INFO-VAX Mon, 02 Jul 2007 Volume 2007 : Issue 358

Contents:
Re: gSOAP on OpenVMS? VMS as Web Service *client*
Re: OpenVMS - When downtime is not an option
Re: OpenVMS - When downtime is not an option
Re: OpenVMS - When downtime is not an option
Re: Question to Kerry Main
RE: Question to Kerry Main
Re: Question to Kerry Main
Re: Question to Kerry Main
Re: Question to Kerry Main
Re: Question to Kerry Main
Re: SIMH networking
Re: SSH newbie question
Supportnow live chat support
Re: TCPIP$GET_MX: getmxrr() failed
Re: TCPIP$GET_MX: getmxrr() failed
Re: TCPIP$GET_MX: getmxrr() failed
Re: Ten years ago...
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
Re: VMS security vulnerability (POP server)
VMSclusters and data replication
Re: VMSclusters and data replication
Re: VMSclusters and data replication
Re: VTJ V10

----------------------------------------------------------------------

Date: 2 Jul 2007 07:11:23 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: gSOAP on OpenVMS? VMS as Web Service *client*
Message-ID: <3nhwiKYevB08@eisner.encompasserve.org>

In article <5epqncF38tqmfU2@mid.individual.net>, bill@cs.uofs.edu (Bill Gunshannon) writes:
> That's why VMS only has uppercase. :-)

I forget, what planet is he on?

Back when all VAXen were 11/780 and the release number was 1.x, VMS was the first system I used where I routinely released the caps lock key.

------------------------------

Date: 2 Jul 2007 07:02:11 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: OpenVMS - When downtime is not an option
Message-ID:

In article <5el3i1F3854s8U1@mid.individual.net>, bill@cs.uofs.edu (Bill Gunshannon) writes:
>
> It will if you counsel him the first time and fire him the second time. :-)

No, the newhire will likely fall into the same habit.

>
>> If an admin needs to get to the MS
>> website to look at a problem he's having with a server, is that
>> "surfing"? He might be looking around other resources and
>> accidentally trip over a virus.
>
> He shouldn't be doing it from the server. He should go back to his desk
> with all the pertinent information and "surf" from there.

Right, and turn a ten minute problem into an hour.

>>
>> And that's assuming management understands the issue well enough to
>> make such a mandate.
>
> Weren't you the one who just told me yesterday that when you speak,
> management listens?

Something like that. And often they respond with a statement that they don't understand the technical issues and won't make a decision. I don't blame them for knowing their limitations.

>>
>> Poor quality in Microsoft's product is a Microsoft problem and a
>> problem for each of their products, the only fault on the part of
>> management is failing to block its use.
>
> Bull crap. Just because some people have an axe to grind doesn't mean
> the fault is all MS's.

It's not bull. It's MS crap. I know their business model and there is pressure to produce low quality products so they can sell you a replacement next year. I know their products from decades of being forced to use them and I know first hand the low quality.

------------------------------

Date: 2 Jul 2007 12:56:12 GMT
From: bill@cs.uofs.edu (Bill Gunshannon)
Subject: Re: OpenVMS - When downtime is not an option
Message-ID: <5esavbF3a5ik2U1@mid.individual.net>

In article , koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
> In article <5el3i1F3854s8U1@mid.individual.net>, bill@cs.uofs.edu (Bill Gunshannon) writes:
>>
>> It will if you counsel him the first time and fire him the second time. :-)
>
> No, the newhire will likely fall into the same habit.

I don't know. It is usually pretty instructive when an employee is told what got his predecessor canned. :-)

>
>>
>>> If an admin needs to get to the MS
>>> website to look at a problem he's having with a server, is that
>>> "surfing"? He might be looking around other resources and
>>> accidentally trip over a virus.
>>
>> He shouldn't be doing it from the server. He should go back to his desk
>> with all the pertinent information and "surf" from there.
>
> Right, and turn a ten minute problem into an hour.

What is security worth to you? How is your willingness to sacrifice security to save a few minutes a Microsoft security issue?

>
>
>>>
>>> And that's assuming management understands the issue well enough to
>>> make such a mandate.
>>
>> Weren't you the one who just told me yesterday that when you speak,
>> management listens?
>
> Something like that. And often they respond with a statement that
> they don't understand the technical issues and won't make a decision.
> I don't blame them for knowing their limitations.

Well, local management shortcomings aren't Microsoft security issues either. There are good practices and bad practices. I have (and do) worked in places where these practices are applied and all this "Windows can't be secured" crap has been disproved. Of course, the ability to run your shop in a draconian manner helps. I can not be as draconian here at the University but I have applied much of what I picked up on my second job and it has made a big difference. Not just with servers either. On a campus that is rampant with virii and zombied PC's my labs and users seem to have no problem staying immune.

>
>>>
>>> Poor quality in Microsoft's product is a Microsoft problem and a
>>> problem for each of their products, the only fault on the part of
>>> management is failing to block its use.
>>
>> Bull crap. Just because some people have an axe to grind doesn't mean
>> the fault is all MS's.
>
> It's not bull. It's MS crap. I know their business model and there
> is pressure to produce low quality products so they can sell you
> a replacement next year. I know their products from decades of being
> forced to use them and I know first hand the low quality.

I am no lover of Microsoft. But there is no similarity between Windows98 and Server 2008. A lot has changed in those intervening decades and trying to claim it hasn't is just plain silly. Good practice can make MS servers every bit as secure and stable as anything else on the market today. Every incident I saw during my January in Germany (there were 3) was the result of someone violating specific instructions. Two of them happened before the individual even got here and were discovered by the mandatory check that all machines had to go thru before even being allowed on any of our networks. None of them affected any more than the individual's machine.

Oh yeah, I should mention the third as well. That was the Female French soldier who was discovered in a secure area rocking to her Ipod even though all personal electronic gear was prohibited. I wonder if they wiped it clean before they gave it back to her? :-)

On another note, I do have to admit the female French soldiers looked pretty good in their spandex camo uniforms. Especially from behind. :-) Can't imagine they work as well in combat as ours do, though.

bill

-- 
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
bill@cs.scranton.edu     |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include

------------------------------

Date: Mon, 2 Jul 2007 17:41:47 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: OpenVMS - When downtime is not an option
Message-ID:

In article , Bill Todd writes:
>JF Mezei wrote:
>> Bill Todd wrote:
>>> Please explain exactly how a virus, trojan, or worm can infect a
>>> server via any legitimate use of email on that server.
>>
>> Over the years, there have been plenty of patches issued to prevent such
>> things from happening on many of the unix SMTP servers. (think buffer
>> overflow with a TO FROM etc that are way too long and contain code).
>
>You're as welcome as Paul is to provide a *specific* example of such an
>exposure in a current Windows environment, JF. Otherwise, stop blowing
>the same kind of hot air that Kerry so often does: it's not responsive
>to the challenge that I posed (but then hot air never is, is it).
>

Since in this instance we are talking SMTP servers the Microsoft equivalent is Exchange. The last such vulnerability was in May. See

http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx

in particular the MIME decoding vulnerability CVE-2007-0213

Note. That particular patch also fixes a couple of denial of services vulnerabilities in IMAP and the calendar service. The calendar services works by sending emails with vCal or iCal properties and that had a critical remotely exploitable vulnerability in May 2006 see

http://www.microsoft.com/technet/security/bulletin/ms06-019.mspx

Of course this only affects you if your server is running Exchange.
Similarly MS07-029 only affects you if you have the DNS service running (which it quite often is on domain controllers) see

http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx

However Microsoft fairly often has more general vulnerabilities such as

http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
and
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

which you can protect against by blocking TCP ports 139 and 445 at the firewall which is fine when you are protecting against attack from outside but may cause problems if the attack comes from inside your organisation.

Although prioritising these wormable bugs for patching is probably the best way of dealing with the flood of Microsoft vulnerabilities relying on people not using browsers on servers is not a good long term option hence all those other server patches still need to be applied it's just that you can spend a bit more time planning and testing.

David Webb
Security team leader
CCSS
Middlesex University

>- bill

------------------------------

Date: Mon, 02 Jul 2007 01:26:05 -0700
From: IanMiller
Subject: Re: Question to Kerry Main
Message-ID: <1183364765.992197.210520@57g2000hsv.googlegroups.com>

On Jul 1, 9:54 pm, "Paul Raulerson" wrote:
>
> I'm not sure in my mind about Itanium yet; I am thinking that porting VMS to
> x86 may well be the way of the future, but HP has chosen Itanium for
> (presumably) very good reasons. What do you think about the platform choice?
>
> -Paul

I notice that some in the trade press are starting to think Itanium has a future.

http://www.techworld.com/opsys/features/index.cfm?featureID=3503

"The Itanium is great, it's got a future, and it's selling pretty well -- considering. This is Intel's latest war-cry, as it bids to resurrect the fortunes of a chip that many IT industry observers have all but written off."

...

"So Itanium is gaining share in a slow-growing market, and the roadmap is back on track, re the key messages that Intel was keen to put over. The sub-text, not so hidden beneath the surface, was that the chip vendor won't be putting the Itanium out to grass anytime soon, and that software vendors, hardware OEMs and -- most importantly -- end users needn't fear for the future of Itanium-based systems."

------------------------------

Date: 2 Jul 2007 08:12:12 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: RE: Question to Kerry Main
Message-ID:

In article , "Main, Kerry" writes:
> What happens on c.o.v. is a microism of the real world business
> environment. The real business world is actually exponentially worse.
> Can you imagine if we had passionate Linux vs Windows vs UNIX
> discussions on c.o.v. as well as the OpenVMS discussions?
>
> Now that would be an interesting newsgroup ... course, the signal to
> noise ratio would go through the roof.

By my estimate, the signal to noise ratio would plummet.

Did you do your s/n calculation on Windows ?

> :-)

------------------------------

Date: Mon, 02 Jul 2007 14:11:12 +0000
From: "Paul Raulerson"
Subject: Re: Question to Kerry Main
Message-ID:

I read that article as well. I think I agree with it, at least in part. The Itanium seems to be an evolutionary step for Intel, and the chip does have some mainframe-like qualities to it. And of course, HP gear, like IBM gear, seems to last forever.

I guess that is also what makes me nervous, there is little history behind the processor, and it could be abandoned very quickly if it does not continue to grow. HP is hanging out there alone with it. Of course, with great risc comes great potential profit. (Pun intended.)

-Paul



------------------------------

Date: Mon, 02 Jul 2007 07:49:48 -0700
From: "Tom Linden"
Subject: Re: Question to Kerry Main
Message-ID:

On Mon, 02 Jul 2007 07:11:12 -0700, Paul Raulerson wrote:

> I read that article as well. I think I agree with it, at least in part.
> The Itanium seems to be an evolutionary step for Intel, and the chip
> does have some mainframe-like qualities to it. And of course, HP gear,
> like IBM gear, seems to last forever.

The difference is, however, that IBM remains backward compatible for the last 40 years.

> I guess that is also what makes me nervous, there is little history
> behind the processor, and it could be abandoned very quickly if it does
> not continue to grow. HP is hanging out there alone with it. Of course,
> with great risc comes great potential profit. (Pun intended.)
> -Paul
>

The risk is not risc it is epic.

-- 
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: Mon, 02 Jul 2007 15:12:13 +0000
From: "Paul Raulerson"
Subject: Re: Question to Kerry Main
Message-ID:

So you are saying there is no RISC in this EPIC journey to Itanium? MMm...

------------------------------

Date: Mon, 02 Jul 2007 13:49:33 -0400
From: JF Mezei
Subject: Re: Question to Kerry Main
Message-ID: <7e3a9$46893ad7$cef8887a$16516@TEKSAVVY.COM>

IanMiller wrote:
> http://www.techworld.com/opsys/features/index.cfm?featureID=3503

That article doesn't mention loss of applications on VMS though, does it ?

What this article states is that the product manager for IA64 at Intel is still trying to spin the product positively.

Still no mention of IA64 going from being in the red to being profitable. And that is a very important metric.

> "So Itanium is gaining share in a slow-growing market, and the roadmap
> is back on track,

Yep, but this is a slowed down roadmap from the original one, at the same time as the 8086 has gotten a faster roadmap due to competition from AMD.

------------------------------

Date: 2 Jul 2007 07:09:12 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: SIMH networking
Message-ID: <4h97qCamnHBm@eisner.encompasserve.org>

In article <1183202358.161191.144550@m36g2000hse.googlegroups.com>, sampsal@gmail.com writes:
>
> The problem is that the VAX can talk to ANY other machine on both the
> 192.168.77.* network as well as the outside world just fine EXCEPT for
> the hosting OS X box. That is, I can ping the PIX from the VAX and
> vice versa, but not the iMac from the VAX or the VAX from the iMac.

To the IP stack both systems map to the same ethernet address. To get around this generally you need two NICs.

------------------------------

Date: 2 Jul 2007 08:16:48 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: Re: SSH newbie question
Message-ID:

In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes:
> In article , JF Mezei
> writes:
>
>> Phillip Helbig---remove CLOTHES to reply wrote:
>> > When you telnet into your router (presumably from outside your LAN),
>> > everything echoed on your screen is potentially available.
>>
>> From the outside, one can only reach one machine (a vms box). The
>> router is not reachable from the outside, nor is the mac or any other
>> machine from a telnet point of view.
>
> And from the outside, access is via SSH rather than TELNET? If the
> former, OK; if the latter, then you are still vulnerable.

Not necessarily. Consider login via SecureID tokens. Then it depends on the value of the information transmitted during the session.

------------------------------

Date: Mon, 02 Jul 2007 08:03:34 -0700
From: FabMahesh
Subject: Supportnow live chat support
Message-ID: <1183388614.924177.134890@c77g2000hse.googlegroups.com>

Try Supportnow they provide operators 24/7 to address such issues. Live human operators assist by assisting online queries. visit www.supportnow.biz. They are pretty cheap as well.

------------------------------

Date: Mon, 02 Jul 2007 08:55:56 +0200
From: "P. Sture"
Subject: Re: TCPIP$GET_MX: getmxrr() failed
Message-ID:

In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) wrote:

> In article , JF Mezei
> writes:
>
> > Phillip Helbig---remove CLOTHES to reply wrote:
> > > getmxrr: name = 87.139.7.213])
> > > getmxrr: res_search() failed
> > > TCPIP$GET_MX: getmxrr() failed
> >
> > Do you have any idea to whom this IP belongs to ?
>
> No.
>
> > This part of a
> > Deutsche Telekom block. But it has no reverse translation. And it would
> > then become impossible to find the MX record since you can't find the
> > host name from the IP.
> >
> > Is this the IP of a sender or your own IP ?
>
> It's not my own IP nor is it the IP of anything I use (nameserver or
> whatever).

Do you use Deutsche Telekom anywhere? Or perhaps the question should be, "Does your ISP use 'em?".

-- 
Paul Sture

------------------------------

Date: Mon, 2 Jul 2007 10:08:15 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: TCPIP$GET_MX: getmxrr() failed
Message-ID:

In article , "P. Sture" writes:

> In article ,
> helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to
> reply) wrote:
>
> > In article , JF Mezei
> > writes:
> >
> > > Phillip Helbig---remove CLOTHES to reply wrote:
> > > > getmxrr: name = 87.139.7.213])
> > > > getmxrr: res_search() failed
> > > > TCPIP$GET_MX: getmxrr() failed
> > >
> > > Do you have any idea to whom this IP belongs to ?
> >
> > No.
> >
> > > This part of a
> > > Deutsche Telekom block. But it has no reverse translation. And it would
> > > then become impossible to find the MX record since you can't find the
> > > host name from the IP.
> > >
> > > Is this the IP of a sender or your own IP ?
> >
> > It's not my own IP nor is it the IP of anything I use (nameserver or
> > whatever).
>
> Do you use Deutsche Telekom anywhere? Or perhaps the question should
> be, "Does your ISP use 'em?".

Yes. My ISP is 1&1. Legally, my internet connection has nothing to do with Deutsche Telekom, but behind the scenes the DSL connection from 1&1 is a "resell" connection from Deutsche Telekom.

The question is, what does the error mean? And why the funny format with "])" at the end? Since everything appears to be working, what effects does the error have? Has anyone else seen this?

------------------------------

Date: Mon, 02 Jul 2007 13:29:04 -0400
From: JF Mezei
Subject: Re: TCPIP$GET_MX: getmxrr() failed
Message-ID: <43b64$46893609$cef8887a$14076@TEKSAVVY.COM>

Phillip Helbig---remove CLOTHES to reply wrote:
>> > > Phillip Helbig---remove CLOTHES to reply wrote:
>> > > > getmxrr: name = 87.139.7.213])

> The question is, what does the error mean? And why the funny format

Well, it is pretty obvious: SMTP cannot obtain the mx record (DNS) for ip 87.139.7.213

Is it always the same IP mentioned ? Is it always present no matter what the sender is ?

Is your mail routed to some forwarding SMTP server before getting to you ? Would that IP belong to that forwarding SMTP server ?

------------------------------

Date: Mon, 02 Jul 2007 02:08:13 -0400
From: JF Mezei
Subject: Re: Ten years ago...
Message-ID: <2523$46889676$cef8887a$28977@TEKSAVVY.COM>

BTW, BBC is reporting this in their business news as a fairly high importance item. They also claim it is the biggest leveraged buyout ever in the world. They also mention that Telus might still jump in with a sweeter offer.

But since it is just holding companies that are buying Bell, I don't think you will see massive changes. For Sabia to support it, he must have gotten a very sweet deal and guarantee to not be fired for at least 8-12 months.

These equity firms like to buy such companies because they can then use their cash and borrow against assets to buy more companies. But the pension fund would have a different mentality since they need constant reliable revenues to fund retirement plans. Not sure if they would make radical changes to Bell.

Now, if Telus had bought Bell, we might really benefit since Telus has the software that allows competitive DSL services without that atrocious hack that is PPPoE. By removing PPPoE from Bell's DSL network, it would remove one major overhead layer that is a pain due to routing and different MTUs.

------------------------------

Date: Mon, 02 Jul 2007 02:00:44 -0400
From: JF Mezei
Subject: Re: VMS security vulnerability (POP server)
Message-ID:

Michael Moroney wrote:
> That is a nasty one, since much of what makes VMS resistant to such
> attacks is the ability to sense a breakin attempt and deny access from
> the breakin source even when it gets the password correct.
>
> Did the attempt seem to target VMS or was it a script kiddie hacking at
> a Windoze box or Unix box (accounts like administrator or root being
> tried)

Brute force. And VMS is even worse:

$ telnet/port=110 chain
%TELNET-I-TRYING, Trying ... 10.0.0.11
%TELNET-I-SESSION, Session 01, host chain, port 110
+OK TCPIP POP server V5.6-9, OpenVMS V8.3 Alpha at chain.vaxination.ca, up sinc>
USER canada
-ERR No such user "canada"
USER system
+OK Password required for "system"
PASS chocolate
-ERR password supplied for "system" is incorrect.
%TELNET-S-REMCLOSED, Remote connection closed
-TELNET-I-SESSION, Session 01, host chain, port 110

So by checking whether the USER command returns an -ERR or +OK, you can narrow down which usernames are valid, and then proceed to guess their passwords by brute force.

------------------------------

Date: Mon, 02 Jul 2007 07:16:41 GMT
From: Chris Sharman
Subject: Re: VMS security vulnerability (POP server)
Message-ID:

JF Mezei wrote:
> Brute force. And VMS is even worse:
>
> $ telnet/port=110 chain
> %TELNET-I-TRYING, Trying ... 10.0.0.11
> %TELNET-I-SESSION, Session 01, host chain, port 110
> +OK TCPIP POP server V5.6-9, OpenVMS V8.3 Alpha at chain.vaxination.ca,
> up sinc>
> USER canada
> -ERR No such user "canada"
> USER system
> +OK Password required for "system"
> PASS chocolate
> -ERR password supplied for "system" is incorrect.
> %TELNET-S-REMCLOSED, Remote connection closed
> -TELNET-I-SESSION, Session 01, host chain, port 110
>
>
> So by checking whether the USER command returns an -ERR or +OK, you can
> narrow down which usernames are valid, and then proceed to guess their
> passwords by brute force.

Good job IUPOP3 does intrusion detection, and is easily available & installable - I'd often wondered whether I ought to ditch it in favour of the latest ucx/tcpip offering, but hadn't got around to it.

You make a convincing case for IUPOP3. It's source code, too, so if it allows checking of user names in isolation, that would be easily fixable.

Chris

------------------------------

Date: Mon, 02 Jul 2007 09:45:52 +0200
From: Joseph Huber
Subject: Re: VMS security vulnerability (POP server)
Message-ID:

Chris Sharman wrote:
> Good job IUPOP3 does intrusion detection, and is easily available &
> installable - I'd often wondered whether I ought to ditch it in favour
> of the latest ucx/tcpip offering, but hadn't got around to it.
>
> You make a convincing case for IUPOP3. It's source code, too, so if it
> allows checking of user names in isolation, that would be easily fixable.

I some time ago also switched from IUPOP3 to TCPIP services, because it serves the SSL port, and our domain requests that for outside connections. I know one could tunnel SSL POP (using e.g. STUNNEL, which I do for IMAP in my aging TCPIP 5.3), but this has the ugly effect of being one connection at a time (and others get connection timeout and have to retry).

Although TCPIP services POP implementation seems to be based on IUPOP3, is there a newer IUPOP3 implementation serving the SSL port ?
-- Joseph Huber - http://www.huber-joseph.de ------------------------------ Date: Mon, 02 Jul 2007 01:17:49 -0700 From: IanMiller Subject: Re: VMS security vulnerability (POP server) Message-ID: <1183364269.328754.176690@g4g2000hsf.googlegroups.com> "(All my users are either on the LAN or coming in over encrypted VPN connections, no WAN access to POP, and they are all company employees with privileged VMS accounts anyway, so it doesn't worry me very much.) " This means that the usernames and passwords for privileged vms accounts are going over your corporate LAN unencrypted. You may wish to reconsider this. ------------------------------ Date: Mon, 02 Jul 2007 01:18:52 -0700 From: IanMiller Subject: Re: VMS security vulnerability (POP server) Message-ID: <1183364332.049628.249130@m36g2000hse.googlegroups.com> Orginally the UCX POP3 server was based on IUPOP3. I wonder if it still is. ------------------------------ Date: Mon, 02 Jul 2007 10:18:02 +0200 From: "J.Jansen" Subject: Re: VMS security vulnerability (POP server) Message-ID: <44342$4688b597$915e511b$27752@news2.tudelft.nl> Joseph Huber wrote: > Chris Sharman wrote: >> Good job IUPOP3 does intrusion detection, and is easily available & >> installable - I'd often wondered whether I ought to ditch it in favour >> of the latest ucx/tcpip offering, but hadn't got around to it. >> >> You make a convincing case for IUPOP3. It's source code, too, so if it >> allows checking of user names in isolation, that would be easily fixable. > > I some time ago also switched from IUPOP3 to TCPIP services, because it > serves the SSL port, and our domain requests that for outside connections. > I know one could tunnel SSL POP (using e.g. STUNNEL, which I do for IMAP > in my aging TCPIP 5.3), but this has the ugly effect of being one > connection at a time (and others get connection timeout and have to retry). 
>
> Although TCPIP services POP implementation seems to be based on IUPOP3,
> is there a newer IUPOP3 implementation serving the SSL port ?
>

No idea at all where to download, since Indiana University closed the
IUPOP3 web-page. So I do not expect any new development.

Anyone any idea where to get the latest version?

Jouk

------------------------------

Date: Mon, 02 Jul 2007 12:19:43 +0400
From: "Ruslan R. Laishev"
Subject: Re: VMS security vulnerability (POP server)
Message-ID:

Hello!

Have a look at http://starlet.deltatel.ru/~laishev/work/pop3/

I wrote this as replacement of the IUpop3 and other POP3 server supplied
with IP-package. Intrusion detection, TLS support and so on...

JF Mezei wrote:
> OK, it has been a couple of weeks and haven't heard anything back from HP).
>
> When a pop client requests access to the VMS POP server (Alpha VMS 8.3,
> TCPIP Services 5.6) and provides incorrect username/password, this event
> is not logged in the audit server. A simple message is sent to OPCOM.
> This message does not contain any clue on the origin of the request.
>
> So overnight, it becomes possible to run brute force attempts on
> usernames via POP since no intrusion detection/evasion is made, and
> short of many messages in operator.log, there is nothing in AnA/AUDIT
> and no information on the IP address of the client that made those
> attempts.
>
> (I got such an attack with thousands of attempts).
>
> The whole intrusion detection scheme needs to apply to ALL services
> which grant access to VMS via user/password combination and all such
> application should comply to whatever calling standards to ensure that
> all attempts with invalid credentials are properly logged, including IP
> address and the username that was attempted.
>

--
+ WBR, OpenVMS [Sys|Net] HardWorker ............. Skype: SysMan-One +
Delta Telecom JSC, IMT-MC-450(CDMA2000) cellular operator
Russia,191119,St.Petersburg,Transportny per.
3 Cel: +7 (812) 716-3222
+http://starlet.deltatelecom.ru ............. Frying on OpenVMS only +

------------------------------

Date: Mon, 02 Jul 2007 09:10:07 GMT
From: John Santos
Subject: Re: VMS security vulnerability (POP server)
Message-ID:

IanMiller wrote:
> "(All my users are either on the LAN or
> coming in over encrypted VPN connections, no WAN access to POP, and
> they
> are all company employees with privileged VMS accounts anyway, so it
> doesn't worry me very much.) "
>
> This means that the usernames and passwords for privileged vms
> accounts are going over your corporate LAN unencrypted. You may wish
> to reconsider this.
>

You're wrong, because you are making incorrect assumptions. I won't say
any more.

--
John Santos
Evans Griffiths & Hart, Inc.
781-861-0670 ext 539

------------------------------

Date: Mon, 02 Jul 2007 06:24:37 -0700
From: "Tom Linden"
Subject: Re: VMS security vulnerability (POP server)
Message-ID:

On Sun, 01 Jul 2007 23:00:44 -0700, JF Mezei wrote:

> Michael Moroney wrote:
>> That is a nasty one, since much of what makes VMS resistant to such
>> attacks is the ability to sense a breakin attempt and deny access from
>> the breakin source even when it gets the password correct.
>> Did the attempt seem to target VMS or was it a script kiddie hacking at
>> a Windoze box or Unix box (accounts like administrator or root being
>> tried)
>
>
> Brute force. And VMS is even worse:
>
> $ telnet/port=110 chain
> %TELNET-I-TRYING, Trying ... 10.0.0.11
> %TELNET-I-SESSION, Session 01, host chain, port 110
> +OK TCPIP POP server V5.6-9, OpenVMS V8.3 Alpha at chain.vaxination.ca,
> up sinc>
> USER canada
> -ERR No such user "canada"
> USER system
> +OK Password required for "system"
> PASS chocolate
> -ERR password supplied for "system" is incorrect.
> %TELNET-S-REMCLOSED, Remote connection closed
> -TELNET-I-SESSION, Session 01, host chain, port 110
>
>
> So by checking whether the USER command returns an -ERR or +OK, you can
> narrow down which usernames are valid, and then proceed to guess their
> passwords by brute force.
>

What happens if you disable telnet and only allow ssh?

--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: 2 Jul 2007 15:43:04 GMT
From: bill@cs.uofs.edu (Bill Gunshannon)
Subject: Re: VMS security vulnerability (POP server)
Message-ID: <5esko8F39mk0sU1@mid.individual.net>

In article ,
"Tom Linden" writes:
> On Sun, 01 Jul 2007 23:00:44 -0700, JF Mezei wrote:
>
>> Michael Moroney wrote:
>>> That is a nasty one, since much of what makes VMS resistant to such
>>> attacks is the ability to sense a breakin attempt and deny access from
>>> the breakin source even when it gets the password correct.
>>> Did the attempt seem to target VMS or was it a script kiddie hacking at
>>> a Windoze box or Unix box (accounts like administrator or root being
>>> tried)
>>
>>
>> Brute force. And VMS is even worse:
>>
>> $ telnet/port=110 chain
>> %TELNET-I-TRYING, Trying ... 10.0.0.11
>> %TELNET-I-SESSION, Session 01, host chain, port 110
>> +OK TCPIP POP server V5.6-9, OpenVMS V8.3 Alpha at chain.vaxination.ca,
>> up sinc>
>> USER canada
>> -ERR No such user "canada"
>> USER system
>> +OK Password required for "system"
>> PASS chocolate
>> -ERR password supplied for "system" is incorrect.
>> %TELNET-S-REMCLOSED, Remote connection closed
>> -TELNET-I-SESSION, Session 01, host chain, port 110
>>
>>
>> So by checking whether the USER command returns an -ERR or +OK, you can
>> narrow down which usernames are valid, and then proceed to guess their
>> passwords by brute force.
>>
> What happens if you disable telnet and only allow ssh?

He is using TELNET from the source end. The destination is POP.
If he disables TELNET he can't get out of his box. :-) Somehow, I
don't think that will solve a problem with incoming POP connections.

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
bill@cs.scranton.edu     |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |  #include

------------------------------

Date: Mon, 02 Jul 2007 08:50:14 -0700
From: myth@null.net
Subject: Re: VMS security vulnerability (POP server)
Message-ID: <1183391414.470636.208290@n60g2000hse.googlegroups.com>

On Jul 2, 2:00 am, JF Mezei wrote:
> So by checking whether the USER command returns an -ERR or +OK, you can
> narrow down which usernames are valid, and then proceed to guess their
> passwords by brute force.

Yes, but that behavior is up to the system manager. Messages generated
by the POP server can be either FRIENDLY or SECURE. For example, if you
don't want a potential attacker to be able to tell whether or not a
particular username exists, you can do:

   $ DEFINE /SYSTEM /EXECUTIVE_MODE TCPIP$POP_SECURITY SECURE

Of course, you'll also want to make appropriate settings around other
ways to scan for valid usernames, such as SMTP, FINGER, FTP, and other
services you have enabled. Otherwise, the attacker who wants to know
whether user JONES exists will just try sending mail and see whether it
bounces.

For the POP server, the source of all access attempts (whether
successful or not) is captured in the file:

   SYS$SYSDEVICE:[TCPIP$POP]TCPIP$POP_RUN.LOG

If the target username exists, the login failure count is also
incremented so that the user will be notified of the failures upon the
next valid login.
- Mark

------------------------------

Date: Mon, 02 Jul 2007 09:14:52 -0700
From: "Tom Linden"
Subject: Re: VMS security vulnerability (POP server)
Message-ID:

On Mon, 02 Jul 2007 08:43:04 -0700, Bill Gunshannon wrote:

> In article ,
> "Tom Linden" writes:
>> On Sun, 01 Jul 2007 23:00:44 -0700, JF Mezei wrote:
>>
>>> Michael Moroney wrote:
>>>> That is a nasty one, since much of what makes VMS resistant to such
>>>> attacks is the ability to sense a breakin attempt and deny access from
>>>> the breakin source even when it gets the password correct.
>>>> Did the attempt seem to target VMS or was it a script kiddie hacking at
>>>> a Windoze box or Unix box (accounts like administrator or root being
>>>> tried)
>>>
>>>
>>> Brute force. And VMS is even worse:
>>>
>>> $ telnet/port=110 chain
>>> %TELNET-I-TRYING, Trying ... 10.0.0.11
>>> %TELNET-I-SESSION, Session 01, host chain, port 110
>>> +OK TCPIP POP server V5.6-9, OpenVMS V8.3 Alpha at chain.vaxination.ca,
>>> up sinc>
>>> USER canada
>>> -ERR No such user "canada"
>>> USER system
>>> +OK Password required for "system"
>>> PASS chocolate
>>> -ERR password supplied for "system" is incorrect.
>>> %TELNET-S-REMCLOSED, Remote connection closed
>>> -TELNET-I-SESSION, Session 01, host chain, port 110
>>>
>>>
>>> So by checking whether the USER command returns an -ERR or +OK, you can
>>> narrow down which usernames are valid, and then proceed to guess their
>>> passwords by brute force.
>>>
>> What happens if you disable telnet and only allow ssh?
>
> He is using TELNET from the source end. The destination is POP.
> If he disables TELNET he can't get out of his box. :-) Somehow, I
> don't think that will solve a problem with incoming POP connections.
>
> bill
>

What I meant was, can ssh be similarly exploited to attempt breakin?
--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: Mon, 2 Jul 2007 11:27:52 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: VMS security vulnerability (POP server)
Message-ID: <07070211275193_202222BA@antinode.org>

From: "Tom Linden"

> What I meant was, can ssh be similarly exploited to attempt breakin?

   SSH seems to say the right things. For example:

[...]
Security alarm (SECURITY) and security audit (SECURITY) on ALP, system id: 1119
Auditable event:          Network breakin detection
Event time:               1-JUL-2007 12:45:50.89
PID:                      20221942
Process name:             TCPIP$SS_BG4356
Username:                 ROOT
Password:
Remote node fullname:     SSH_PASSWORD:202.79.4.57
Remote username:          ROOT(LOCAL)
Status:                   %LOGIN-F-EVADE, break-in evasion in effect
[...]

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Mon, 02 Jul 2007 13:38:00 -0400
From: JF Mezei
Subject: Re: VMS security vulnerability (POP server)
Message-ID:

myth@null.net wrote:
>
> For the POP server, the source of all access attempts (whether
> successful or not) is captured in the file:
>
> SYS$SYSDEVICE:[TCPIP$POP]TCPIP$POP_RUN.LOG

From my examples posted yesterday:

> 2007-07-02 01:59:23 thread 0: sys$getuai: %RMS-E-RNF, record not found
> 2007-07-02 01:59:23 thread 0: User account "canada" is invalid.
> 2007-07-02 01:59:23 thread 0: No such user "canada"
> 2007-07-02 01:59:40 thread 0: password supplied for "system" is incorrect.
> 2007-07-02 01:59:40 thread 0: Max # of authentication attempts exceeded.
> 2007-07-02 04:05:51 thread 0: read iosb: %SYSTEM-F-LINKDISCON, network partner d
> isconnected logical link
> 2007-07-02 04:05:52 thread 0: abnormal disconnect

Where is the source of the attempt ? I see no IP address there.
> If the target username exists, the login failure count is also
> incremented so that the user will be notified of the failures upon the
> next valid login.

Not in my universe:

Username: SYSTEM                     Owner:  Jean-François Mezei
Account:  SYSTEM                     UIC:    [1,4] ([SYSTEM])
CLI:      DCL                        Tables: DCLTABLES
<...>
Expiration:  (none)    Pwdminimum:  5    Login Fails:  0
Pwdlifetime: (none)    Pwdchange:   5-OCT-2006 01:02
Last Login:  25-JUN-2007 03:23 (interactive), 24-JUN-2007 00:31 (non-interactive)

------------------------------

Date: Mon, 02 Jul 2007 09:55:39 -0700
From: "mb301@hotmail.com"
Subject: VMSclusters and data replication
Message-ID: <1183395339.692659.35560@c77g2000hse.googlegroups.com>

Using OpenVMS 7.3-2

Looking for ways to replicate lots of data across from London To New
York
Would any sort of SAN software do the job?
I guess having nodeA in NY and nodeB in London In a cluster just isn't
going to work?
What about host based raid or volume shadowing?
Any ideas about the network pipe you can get?

------------------------------

Date: Mon, 02 Jul 2007 13:31:10 -0400
From: "Richard B. Gilbert"
Subject: Re: VMSclusters and data replication
Message-ID: <4689365E.5090208@comcast.net>

mb301@hotmail.com wrote:
> Using OpenVMS 7.3-2
>
> Looking for ways to replicate lots of data across from London To New
> York
> Would any sort of SAN software do the job?
> I guess having nodeA in NY and nodeB in London In a cluster just isn't
> going to work?
> What about host based raid or volume shadowing?
> Any ideas about the network pipe you can get?
>

Put it on an airplane and fly it across!

Seriously, you are talking about a minimum 3000 mile path and bandwidth
that would cost you a fortune if it were available which it probably is
not! The latency will almost certainly preclude volume shadowing even if
you could afford the bandwidth. And I hate to think about how a cluster
might perform with nodes 3000 miles apart.
OTOH, you can put a 300 GB disk in a FedEx (or equivalent) box and get
it across the pond for a fairly reasonable price and at a fairly
reasonable speed.

------------------------------

Date: Mon, 02 Jul 2007 17:53:19 GMT
From: "Colin Butcher"
Subject: Re: VMSclusters and data replication
Message-ID:

Just how deep are your (or your employer's) pockets?

Long distance low-latency high-bandwidth networks are not cheap.

At those distances the latency will kill a cluster / and host-based
volume shadowing. The latency will kill array based synchronous data
replication. It's not just latency per se - it's also the variation of
latency with respect to time. Wildly varying latency is a very bad
problem to deal with.

You're probably stuck with asynchronous data replication at array
controller level (if it's only a small amount of data that changes) or
else you're going to be intermittently copying files, or flying them
across.

Just how much data do you need to shift and what kind of time lag can
your applications tolerate between sites?

In general it's best to minimise what you have to shift and devise some
cunning mechanism within the applications at each end that shifts the
absolute minimum you can get away with as quickly as you can afford.
Expecting to do it at system platform level with a load of COTS software
over the top isn't going to hack it.

If you need design help then I'm sure that several people here
(including me) would be prepared to assist.

--
Cheers, Colin.
Legacy = Stuff that works properly!

------------------------------

Date: Mon, 2 Jul 2007 13:16:52 -0400
From: "warren sander"
Subject: Re: VTJ V10
Message-ID:

Ok, I created a new ps file. I ran it through a viewer for PS I found
here http://view.samurajdata.se/ just to make sure it worked. and that
viewer got it looking ok so I'm going to assume it's ok.

I used the 'generic postscript driver' from adobe.

I'm going to also ask paul for some help but he is out until next
monday.
-warren

"Paul Anderson" wrote in message
news:paul.anderson-E238EE.12191629062007@usenet01.boi.hp.com...
> Bart.Zorn@gmail.com wrote:
>
>> The PostScript version of the VTJ does not print on a HP8100 Series
>> printer using DCPS V2.5.
>
>> It hangs somewhere around page 11. We had to power cycle the printer
>> to get it operational again.
>
> Some printers have trouble printing this file, hanging after page 10.
>
> The file printed for me on a LaserJet 2300, 3052, 8150, 9000 and
> 9055mfp, and even a DEClaser 3500, but failed on a LaserJet 1320, P2015
> and 8000.
>
> It doesn't matter what type of queue is used. DCPS Raw, DCPS LPD,
> TCP/IP LPD and Telnet queues all failed when printing to certain
> printers.
>
> Paul
>
> --
> Paul Anderson
> OpenVMS Engineering
> Hewlett-Packard Company

------------------------------

End of INFO-VAX 2007.358
************************
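
The following is an added example, not code from any poster in this digest: it scans lines laid out like the TCPIP$POP_RUN.LOG excerpt quoted in the POP server thread and reports bursts of failed USER/PASS attempts. The five-minute window, the threshold of five, the line layout inferred from the excerpt, and the 03:10 sample lines are assumptions made for the demonstration; because the excerpt carries no client address, bursts are keyed on time and username only.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# The first five lines are copied from the log excerpt in the thread; the
# 03:10 burst is constructed for this example.
SAMPLE_LOG = """\
2007-07-02 01:59:23 thread 0: sys$getuai: %RMS-E-RNF, record not found
2007-07-02 01:59:23 thread 0: User account "canada" is invalid.
2007-07-02 01:59:23 thread 0: No such user "canada"
2007-07-02 01:59:40 thread 0: password supplied for "system" is incorrect.
2007-07-02 01:59:40 thread 0: Max # of authentication attempts exceeded.
2007-07-02 03:10:01 thread 1: No such user "administrator"
2007-07-02 03:10:03 thread 1: No such user "root"
2007-07-02 03:10:05 thread 2: password supplied for "system" is incorrect.
2007-07-02 03:10:07 thread 2: No such user "jones"
2007-07-02 03:10:09 thread 1: password supplied for "system" is incorrect.
2007-07-02 03:10:11 thread 1: password supplied for "system" is incorrect.
"""

# Line layout inferred from the excerpt (an assumption, not a documented format).
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) thread \d+: (.*)$")
FAILURES = {
    "unknown_user": re.compile(r'^No such user "([^"]*)"'),
    "bad_password": re.compile(r'^password supplied for "([^"]*)" is incorrect'),
}

def parse(text):
    """Yield (timestamp, kind, username) for every failed-authentication line."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for kind, rx in FAILURES.items():
            hit = rx.match(m.group(2))
            if hit:
                yield ts, kind, hit.group(1).lower()

def find_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Group failures into bursts: runs where >= threshold fall inside window."""
    recent, alerts, current = deque(), [], None
    for ev in events:
        recent.append(ev)
        while ev[0] - recent[0][0] > window:   # drop events older than the window
            recent.popleft()
        if len(recent) < threshold:
            current = None                      # any burst in progress has ended
            continue
        pending = [ev]
        if current is None:                     # burst starts: count the backlog too
            current = {"start": recent[0][0], "end": ev[0], "failures": 0,
                       "unknown_users": set(), "bad_password_for": set()}
            alerts.append(current)
            pending = list(recent)
        for ts, kind, user in pending:
            current["failures"] += 1
            current["end"] = ts
            key = "unknown_users" if kind == "unknown_user" else "bad_password_for"
            current[key].add(user)
    return alerts
```

`find_bursts(parse(SAMPLE_LOG))` returns one burst, from 03:10:01 to 03:10:11 with six failures; the two failures at 01:59 stay below the threshold.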