Skipper W. Morris) wrote:
> Does anyone have experience getting Host Based Authentication working
> for SSH and SFTP.
>
> What I really want to do is use SFTP from a batch job. However SFTP is
> written to make it impossible. It bombs out if you try and include the
> password in a file anywhere.
>
> The supported alternative is Host Based Authentication. This is sorta
> like DECnet proxy access, but much more complicated to setup.
>
> I've copied keygen files to directories, edited shost.equiv files, and
> done just about everything except sacrifice a goats entrails on my
> keyboard. But I *still* have to enter a password by hand.
>
> Suggestions appreciated.
>
> /Skip

I recently got this working with TCPware.

http://www3.sympatico.ca/n.rieck/docs/openvms_notes_ssh2.html

You should be able to easily adapt this information to SFTP on "TCPIP
for OpenVMS".

Like most security-based topics, setting up SFTP accounts to log in
without a password (this is a requirement when using SFTP from
non-interactive processes because the SFTP developers wanted to stop
people from putting passwords in scripts) seems to be deliberately
obscure.

p.s. At first you will find the "no password" idea kind of shocking.
But remember that SSH/SFTP security is set up by creating a key then
distributing the public half to someone on the other system. This
isn't too much different than a system manager on the remote system
emailing you a password.

Neil Rieck
Kitchener/Waterloo/Cambridge, Ontario, Canada.
http://www3.sympatico.ca/n.rieck/

------------------------------

Date: Thu, 4 Sep 2008 06:56:46 -0400
From: "Ken Robinson"
Subject: Re: SSH and SFTP configuration
Message-ID: <7dd80f60809040356q5003161ge29f9263e041e27d@mail.gmail.com>

On Thu, Sep 4, 2008 at 12:45 AM, Skipper W. Morris wrote:
> Does anyone have experience getting Host Based Authentication working
> for SSH and SFTP.
>
> What I really want to do is use SFTP from a batch job. However SFTP is
> written to make it impossible. It bombs out if you try and include the
> password in a file anywhere.

I've been using public key authorization. Once you get the hang of it,
it's quite easy. I've set up transfers between our VMS systems and
UNIX, Linux, AIX, VMS, and MVS.

Here are the steps I use:

1) Generate the keys for the username on VMS which is going to be used
in the transfer

$ ssh_keygen -t dsa

2) Make a note of the names of the keys generated. For this example I
will assume the above command created the files ID_DSA_2048_A. and
ID_DSA_2048_A.PUB

3) Edit the file [.ssh2]identification. (note: the extension is blank)
This is a sub directory of the username's home directory. Add the
following line:

IdKey id_dsa_2048_a

(here's where it gets a little tricky)

If you're sending a file to or receiving a file from another machine
and that machine is NOT running OpenVMS, find out what flavor of SSH is
being run. Most other machines I've encountered run OpenSSH and need a
different formatted key than VMS. If you have a Linux/Unix box
available you can use that to reformat the key. You can also install
cygwin on your PC and use it to convert the key.

If you're sending, you have to convert the public key you created. If
you're receiving, you have to convert the remote user's public key.
These conversions can also be done on the remote site, but, at least in
my case, I've found it easier to do the conversions myself.

To convert the VMS public key to one acceptable by most other servers
(OpenSSH format), transfer the key to the appropriate
Unix/Linux/cygwin machine and do:

$ ssh-keygen -i -f ID_DSA_2048_A.PUB > converted_dsa_key.pub

Then send the converted key to the remote machine. The system admins
of the remote machine should know what to do with it. (They should
append the key to the appropriate .ssh/authorized_keys file).

Once that is done, you should be able to enter the command:

$ sftp "-B" test_sftp.com remoteuser@remote.machine.name

where test_sftp.com contains

ls
exit

If all succeeds you should see a directory listing of the remote
machine. If you still have problems, do

$ sftp -v "-B" test_sftp.com remoteuser@remote.machine.name

and look at the produced debug output. It will usually tell you the
problem.

If you're receiving a file, ask for the remote machine's public key in
IETF SECSH format. If the remote sysadmins don't know what you're
talking about (high probability), just ask for the public key. Move
that key to your Unix/Linux/cygwin system and do

$ ssh-keygen -e -f remote-public-key.pub > converted_remote_public_key.pub

Move the converted public key to the [.ssh2] directory of the receiving
username and edit the file authorization. in that directory to add the
line

key converted_remote_public_key.pub

After that is done, the remote system should be able to connect to
yours using

$ sftp vmsusername@your.system.name

I hope this helps you...

Ken

------------------------------

Date: Thu, 4 Sep 2008 08:24:46 -0400
From: "Farrell, Michael"
Subject: RE: SSH and SFTP configuration
Message-ID: <8330CD39B64C934DBE63CB6D4CEE37D0996205@NJ103EX2.EAST.VIS.COM>

Ken,

I found this very interesting and helpful as we may have to be doing
that here soon.

But, what if you don't have access to a " Unix/Linux/cygwin system"?

Can you reformat the key on VMS?

TIA,

Mike Farrell
mfarrell@voltdelta.com

------------------------------

Date: Thu, 4 Sep 2008 09:09:27 -0400
From: "Ken Robinson"
Subject: Re: SSH and SFTP configuration
Message-ID: <7dd80f60809040609w19989140w81deaf2e57419cff@mail.gmail.com>

On Thu, Sep 4, 2008 at 8:24 AM, Farrell, Michael wrote:
> Ken,
>
> I found this very interesting and helpful as we may have to be doing
> that here soon.
>
> But, what if you don't have access to a " Unix/Linux/cygwin system"?
>
> Can you reformat the key on VMS?

I haven't found a way to do the conversion on VMS.

If the remote systems are running OpenSSH, the system admins should be able to do the conversions there. If you will be sending files to them, send them your public key and tell them they have to convert it to OpenSSH format from IETF SECSH format. If you will be receiving files, ask them to convert their public key to IETF SECSH format before sending it to you.

I've just finished a 3 week project getting many diverse FTP feeds (both incoming and outgoing) converted to SFTP. The first conversions were done by trial and error and a lot of frustration. Once I got the pattern down (and learned the correct words to say) the conversions went very smoothly.

BTW, if you're transferring one file at a time and don't want to create a temporary sftp batch file each time, you can use the scp (secure copy) command. Just remember that all the file paths need to be in the UNIX style. This also applies to the sftp batch file if it's not in the directory where the sftp is being run from.

Ken

------------------------------

Date: Thu, 4 Sep 2008 09:00:43 -0700 (PDT)
From: kiwi-red
Subject: Re: SSH and SFTP configuration
Message-ID: <3d6eec8a-395e-4cf7-99e9-92a6b3e9ee30@w24g2000prd.googlegroups.com>

Hi

can you ssh between machines that you want to sftp without a password?
If you can't then you haven't set up your ssh properly

Just finished doing it myself

did you remember the AUTHORIZATION. and IDENTIFICATION. files in [.ssh2] ?

kiwi

On Sep 4, 2:45 pm, mor...@osmium.mv.net (Skipper W. Morris) wrote:
> Does anyone have experience getting Host Based Authentication working
> for SSH and SFTP.
>
> What I really want to do is use SFTP from a batch job. However SFTP is
> written to make it impossible. It bombs out if you try and include the
> password in a file anywhere.
>
> The supported alternative is Host Based Authentication. This is sorta
> like DECnet proxy access, but much more complicated to setup.
>
> I've copied keygen files to directories, edited shost.equiv files, and
> done just about everything except sacrifice a goat's entrails on my
> keyboard. But I *still* have to enter a password by hand.
>
> Suggestions appreciated.
>
> /Skip

------------------------------

Date: Thu, 4 Sep 2008 01:36:46 -0700 (PDT)
From: urbancamo
Subject: Re: VAXstation 4000-90 and SCA disks
Message-ID:

In my discussions with other VS4000 owners I have never come across anyone who managed to get anything bigger than an 18GB drive to work, the most common 'large' drive size I've come across is 9GB. I am aware that this is an arbitrary size limit. Whether the more modern drives are not so rigorous in their narrow-scsi backwards compatibility or not, I don't know. Fujitsu drives appear to be a bit of a non-starter, I would suggest Seagate as your best bet or maybe IBM. I've only had success with 68 pin to 50 pin adapters - I've never got an 80 pin drive to work. The firmware of the VS4000 reports complete gibberish for the larger drives.

My Alpha 3000/600 is less fussy about drives - I am running Quantum Atlas drives in that via 68 to 50 pin adapters.

I've come to the conclusion that I could waste my life away buying drives. Why not get an external enclosure such as a BA353 or a wide variant and link it to the VAX with an 8 bit personality module (not that I've tried this but I believe it works)

Feel free to correct me.

Mark

------------------------------

Date: Thu, 4 Sep 2008 13:29:03 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: VAXstation 4000-90 and SCA disks
Message-ID:

In article , urbancamo writes:

> In my discussions with other VS4000 owners I have never come across
> anyone who managed to get anything bigger than an 18GB drive to work,
> the most common 'large' drive size I've come across is 9GB. I am aware
> that this is an arbitrary size limit. Whether the more modern drives
> are not so rigorous in their narrow-scsi backwards compatibility or
> not, I don't know.

I suspect the latter---it's probably not the size (as it is with the VAXstation-3100 1-GB limit for booting) but firmware issues.

> Fujitsu drives appear to be a bit of a non-starter,
> I would suggest Seagate as your best bet or maybe IBM. I've only had
> success with 68 pin to 50 pin adapters - I've never got an 80 pin
> drive to work. The firmware of the VS4000 reports complete gibberish
> for the larger drives.

At the console prompt, my VAXes report a bogus size for the 9-GB Seagate drives, but VMS reports the correct size. I suspect that the console firmware has some limit on the size of drives it can display and does some wrapping or truncation.

------------------------------

Date: Thu, 04 Sep 2008 07:14:55 -0700
From: "Tom Linden"
Subject: Re: VAXstation 4000-90 and SCA disks
Message-ID:

On Thu, 04 Sep 2008 06:29:03 -0700, Phillip Helbig---remove CLOTHES to reply wrote:

> At the console prompt, my VAXes report a bogus size for the 9-GB Seagate
> drives, but VMS reports the correct size. I suspect that the console
> firmware has some limit on the size of drives it can display and does
> some wrapping or truncation.

the 3100 did wrapping, don't know what the 4000 does.

--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: Thu, 4 Sep 2008 10:08:33 -0700 (PDT)
From: Rich Jordan
Subject: Re: VAXstation 4000-90 and SCA disks
Message-ID: <03c4f5ba-e87c-4b89-bb55-a96f2f128bc5@k36g2000pri.googlegroups.com>

On Sep 3, 6:38 pm, Antonio Carlini wrote:
> s...@antinode.info (Steven M. Schweda) wrote in news:08090315061960_20200E21
> @antinode.info:
>
> >    Start with a Seagate disk?
>
> I have what I have ... I'm not planning to go out and buy anything.
> I only want a bigger disk so that I can image all the VMS CDs I have and
> then make them available via LD DRIVER.
>
> Next attempt will be with a Quantum Atlas 10K (68-pin) 73GB disk. But that
> won't stay in there long even if it works: it sounds like a jet engine
> firing up when it runs!
>
> Antonio
> arcarl...@iee.org

Antonio,

I've only got one SCA-68p adapter and it's in use on an Alpha with ultra-wide connectivity. It does have jumpers on it, which can set termination for all, low 8, or high 8 bits. It also jumpers for class (LCD versus SE). Does your adapter have any such configurability? Although I guess you would have tried already...

I got my adapter from Compgeeks as a closeout 2 years ago. There is no identifying brand information, sorry. Nor do I have a VS4000 to test it on.

Also, although you don't want to spend money on this, consider keeping an eye open on Ebay or elsewhere for a Compaq/Nemonix DS-KZCCA-BB, which is the "VAX Adapter" that provides ultra-SCSI and 100Base-T networking for the VAXstation 4000-9x workstations. It will probably improve your compatibility options for disks in addition to providing a decent speedup. Keep an eye open and you might catch a deal (though the VAXstation version of this card is the hardest to find in the aftermarket).

FWIW we picked up a new DS-KZCCA-DB dirt cheap ($40!) for a customer a few years ago (VAX 4000-108) and it made a substantial difference in their disk intensive processing. Unfortunately they are not running SCA disks so I can't provide any specific info on that.

------------------------------

Date: Thu, 04 Sep 2008 13:53:16 GMT
From: "John E. Malmberg"
Subject: Re: [RBL] Current status?
Message-ID:

David J Dachtera wrote:
> "John E. Malmberg" wrote:
>>
>> A corporate firewall should be detecting and setting off security alarms
>> when a non-mail server attempts to make a direct SMTP connection through it.
>
> ...and therein lies the rub: too many vendor-managed proprietary
> (non-Windows) systems where the vendor is unwilling to "play by the
> house rules".

If the system is supposed to send e-mail, then it can be let through the firewall.

If it is not supposed to send e-mail, and it attempts to, don't you think someone should find out why?

>> Another technique to use is a Samba Server configured to look like a
>> vulnerable PC to see what systems attempt to infect it.
>>
>> And Corporate/Educational network owners should consider being
>> suspicious of any outgoing e-mail with reply-to addresses for any of the
>> free/demo e-mailers:
>>
>> hotmail.com, live.com, live.ca, live.co.uk, live.*
>>
>> aol.com, games.com, aim.com, aol.*
>>
>> voila.fr, myway.com, gazeta.pl
>>
>> yahoo.com, rocketmail.com, ymail.com, yahoo.*
>>
>> gmail.com, googlemail.com
>
> Note: "should consider being suspicious of", but should not block
> arbitrarily.

It depends what is more important to the business: Delivery of personal e-mails to non-business addresses through the business's e-mail servers/firewalls or the delivery of messages/pages that are critical to the business.

Or if it is important for the business to know if criminals have access to private business and personal records.

-John
Personal Opinion Only

------------------------------

Date: 4 Sep 2008 11:26:02 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: [RBL] Current status?
Message-ID:

In article , "John E. Malmberg" writes:
>
> If it is not supposed to send e-mail, and it attempts to, don't you
> think someone should find out why?

We've had a lot of problems deploying COTS products that send out notifications via email, from systems that the security folks think shouldn't be "mail servers".

So "supposed to" is in the eye of the beholder.

------------------------------

Date: 4 Sep 2008 17:37:15 GMT
From: billg999@cs.uofs.edu (Bill Gunshannon)
Subject: Re: [RBL] Current status?
Message-ID: <6iakmbFpl207U2@mid.individual.net>

In article , koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
> In article , "John E. Malmberg" writes:
>>
>> If it is not supposed to send e-mail, and it attempts to, don't you
>> think someone should find out why?
>
> We've had a lot of problems deploying COTS products that send
> out notifications via email, from systems that the security folks
> think shouldn't be "mail servers".
>
> So "supposed to" is in the eye of the beholder.

Not really. Those particular devices should be sending their email to the real mailserver which should be the only one communicating with mail servers in the outside world. If network/system managers, in particular ISP's, followed this rule 99% of SPAM could be dealt with in very short order.

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999@cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |  #include

------------------------------

End of INFO-VAX 2008.485
************************
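
Added example for the "SSH and SFTP configuration" thread above; it is not part of the digest or of any poster's message. The two ssh-keygen conversions described there only rewrap the same public-key blob between the IETF SECSH (RFC 4716) file layout and the OpenSSH one-line layout, which this Python 3 sketch does with the standard library alone. The function names and the sample key are made up for illustration.

```python
import base64

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _key_type(blob: bytes) -> str:
    """Algorithm name: the first length-prefixed string in the key blob."""
    n = int.from_bytes(blob[:4], "big")
    name = blob[4:4 + n]
    if len(blob) < 4 or n == 0 or len(name) != n:
        raise ValueError("truncated or empty key blob")
    return name.decode("ascii")


def secsh_to_openssh(text: str) -> str:
    """IETF SECSH (RFC 4716) file -> OpenSSH one-line key (cf. ssh-keygen -i)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 PUBLIC KEY markers")
    body, comment, i = [], "", 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line:  # header line; base64 never contains ':'
            while line.endswith("\\") and i < len(lines) - 2:
                i += 1  # a trailing backslash continues the header
                line = line[:-1] + lines[i]
            tag, _, value = line.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    b64 = "".join(body)
    kind = _key_type(base64.b64decode(b64, validate=True))
    return " ".join(f for f in (kind, b64, comment) if f)


def openssh_to_secsh(line: str) -> str:
    """OpenSSH one-line key -> IETF SECSH file (cf. ssh-keygen -e)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    kind, b64 = parts[0], parts[1]
    if _key_type(base64.b64decode(b64, validate=True)) != kind:
        raise ValueError("key type does not match key blob")
    out = [BEGIN]
    if len(parts) == 3:  # assumes a short comment; long headers need '\' continuation
        out.append(f'Comment: "{parts[2]}"')
    out += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(out + [END]) + "\n"

# Constructed sample: "ssh-dss" name plus filler bytes, not a usable key.
SAMPLE = "ssh-dss " + base64.b64encode(b"\x00\x00\x00\x07ssh-dss" + bytes(90)).decode() + " batch@vms"
```

Only the public half of a key pair is ever passed through these functions; the private key file stays where it was generated.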