Firewalls on VMS


Hi,

A recent ITRC posting: -
http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1346612
got me wondering just what Firewall capabilities were currently available
for VMS.

You may recall the TCP/IP Services engineer's quote: -
"BTW, delivery of IPSEC also provides host-based firewall capability, which
is another important feature that would also be delayed if IPSEC is further
delayed."

So I'm just wondering what everyone is using today for their VMS firewalls?

Please advise.

Regards Richard Maher


0
Reply maher_rj (1626) 6/12/2009 2:49:23 PM

Richard Maher wrote:
> A recent ITRC posting: -
> http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1346612
> got me wondering just what Firewall capabilities were currently available
> for VMS.
> 
> You may recall the TCP/IP Services engineer's quote: -
> "BTW, delivery of IPSEC also provides host-based firewall capability, which
> is another important feature that would also be delayed if IPSEC is further
> delayed."
> 
> So I'm just wondering what everyone is using today for their VMS firewalls?

For servers you usually have a dedicated firewall (called "hardware
firewall") in front of the servers - no matter if it is VMS, Unix,
Linux, Windows, Z/OS or foobar.

For desktop PC's among users that don't know how to disable network
services it is quite popular to run some firewall software (called
"software firewall") on the box itself.

I can not imagine the last being relevant for VMS.

The "hardware firewall" of course also runs software but
usually a hardened *BSD or something. I guess VMS could
be used for such, but no vendor has gone that route.

Arne
0
Reply arne6 (9617) 6/12/2009 2:53:59 PM


On Jun 12, 9:49 am, "Richard Maher" <maher...@hotspamnotmail.com>
wrote:
> Hi,
>
> A recent ITRC posting: - http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId...
> got me wondering just what Firewall capabilities were currently available
> for VMS.
>
> You may recall the TCP/IP Services engineer's quote: -
> "BTW, delivery of IPSEC also provides host-based firewall capability, which
> is another important feature that would also be delayed if IPSEC is further
> delayed."
>
> So I'm just wondering what everyone is using today for their VMS firewalls?
>
> Please advise.
>
> Regards Richard Maher

Most commercial software firewalls designed to protect the system they
run on are toys.  They can provide some useful monitoring and logging
services, but they're still toys.  This does not include setups like a
Linux (or even in days past, a wintel) box running dedicated
firewalling software on a dedicated server; we used to run the
Altavista firewall 98 on a wintel box, and it was adequate.  I don't
know enough about IPSec to have an opinion on its firewall
capabilities or applicability.

DEC actually made a VMS software firewall at one time, but dropped
it.  It required dual ethernet interfaces so I never tried it (all I
had was two VAXstations at the time) so I have no idea of its
capabilities but it was apparently intended as a 'site' or border
firewall, not 'defend the VMS system I'm running on'.  For curiosity's
sake:  http://h18000.www1.hp.com/info/SP5626/SP5626PF.PDF?jumpid=reg_R1002_USEN

We use, and are overall happy with, Sonicwall firewalls.  At home I
have a Soho 3/25 and a TELE 2/10, pretty old but they do all I need
since there are no wintel boxes to protect there; just Macs and VMS.
I also scatter older retired units around to friends and family as
they come available; even the antiques are much better than not having
anything.

We have larger/newer boxes that do 'deep packet inspection' (which
makes the boxes "network security appliances" instead of mere
firewalls per the marketeers) at work and at customers, use the
Sonicwall-based IPSec VPN tunneling for customer support/access, and
the built in virus/malware scanning as an additional security layer to
help protect the petri-dish windows boxes from getting a nasty toenail
fungus.  Unfortunately, despite the 'standardization' of IPSec and the
PKI infrastructure, cross-vendor tunnel compatibility is hit-or-miss
to this day.  Plus I can't tunnel in with my iPhone.

It would be interesting to see if something could be made to work with
VMS IPSec and the Sonicwall tunnels... I had indicated that we wanted
IPSec on the recent poll (for application and specific needs) but the
ability to tunnel a VMS system to a Sonicwall via IPSec would be
another, and even more useful reason to have it in our case.
0
Reply jordan (1203) 6/12/2009 3:39:45 PM

In article <h0tpqf$fjb$1@news-01.bur.connect.com.au>, "Richard Maher" <maher_rj@hotspamnotmail.com> writes:
>Hi,
>
>A recent ITRC posting: -
>http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1346612
>got me wondering just what Firewall capabilities were currently available
>for VMS.
>
>You may recall the TCP/IP Services engineer's quote: -
>"BTW, delivery of IPSEC also provides host-based firewall capability, which
>is another important feature that would also be delayed if IPSEC is further
>delayed."
>
>So I'm just wondering what everyone is using today for their VMS firewalls?

Eets VMS!  We dunt need no steenkin' firewalls.

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

  http://www.quirkfactory.com/popart/asskey/eqn2.png
  
  "Well my son, life is like a beanstalk, isn't it?"
0
Reply VAXman 6/12/2009 4:17:38 PM


Richard Maher wrote:
> Hi,
> 
> A recent ITRC posting: -
> http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1346612
> got me wondering just what Firewall capabilities were currently available
> for VMS.
> 
> You may recall the TCP/IP Services engineer's quote: -
> "BTW, delivery of IPSEC also provides host-based firewall capability, which
> is another important feature that would also be delayed if IPSEC is further
> delayed."
> 
> So I'm just wondering what everyone is using today for their VMS firewalls?
> 
> Please advise.
> 
> Regards Richard Maher
> 
> 

All systems, no matter what O/S have a dedicated firewall between them
and the Internet. They provide all IPsec capabilities we use for all
systems so I really don't understand the big deal about OpenVMS not
having IPsec. I can't see how we would use it even if it was there.


Jeff Coffield
www.digitalsynergyinc.com
0
Reply Jeffrey 6/12/2009 5:21:39 PM

> > So I'm just wondering what everyone is using today for their VMS firewalls?
>

Both MultiNet and TCPware support packet filtering for firewall
capabilities on VMS.  Our corporate firewall is a VAX running TCPware
and its packet filtering.

In addition, a new feature, IPS, allows applications such as TELNET
and FTP to automatically create packet filter rules during Denial of
Service attacks or based upon other events as determined by the system
administrator.

Hunter
-------
Hunter Goatley, Process Software, http://www.process.com/
PreciseMail Anti-Spam for OpenVMS, Linux, Solaris, and Tru64
0
Reply hunter.goatley (15) 6/12/2009 5:27:44 PM

Richard Maher wrote:
> Hi,
> 
> A recent ITRC posting: -
> http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1346612
> got me wondering just what Firewall capabilities were currently available
> for VMS.
> 
> You may recall the TCP/IP Services engineer's quote: -
> "BTW, delivery of IPSEC also provides host-based firewall capability, which
> is another important feature that would also be delayed if IPSEC is further
> delayed."
> 
> So I'm just wondering what everyone is using today for their VMS firewalls?
> 
> Please advise.
> 
> Regards Richard Maher
> 
> 

LinkSys BEFSR81.  It's a router plus an eight port switch.  It will not 
allow any connection to be initiated from the public side.  This has 
proven adequate to protect our PCs, plus VMS and Solaris systems.

If I had to allow connections to be initiated from outside, things would 
get a lot more complicated!
0
Reply rgilbert88 (4368) 6/12/2009 8:34:04 PM

On Jun 12, 9:34 pm, "Richard B. Gilbert" <rgilber...@comcast.net>
wrote:
> Richard Maher wrote:
> > Hi,
>
> > A recent ITRC posting: -
> >http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId...
> > got me wondering just what Firewall capabilities were currently available
> > for VMS.
>
> > You may recall the TCP/IP Services engineer's quote: -
> > "BTW, delivery of IPSEC also provides host-based firewall capability, which
> > is another important feature that would also be delayed if IPSEC is further
> > delayed."
>
> > So I'm just wondering what everyone is using today for their VMS firewalls?
>
> > Please advise.
>
> > Regards Richard Maher
>
> LinkSys BEFSR81.  It's a router plus an eight port switch.  It will not
> allow any connection to be initiated from the public side.  This has
> proven adequate to protect our PCs, plus VMS and Solaris systems.
>
> If I had to allow connections to be initiated from outside, things would
> get a lot more complicated!


Running a firewall on a VMS system seems to me a waste of resources.
I would rather my VMS system was doing something useful and have a
dedicated firewall system. At home I have a NetGear firewall/router/
modem combo which is fine.

At work there are dedicated network boxes that do firewall, routing
and so on.
If a secure link is needed then a dedicated box doing IPSEC is
deployed rather than the host system having to deal with that.
0
Reply gxys (789) 6/12/2009 10:11:39 PM

IanMiller wrote:
> On Jun 12, 9:34 pm, "Richard B. Gilbert" <rgilber...@comcast.net>
> wrote:
>> LinkSys BEFSR81.  It's a router plus an eight port switch.  It will not
>> allow any connection to be initiated from the public side.  This has
>> proven adequate to protect our PCs, plus VMS and Solaris systems.
>>
>> If I had to allow connections to be initiated from outside, things would
>> get a lot more complicated!
> 
> running a firewall on a VMS system seems to me a waste of resources.
> I would rather my VMS system was doing something useful and have a
> dedicated firewall system. At home I have a NetGear firewall/router/
> modem combo which is fine.

 >At work there are dedicated network boxes that do firewall, routing
 >and so on.

LinkSys, NetGear, D-Link etc. are fine for home.

For a VMS production system I would expect something a couple
of classes higher like one of the Cisco ASA models.

Arne
0
Reply arne6 (9617) 6/13/2009 12:47:11 AM

Hi Ian,

> running a firewall on a VMS system seems to me a waste of resources.
So I guess frugal you is not running any of the (not 1, not 2, not 3, but
*FOUR*) web-browsers on VMS either?

But I agree that a Firewall should be on a dedicated box; it's just a shame
that you have automatically and deliberately excluded VMS from that
function. (Yes, for those without TCPware or Multinet) Or perhaps you think
Hunter Goatley some sort of misguided peanut?

> If a secure link is needed then a dedicated box doing IPSEC is
> deployed rather than the host system having to deal with that.

Good. So we won't be needing any of that silly SSL stuff then either! Once
you're inside the firewall, just send everything around in the clear; Ian
Miller said it's OK.

Cheers Richard Maher

PS. I bet you're using your ambassadorship to protest most strongly at the
continued employment of those in TCP/IP services that have squandered
millions on IPsec? Can't let any decisions like that sneak through again!
But aren't we all gagging for clusters over IP - not.

"IanMiller" <gxys@uk2.net> wrote in message
news:9478daab-c2f7-4483-a920-b84c226841a1@c36g2000yqn.googlegroups.com...
On Jun 12, 9:34 pm, "Richard B. Gilbert" <rgilber...@comcast.net>
wrote:
> Richard Maher wrote:
> > Hi,
>
> > A recent ITRC posting: -
> >http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId...
> > got me wondering just what Firewall capabilities were currently available
> > for VMS.
>
> > You may recall the TCP/IP Services engineer's quote: -
> > "BTW, delivery of IPSEC also provides host-based firewall capability, which
> > is another important feature that would also be delayed if IPSEC is further
> > delayed."
>
> > So I'm just wondering what everyone is using today for their VMS firewalls?
>
> > Please advise.
>
> > Regards Richard Maher
>
> LinkSys BEFSR81. It's a router plus an eight port switch. It will not
> allow any connection to be initiated from the public side. This has
> proven adequate to protect our PCs, plus VMS and Solaris systems.
>
> If I had to allow connections to be initiated from outside, things would
> get a lot more complicated!


running a firewall on a VMS system seems to me a waste of resources.
I would rather my VMS system was doing something useful and have a
dedicated firewall system. At home I have a NetGear firewall/router/
modem combo which is fine.

At work there are dedicated network boxes that do firewall, routing
and so on.
If a secure link is needed then a dedicated box doing IPSEC is
deployed rather than the host system having to deal with that.


0
Reply maher_rj (1626) 6/13/2009 1:25:35 AM

On Jun 13, 2:25 am, "Richard Maher" <maher...@hotspamnotmail.com>
wrote:
> Hi Ian,
>
> > running a firewall on a VMS system seems to me a waste of resources.
>
> So I guess frugal you is not running any of the (not 1, not 2, not 3, but
> *FOUR*) web-browsers on VMS either?
>
> But I agree that a Firewall should be on a dedicated box; it's just a shame
> that you have automatically and deliberately excluded VMS from that
> function. (Yes, for those without TCPware or Multinet) Or perhaps you think
> Hunter Goatley some sort of misguided peanut?
>
> > If a secure link is needed then a dedicated box doing IPSEC is
> > deployed rather than the host system having to deal with that.
>
> Good. So we won't be needing any of that silly SSL stuff then either! Once
> you're inside the firewall, just send everything around in the clear; Ian
> Miller said it's OK.
>
> Cheers Richard Maher
>
> PS. I bet you're using your ambassadorship to protest most strongly at the
> continued employment of those in TCP/IP services that have squandered
> millions on IPsec? Can't let any decisions like that sneak through again!
> But aren't we all gagging for clusters over IP - not.
>
> "IanMiller" <g...@uk2.net> wrote in message
>
> news:9478daab-c2f7-4483-a920-b84c226841a1@c36g2000yqn.googlegroups.com...
> On Jun 12, 9:34 pm, "Richard B. Gilbert" <rgilber...@comcast.net>
> wrote:
>
> > Richard Maher wrote:
> > > Hi,
>
> > > A recent ITRC posting: -
> > >http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId....
> > > got me wondering just what Firewall capabilities were currently available
> > > for VMS.
>
> > > You may recall the TCP/IP Services engineer's quote: -
> > > "BTW, delivery of IPSEC also provides host-based firewall capability, which
> > > is another important feature that would also be delayed if IPSEC is further
> > > delayed."
>
> > > So I'm just wondering what everyone is using today for their VMS firewalls?
>
> > > Please advise.
>
> > > Regards Richard Maher
>
> > LinkSys BEFSR81. It's a router plus an eight port switch. It will not
> > allow any connection to be initiated from the public side. This has
> > proven adequate to protect our PCs, plus VMS and Solaris systems.
>
> > If I had to allow connections to be initiated from outside, things would
> > get a lot more complicated!
>
> running a firewall on a VMS system seems to me a waste of resources.
> I would rather my VMS system was doing something useful and have a
> dedicated firewall system. At home I have a NetGear firewall/router/
> modem combo which is fine.
>
> At work there are dedicated network boxes that do firewall, routing
> and so on.
> If a secure link is needed then a dedicated box doing IPSEC is
> deployed rather than the host system having to deal with that.


Personally I don't run any web browsers on VMS but that's just me.
Some do. Perhaps the development of the web browsers helps with
something else.

There are lots of people wanting clusters over ip and shadow sets with
more than three members.
There are some people that want IPSEC. Even some who want IPV6
0
Reply gxys (789) 6/13/2009 9:56:16 AM

On Jun 12, 6:17 pm, VAXman-  @SendSpamHere.ORG wrote:
> In article <h0tpqf$fj...@news-01.bur.connect.com.au>, "Richard Maher" <maher...@hotspamnotmail.com> writes:
>
> >Hi,
>
> >A recent ITRC posting: -
> >http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId...
> >got me wondering just what Firewall capabilities were currently available
> >for VMS.
>
> >You may recall the TCP/IP Services engineer's quote: -
> >"BTW, delivery of IPSEC also provides host-based firewall capability, which
> >is another important feature that would also be delayed if IPSEC is further
> >delayed."
>
> >So I'm just wondering what everyone is using today for their VMS firewalls?
>
> Eets VMS!  We dunt need no steenkin' firewalls.
>
> --
> VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG
>
>  http://www.quirkfactory.com/popart/asskey/eqn2.png
>
>   "Well my son, life is like a beanstalk, isn't it?"

Though not exactly a firewall, one of my VMS systems is configured on
the ADSL router as the destination node to which all inbound requests
are sent that were targeted at the outside IP address.
If the system is on line it logs a couple of telnet, ftp and
occasional http requests per week. Although the frequency seems to
increase slowly but steadily.
The system has been running that way for several years now and I've
yet to see the first successful attempt to log on.
Hans
0
Reply hvlems (896) 6/13/2009 10:27:10 AM

H Vlems wrote:

> If the system is on line it logs a couple of telnet, ftp and
> occasional http requests per week. Although the frequency seems to
> increase slowly but steadily.


If you enable SSH, you will find a huge amount of connection attempts.
People don't bother with telnet break in attempts because so few sites
have telnet enabled.
0
Reply jfmezei.spamnot (8965) 6/13/2009 11:05:17 AM

H Vlems wrote:
> [...snip...]
> 
> Though not exactly a firewall, one of my VMS systems is configured on
> the ADSL router as the destination node to which all inbound requests
> are sent that were targeted at the outside IP address.
> If the system is on line it logs a couple of telnet, ftp and
> occasional http requests per week. Although the frequency seems to
> increase slowly but steadily.
> The system has been running that way for several years now and I've
> yet to see the first successful attempt to log on.

If you have 2 (or more) Ethernet adapters, consider running
a Teergrube ("tar pit").

I do this occasionally ... such fun :-)
0
Reply Roy.Omond (379) 6/13/2009 11:26:39 AM

On Jun 12, 4:34 pm, "Richard B. Gilbert" <rgilber...@comcast.net>
wrote:
> Richard Maher wrote:
> > Hi,
>
> > A recent ITRC posting: -
> >http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId...
> > got me wondering just what Firewall capabilities were currently available
> > for VMS.
>
> > You may recall the TCP/IP Services engineer's quote: -
> > "BTW, delivery of IPSEC also provides host-based firewall capability, which
> > is another important feature that would also be delayed if IPSEC is further
> > delayed."
>
> > So I'm just wondering what everyone is using today for their VMS firewalls?
>
> > Please advise.
>
> > Regards Richard Maher
>
> LinkSys BEFSR81.  It's a router plus an eight port switch.  It will not
> allow any connection to be initiated from the public side.  This has
> proven adequate to protect our PCs, plus VMS and Solaris systems.
>
> If I had to allow connections to be initiated from outside, things would
> get a lot more complicated!

True but that is a very old product. I use a LinkSys WRT300N and it
will allow you to open connections from the public side.

NSR
0
Reply n.rieck (1986) 6/13/2009 11:31:05 AM

In article
<9f2e3bfe-16f5-4e63-811c-252da8716720@k38g2000yqh.googlegroups.com>,
IanMiller <gxys@uk2.net> writes: 

> Personally I don't run any web browsers on VMS but that's just me.
> Some do. Perhaps the development of the web browsers helps with
> something else.

It's nice to have a web browser on the VMS system so that one can cut 
and paste into/from DECterms, save or upload files from the local disk 
etc.

> There are lots of people wanting clusters over ip and shadow sets with
> more than three members.

Very interesting developments which I'm sure many people will make use 
of.

> There are some people that want IPSEC. Even some who want IPV6

:-)

I don't really see the point of running a firewall on VMS.  If the 
alternative were having to run another "computer" with "OS", then, yes, 
I see the point, but most firewalls are integrated into routers etc and 
need to be upgraded etc much less often than "real" computers.

0
Reply helbig (4924) 6/13/2009 11:33:38 AM

On Jun 12, 8:47 pm, Arne Vajhøj <a...@vajhoej.dk> wrote:
> IanMiller wrote:
> > On Jun 12, 9:34 pm, "Richard B. Gilbert" <rgilber...@comcast.net>
> > wrote:
> >> LinkSys BEFSR81.  It's a router plus an eight port switch.  It will not
> >> allow any connection to be initiated from the public side.  This has
> >> proven adequate to protect our PCs, plus VMS and Solaris systems.
>
> >> If I had to allow connections to be initiated from outside, things would
> >> get a lot more complicated!
>
> > running a firewall on a VMS system seems to me a waste of resources.
> > I would rather my VMS system was doing something useful and have a
> > dedicated firewall system. At home I have a NetGear firewall/router/
> > modem combo which is fine.
>
>  >At work there are dedicated network boxes that do firewall, routing
>  >and so on.
>
> LinkSys, NetGear, D-Link etc. are fine for home.
>
> For a VMS production system I would expect something a couple
> of classes higher like one of the Cisco ASA models.
>
> Arne

True but back in the day, a base-model PIX Firewall from Cisco would
cost around $6k. At that same time, Linksys was bringing out products
20 times cheaper ($300). Cisco wanted to stay in this business so
purchased Linksys then got them to manufacture a broader range of
firewall appliances.

NSR
0
Reply n.rieck (1986) 6/13/2009 11:35:16 AM

In article
<037da27d-462b-453b-96b2-c93da57df5d6@r33g2000yqn.googlegroups.com>, H
Vlems <hvlems@freenet.de> writes: 

> Though not exactly a firewall, one of my VMS systems is configured on
> the ADSL router as the destination node to which all inbound requests
> are sent that were targeted at the outside IP address.
> If the system is on line it logs a couple of telnet, ftp and
> occasional http requests per week. Although the frequency seems to
> increase slowly but steadily.
> The system has been running that way for several years now and I've
> yet to see the first successful attempt to log on.

Same here.  I used to have all ports closed by default to connections 
originating from outside, opening up only those that I needed.  When I 
had to replace a failed router quickly, I just set up my TCPIP cluster 
alias as the "exposed host".  No problems.  Yes, I see the occasional 
login attempt, but usually via channels I want open so that I can log in 
from outside, so a firewall wouldn't fix that.

What a firewall would do would stop the requests to ports on which 
nothing is listening from coming through at all.  That would reduce the 
load on my machines, but that is not an issue.  Also, if the port is 
blocked at the router, some scripts might just move on rather than 
sending more junk.

0
Reply helbig (4924) 6/13/2009 11:37:48 AM

In article <0014c692$0$6100$c3e8da3@news.astraweb.com>, JF Mezei
<jfmezei.spamnot@vaxination.ca> writes: 

> H Vlems wrote:
> 
> > If the system is on line it logs a couple of telnet, ftp and
> > occasional http requests per week. Although the frequency seems to
> > increase slowly but steadily.
> 
> If you enable SSH, you will find a huge amount of connection attempts.

Yes, I see these as well.  More than in the past.  Still see telnet and 
ftp attempts as well.

0
Reply helbig (4924) 6/13/2009 11:38:24 AM

On Jun 13, 7:05=A0am, JF Mezei <jfmezei.spam...@vaxination.ca> wrote:
> H Vlems wrote:
> > If the system is on line it logs a couple of telnet, ftp and
> > occasional http requests per week. Although the frequency seems to
> > increase slowly but steadily.
>
> If you enable SSH, you will find a huge amount of connection attempts.
> People don't bother with telnet break in attempts because so few sites
> have telnet enabled.

True. I am seeing SSH dictionary attacks coming from all over the
world (this week they came from Brazil and China)

Neil Rieck
Kitchener/Waterloo/Cambridge,
Ontario, Canada.
http://www3.sympatico.ca/n.rieck/

0
Reply n.rieck (1986) 6/13/2009 11:41:08 AM

In article <h0uv3a$l9r$1@news-01.bur.connect.com.au>, "Richard Maher" <maher_rj@hotspamnotmail.com> writes:
>Hi Ian,
>
>> running a firewall on a VMS system seems to me a waste of resources.
>So I guess frugal you is not running any of the (not 1, not 2, not 3, but
>*FOUR*) web-browsers on VMS either?
>
>But I agree that a Firewall should be on a dedicated box; it's just a shame
>that you have automatically and deliberately excluded VMS from that
>function. (Yes, for those without TCPware or Multinet) Or perhaps you think
>Hunter Goatley some sort of misguided peanut?
>
>> If a secure link is needed then a dedicated box doing IPSEC is
>> deployed rather than the host system having to deal with that.
>
>Good. So we won't be needing any of that silly SSL stuff then either! Once
>you're inside the firewall, just send everything around in the clear; Ian
>Miller said it's OK.

I do everything ssh these days -- inside and out.  No accounts on my
systems have /REMOTE and telnet doesn't run on my boxes.  Save for a
few things I may copy across the intranet from VMS to VMS with DECnet
copy, everything is secure ssh and or sftp.

Systems that must share data over the internet tunnel that data via
ssh tunnels setup with hostkeys so that a scripted login can
instantiate the necessary tunnels.  No plain-text passwords stored in
any files, scripts or procedures.

While intranets may be securer than internet (and in my cases, it's
mostly only me on the intranet), I'd still use the secure protocols
whenever possible.

One nice thing about sftp is that I can "put" a binary file without
having to remember to set mode to image or binary.  I can't tell you
how many times I've transferred an image (photo) and forgot to set 
mode to binary.

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

  http://www.quirkfactory.com/popart/asskey/eqn2.png
  
  "Well my son, life is like a beanstalk, isn't it?"
0
Reply VAXman 6/13/2009 12:39:05 PM

In article <0014c692$0$6100$c3e8da3@news.astraweb.com>, JF Mezei <jfmezei.spamnot@vaxination.ca> writes:
>H Vlems wrote:
>
>> If the system is on line it logs a couple of telnet, ftp and
>> occasional http requests per week. Although the frequency seems to
>> increase slowly but steadily.
>
>
>If you enable SSH, you will find a huge amount of connection attempts.
>People don't bother with telnet break in attempts because so few sites
>have telnet enabled.

D'oh! DO NOT RUN SSH ON THE DEFAULT PORT 22!!!

For TCPIP Services:

$ TCPIP DISABLE SERVICE SSH
$ DEFINE SYS$INPUT SYS$COMMAND
$ TCPIP SET NOSERVICE SSH
$ TCPIP SET SERVICE SSH/PORT={not port 22}/PROCESS=TCPIP$SSH/USER=TCPIP$SSH-
  /FILE=TCPIP$SYSTEM:TCPIP$SSH_RUN.COM/PROTOCOL=TCP [/LIMIT={some limit}]
$ TCPIP ENABLE SERVICE SSH

The optional /LIMIT={some limit} will stop the generation of ssh processes
if there is a port scan that triggers them.  A minor inconvenience if you
need to login at that moment but it sure saves system resources for those
users and processes already running on the system.

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

  http://www.quirkfactory.com/popart/asskey/eqn2.png
  
  "Well my son, life is like a beanstalk, isn't it?"
0
Reply VAXman 6/13/2009 12:53:22 PM

In article <h1033g$4h5$3@online.de>,
 helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to 
 reply) wrote:

> In article <0014c692$0$6100$c3e8da3@news.astraweb.com>, JF Mezei
> <jfmezei.spamnot@vaxination.ca> writes: 
> 
> > H Vlems wrote:
> > 
> > > If the system is on line it logs a couple of telnet, ftp and
> > > occasional http requests per week. Although the frequency seems to
> > > increase slowly but steadily.
> > 
> > If you enable SSH, you will find a huge amount of connection attempts.
> 
> Yes, I see these as well.  More than in the past.  Still see telnet and 
> ftp attempts as well.

Incidentally, once I stopped running my Alpha as a webserver with a 
publicly advertised address, the number of attempts dropped off.  When 
my DHCP address changed (which doesn't happen very often) they dropped 
off dramatically.

Pity the Dreambox owner who got my old dyndns name ...

-- 
Paul Sture
0
Reply paul.sture.nospam (2312) 6/13/2009 3:11:57 PM

In article <00A8CF8C.DECFB7E5@SendSpamHere.ORG>,
 VAXman-  @SendSpamHere.ORG wrote:

> In article <0014c692$0$6100$c3e8da3@news.astraweb.com>, JF Mezei 
> <jfmezei.spamnot@vaxination.ca> writes:
> >H Vlems wrote:
> >
> >> If the system is on line it logs a couple of telnet, ftp and
> >> occasional http requests per week. Although the frequency seems to
> >> increase slowly but steadily.
> >
> >
> >If you enable SSH, you will find a huge amount of connection attempts.
> >People don't bother with telnet break in attempts because so few sites
> >have telnet enabled.
> 
> D'oh! DO NOT RUN SSH ON THE DEFAULT PORT 22!!!
> 
> For TCPIP Services:
> 
> $ TCPIP DISABLE SERVICE SSH
> $ DEFINE SYS$INPUT SYS$COMMAND
> $ TCPIP SET NOSERVICE SSH
> $ TCPIP SET SERVICE SSH/PORT={not port 22}/PROCESS=TCPIP$SSH/USER=TCPIP$SSH-
>   /FILE=TCPIP$SYSTEM:TCPIP$SSH_RUN.COM/PROTOCOL=TCP [/LIMIT={some limit}]
> $ TCPIP ENABLE SERVICE SSH
> 
> The optional /LIMIT={some limit} will stop the generation of ssh processes
> if there is a port scan that triggers them.  A minor inconvenience if you
> need to login at that moment but it sure saves system resources for those
> users and processes already running on the system.

I'll second that advice, which VAXman gave me several years ago, so I 
can say that it is effective.

-- 
Paul Sture
0
Reply paul.sture.nospam (2312) 6/13/2009 3:15:29 PM

H Vlems wrote:
> On Jun 12, 6:17 pm, VAXman-  @SendSpamHere.ORG wrote:
>> In article <h0tpqf$fj...@news-01.bur.connect.com.au>, "Richard Maher" <maher...@hotspamnotmail.com> writes:
>>
>>> Hi,
>>> A recent ITRC posting: -
>>> http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId...
>>> got me wondering just what Firewall capabilities were currently available
>>> for VMS.
>>> You may recall the TCP/IP Services engineer's quote: -
>>> "BTW, delivery of IPSEC also provides host-based firewall capability, which
>>> is another important feature that would also be delayed if IPSEC is further
>>> delayed."
>>> So I'm just wondering what everyone is using today for their VMS firewalls?
>> Eets VMS!  We dunt need no steenkin' firewalls.
>>
>> --
>> VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG
>>
>>  http://www.quirkfactory.com/popart/asskey/eqn2.png
>>
>>   "Well my son, life is like a beanstalk, isn't it?"
> 
> Though not exactly a firewall, one of my VMS systems is configured on
> the ADSL router as the destination node to which all inbound requests
> are sent that were targeted at the outside IP address.
> If the system is on line it logs a couple of telnet, ftp and
> occasional http requests per week. Although the frequency seems to
> increase slowly but steadily.
> The system has been running that way for several years now and I've
> yet to see the first successful attempt to log on.
> Hans

My router logs at least three connection attempts per minute, hour after 
hour and day after day.  Since none of them is a response to anything 
sent out, they wind up in the bit bucket.

I suppose some of them are just fumble fingers.  I'd bet that most of 
them are "distributed port scans", a term I just coined.  Rather than 
attempting to connect to the same IP address with ports 1, 2, 3, 4, ...
they try port 1 on a thousand IP addresses, then port 2 on the same 
list, port 3, . . . .
0
Reply rgilbert88 (4368) 6/13/2009 3:30:47 PM

Neil Rieck wrote:
> On Jun 12, 4:34 pm, "Richard B. Gilbert" <rgilber...@comcast.net>
> wrote:
>> Richard Maher wrote:
>>> Hi,
>>> A recent ITRC posting: -
>>> http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId...
>>> got me wondering just what Firewall capabilities were currently available
>>> for VMS.
>>> You may recall the TCP/IP Services engineer's quote: -
>>> "BTW, delivery of IPSEC also provides host-based firewall capability, which
>>> is another important feature that would also be delayed if IPSEC is further
>>> delayed."
>>> So I'm just wondering what everyone is using today for their VMS firewalls?
>>> Please advise.
>>> Regards Richard Maher
>> LinkSys BEFSR81.  It's a router plus an eight port switch.  It will not
>> allow any connection to be initiated from the public side.  This has
>> proven adequate to protect our PCs, plus VMS and Solaris systems.
>>
>> If I had to allow connections to be initiated from outside, things would
>> get a lot more complicated!
> 
> True but that is a very old product. I use a LinkSys WRT300N and it
> will allow you to open connections from the public side.
> 

Remind me not to buy one!

I've had the BEFSR81 for several years now, since I first got broadband 
cable.  I even have a spare!

I suppose I could spend a lot of money and get something better but I 
can't see any point; what I have gets the job done!

0
Reply rgilbert88 (4368) 6/13/2009 3:36:53 PM

I don't understand what all the fuss is about.

Like Hans, for many years I have been running the same setup which
he outlined, using cheap commodity routers on both a VAX and
an Integrity server. Both Telnet and FTP ports have been open for
external access and although I have often seen breakin attempts
none were ever successful. We did not run any web or mailserver
facilities (All breakin attempts were trying to login using typical
Windows/Linux credentials e.g. Username ADMINISTRATOR).
Don't forget we are dealing with OpenVMS here, not Windows.

In my opinion, even a naked OpenVMS system is much more
secure than the best fortified Windows or Linux platform. Let's not
forget that the current generation of hackers and scriptkiddies have
no idea what OpenVMS is about. Attacks focus on Windows
and Linux platforms. When it comes to servers, it pays to be
unpopular......

JohnC

On Jun 13, 6:27 am, H Vlems <hvl...@freenet.de> wrote:
> On Jun 12, 6:17 pm, VAXman-  @SendSpamHere.ORG wrote:
>
> > In article <h0tpqf$fj...@news-01.bur.connect.com.au>, "Richard Maher" <maher...@hotspamnotmail.com> writes:
>
> > >Hi,
>
> > >A recent ITRC posting: -
> > >http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId....
> > >got me wondering just what Firewall capabilities were currently available
> > >for VMS.
>
> > >You may recall the TCP/IP Services engineer's quote: -
> > >"BTW, delivery of IPSEC also provides host-based firewall capability, which
> > >is another important feature that would also be delayed if IPSEC is further
> > >delayed."
>
> > >So I'm just wondering what everyone is using today for their VMS firewalls?
>
> > Eets VMS!  We dunt need no steenkin' firewalls.
>
> > --
> > VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG
>
> >  http://www.quirkfactory.com/popart/asskey/eqn2.png
>
> >   "Well my son, life is like a beanstalk, isn't it?"
>
> Though not exactly a firewall, one of my VMS systems is configured on
> the ADSL router as the destination node to which all inbound requests
> are sent that were targeted at the outside IP address.
> If the system is on line it logs a couple of telnet, ftp and
> occasional http requests per week. Although the frequency seems to
> increase slowly but steadily.
> The system has been running that way for several years now and I've
> yet to see the first successful attempt to log on.
> Hans

0
Reply thecookson (15) 6/13/2009 4:10:57 PM

JC schrieb:
> I don't understand what all the fuss is about.
> 
> Like Hans, for many years I have been running the same setup which
> he outlined, using cheap commodity routers on both a VAX and
> an Integrity server. Both Telnet and FTP ports have been open for
> external access and although I have often seen breakin attempts
> none were ever successful. 

Or they went unnoticed.

> We did not run any web or mailserver
> facilities (All breakin attempts were trying to login using typical
> Windows/Linux credentials e.g. Username ADMINISTRATOR).
> Don't forget we are dealing with OpenVMS here, not Windows.

In this case, they would have used FIELD or SYSTEST, no?

> In my opinion, even a naked OpenVMS system is much more
> secure than the best fortified Windows or Linux platform. 

So what is VMS' current security certification,
compared to Linux/Windows?

> Let's not
> forget that the current generation of hackers and scriptkiddies have
> no idea what OpenVMS is about. Attacks focus on Windows
> and Linux platforms. When it comes to servers, it pays to be
> unpopular......

Well, depends. Being unpopular to hackers means being unpopular
to the rest of the IT world as well.

0
Reply M.Kraemer (1982) 6/13/2009 6:23:23 PM

On Jun 13, 1:26 pm, "R.A.Omond" <Roy.Om...@BlueBubble.UK.Com> wrote:
> H Vlems wrote:
> > [...snip...]
>
> > Though not exactly a firewall, one of my VMS systems is configured on
> > the ADSL router as the destination node to which all inbound requests
> > are sent that were targeted at the outside IP address.
> > If the system is on line it logs a couple of telnet, ftp and
> > occasional http requests per week. Although the frequency seems to
> > increase slowly but steadily.
> > The system has been running that way for several years now and I've
> > yet to see the first successful attempt to log on.
>
> If you have 2 (or more) Ethernet adapters, consider running
> a Teergrube ("tar pit").
>
> I do this occasionally ... such fun :-)

There's a book on computer security with a case study where a couple
of system administrators did do that.
IIRC the hacker was called Berferd and he tried to get into a unix
system (at AT&T !). The admins had great fun but got
a tap on the wrist because playing with unwelcome visitors was not
nice...
0
Reply hvlems (896) 6/13/2009 6:27:19 PM

On Jun 13, 2:53 pm, VAXman-  @SendSpamHere.ORG wrote:
> In article <0014c692$0$6100$c3e8...@news.astraweb.com>, JF Mezei <jfmezei.spam...@vaxination.ca> writes:
>
> >H Vlems wrote:
>
> >> If the system is on line it logs a couple of telnet, ftp and
> >> occasional http requests per week. Although the frequency seems to
> >> increase slowly but steadily.
>
> >If you enable SSH, you will find a huge amount of connection attempts.
> >People don't bother with telnet break in attempts because so few sites
> >have telnet enabled.
>
> D'oh! DO NOT RUN SSH ON THE DEFAULT PORT 22!!!
>
> For TCPIP Services:
>
> $ TCPIP DISABLE SERVICE SSH
> $ DEFINE SYS$INPUT SYS$COMMAND
> $ TCPIP SET NOSERVICE SSH
> $ TCPIP SET SERVICE SSH/PORT={not port 22}/PROCESS=TCPIP$SSH/USER=TCPIP$SSH-
>   /FILE=TCPIP$SYSTEM:TCPIP$SSH_RUN.COM/PROTOCOL=TCP [/LIMIT={some limit}]
> $ TCPIP ENABLE SERVICE SSH
>
> The optional /LIMIT={some limit} will stop the generation of ssh processes
> if there is a port scan that triggers them.  A minor inconvenience if you
> need to login at that moment but it sure saves system resources for those
> users and processes already running on the system.
>
> --
> VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG
>
>  http://www.quirkfactory.com/popart/asskey/eqn2.png
>
>   "Well my son, life is like a beanstalk, isn't it?"

My days of innocence are over.... Up to now all I used internally was
LAT and occasionally telnet.
The above example suits me fine, I'll switch to ssh.
Thanks Brian!
0
Reply hvlems (896) 6/13/2009 6:32:27 PM

On Jun 13, 6:10 pm, JC <thecook...@gmail.com> wrote:
> I don't understand what all the fuss is about.
>
> Like Hans, for many years I have been running the same setup which
> he outlined, using cheap commodity routers on both a VAX and
> an Integrity server. Both Telnet and FTP ports have been open for
> external access and although I have often seen breakin attempts
> none were ever successful. We did not run any web or mailserver
> facilities (All breakin attempts were trying to login using typical
> Windows/Linux credentials e.g. Username ADMINISTRATOR).
> Don't forget we are dealing with OpenVMS here, not Windows.
>
> In my opinion, even a naked OpenVMS system is much more
> secure than the best fortified Windows or Linux platform. Let's not
> forget that the current generation of hackers and scriptkiddies have
> no idea what OpenVMS is about. Attacks focus on Windows
> and Linux platforms. When it comes to servers, it pays to be
> unpopular......
>
> JohnC
>
> On Jun 13, 6:27 am, H Vlems <hvl...@freenet.de> wrote:
>
> > On Jun 12, 6:17 pm, VAXman-  @SendSpamHere.ORG wrote:
>
> > > In article <h0tpqf$fj...@news-01.bur.connect.com.au>, "Richard Maher" <maher...@hotspamnotmail.com> writes:
>
> > > >Hi,
>
> > > >A recent ITRC posting: -
> > > >http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId...
> > > >got me wondering just what Firewall capabilities were currently available
> > > >for VMS.
>
> > > >You may recall the TCP/IP Services engineer's quote: -
> > > >"BTW, delivery of IPSEC also provides host-based firewall capability, which
> > > >is another important feature that would also be delayed if IPSEC is further
> > > >delayed."
>
> > > >So I'm just wondering what everyone is using today for their VMS firewalls?
>
> > > Eets VMS!  We dunt need no steenkin' firewalls.
>
> > > --
> > > VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG
>
> > >  http://www.quirkfactory.com/popart/asskey/eqn2.png
>
> > >   "Well my son, life is like a beanstalk, isn't it?"
>
> > Though not exactly a firewall, one of my VMS systems is configured on
> > the ADSL router as the destination node to which all inbound requests
> > are sent that were targeted at the outside IP address.
> > If the system is on line it logs a couple of telnet, ftp and
> > occasional http requests per week. Although the frequency seems to
> > increase slowly but steadily.
> > The system has been running that way for several years now and I've
> > yet to see the first successful attempt to log on.
> > Hans

Occasionally I run ACCOUNTING and look for login failures. All of them
(beside my own typos) have no usercode listed.
I've always assumed they're simple port scans, i.e. a range of ip
addresses is scanned for activity on one port only.
0
Reply hvlems (896) 6/13/2009 6:38:00 PM
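
The scan pattern described in the two posts above (one port tried across a range of addresses, rather than many ports on one address) can be told apart from a per-host port sweep in a router's drop log. The following is an added example, not code from any poster in this thread; the log format, thresholds and addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format: "<timestamp> DROP src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^\S+ DROP src=(\S+) dst=(\S+) dport=(\d+)$")

# Assumed thresholds; tune them to the size of the monitored address block.
MIN_HOSTS_HORIZONTAL = 3   # one port probed on at least this many of our hosts
MIN_PORTS_VERTICAL = 5     # at least this many ports probed on a single host

# Constructed sample: a small public block 203.0.113.1-4 behind one router.
SAMPLE_LOG = """\
2009-06-13T15:30:01 DROP src=198.51.100.7 dst=203.0.113.1 dport=22
2009-06-13T15:30:01 DROP src=198.51.100.7 dst=203.0.113.2 dport=22
2009-06-13T15:30:02 DROP src=198.51.100.7 dst=203.0.113.3 dport=22
2009-06-13T15:30:02 DROP src=198.51.100.7 dst=203.0.113.4 dport=22
2009-06-13T15:31:10 DROP src=198.51.100.99 dst=203.0.113.2 dport=21
2009-06-13T15:31:10 DROP src=198.51.100.99 dst=203.0.113.2 dport=22
2009-06-13T15:31:11 DROP src=198.51.100.99 dst=203.0.113.2 dport=23
2009-06-13T15:31:11 DROP src=198.51.100.99 dst=203.0.113.2 dport=25
2009-06-13T15:31:12 DROP src=198.51.100.99 dst=203.0.113.2 dport=80
2009-06-13T15:31:12 DROP src=198.51.100.99 dst=203.0.113.2 dport=110
2009-06-13T15:40:00 DROP src=192.0.2.50 dst=203.0.113.2 dport=23
this line is malformed and must be skipped
""".splitlines()


def parse(lines):
    """Yield (src, dst, dport) for each well-formed line; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def classify(lines):
    """Label each source 'horizontal', 'vertical', 'both' or 'unclassified'."""
    hosts_by_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_by_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, dport in parse(lines):
        hosts_by_port[src][dport].add(dst)
        ports_by_host[src][dst].add(dport)

    labels = {}
    for src in hosts_by_port:
        # Widest: how many of our hosts saw the same port from this source.
        widest = max(len(hosts) for hosts in hosts_by_port[src].values())
        # Deepest: how many ports this source tried on any one of our hosts.
        deepest = max(len(ports) for ports in ports_by_host[src].values())
        horizontal = widest >= MIN_HOSTS_HORIZONTAL
        vertical = deepest >= MIN_PORTS_VERTICAL
        if horizontal and vertical:
            labels[src] = "both"
        elif horizontal:
            labels[src] = "horizontal"
        elif vertical:
            labels[src] = "vertical"
        else:
            labels[src] = "unclassified"
    return labels


def seen_from(lines, dst):
    """Restrict the log to what a site owning only the address `dst` would record."""
    return [line for line in lines if f"dst={dst} " in line]


if __name__ == "__main__":
    print("whole block :", classify(SAMPLE_LOG))
    print("single host :", classify(seen_from(SAMPLE_LOG, "203.0.113.2")))
```

Run against a single address, the one-port sweep shrinks to one dropped packet per source and is indistinguishable from a stray connection; it only becomes visible when logs from several addresses are combined.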

JF Mezei <jfmezei.spamnot@vaxination.ca> writes:

>H Vlems wrote:

>> If the system is on line it logs a couple of telnet, ftp and
>> occasional http requests per week. Although the frequency seems to
>> increase slowly but steadily.


>If you enable SSH, you will find a huge amount of connection attempts.
>People don't bother with telnet break in attempts because so few sites
>have telnet enabled.

Actually I saw a large increase in telnet attempts starting about a month
ago.  They always timed out rather than actually tried to log in (the
'bot couldn't grok a Username: prompt, apparently) so I put up a very
primitive honeypot that prompts login: .  So far all I got was attempts
to log in as root/admin.
0
Reply moroney (979) 6/13/2009 7:20:15 PM

VAXman-  @SendSpamHere.ORG writes:

>In article <0014c692$0$6100$c3e8da3@news.astraweb.com>, JF Mezei <jfmezei.spamnot@vaxination.ca> writes:
>>H Vlems wrote:
>>
>>> If the system is on line it logs a couple of telnet, ftp and
>>> occasional http requests per week. Although the frequency seems to
>>> increase slowly but steadily.
>>
>>
>>If you enable SSH, you will find a huge amount of connection attempts.
>>People don't bother with telnet break in attempts because so few sites
>>have telnet enabled.

>D'oh! DO NOT RUN SSH ON THE DEFAULT PORT 22!!!

I did things differently.  I wrote a program that monitors the audit 
server mailbox, and when there is a breakin attempt via SSH, FTP or 
TELNET, it disables the IP address it comes from temporarily (until the 
next reboot, which could be a while)

In the past, I've seen 15,000 attempts in a 24 hour period.  Nowadays, I
usually see 6, 12 or 18 total attempts per day.
0
Reply moroney (979) 6/13/2009 7:30:25 PM
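
The approach described in the post above (watch for break-in attempts on SSH, FTP or TELNET and temporarily block the source address) comes down to a sliding-window counter with an in-memory block list. This is an added sketch, not the poster's program and not the audit server's record layout; the event format, thresholds, exempt range and addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_SERVICES = {"SSH", "FTP", "TELNET"}
MAX_FAILURES = 3                       # assumed threshold
WINDOW = timedelta(minutes=10)         # assumed sliding window
# Assumed management range that must never be blocked (avoids self-lockout).
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed events: "<ISO timestamp> <service> <source ip> <outcome>"
SAMPLE_EVENTS = """\
2009-06-13T19:00:00 SSH 198.51.100.23 FAILURE
2009-06-13T19:00:05 FTP 198.51.100.23 FAILURE
2009-06-13T19:00:09 HTTP 198.51.100.23 FAILURE
2009-06-13T19:01:00 TELNET 203.0.113.77 FAILURE
2009-06-13T19:01:30 SSH 198.51.100.23 FAILURE
2009-06-13T19:01:31 SSH 198.51.100.23 FAILURE
2009-06-13T19:02:00 SSH 192.0.2.5 FAILURE
2009-06-13T19:02:10 SSH 192.0.2.5 FAILURE
2009-06-13T19:02:20 SSH 192.0.2.5 FAILURE
2009-06-13T19:05:00 TELNET 203.0.113.77 FAILURE
2009-06-13T19:40:00 TELNET 203.0.113.77 FAILURE
garbled record
""".splitlines()


class BreakinMonitor:
    """Counts recent login failures per source and blocks repeat offenders."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked = {}                   # ip -> block time; memory only, so
                                            # a restart clears every block

    def handle(self, line):
        """Process one event; return the address if this event triggers a block."""
        try:
            ts_text, service, src_text, outcome = line.split()
            ts = datetime.fromisoformat(ts_text)
            src = ipaddress.ip_address(src_text)
        except ValueError:
            return None                     # malformed record: ignore it
        if service not in WATCHED_SERVICES or outcome != "FAILURE":
            return None
        if src in self.blocked or any(src in net for net in NEVER_BLOCK):
            return None

        recent = self.failures[src]
        recent.append(ts)
        while ts - recent[0] > WINDOW:      # drop failures older than the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.blocked[src] = ts
            del self.failures[src]
            return str(src)
        return None

    def blocked_addresses(self):
        return sorted(str(ip) for ip in self.blocked)


def replay(monitor, lines):
    """Feed events in order; return the addresses blocked, in blocking order."""
    hits = (monitor.handle(line) for line in lines)
    return [ip for ip in hits if ip is not None]


if __name__ == "__main__":
    mon = BreakinMonitor()
    print("blocked:", replay(mon, SAMPLE_EVENTS))
```

In a real deployment the returned address would be handed to whatever filter the stack or router provides; that step is left out here because it is product-specific.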

In article
<e5eede01-78c9-4e36-a7b0-f12059293485@q16g2000yqg.googlegroups.com>,
Neil Rieck <n.rieck@sympatico.ca> writes: 

Folks, please don't post quoted-printable garbage.

> > LinkSys BEFSR81. It's a router plus an eight port switch. It will not
> > allow any connection to be initiated from the public side.

It can be configured to do so, though.

> True but that is a very old product. I use a LinkSys WRT300N and it
> will allow you to open connections from the public side.

0
Reply helbig (4924) 6/13/2009 7:56:26 PM

In article <h10qp7$h64$00$1@news.t-online.com>, Michael Kraemer
<M.Kraemer@gsi.de> writes: 

> > Like Hans, for many years I have been running the same setup which
> > he outlined, using cheap commodity routers on both a VAX and
> > an Integrity server. Both Telnet and FTP ports have been open for
> > external access and although I have often seen breakin attempts
> > none were ever successful. 
> 
> Or they went unnoticed.

I'm certain that, on my machines, none were successful.

> > We did not run any web or mailserver
> > facilities (All breakin attempts were trying to login using typical
> > Windows/Linux credentials e.g. Username ADMINISTRATOR).
> > Don't forget we are dealing with OpenVMS here, not Windows.
> 
> In this case, they would have used FIELD or SYSTEST, no?

How many years---or decades---has it been since these are no longer 
enabled by default and no longer have default passwords?

> So what is VMS' current security certification,
> compared to Linux/Windows?

Whose security certification?  Nobody goes around, for free, checking 
all systems for their security.  Most VMS system managers probably don't 
give a monkey's uncle about some certification from the Windows/Unix 
world.

> Well, depends. Being unpopular to hackers means being unpopular
> to the rest of the IT world as well.

Why can't we think of VMS as the Porsche of operating systems?  I don't 
think most Porsche drivers care that most people drive other types of 
cars.

0
Reply helbig (4924) 6/13/2009 8:02:38 PM

Richard B. Gilbert wrote:

> I suppose I could spend a lot of money and get something better but I 
> can't see any point; what I have gets the job done!

I have a very old router. I may have to change it if the CRTC uses its
teeth to force Bell Canada to comply with a previous ruling and offer
the same ADSL speeds to other ISPs as it does to itself. When this
happens, the 10mbps ethernet link of the router may not cut it anymore :-)

What is important to me is familiarity with the router. When you get a
POP/IMAP or other attack on a vulnerable VMS portion, I like to quickly
get onto that router and block the ip making that attack.

When I have old legacy PPPoE connection problems, I want to be able to
go into the router and trace the packets to see exactly what is
happening (is it Bell that is not responding, is the connection between
Bell and my ISP failed or is the ISP not responding etc etc).

Buying a new router means learning all of this. But it also requires
that before I buy it, that I ensure the new one has the same
capabilities and then need to document those steps that are needed
during an attack or how to debug that crap PPPoE thing. In the latter
case, it doesn't happen, so you don't necessarily remember the commands.
0
Reply jfmezei.spamnot (8965) 6/13/2009 8:06:25 PM

H Vlems wrote:

> Occasionally I run ACCOUNTING and look for login failures. All of them
> (beside my own typos) have no usercode listed.
> I've always assumed they're simple port scans, i.e. a range of ip
> addresses is scanned for activity on one port only.

Accounting doesn't give you this. I think that ana/audit does, but it
doesn't give you the password. Seeing the password would be tremendously
advantageous to see how the hackers are trying to get in. (brute force,
or some dictionary or are the passwords dangerously close to what you have).

0
Reply jfmezei.spamnot (8965) 6/13/2009 8:09:15 PM

In article <002d0027$0$29042$c3e8da3@news.astraweb.com>, JF Mezei
<jfmezei.spamnot@vaxination.ca> writes: 

> I have a very old router. I may have to change it if the CRTC uses its
> teeth to force Bell Canada to comply with a previous ruling and offer
> the same ADSL speeds to other ISPs as it does to itself. When this
> happens, the 10mbps ethernet link of the router may not cut it anymore :-)

I now have all in one box: router, modem, switch, VOIP.  I used to have 
them in four separate boxes.  I had to switch when increasing speed 
meant my old modem couldn't cut it anymore.

I agree with the familiarity.  I don't like the graphical-only interface 
to the Fritz!Box.  Older stuff had an ASCII menu and even a command to 
escape to the command line.  On the other hand, my ISP officially 
supports this, so if there is a problem, they can't say that, because of 
my complicated setup, they can't detect where it lies.  When a box 
stopped working, they replaced it---with the current model, which has 
considerably more features---for free.

0
Reply helbig (4924) 6/13/2009 8:22:47 PM

JF Mezei <jfmezei.spamnot@vaxination.ca> writes:

>H Vlems wrote:

>> Occasionally I run ACCOUNTING and look for login failures. All of them
>> (beside my own typos) have no usercode listed.
>> I've always assumed they're simple port scans, i.e. a range of ip
>> addresses is scanned for activity on one port only.

>Accounting doesn't give you this. I think that ana/audit does, but it
>doesn't give you the password. Seeing the password would be tremendously
> advantageous to see how the hackers are trying to get in. (brute force,
>or some dictionary or are the passwords dangerously close to what you have).

ANA/AUDIT does give passwords for breakin attempts.  However, HP's TCPIP
services don't provide the password to auditing for SSH, TELNET or FTP
attempts (I've examined the audit server messages), which I consider a
flaw in HP's TCPIP services.  So you won't see passwords from ANA/AUDIT
for TCPIP breakin attempts.  I don't know if the other TCPIP stacks for
VMS do this (log the password on breakin attempts) or not.
0
Reply moroney (979) 6/13/2009 8:22:55 PM

Phillip Helbig---remove CLOTHES to reply wrote:

> I'm certain that, on my machines, none were successful.


There is a British series called Spooks. (think about a smart "24" based
in London).  In one episode,  some terrorists are threatening to
detonate a bomb every 10 hours in very public places. MI5 has so far
managed to find and defuse bombs 2 and 3. The bomber says to his
accomplices who are disappointed that the last 2 bombs failed:

"Remember, MI5 has to be successful 100% of the time, we only need to be
successful once".


So, it only takes one successful attempt by the bad guys to penetrate
your system and do a lot of damage. DELETE [0000...]*.*;*  is very
noticeable. But making a subtle change to your system that you don't
notice but which lets them do nasty deeds would go undetected for a long
time.  (think something in the line of enabling SMTP relaying and then
using your system to send billions and billions of spam messages).


> Why can't we think of VMS as the Porsche of operating systems?  I don't 
> think most Porsche drivers care that most people drive other types of 
> cars.

The number of vulnerabilities with VMS is high. Consider that POP and
IMAP and, unless they fixed it years ago, XDM allow unlimited password
tests on accounts.


Granted, VMS may be superior to others, but it is far from perfect
anymore.
0
Reply jfmezei.spamnot (8965) 6/13/2009 8:42:58 PM

Phillip Helbig---remove CLOTHES to reply wrote:
> In article
> <e5eede01-78c9-4e36-a7b0-f12059293485@q16g2000yqg.googlegroups.com>,
> Neil Rieck <n.rieck@sympatico.ca> writes: 
> 
> Folks, please don't post quoted-printable garbage.

What "quoted-printable garbage"?  All I typed was English plain text. 
All I see is English plain text.

You might also offer some advice about how to not post "quoted-printable"
garbage.

<snip>
0
Reply rgilbert88 (4368) 6/13/2009 8:51:09 PM

>> Folks, please don't post quoted-printable garbage.

When quoted printable first came out, I was mad as hell. Because of my
name, messages from me would always be "quoted printable" in their
entirety just because the "from" contained the "ç".

Consider that Mozilla does run on VMS. Consider that MAIL has not been
significantly upgraded since the last century and there isn't much of a
chance it will ever be upgraded.

The internet has evolved. Binary content on newsgroups isn't uuencoded
anymore, it isn't mime encoded anymore, it now uses that yenc
thing-�-ma-jig.

Quoted printable has now been standard for probably over a decade. If
you still don't have a client that supports it, I am starting to feel
like saying "Tough luck".
0
Reply jfmezei.spamnot (8965) 6/13/2009 8:54:06 PM

JF Mezei wrote:
> Phillip Helbig---remove CLOTHES to reply wrote:
> 
>> I'm certain that, on my machines, none were successful.
> 
> 
> There is a British series called Spooks. (think about a smart "24" based
> in London).  In one episode,  some terrorists are threatening to
> detonate a bomb every 10 hours in very public places. MI5 has so far
> managed to find and defuse bombs 2 and 3. The bomber says to his
> accomplices who are disappointed that the last 2 bombs failed:
> 
> "Remember, MI5 has to be successful 100% of the time, we only need to be
> successful once".
> 
> 
> So, it only takes one successful attempt by the bad guys to penetrate
> your system and do a lot of damage. DELETE [0000...]*.*;*  is very
> noticeable. But making a subtle change to your system that you don't
> notice but which lets them do nasty deeds would go undetected for a long
> time.  (think something in the line of enabling SMTP relaying and then
> using your system to send billions and billions of spam messages).
> 
> 
>> Why can't we think of VMS as the Porsche of operating systems?  I don't 
>> think most Porsche drivers care that most people drive other types of 
>> cars.
> 
> The number of vulnerabilities with VMS is high. Consider that POP and
> IMAP and, unless they fixed it years ago, XDM allow unlimited password
> tests on accounts.
> 
What release of VMS added support for "POP and IMAP"?  The last time I 
looked mail was SMTP only.
0
Reply rgilbert88 (4368) 6/13/2009 9:10:22 PM

Phillip Helbig---remove CLOTHES to reply schrieb:

> 
> How many years---or decades---has it been since these are no longer 
> enabled by default and no longer have default passwords?

And ? Fits nicely with the other decade-old stuff discussed here,
or still being an issue for VMS (TCP/IP comes to mind).

> 
>>So what is VMS' current security certification,
>>compared to Linux/Windows?
> 
> 
> Whose security certification? 

The old Orange Book or the more recent Common Criteria
for example.

> Nobody goes around, for free, checking 
> all systems for their security. 

Usually the vendor cares.
So what's VMS' security level?

> Most VMS system managers probably don't 
> give a monkey's uncle 
> about some certification from the Windows/Unix 
> world.

So what's their measure, security by strong belief?
And what should that be, a "certification from the Windows/Unix world"?
Common criteria are supposed to be common, i.e. for everybody.

> 
>>Well, depends. Being unpopular to hackers means being unpopular
>>to the rest of the IT world as well.
> 
> 
> Why can't we think of VMS as the Porsche of operating systems?

Because this comparison is quite a bit inappropriate?
Apart from being a bad example because Porsche is now
in the same shit as other car makers:
everybody knows Porsche - nobody knows VMS,
until recently Porsche's revenue and profit increased - VMS's declined 
big time,
etc ...

>  I don't 
> think most Porsche drivers care that most people drive other types of 
> cars.

Oh, Porsche drivers certainly would care if they needed an extra
gas for which the next station is about 500 miles away.



0
Reply M.Kraemer (1982) 6/13/2009 10:41:21 PM

JF Mezei wrote:

> There is a British series called Spooks.  [...]




(think about a smart "24" based
> in London).  In one episode,  some terrorists are threatening to
> detonate a bomb every 10 hours in very public places. MI5 has so far
> managed to find and defuse bombs 2 and 3. The bomber says to his
> accomplices who are disappointed that the last 2 bombs failed:
>
> "Remember, MI5 has to be successful 100% of the time, we only need to be
> successful once".
>
>
> So, it only takes one successful attempt by the bad guys to penetrate
> your system and do a lot of damage. DELETE [0000...]*.*;*  is very
> noticeable. But making a subtle change to your system that you don't
> notice but which lets them do nasty deeds would go undetected for a long
> time.  (think something in the line of enabling SMTP relaying and then
> using your system to send billions and billions of spam messages).
>
>
> > Why can't we think of VMS as the Porsche of operating systems?  I don't
> > think most Porsche drivers care that most people drive other types of
> > cars.
>
> The number of vulnerabilities with VMS is high. Consider that POP and
> IMAP and, unless they fixed it years ago, XDM allow unlimited password
> tests on accounts.
>
>
> Granted, VMS may be superior to others, but it is far from perfect
> anymore.
0
Reply sms.antinode (940) 6/13/2009 10:42:15 PM

JF Mezei wrote:

> There is a British series called Spooks.  [...]

   On PBS in the US of A, it's called "MI-5", but the end
credits do mention something like "bbc.co.uk/spooks", so I
assume that it's the same (except for some naughty-word
deletions).
0
Reply sms.antinode (940) 6/13/2009 10:42:46 PM

Steven Schweda wrote:

>    On PBS in the US of A, it's called "MI-5", but the end
> credits do mention something like "bbc.co.uk/spooks", so I
> assume that it's the same (except for some naughty-word
> deletions).

Yep. Name change, but also deleted scenes when it was carried by A&E.
The programs are about 55 minutes in length, and A&E inserted ads, so
they couldn't air all of the 55 minutes within one hour time slot. Glad
to see PBS decided to take it when A&E dropped it.
0
Reply jfmezei.spamnot (8965) 6/13/2009 10:47:19 PM

> -----Original Message-----
> From: info-vax-bounces@rbnsn.com [mailto:info-vax-bounces@rbnsn.com] On
> Behalf Of H Vlems
> Sent: June-13-09 2:27 PM
> To: info-vax@rbnsn.com
> Subject: Re: [Info-vax] Firewalls on VMS
>
> On Jun 13, 1:26 pm, "R.A.Omond" <Roy.Om...@BlueBubble.UK.Com> wrote:
> > H Vlems wrote:
> > > [...snip...]
> >
> > > Though not exactly a firewall, one of my VMS systems is configured
> on
> > > the ADSL router as the destination node to which all inbound
> requests
> > > are sent that were targeted at the outside IP address.
> > > If the system is on line it logs a couple of telnet, ftp and
> > > occasional http requests per week. Although the frequency seems to
> > > increase slowly but steadily.
> > > The system has been running that way for several years now and I've
> > > yet to see the first successful attempt to log on.
> >
> > If you have 2 (or more) Ethernet adapters, consider running
> > a Teergrube ("tar pit").
> >
> > I do this occasionally ... such fun :-)
>
> There's a book on computer security with a case study where a couple
> of system administrators did do that.
> IIRC the hacker was called Berferd and he tried to get into a unix
> system (at AT&T !). The admins had great fun but got
> a tap on the wrist because playing with unwelcome visitors was not
> nice...
> _______________________________________________

Fwiw, most company security analysts today do not worry about the Internet.

As others have said, firewalls handle those issues pretty well today.

Having stated this, the absolute biggest issue facing security groups are
internal issues. Something like 50-60% of all company security issues today
are internally related.

Even analyst groups like Burton Group now recommend host based firewalls
to complement the external Internet firewalls.

Just think about all those fat clients in staff hands (PDA's, phones) that
regularly go about the external world and then get plugged into internal
desktops. With little buggies that can now start looking for internal
systems that have not kept up with patches.

Internet? Heck, that's the least of security folks problems these days.

Just think about staff who have air cards and can connect to the external
Internet while they are at work over their air cards.

Disgruntled employees .. list goes on.

Hence, I always shiver when I hear Customers who say they do not keep
their internal systems up to date with patches as they believe they are
ok because they have a firewall protecting them from the Internet.


Regards

Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-797-4937
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that simply works.





0
Reply kerry.main (1446) 6/13/2009 11:19:24 PM

Main, Kerry wrote:

> Kerry Main
> Senior Consultant
> HP Services Canada

Mr Main,

Glad to see you are still posting from an hp.com account.
0
Reply jfmezei.spamnot (8965) 6/14/2009 12:24:05 AM

In article <Rd2dnRpcUqdejanXnZ2dnUVZ_t-dnZ2d@giganews.com>, "Richard B.
Gilbert" <rgilbert88@comcast.net> writes: 

> Phillip Helbig---remove CLOTHES to reply wrote:
> > In article
> > <e5eede01-78c9-4e36-a7b0-f12059293485@q16g2000yqg.googlegroups.com>,
> > Neil Rieck <n.rieck@sympatico.ca> writes: 
> > 
> > Folks, please don't post quoted-printable garbage.
> 
> What "quoted-printable garbage"?  All I typed was English plain text. 
> All I see is English plain text.
> 
> You might also offer some advice about how to not post "quoted-printable"
> garbage.

My guess is that whatever software you are using converts your message
into quoted-printable text.  Why should " " (ASCII 32) be rendered as
=A0?  I can sometimes see the value in encoding stuff (though not
necessarily to a text-based newsgroup) if one has characters which are
not in the 7-bit printable ASCII text, but if all characters are, then
there is absolutely no reason to encode. 

The default should be to post as plain text.  At worst, it should be 
able to set this option somewhere.  If you can't turn it off, get 
another newsreader.

0
Reply helbig (4924) 6/14/2009 8:12:54 AM

In article <007b4ff3$0$5921$c3e8da3@news.astraweb.com>, JF Mezei
<jfmezei.spamnot@vaxination.ca> writes: 

> >> Folks, please don't post quoted-printable garbage.
> 
> When quoted printable first came out, I was mad as hell. Because of my
> name, messages from me would always be "quoted printable" in their
> entirety just because the "from" contained the "ç".

I note that your message is NOT quoted-printable, and I see the "ç" just 
fine and just entered it myself with the compose key.

> Consider that Mozilla does run on VMS. 

And is not very comfortable as a newsreader, especially if one is used 
to the capabilities of a real newsreader.  I say "right tool for the 
job", not "do it with your browser if at all possible".

> Consider that MAIL has not been
> significantly upgraded since the last century and there isn't much of a
> chance it will ever be upgraded.

Unless someone is posting through a mail-to-news gateway, that is 
irrelevant here.

> Quoted printable has now been standard for probably over a decade. If
> you still don't have a client that supports it, I am starting to feel
> like saying "Tough luck".

You have been assimilated by the Borg.  Did it hurt?

0
Reply helbig (4924) 6/14/2009 8:16:30 AM

Main, Kerry wrote:

> 
> Fwiw, most company security analysts today do not worry about the Internet.
> 
> As others have said, firewalls handle those issues pretty well today.
> 
> Having stated this, the absolute biggest issue facing security groups are
> internal issues. Something like 50-60% of all company security issues today
> are internally related.

Not true, according to

http://www.verizonbusiness.com/products/security/risk/databreach/

74% arise from external sources.

0
Reply M.Kraemer (1982) 6/14/2009 8:46:57 AM

On Jun 13, 11:36 am, "Richard B. Gilbert" <rgilber...@comcast.net>
wrote:
> Neil Rieck wrote:
> > On Jun 12, 4:34 pm, "Richard B. Gilbert" <rgilber...@comcast.net>
> > wrote:
> >> Richard Maher wrote:
> >>> Hi,
> >>> A recent ITRC posting: -
> >>>http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId...
> >>> got me wondering just what Firewall capabilities were currently available
> >>> for VMS.
> >>> You may recall the TCP/IP Services engineer's quote: -
> >>> "BTW, delivery of IPSEC also provides host-based firewall capability, which
> >>> is another important feature that would also be delayed if IPSEC is further
> >>> delayed."
> >>> So I'm just wondering what everyone is using today for their VMS firewalls?
> >>> Please advise.
> >>> Regards Richard Maher
> >> LinkSys BEFSR81.  It's a router plus an eight port switch.  It will not
> >> allow any connection to be initiated from the public side.  This has
> >> proven adequate to protect our PCs, plus VMS and Solaris systems.
>
> >> If I had to allow connections to be initiated from outside, things would
> >> get a lot more complicated!
>
> > True but that is a very old product. I use a LinkSys WRT300N and it
> > will allow you to open connections from the public side.
>
> Remind me not to buy one!
>
> I've had the BEFSR81 for several years now, since I first got broadband
> cable.  I even have a spare!
>
> I suppose I could spend a lot of money and get something better but I
> can't see any point; what I have gets the job done!

My desire for a Linksys WRT300N was a practical one. I have 6
computers and a PS3 in my home which all contribute to Folding@home
and so need continuous access to the internet. Half of my machines are
not near an internet connection so I purchased some wireless PCI cards
at a local liquidator.

http://www3.sympatico.ca/n.rieck/docs/folding_at_home.html

With regards to the BEFSR81 (and 41), while it has been several years
since I configured one, I remember that options were available to
allow you to open specific inbound ports. Linksys also provided
a setting which (when enabled) would allow one port to be totally wide
open.

NSR
0
Reply n.rieck (1986) 6/14/2009 11:47:22 AM

On Jun 13, 9:06 pm, JF Mezei <jfmezei.spam...@vaxination.ca> wrote:
> Richard B. Gilbert wrote:
> > I suppose I could spend a lot of money and get something better but I
> > can't see any point; what I have gets the job done!
>
> I have a very old router. I may have to change it if the CRTC uses its
> teeth to force Bell Canada to comply with a previous ruling and offer
> the same ADSL speeds to other ISPs as it does to itself. When this
> happens, the 10mbps ethernet link of the router may not cut it anymore :-)
>
> What is important to me is familiarity with the router. When you get a
> POP/IMAP or other attack on a vulnerable VMS portion, I like to quickly
> get onto that router and block the ip making that attack.
>
> When I have old legacy PPPoE connection problems, I want to be able to
> go into the router and trace the packets to see exactly what is
> happening (is it Bell that is not responding, is the connection between
> Bell and my ISP failed or is the ISP not responding etc etc).
>
> Buying a new router means learning all of this. But it also requires
> that before I buy it, that I ensure the new one has the same
> capabilities and then need to document those steps that are needed
> during an attack or how to debug that crap PPPoE thing. In the later
> case, it doesn't happen, so you don't necessarily remember the commands.

Have you looked at buying/building something based on the wide variety
of Linux-based firewall packages? As they're all Linux based and all
have mostly the same basic internals under the hood, regardless of the
underlying hardware, you can retain much of the familiarity even
if for whatever reason you need to swap the hardware or add/remove
facilities.

At the entry level, you can buy a Linux-ready router for a few tens of
dollars (if you don't already have one) and reflash it with something
off the shelf like OpenWRT (or the many alternatives, from readymade
to DIY), or you can reuse an old PC (or laptop), take your pick.

If you need a few changes to what's readily available, you get the
source. If tinkering with it yourself isn't your thing, you can always
"ask the audience" to see if anyone is willing to help, or has already
done what you need.

Just a thought.
0
Reply johnwallace44 (832) 6/14/2009 11:55:18 AM

On Jun 13, 12:10 pm, JC <thecook...@gmail.com> wrote:
> I don't understand what all the fuss is about.
>
> Like Hans, For many years I have been running the same setup which
> he outlined, using cheap commodity routers on both a VAX and
> an Integrity server. Both Telnet and FTP ports have been open for
> external access and although I have often seen breakin attempts
> none were ever successful. We did not run any web or mailserver
> facilities (All breakin attempts were trying to login using typical
> Windows/Linux credentials e.g. Username ADMINISTRATOR).
> Don't forget we are dealing with OpenVMS here, not windows.
>
> In my opinion, even a naked OpenVMS system is much more
> secure than the best fortified Windows or Linux platform. Let's not
> forget that the current generation of hackers and scriptkiddies have
> no idea what OpenVMS is about. Attacks focus on Windows
> and Linux platforms. When it comes to servers, it pays to be
> unpopular......
>
> JohnC
>
> On Jun 13, 6:27 am, H Vlems <hvl...@freenet.de> wrote:
>
> > On Jun 12, 6:17 pm, VAXman-  @SendSpamHere.ORG wrote:
>
> > > In article <h0tpqf$fj...@news-01.bur.connect.com.au>, "Richard Maher" <maher...@hotspamnotmail.com> writes:
>
> > > >Hi,
>
> > > >A recent ITRC posting: -
> > > >http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId...
> > > >got me wondering just what Firewall capabilities were currently available
> > > >for VMS.
>
> > > >You may recall the TCP/IP Services engineer's quote: -
> > > >"BTW, delivery of IPSEC also provides host-based firewall capability, which
> > > >is another important feature that would also be delayed if IPSEC is further
> > > >delayed."
>
> > > >So I'm just wondering what everyone is using today for their VMS firewalls?
>
> > > Eets VMS!  We dunt need no steenkin' firewalls.
>
> > > --
> > > VAXman- A Bored Certified VMS Kernel Mode Hacker     VAXman(at)TMESIS(dot)ORG
>
> > >  http://www.quirkfactory.com/popart/asskey/eqn2.png
>
> > >   "Well my son, life is like a beanstalk, isn't it?"
>
> > Though not exactly a firewall, one of my VMS systems is configured on
> > the ADSL router as the destination node to which all inbound requests
> > are sent that were targeted at the outside IP address.
> > If the system is on line it logs a couple of telnet, ftp and
> > occasional http requests per week. Although the frequency seems to
> > increase slowly but steadily.
> > The system has been running that way for several years now and I've
> > yet to see the first successful attempt to log on.
> > Hans

You are 100% correct and I would like to tell you all about one unique
thing I am doing for one of my commercial customers (I can't tell you
anything about the customer for obvious reasons).

This customer has "OpenVMS platform-A" on a private intranet and
"OpenVMS platform-B" on the public internet. Both machines contain
multiple NICs which allows us to have a DECnet-only connection between
the two machines (no IP). This setup has been running since 1999 with
no successful break ins although we have logged hundreds of thousands
of attempts.

:-)

At the urging of a so-called security expert who knew nothing about
OpenVMS or cared that most of our TCPware ports were closed, last year
(2008) we installed a small hardware firewall between platform-B and
the public internet.

OK so what would happen if platform-B had been hacked? Answer: They
would have needed to know something about DECnet to go any further.
But even if a hacker was a DECnet expert, further hacking would be
difficult because many portions of the DECnet environment on
platform-B remain unconfigured. (e.g. no node names defined to only mention one
fact)

NSR
0
Reply n.rieck (1986) 6/14/2009 12:19:02 PM

In article <h12dcc$vj0$01$1@news.t-online.com>,
 Michael Kraemer <M.Kraemer@gsi.de> wrote:

> Main, Kerry wrote:
> 
> > 
> > Fwiw, most company security analysts today do not worry about the Internet.
> > 
> > As others have said, firewalls handle those issues pretty well today.
> > 
> > Having stated this, the absolute biggest issue facing security groups are
> > internal issues. Something like 50-60% of all company security issues today
> > are internally related.
> 
> Not true, according to
> 
> http://www.verizonbusiness.com/products/security/risk/databreach/
> 
> 74% arise from external sources.

"IT staff stealing company secrets

London, UK - More than a third of senior IT workers in the UK and US are 
snooping at work, according to a survey.

According to the third annual Cyber-Ark poll, 35 percent of IT staff 
have used their IT administration rights to snoop around networks to 
access privileged, corporate information. Most of the rest reckoned they 
could if they wanted, with 74 percent stating that they could circumvent 
the controls currently in place to prevent access to internal 
information."

http://www.tgdaily.com/content/view/42797/108/

-- 
Paul Sture
0
Reply paul.sture.nospam (2312) 6/14/2009 9:17:04 PM

P. Sture wrote:
> In article <h12dcc$vj0$01$1@news.t-online.com>,
>  Michael Kraemer <M.Kraemer@gsi.de> wrote:
> 
> 
>>Main, Kerry wrote:
>>
>>
>>>Fwiw, most company security analysts today do not worry about the Internet.
>>>
>>>As others have said, firewalls handle those issues pretty well today.
>>>
>>>Having stated this, the absolute biggest issue facing security groups are
>>>internal issues. Something like 50-60% of all company security issues today
>>>are internally related.
>>
>>Not true, according to
>>
>>http://www.verizonbusiness.com/products/security/risk/databreach/
>>
>>74% arise from external sources.
> 
> 
> "IT staff stealing company secrets
> 
> London, UK - More than a third of senior IT workers in the UK and US are 
> snooping at work, according to a survey.
> 
> According to the third annual Cyber-Ark poll, 35 percent of IT staff 
> have used their IT administration rights to snoop around networks to 
> access privileged, corporate information. Most of the rest reckoned they 
> could if they wanted, with 74 percent stating that they could circumvent 
> the controls currently in place to prevent access to internal 
> information."
> 
> http://www.tgdaily.com/content/view/42797/108/
> 

And how does this contradict the Verizon study?

0
Reply M.Kraemer (1982) 6/14/2009 9:58:32 PM

In article <h13roj$98g$03$2@news.t-online.com>,
 Michael Kraemer <M.Kraemer@gsi.de> wrote:

> P. Sture wrote:
> > In article <h12dcc$vj0$01$1@news.t-online.com>,
> >  Michael Kraemer <M.Kraemer@gsi.de> wrote:
> > 
> > 
> >>Main, Kerry wrote:
> >>
> >>
> >>>Fwiw, most company security analysts today do not worry about the Internet.
> >>>
> >>>As others have said, firewalls handle those issues pretty well today.
> >>>
> >>>Having stated this, the absolute biggest issue facing security groups are
> >>>internal issues. Something like 50-60% of all company security issues today
> >>>are internally related.
> >>
> >>Not true, according to
> >>
> >>http://www.verizonbusiness.com/products/security/risk/databreach/
> >>
> >>74% arise from external sources.
> > 
> > 
> > "IT staff stealing company secrets
> > 
> > London, UK - More than a third of senior IT workers in the UK and US are 
> > snooping at work, according to a survey.
> > 
> > According to the third annual Cyber-Ark poll, 35 percent of IT staff 
> > have used their IT administration rights to snoop around networks to 
> > access privileged, corporate information. Most of the rest reckoned they 
> > could if they wanted, with 74 percent stating that they could circumvent 
> > the controls currently in place to prevent access to internal 
> > information."
> > 
> > http://www.tgdaily.com/content/view/42797/108/
> > 
> 
> And how does this contradict the Verizon study?

I'm not saying it does; simply that we shouldn't ignore internal risks.

-- 
Paul Sture
0
Reply paul.sture.nospam (2312) 6/14/2009 11:08:24 PM

On Jun 14, 9:46 am, Michael Kraemer <M.Krae...@gsi.de> wrote:
> Main, Kerry wrote:
>
>
>
> > Fwiw, most company security analysts today do not worry about the Internet.
>
> > As others have said, firewalls handle those issues pretty well today.
>
> > Having stated this, the absolute biggest issue facing security groups are
> > internal issues. Something like 50-60% of all company security issues today
> > are internally related.
>
> Not true, according to
>
> http://www.verizonbusiness.com/products/security/risk/databreach/
>
> 74% arise from external sources.

74% of what?

According to the Verizon summary page, they seem to mean 74% of
"records compromised". Is that the same as "74% of incidents" which is
more likely what Kerry meant (subject to confirmation)? A few big
compromises could shift the numbers such that "% of records" isn't the
same as "% of incidents".

Lies, damned lies, and marketing statistics?
0
Reply johnwallace44 (832) 6/14/2009 11:27:10 PM

John Wallace wrote:
> On Jun 14, 9:46 am, Michael Kraemer <M.Krae...@gsi.de> wrote:
>> Main, Kerry wrote:
>>
>>
>>
>>> Fwiw, most company security analysts today do not worry about the Internet.
>>> As others have said, firewalls handle those issues pretty well today.
>>> Having stated this, the absolute biggest issue facing security groups are
>>> internal issues. Something like 50-60% of all company security issues today
>>> are internally related.
>> Not true, according to
>>
>> http://www.verizonbusiness.com/products/security/risk/databreach/
>>
>> 74% arise from external sources.
> 
> 74% of what?
> 
> According to the Verizon summary page, they seem to mean 74% of
> "records compromised". Is that the same as "74% of incidents" which is
> more likely what Kerry meant (subject to confirmation)? A few big
> compromises could shift the numbers such that "% of records" isn't the
> same as "% of incidents".
> 
> Lies, damned lies, and marketing statistics?

Fun with statistics!  Did you know that more than forty percent of the 
population have subnormal intelligence?
;-)

0
Reply rgilbert88 (4368) 6/15/2009 12:00:58 PM

In article <ItednWpSp6keqqvXnZ2dnUVZ_vxi4p2d@giganews.com>, "Richard B. Gilbert" <rgilbert88@comcast.net> writes:
>John Wallace wrote:
>> On Jun 14, 9:46 am, Michael Kraemer <M.Krae...@gsi.de> wrote:
>>> Main, Kerry wrote:
>>>
>>>
>>>
>>>> Fwiw, most company security analysts today do not worry about the Internet.
>>>> As others have said, firewalls handle those issues pretty well today.
>>>> Having stated this, the absolute biggest issue facing security groups are
>>>> internal issues. Something like 50-60% of all company security issues today
>>>> are internally related.
>>> Not true, according to
>>>
>>> http://www.verizonbusiness.com/products/security/risk/databreach/
>>>
>>> 74% arise from external sources.
>> 
>> 74% of what?
>> 
>> According to the Verizon summary page, they seem to mean 74% of
>> "records compromised". Is that the same as "74% of incidents" which is
>> more likely what Kerry meant (subject to confirmation)? A few big
>> compromises could shift the numbers such that "% of records" isn't the
>> same as "% of incidents".
>> 
>> Lies, damned lies, and marketing statistics?
>
>Fun with statistics!  Did you know that more than forty percent of the 
>population have subnormal intelligence?

Are there really that many lawyers???

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

  http://www.quirkfactory.com/popart/asskey/eqn2.png
  
  "Well my son, life is like a beanstalk, isn't it?"
0
Reply VAXman 6/15/2009 2:34:53 PM

In article <ItednWpSp6keqqvXnZ2dnUVZ_vxi4p2d@giganews.com>,
 "Richard B. Gilbert" <rgilbert88@comcast.net> wrote:

> John Wallace wrote:
> > On Jun 14, 9:46 am, Michael Kraemer <M.Krae...@gsi.de> wrote:
> >> Main, Kerry wrote:
> >>
> >>
> >>
> >>> Fwiw, most company security analysts today do not worry about the 
> >>> Internet.
> >>> As others have said, firewalls handle those issues pretty well today.
> >>> Having stated this, the absolute biggest issue facing security groups are
> >>> internal issues. Something like 50-60% of all company security issues 
> >>> today
> >>> are internally related.
> >> Not true, according to
> >>
> >> http://www.verizonbusiness.com/products/security/risk/databreach/
> >>
> >> 74% arise from external sources.
> > 
> > 74% of what?
> > 
> > According to the Verizon summary page, they seem to mean 74% of
> > "records compromised". Is that the same as "74% of incidents" which is
> > more likely what Kerry meant (subject to confirmation)? A few big
> > compromises could shift the numbers such that "% of records" isn't the
> > same as "% of incidents".
> > 
> > Lies, damned lies, and marketing statistics?
> 
> Fun with statistics!  Did you know that more than forty percent of the 
> population have subnormal intelligence?
> ;-)

76.237 % of statistics are made up :-)

-- 
Paul Sture
0
Reply paul.nospam (2160) 6/15/2009 2:51:17 PM

On 2009-06-14 10:12, "Phillip Helbig---remove CLOTHES to reply" wrote:

> My guess is that whatever software you are using converts your message
> into quoted-printable text.  Why should " " (ASCII 32) be rendered as
> =A0?  [...]

"U+00A0" is the special character "no-break space (standard width)" in
Unicode as well as in ISO-8859-x so it might be of some "real" use. (Not
for news groups postings though ...)

Michael


[1] <http://www.unicode.org/charts/charindex2.html>
[2] <http://www.unicode.org/charts/PDF/U0000.pdf>
[3] <http://www.unicode.org/charts/PDF/U0080.pdf>

-- 
Real names enhance the probability of getting real answers.
My e-mail account at DECUS Munich is no longer valid.

0
Reply spam.to.unger (427) 6/15/2009 3:14:15 PM

In article <h102qi$4h5$1@online.de>, helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes:
> 
> It's nice to have a web browser on the VMS system so that one can cut 
> and paste into/from DECterms, save or upload files from the local disk 
> etc.

   And so one can browse with no fear of attack.

0
Reply koehler2 (8264) 6/15/2009 5:51:10 PM

In article <h102qi$4h5$1@online.de>, helbig@astro.multiCLOTHESvax.de
(Phillip Helbig---remove CLOTHES to reply) writes:

 > It's nice to have a web browser on the VMS system so that one can cut
 > and paste into/from DECterms,...

How is that different from cut-n-paste from a browser
window into a Reflection (or any other emulator) window
on a PC ?

 > save or upload files from the local disk etc.

I have never had any problem with temporary storage
of VMS files on my local PC and then FTP'ing them
over to the target VMS system.
0
Reply jan-erik.soderholm (2506) 6/15/2009 6:52:45 PM

Michael Unger wrote:

> "U+00A0" is the special character "no-break space (standard width)" in
> Unicode as well as in ISO-8859-x so it might be of some "real" use. 

Non breaking space is used frequently in page layout software to prevent
an expression from being split in multiple lines.

For instance, say you had Open VMS , you'd want to have a non breaking
space between the Open and the VMS to ensure they always remained
together on a line and not split with VMS on the next line.

Generally, one has to press special key combinations to get it.
0
Reply jfmezei.spamnot (8965) 6/15/2009 9:09:20 PM

In article <1MwZl.9608$U5.134449@newsb.telia.net>,
 Jan-Erik Söderholm <jan-erik.soderholm@telia.com> wrote:

> In article <h102qi$4h5$1@online.de>, helbig@astro.multiCLOTHESvax.de
> (Phillip Helbig---remove CLOTHES to reply) writes:
> 
>  > It's nice to have a web browser on the VMS system so that one can cut
>  > and paste into/from DECterms,...
> 
> How is that different from cut-n-paste from a browser
> window into a Reflection (or any other emulator) window
> on a PC ?
> 
>  > save or upload files from the local disk etc.
> 
> I have never had any problem with temporary storage
> of VMS files on my local PC and then FTP'ing them
> over to the target VMS system.

Yes, but by downloading direct onto a VMS system, you can skip around 
FTP mangling of your files.

-- 
Paul Sture
0
Reply paul.nospam (2160) 6/15/2009 11:21:42 PM

Hi Bob,

"Bob Koehler" <koehler@eisner.nospam.encompasserve.org> wrote in message
news:M57U7iUXOSog@eisner.encompasserve.org...
> In article <h102qi$4h5$1@online.de>, helbig@astro.multiCLOTHESvax.de
(Phillip Helbig---remove CLOTHES to reply) writes:
> >
> > It's nice to have a web browser on the VMS system so that one can cut
> > and paste into/from DECterms, save or upload files from the local disk
> > etc.
>
>    And so one can browse with no fear of attack.

Now you're having a laugh ain't ya?

We've already seen OpenSSL on VMS being functionality releases behind (let
alone security patches) and now you're telling us that, after getting rid of
so many VMS developers, HP/VMS still has legions of nipple-pierced weirdos
ready to lower the latest versions and security patches for not 1, not 2,
not 3 but *4* web-browsers down to the long-suffering client-base? I think
not.

Still they certainly won't need IPsec down there cut-off from the rest of
the world. Yep HP/VMS has got the customers right where it wants them :-(

But keep on fooling yourself about having a secure OS until the next
pizza-faced kid comes along here and embarrasses everyone.
>

Regards Richard Maher

PS. Where can I find the list of HP/VMS Itanium Workstations that you people
are running your web-browsers on?


0
Reply maher_rj (1626) 6/16/2009 12:06:46 AM

In article <0017f71e$0$6114$c3e8da3@news.astraweb.com>, JF Mezei <jfmezei.spamnot@vaxination.ca> writes:
>Michael Unger wrote:
>
>> "U+00A0" is the special character "no-break space (standard width)" in
>> Unicode as well as in ISO-8859-x so it might be of some "real" use. 
>
>Non breaking space is used frequently in page layout software to prevent
>an expression from being split in multiple lines.
>
>For instance, say you had Open VMS , you'd want to have a non breaking
>space between the Open and the VMS to ensure they always remained
>together on a line and not split with VMS on the next line.
>
>Generally, one has to press special key combinations to get it.

This special key combination has always worked for me: &nbsp;

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

  http://www.quirkfactory.com/popart/asskey/eqn2.png
  
  "Well my son, life is like a beanstalk, isn't it?"
0
Reply VAXman 6/16/2009 1:10:08 AM

In article <79n6ueF1q0lvnU2@mid.individual.net>, Michael Unger
<spam.to.unger@spamgourmet.com> writes: 

> On 2009-06-14 10:12, "Phillip Helbig---remove CLOTHES to reply" wrote:
> 
> > My guess is that whatever software you are using converts your message
> > into quoted-printable text.  Why should " " (ASCII 32) be rendered as
> > =A0?  [...]
> 
> "U+00A0" is the special character "no-break space (standard width)" in
> Unicode as well as in ISO-8859-x so it might be of some "real" use. 

Right.

> (Not
> for news groups postings though ...)

Right.  It usually shows up when someone typed two spaces after a full 
stop.  The first gets rendered as a space, the second as =A0.  Certainly 
not what was intended in a newsgroup posting.

0
Reply helbig (4924) 6/16/2009 5:11:42 AM

P. Sture wrote:

> 
> I'm not saying it does; simply that we shouldn't ignore internal risks.
> 

But in this case taking risks is inevitable.
Admin staff naturally has privileges and management
simply has to trust them. Otherwise the company
has a cultural problem, not a technical one.

0
Reply M.Kraemer (1982) 6/16/2009 8:24:08 AM

John Wallace wrote:

> 
> 74% of what?
> 
> According to the Verizon summary page, they seem to mean 74% of
> "records compromised". Is that the same as "74% of incidents" which is
> more likely what Kerry meant (subject to confirmation)? A few big
> compromises could shift the numbers such that "% of records" isn't the
> same as "% of incidents".

A big compromise may have the same impact as many small ones.
I don't see why Verizon's findings (external breaches predominant)
should be less credible
than Mr. Main's (internal breaches predominant).
Both might be guided by their respective business interests.

> Lies, damned lies, and marketing statistics?

A rather silly answer, which always seems to come up
when statistics don't please the reader.

0
Reply M.Kraemer (1982) 6/16/2009 8:33:48 AM

In article <00A8D186.203E5159@SendSpamHere.ORG>,
 VAXman-  @SendSpamHere.ORG wrote:

> In article <0017f71e$0$6114$c3e8da3@news.astraweb.com>, JF Mezei 
> <jfmezei.spamnot@vaxination.ca> writes:
> >Michael Unger wrote:
> >
> >> "U+00A0" is the special character "no-break space (standard width)" in
> >> Unicode as well as in ISO-8859-x so it might be of some "real" use. 
> >
> >Non breaking space is used frequently in page layout software to prevent
> >an expression from being split in multiple lines.
> >
> >For instance, say you had Open VMS , you'd want to have a non breaking
> >space between the Open and the VMS to ensure they always remained
> >together on a line and not split with VMS on the next line.
> >
> >Generally, one has to press special key combinations to get it.
> 
> This special key combination has always worked for me: &nbsp;

That was almost a new keyboard required here ;-)

-- 
Paul Sture
0
Reply paul.nospam (2160) 6/16/2009 8:47:18 AM

On Jun 15, 9:10 pm, VAXman-  @SendSpamHere.ORG wrote:
> In article <0017f71e$0$6114$c3e8...@news.astraweb.com>, JF Mezei <jfmezei.spam...@vaxination.ca> writes:
>
> >Michael Unger wrote:
>
> >> "U+00A0" is the special character "no-break space (standard width)" in
> >> Unicode as well as in ISO-8859-x so it might be of some "real" use.
>
> >Non breaking space is used frequently in page layout software to prevent
> >an expression from being split in multiple lines.
>
> >For instance, say you had Open VMS , you'd want to have a non breaking
> >space between the Open and the VMS to ensure they always remained
> >together on a line and not split with VMS on the next line.
>
> >Generally, one has to press special key combinations to get it.
>
> This special key combination has always worked for me: &nbsp;
>
> --
> VAXman- A Bored Certified VMS Kernel Mode Hacker     VAXman(at)TMESIS(dot)ORG
>
>  http://www.quirkfactory.com/popart/asskey/eqn2.png
>
>   "Well my son, life is like a beanstalk, isn't it?"

Technically speaking, "&nbsp;" is called an HTML entity. Depending
upon your MIME declarations you can also use ASCII-160 or unicode
"U+00A0". Some web design tools convert ASCII-32 into ASCII-160 by
holding down either the control key or the shift key while hitting the
space bar.

NSR
0
Reply n.rieck (1986) 6/16/2009 11:20:05 AM

In article <h16njf$j3o$1@news-01.bur.connect.com.au>, "Richard Maher" <maher_rj@hotspamnotmail.com> writes:
> Hi Bob,
> 
> "Bob Koehler" <koehler@eisner.nospam.encompasserve.org> wrote in message
> news:M57U7iUXOSog@eisner.encompasserve.org...
>> In article <h102qi$4h5$1@online.de>, helbig@astro.multiCLOTHESvax.de
> (Phillip Helbig---remove CLOTHES to reply) writes:
>> >
>> > It's nice to have a web browser on the VMS system so that one can cut
>> > and paste into/from DECterms, save or upload files from the local disk
>> > etc.
>>
>>    And so one can browse with no fear of attack.
> 
> Now you're having a laugh ain't ya?

   Nope.  None of the existing attacks can penetrate my old VMS 7.3
   system running a retired version of Mozilla.

   I won't claim you couldn't write something that would provide at
   least a DOS attack, but it's not out there.

0
Reply koehler2 (8264) 6/16/2009 3:52:46 PM

helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes:

>In article <79n6ueF1q0lvnU2@mid.individual.net>, Michael Unger
><spam.to.unger@spamgourmet.com> writes: 

>Right.  It usually shows up when someone typed two spaces after a full 
>stop.  The first gets rendered as a space, the second as =A0.  Certainly 
>not what was intended in a newsgroup posting.

As others have mentioned, that's a non-breaking space.  Looks like a
space to humans but means don't split here if text processing software
reformats it.

I don't know why lots of newsgroup software does that (converts a second
space to NBSP).  If the post being quoted uses a certain character set, it
should be respected.  If no character set is specified, the default ASCII
should be used, meaning spaces are spaces.

My gripe with quoted-printable is that they should have chosen a more
obscure character than "=" for the escape character.  Less chance of
something that doesn't use non-ASCII characters but encoded with
quoted-printable format to appear as crap if viewed with something that
doesn't understand it.


0
Reply moroney (979) 6/16/2009 5:27:42 PM

In article <1MwZl.9608$U5.134449@newsb.telia.net>,
=?ISO-8859-1?Q?Jan-Erik_S=F6derholm?= <jan-erik.soderholm@telia.com>
writes: 

> In article <h102qi$4h5$1@online.de>, helbig@astro.multiCLOTHESvax.de
> (Phillip Helbig---remove CLOTHES to reply) writes:
> 
>  > It's nice to have a web browser on the VMS system so that one can cut
>  > and paste into/from DECterms,...
> 
> How is that different from cut-n-paste from a browser
> window into a Reflection (or any other emulator) window
> on a PC ?

Does the PC have a "VMS-style" keyboard?

>  > save or upload files from the local disk etc.
> 
> I have never had any problem with temporary storage
> of VMS files on my local PC and then FTP'ing them
> over to the target VMS system.

Sure it can be done, but why the extra step?

0
Reply helbig (4924) 6/16/2009 9:38:56 PM

Phillip Helbig---remove CLOTHES to reply wrote:
> In article <1MwZl.9608$U5.134449@newsb.telia.net>,
> =?ISO-8859-1?Q?Jan-Erik_S=F6derholm?= <jan-erik.soderholm@telia.com>
> writes: 
> 
>> In article <h102qi$4h5$1@online.de>, helbig@astro.multiCLOTHESvax.de
>> (Phillip Helbig---remove CLOTHES to reply) writes:
>>
>>  > It's nice to have a web browser on the VMS system so that one can cut
>>  > and paste into/from DECterms,...
>>
>> How is that different from cut-n-paste from a browser
>> window into a Reflection (or any other emulator) window
>> on a PC ?
> 
> Does the PC have a "VMS-style" keyboard?

Enough VMS-stylish. Has never been a problem for me.
Well, apart from some of the newer "multimedia keyboards"
where they have moved some keys around. I do not use them.

> 
>>  > save or upload files from the local disk etc.
>>
>> I have never had any problem with temporary storage
>> of VMS files on my local PC and then FTP'ing them
>> over to the target VMS system.
> 
> Sure it can be done, but why the extra step?

Because VMS as a desktop environment sucks. I have far better
tools available on my PC. VMS job is just one bit of what
I need a desktop environment for and everything else is
handled just OK on my WinXP laptop.

And besides, *if* the extra FTP step really was a problem,
I could easily connect a SAMBA share or something similar
and download from the PC browser directly to the VMS disk.

And finally, my VMS work is done at two different customers,
using two different VPN solutions, both available from my
WinXP laptop. I have no reason to run desktop applications
on a production system somewhere far away.

> 
0
Reply jan-erik.soderholm (2506) 6/16/2009 10:03:19 PM

Jan-Erik Söderholm wrote:

> Because VMS as a desktop environment sucks. 

It doesn't suck because it is VMS, it doesn't suck because the kernel
can't handle interactive GUI use. It sucks because Digital the PC was
not a threat and priced itself out of the market and then Palmer just
abandoned development of desktop software.

When you look at decwrite, CDA architecture, deccalc and, of course,
All-in-1, they were way ahead of the market in their days. VMS was once a
very capable desktop, much better than what Windows 3.1 and its
primitive word processor could offer back then.
0
Reply jfmezei.spamnot (8965) 6/17/2009 12:06:33 AM

JF Mezei wrote:
> Jan-Erik Söderholm wrote:
> 
>> Because VMS as a desktop environment sucks. 
> 
> It doesn't suck because it is VMS, it doesn't suck because the kernel
> can't handle interactive GUI use. It sucks because Digital the PC was
> not a threat and priced itself out of the market and then Palmer just
> abandoned development of desktop software.
> 
> When you look at decwrite, CDA architecture, deccalc and, of course,
> All-in-1, they were way ahead of the market in their days. VMS was once a
> very capable desktop, much better than what Windows 3.1 and its
> primitive word processor could offer back then.

Right, it sucks *today*.
That is, in the timeframe *I* am living.
0
Reply jan-erik.soderholm (2506) 6/17/2009 8:02:45 AM

Jan-Erik Söderholm wrote:
> JF Mezei wrote:
>> Jan-Erik Söderholm wrote:
>>
>>> Because VMS as a desktop environment sucks. 
>>
>> It doesn't suck because it is VMS, it doesn't suck because the kernel
>> can't handle interactive GUI use. It sucks because Digital the PC was
>> not a threat and priced itself out of the market and then Palmer just
>> abandoned development of desktop software.
>>
>> When you look at decwrite, CDA architecture, deccalc and, of course,
>> All-in-1, they were way ahead of the market in their days. VMS was once a
>> very capable desktop, much better than what Windows 3.1 and its
>> primitive word processor could offer back then.
> 
> Right, it sucks *today*.
> That is, in the timeframe *I* am living.

I think that the long and short of it is that DEC charged far more for 
the same functionality than Microsoft did.  The cost of a PC plus 
Windows, a word processor and a spreadsheet was far less than the cost 
of a VAXStation/AlphaStation plus VMS, DECWrite, DECCalc and/or All-In-1.

If Digital had a clue as to how to compete in the marketplace things 
might have been very different.



0
Reply rgilbert88 (4368) 6/17/2009 11:37:05 AM

Jan-Erik Söderholm wrote:

> Right, it sucks *today*.
> That is, in the timeframe *I* am living.

But it sucks because of a business decision to make it suck, not because
it can't be good on the desktop.

Linux started off as a character cell unix emulator. And today, it has a
couple of full fledged GUIs and a ton more X applications than VMS ever
had. So this shows that even a new product can grow, where there is a will.
0
Reply jfmezei.spamnot (8965) 6/17/2009 4:55:05 PM

JF Mezei wrote:
> Jan-Erik Söderholm wrote:
> 
> 
>>Right, it sucks *today*.
>>That is, in the timeframe *I* am living.
> 
> 
> But it sucks because of a business decision to make it suck, not because
> it can't be good on the desktop.
> 
> Linux started off as a character cell unix emulator. And today, it has a
> couple of full fledged GUIs and a ton more X applications than VMS ever
> had. So this shows that even a new product can grow, where there is a will.

Maybe, but in this case I wonder why nobody has come up
in the past 15 years to create opensource clones of DECwrite etc.

0
Reply M.Kraemer (1982) 6/17/2009 7:47:33 PM

Michael Kraemer wrote:
> JF Mezei wrote:
>> Jan-Erik Söderholm wrote:
>>
>>
>>> Right, it sucks *today*.
>>> That is, in the timeframe *I* am living.
>>
>>
>> But it sucks because of a business decision to make it suck, not because
>> it can't be good on the desktop.
>>
>> Linux started off as a character cell unix emulator. And today, it has a
>> couple of full fledged GUIs and a ton more X applications than VMS ever
>> had. So this shows that even a new product can grow, where there is a 
>> will.
> 
> Maybe, but in this case I wonder why nobody has come up
> in the past 15 years to create opensource clones of DECwrite etc.
> 

I just couldn't care less what *could* have been.
I have to deal with what's available here *now*.
There are way too many here on c.o.v who seem to
still be living in some 1980's bubble... :-) :-)

And all this negativism does more harm to VMS than
anything HP does, IMHO...

0
Reply jan-erik.soderholm (2506) 6/17/2009 7:55:25 PM

Michael Kraemer wrote:
> JF Mezei wrote:
>> Jan-Erik Söderholm wrote:
>>
>>
>>> Right, it sucks *today*.
>>> That is, in the timeframe *I* am living.
>>
>>
>> But it sucks because of a business decision to make it suck, not because
>> it can't be good on the desktop.
>>
>> Linux started off as a character cell unix emulator. And today, it has a
>> couple of full fledged GUIs and a ton more X applications than VMS ever
>> had. So this shows that even a new product can grow, where there is a 
>> will.
> 
> Maybe, but in this case I wonder why nobody has come up
> in the past 15 years to create opensource clones of DECwrite etc.
> 

Maybe no one wanted it that badly.  It's one thing when the software is 
available whether it's free or otherwise.  When you have to sit down and 
write and then debug 50,000 lines of code it's something else entirely. 
  Especially when it's not certain that you will ever be paid for your 
efforts.

You can buy a PC with Windows and a copy of Microsoft Office (Word, 
Excel and a couple of other toys) for $1000 or less.   Where is the 
incentive to create a competing product?  I think you can still buy Word 
Perfect if you can find someone who has or can get it.  I think Lotus 
1-2-3 may still be available but it's certainly not being marketed.

I've got mine!  It's old but it still works.
0
Reply rgilbert88 (4368) 6/17/2009 8:13:52 PM

Jan-Erik Söderholm wrote:
> Michael Kraemer wrote:
>> JF Mezei wrote:
>>> Jan-Erik Söderholm wrote:
>>>
>>>
>>>> Right, it sucks *today*.
>>>> That is, in the timeframe *I* am living.
>>>
>>>
>>> But it sucks because of a business decision to make it suck, not because
>>> it can't be good on the desktop.
>>>
>>> Linux started off as a character cell unix emulator. And today, it has a
>>> couple of full fledged GUIs and a ton more X applications than VMS ever
>>> had. So this shows that even a new product can grow, where there is a 
>>> will.
>>

So maybe Linux has a better "business model"!

>> Maybe, but in this case I wonder why nobody has come up
>> in the past 15 years to create opensource clones of DECwrite etc.
>>
> 
> I just couldn't care less what *could* have been.
> I have to deal with what's available here *now*.
> There are way too many here on c.o.v who seem to
> still be living in some 1980's bubble... :-) :-)
> 
> And all this negativism does more harm to VMS than
> anything HP does, IMHO...
> 

Negativism?  It's reality!  We've been screwed and I'm no happier about 
it than anyone else here.  We still have to live with it.
0
Reply rgilbert88 (4368) 6/17/2009 8:18:43 PM

Jan-Erik Söderholm wrote:

> I just couldn't care less what *could* have been.
> I have to deal with what's available here *now*.
> There are way too many here on c.o.v who seem to
> still be living in some 1980's bubble... :-) :-)
> 
> And all this negativism does more harm to VMS than
> anything HP does, IMHO...

What's negative about asking why there's not much
more software available for VMS?
And why would this do harm to VMS?

0
Reply M.Kraemer (1982) 6/18/2009 1:01:27 AM

Michael Kraemer wrote:
> Jan-Erik Söderholm wrote:
> 
>> I just couldn't care less what *could* have been.
>> I have to deal with what's available here *now*.
>> There are way too many here on c.o.v who seem to
>> still be living in some 1980's bubble... :-) :-)
>>
>> And all this negativism does more harm to VMS than
>> anything HP does, IMHO...
> 
> What's negative about asking why there's not much
> more software available for VMS?
> And why would this do harm to VMS?
> 

If software is not available for VMS it's because nobody wrote it and 
distributed it.  Possible reasons for not writing, etc:
1. Perceived market too small to be profitable.
2. Owner/author lacks skills required to port it to VMS.
3. Owner/author never heard of VMS.
4. etc.

If you asked for firewalls instead of "fiewalls" there might actually be
something available.  I have the impression that most firewalls are 
dedicated special purpose boxes that block incoming traffic that doesn't 
meet certain requirements.

I believe that there are also software firewalls that could be ported to 
VMS.  ISTR something called IPTABLES or something of the sort, that came 
out of the Linux world.  You can block IP addresses, ranges of addresses, 
protocols, . . . .  You can specify that you will accept ONLY certain 
addresses and/or protocols. . . .
0
Reply rgilbert88 (4368) 6/18/2009 1:35:06 AM

> I think it was Jan-Erik Söderholm who wrote:

>> And all this negativism does more harm to VMS than
>> anything HP does, IMHO...

If HP had added new features to the roadmap instead of removing some and
if Hurd himself had written a letter to confirm HP's commitment to
continued VMS development at the same or increased pace, then the
staffing changes might not have translated into thoughts of HP
increasing the speed of the winding down of VMS.

VMS is now in a retirement home where it will stay until HP declares
that it is terminally ill with no more development and 5 years of support.

There is no point in pretending that VMS has a bright future ahead. HP
chose to NOT give any warm and fuzzy feelings about this change. It used
to be that we had to read between the lines, now, HP's intentions are
pretty obvious.

You can choose to live in your own little environment where you believe
that VMS has a bright future, but don't complain when you peek out and
you see people say the exact opposite.
0
Reply jfmezei.spamnot (8965) 6/18/2009 1:43:39 AM

Richard B. Gilbert wrote:

> 
> Maybe no one wanted it that badly.  It's one thing when the software is 
> available whether it's free or otherwise.  When you have to sit down and 
> write and then debug 50,000 lines of code it's something else entirely. 
>  Especially when it's not certain that you will ever be paid for your 
> efforts.

But that's the way for example the Linux universe works.
Lots of people working without being paid, most of them at least.
Their gratis work even allows the original Unix vendors
to wind down their own products.

> You can buy a PC with Windows and a copy of Microsoft Office (Word, 
> Excel and a couple of other toys) for $1000 or less. 

That's the situation today, not 15 years ago.

> Where is the 
> incentive to create a competing product? 

For a VMS advocate: keeping his favorite OS viable?
In Linux-land, when a product is missing, somebody comes up
and creates it.
In VMS-land, when a product is missing, people complain
and blame the respective owner, lack of marketing,
Palmer, etc.

0
Reply M.Kraemer (1982) 6/19/2009 6:23:17 AM

Michael Kraemer wrote:

> In VMS-land, when a product is missing, people complain
> and blame the respective owner, lack of marketing,
> Palmer, etc.

   Some of us complain about the features which are missing
from the C run-time environment, whose absence makes it so
difficult to port some popular programs (or features within
programs) to VMS.  For example, shmget(), UNIX sockets, and so
on.
0
Reply sms.antinode (940) 6/19/2009 4:18:16 PM

Steven Schweda wrote:

>    Some of us complain about the features which are missing
> from the C run-time environment, whose absence makes it so
> difficult to port some popular programs (or features within
> programs) to VMS.  For example, shmget(), UNIX sockets, and so
> on.

This can be turned around though.

Say "Wireshark" had been written originally by a VMS guy. It would make
use of Motif, and all sorts of VMS system run time.

It is then the Unix guys who would complain that Unix lacks the
compatible systems services and Wireshark is difficult to port to Unix.

Remember that it used to be that VMS had a much bigger software
collection than Unix. But when Digital started to signal it was
unwilling to compete and then when Palmer signaled the end of VMS, it
didn't take much time for Unix to become the predominant OS in terms of
available software.
0
Reply jfmezei.spamnot (8965) 6/19/2009 4:39:16 PM

On Jun 17, 4:13 pm, "Richard B. Gilbert" <rgilber...@comcast.net>
wrote:
> Michael Kraemer wrote:
> > JF Mezei wrote:
> >> Jan-Erik Söderholm wrote:
>
> >>> Right, it sucks *today*.
> >>> That is, in the timeframe *I* am living.
>
> >> But it sucks because of a business decision to make it suck, not because
> >> it can't be good on the desktop.
>
> >> Linux started off as a character cell unix emulator. And today, it has a
> >> couple of full fledged GUIs and a ton more X applications than VMS ever
> >> had. So this shows that even a new product can grow, where there is a
> >> will.
>
> > Maybe, but in this case I wonder why nobody has come up
> > in the past 15 years to create opensource clones of DECwrite etc.
>
> Maybe no one wanted it that badly.  It's one thing when the software is
> available whether it's free or otherwise.  When you have to sit down and
> write and then debug 50,000 lines of code it's something else entirely.
>   Especially when it's not certain that you will ever be paid for your
> efforts.
>
> You can buy a PC with Windows and a copy of Microsoft Office (Word,
> Excel and a couple of other toys) for $1000 or less.   Where is the
> incentive to create a competing product?  I think you can still buy Word
> Perfect if you can find someone who has or can get it.

You can get it here!

http://www.corel.com/servlet/Satellite/us/en/Product/1207676528492#tabview=tab0

Unfortunately, there is no Mac version.

[...]

AEF
0
Reply spamsink2001 (3079) 6/19/2009 4:39:30 PM

In article <001cfdc5$0$6075$c3e8da3@news.astraweb.com>,
	JF Mezei <jfmezei.spamnot@vaxination.ca> writes:
> Steven Schweda wrote:
> 
>>    Some of us complain about the features which are missing
>> from the C run-time environment, whose absence makes it so
>> difficult to port some popular programs (or features within
>> programs) to VMS.  For example, shmget(), UNIX sockets, and so
>> on.
> 
> This can be turned around though.
> 
> Say "Wireshark" had been written originally by a VMS guy. It would make
> use of Motif, and all sorts of VMS system run time.
> 
> It is then the Unix guys who would complain that Unix lacks the
> compatible systems services and Wireshark is difficult to port to Unix.
> 
> Remember that it used to be that VMS had a much bigger software
> collection than Unix. 

Can't imagine when that might have been.  Unless you mean software you
had to pay for.  :-)  People have been developing software for Unix and
giving it away since the earliest days of Unix.  As for how much was
available...  I remember someone mentioning the "Sourcebook" being an
inch thick.  The PDP-11 Sourcebook was a two volume set and was a total
of three inches thick (yes, I still have both the VMS and the PDP-11
books!)  It is rather interesting that not even a majority of the existing
PDP-11 software, which should have ported much easier than unix software,
made it to VMS.

>                        But when Digital started to signal it was
> unwilling to compete and then when Palmer signaled the end of VMS, it
> didn't take much time for Unix to become the predominant OS in terms of
> available software.

I think an objective view would show that there have always been more
people developing software for Unix than for VMS.

bill


-- 
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999@cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include <std.disclaimer.h>   
0
Reply bill173 (35) 6/20/2009 12:48:50 AM

Michael Kraemer wrote:

> >    Some of us complain about the features which are missing
> > from the C run-time environment, whose absence makes it so
> > difficult to port some popular programs (or features within
> > programs) to VMS.  For example, shmget(), UNIX sockets, and so
> > on.
>
> This might be a problem if one tries a 1:1 literal translation.
> It would be better to translate into equivalent functionality.

   And getting a near-complete re-write of some program
incorporated into the main source stream by the maintainers of
that program presents another set of problems.

> Of course this requires deeper insight into the respective
> programs rather than just running the C compiler.

   Insight, knowledge, desire, time, and other scarce
resources.
0
Reply sms.antinode (940) 6/20/2009 2:14:04 PM

Michael Kraemer wrote:
> 
> JF Mezei wrote:
> 
> > It is then the Unix guys who would complain that Unix lacks the
> > compatible systems services and Wireshark is difficult to port to Unix.
> 
> AFAIR the major annoyances when porting Fortran or C code
> from VMS to Unix (Ultrix,AIX,...) were:
> 
> logical names in header files specs
> (logical names are about the only advantage of VMS over Unix
>   I can remember),

Probably because it was before clustering or without the use of
clustering. Combined with the "shared nothing" nature of UN*X, the lack
of SYSMAN's DO functionality is by FAR the worst bane of the VMS
person's existence in UN*X-land.

> language "extensions" going beyond the F77 standard,
> use of OS specifics in I/O statements,
> hardcoded filenames and associated fun.
> Access to VMS system services was a minor problem.
> 
> > Remember that it used to be that VMS had a much bigger software
> > collection than Unix. But when Digital started to signal it was
> > unwilling to compete and then when Palmer signaled the end of VMS, it
> > didn't take much time for Unix to become the predominant OS in terms of
> > available software.
> 
> That happened already as early as 1989 (at latest),
> when DECstations were faster, cheaper, better than VAXstations.
> Not even talking about the competition from outside DEC.
> You can't blame Palmer for all evil.

Just most of it. ;-)

D.J.D.
0
Reply djesys.no (1536) 6/21/2009 3:13:01 AM

Hi Paul,

"P. Sture" <paul.sture.nospam@hispeed.ch> wrote in message
news:paul.sture.nospam-620819.17152913062009@mac.sture.ch...
> In article <00A8CF8C.DECFB7E5@SendSpamHere.ORG>,
>  VAXman-  @SendSpamHere.ORG wrote:
>
> > In article <0014c692$0$6100$c3e8da3@news.astraweb.com>, JF Mezei
> > <jfmezei.spamnot@vaxination.ca> writes:
> > >H Vlems wrote:
> > >
> > >> If the system is on line it logs a couple of telnet, ftp and
> > >> occasional http requests per week. Although the frequency seems to
> > >> increase slowly but steadily.
> > >
> > >
> > >If you enable SSH, you will find a huge amount of connection attempts.
> > >People don't bother with telnet break in attempts because so few sites
> > >have telnet enabled.
> >
> > D'oh! DO NOT RUN SSH ON THE DEFAULT PORT 22!!!
> >
> > For TCPIP Services:
> >
> > $ TCPIP DISABLE SERVICE SSH
> > $ DEFINE SYS$INPUT SYS$COMMAND
> > $ TCPIP SET NOSERVICE SSH
> > $ TCPIP SET SERVICE SSH/PORT={not port 22}/PROCESS=TCPIP$SSH/USER=TCPIP$SSH-
> >   /FILE=TCPIP$SYSTEM:TCPIP$SSH_RUN.COM/PROTOCOL=TCP [/LIMIT={some limit}]
> > $ TCPIP ENABLE SERVICE SSH
> >
> > The optional /LIMIT={some limit} will stop the generation of ssh processes
> > if there is a port scan that triggers them.  A minor inconvenience if you
> > need to login at that moment but it sure saves system resources for those
> > users and processes already running on the system.
>
> I'll second that advice, which VAXman gave me several years ago, so I
> can say that it is effective.

Here's some more advice: - Why use SSH at all?

Just popped into your local internet café and thought you'd log-on for the
hell of it?

Don't want your bosses to know where you're dialing in from 'cos you like to
keep'em guessing?

It's none of their business where you're logging in from?

I tell you what, here's some advice that you're as free to ignore as much as
every other blue-blood VMS system manager in this group: -

Point A

Point B

Encrypt the fucker and enforce mutual authentication on *all* traffic
between them!

It's just so bloody complicated isn't it? You have to leave your
security-blankets of SSH, SFTP, FTPS, HTTPs, and SCP all behind you and swim
without floaties! Simple Telnet, FTP, HTTP, JDBC, ODBC, TIER3, *Anything
DECnet over IP*, all fucking secure because the plumber's been in and done
his job!

Alternatively ask each and every layered-product or bespoke package to
incorporate some insecure outdated piece o' shit version of OpenSSL - OTY.
>
> -- 
> Paul Sture

Regards Richard Maher



0
Reply maher_rj (1626) 6/21/2009 7:34:23 AM

David J Dachtera wrote:
> Michael Kraemer wrote:
> 

>>(logical names are about the only advantage of VMS over Unix
>>  I can remember),
> 
> Probably because it was before clustering or without the use of
> clustering. Combined with the "shared nothing" nature of UN*X, the lack
> of SYSMAN's DO functionality is by FAR the worst bane of the VMS
> person's existence in UN*X-land.

What "shared nothing" ?
Data and application software can be shared via
NFS-mounts and this satisfied the needs of
most end-users back then.
A setup of a few Unix servers
plus a bunch of client workstations was more stable
than the VMS cluster counterpart,
according to my end-user's experience.

> 
>>You can't blame Palmer for all evil.
> 
> Just most of it. ;-)
> 

Most of it has roots in the era before Palmer.
Ignoring major IT trends, too little too late,
lack of focus, etc etc.

0
Reply M.Kraemer (1982) 6/22/2009 12:51:19 AM

Michael Kraemer wrote:
> David J Dachtera wrote:
>> Michael Kraemer wrote:
>>
> 
>>> (logical names are about the only advantage of VMS over Unix
>>>  I can remember),
>>
>> Probably because it was before clustering or without the use of
>> clustering. Combined with the "shared nothing" nature of UN*X, the lack
>> of SYSMAN's DO functionality is by FAR the worst bane of the VMS
>> person's existence in UN*X-land.
> 
> What "shared nothing" ?
> Data and application software can be shared via
> NFS-mounts and this satisfied the needs of
> most end-users back then.
> A setup of a few Unix servers
> plus a bunch of client workstations was more stable
> than the VMS cluster counterpart,
> according to my end-user's experience.
> 
>>
>>> You can't blame Palmer for all evil.
>>
>> Just most of it. ;-)
>>
> 
> Most of it has roots in the era before Palmer.
> Ignoring major IT trends, too little too late,
> lack of focus, etc etc.
> 

You forgot to mention UCX!  DEC was, I believe, the LAST major player in 
the DEC market to offer a fully working TCP/IP stack for VMS!  AIRC it 
took them  until some time in 1999 to get SMTP more or less working.  It 
took still longer to get usable documentation for UCX.
0
Reply rgilbert88 (4368) 6/22/2009 1:22:22 AM

Richard B. Gilbert wrote:
> Michael Kraemer wrote:
> 

>>
>> Most of it has roots in the era before Palmer.
>> Ignoring major IT trends, too little too late,
>> lack of focus, etc etc.
>>
> 
> You forgot to mention UCX!  DEC was, I believe, the LAST major player in 
> the DEC market to offer a fully working TCP/IP stack for VMS!  AIRC it 
> took them  until some time in 1999 to get SMTP more or less working.  It 
> took still longer to get usable documentation for UCX.

Put that under the "ignoring trends" headline.
Networking was one of the megatrends from the late
1980s onwards. The sheer fact that third parties
had to jump in and deliver a TCP/IP stack for VMS
shows how out-of-focus DEC was already before Palmer
inherited the whole mess.
One would have expected sth better from the
co-inventor of ethernet.

0
Reply M.Kraemer (1982) 6/22/2009 7:14:17 AM

Michael Kraemer wrote:

> 1980s onwards. The sheer fact that third parties
> had to jump in and deliver a TCP/IP stack for VMS
> shows how out-of-focus DEC was already before Palmer
> inherited the whole mess.


In defense of Olsen, one needs to be reminded that back then, the "OSI"
thing was promoted as THE one networking technology that would be
embraced by everyone and which the governments would require. And
Digital was a leader in that field.

DEC failed to turn around quickly when it became obvious OSI wouldn't
catch on and go full speed ahead with IP. And it took it an eternity to
get something semi palatable. And even today, they are failing to
provide proper email infrastructure with their stack.  Maybe the newbies
who don't know about DECnet will remove the stupid code from the SMTP
receiver that splits incoming lines that are longer than 256 bytes which
results in ill-formed headers which are noticed by the IMAP/POP servers
which then promptly ignore the headers and generate their own, and treat
the headers as text.

In hindsight, we can say that DEC should have ignored OSI and gone IP
right away, but back then, it wasn't so obvious. IBM and HP also had OSI
projects as I recall.


0
Reply jfmezei.spamnot (8965) 6/22/2009 2:10:11 PM
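
The failure JF Mezei describes in the post above, as an added example (not part of the thread and not code from TCP/IP Services): the hypothetical `hard_split` models a receiver that cuts lines over 256 bytes, `fold_headers` shows whitespace folding as RFC 5322 allows, and Python's `email` parser stands in for the downstream IMAP/POP server. The sample message and every function name are constructed for the illustration; unlike the servers in the post, the parser does not generate replacement headers, it only shows which ones are lost.

```python
from email import message_from_bytes
from email.errors import MissingHeaderBodySeparatorDefect

LIMIT = 256  # line length at which the post says the receiver splits


def build_sample() -> bytes:
    """Constructed message whose To: header is a single 402-byte line."""
    to = ", ".join(f"user{i:02d}@example.org" for i in range(20))
    lines = [
        "From: sender@example.org",
        "To: " + to,
        "Subject: quarterly report",
        "Message-ID: <constructed-1@example.org>",
        "",
        "Body text.",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def hard_split(raw: bytes, limit: int = LIMIT) -> bytes:
    """Model of the described defect: cut every overlong line at `limit`
    bytes and start the remainder at column 0 of a new line."""
    out = []
    for line in raw.split(b"\r\n"):
        while len(line) > limit:
            out.append(line[:limit])
            line = line[limit:]
        out.append(line)
    return b"\r\n".join(out)


def fold_headers(raw: bytes, limit: int = LIMIT) -> bytes:
    """Header-aware alternative: break an overlong header line before a
    space so the continuation starts with whitespace (RFC 5322 folding).
    The body is left untouched."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n"):
        while len(line) > limit:
            cut = line.rfind(b" ", 1, limit + 1)
            if cut <= 0:
                break  # no whitespace to fold at; leave the line intact
            out.append(line[:cut])
            line = line[cut:]  # continuation keeps its leading space
        out.append(line)
    return b"\r\n".join(out) + sep + body


def parse_view(raw: bytes) -> dict:
    """What a header-driven consumer (mail store, filter) would see."""
    msg = message_from_bytes(raw)
    to_value = msg["To"] or ""
    return {
        "names": msg.keys(),
        "recipients": to_value.count("@"),
        "separator_defect": any(
            isinstance(d, MissingHeaderBodySeparatorDefect) for d in msg.defects
        ),
        "body": msg.get_payload(),
    }


if __name__ == "__main__":
    sample = build_sample()
    for label, wire in (("hard split", hard_split(sample)),
                        ("folded", fold_headers(sample))):
        view = parse_view(wire)
        print(f"{label}: headers={view['names']} "
              f"recipients={view['recipients']} "
              f"defect={view['separator_defect']}")
        print("  body starts:", repr(view["body"][:40]))
```

After the hard split, the tail of the To: line is no longer a valid header or continuation, so the parser ends the header block there and Subject and Message-ID arrive as body text, invisible to any rule keyed on headers.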

On Jun 22, 9:10 am, JF Mezei <jfmezei.spam...@vaxination.ca> wrote:
> Michael Kraemer wrote:
> > 1980s onwards. The sheer fact that third parties
> > had to jump in and deliver a TCP/IP stack for VMS
> > shows how out-of-focus DEC was already before Palmer
> > inherited the whole mess.
>
> In defense of Olsen, one needs to be reminded that back then, the "OSI"
> thing was promoted as THE one networking technology that would be
> embraced by everyone and which the governments would require. And
> Digital was a leader in that field.
>
> DEC failed to turn around quickly when it became obvious OSI wouldn't
> catch on and go full speed ahead with IP. And it took it an eternity to
> get something semi palatable. And even today, they are failing to
> provide proper email infrastructure with their stack.  Maybe the newbies
> who don't know about DECnet will remove the stupid code from the SMTP
> receiver that splits incoming lines that are longer than 256 bytes which
> results in ill-formed headers which are noticed by the IMAP/POP servers
> which then promptly ignore the headers and generate their own, and treat
> the headers as text.
>
> In hindsight, we can say that DEC should have ignored OSI and gone IP
> right away, but back then, it wasn't so obvious. IBM and HP also had OSI
> projects as I recall.

I'll agree here; I was working for a contractor to the DOE back in the
mid-late '80s and we were told flat out that we would be moving to OSI
because the government was mandating it.  DECnet was out, and TCPIP
was going to go away over several years on all 'public' government
networks.

Rich
0
Reply jordan (1203) 6/22/2009 6:05:02 PM

JF Mezei <jfmezei.spamnot@vaxination.ca> wrote:

(big snip)
 
< In hindsight, we can say that DEC should have ignored OSI and gone IP
< right away, but back then, it wasn't so obvious. IBM and HP also had OSI
< projects as I recall.

Well, IBM was Token Ring way too long, and HP went for 100baseVG
instead of TX like everyone else.  With the wrong hardware, you might
just as well have the wrong software, too.

-- glen 
0
Reply gah (12302) 6/22/2009 6:18:07 PM

JF Mezei wrote:

> In defense of Olsen, one needs to be reminded that back then, the "OSI"
> thing was promoted as THE one networking technology that would be
> embraced by everyone and which the governments would require. And
> Digital was a leader in that field.

No excuse, because the other vendors would have to
follow the same requirements.

> DEC failed to turn around quickly when it became obvious OSI wouldn't
> catch on and go full speed ahead with IP. And it took it an eternity to
> get something semi palatable. 

But the others would have had the same problem.
Plus, TCP/IP is not rocket science,
in particular if the VMS engineers are really
so ingenious as you always claim.
So again, no excuse.

> In hindsight, we can say that DEC should have ignored OSI and gone IP
> right away, but back then, it wasn't so obvious. IBM and HP also had OSI
> projects as I recall.

So IBM and HP (and all the others) managed OSI as well as TCP/IP.
Why couldn't DEC ?

0
Reply M.Kraemer (1982) 6/22/2009 9:10:27 PM

glen herrmannsfeldt wrote:
> 
> Well, IBM was Token Ring way too long, and HP went for 100baseVG
> instead of TX like everyone else.  With the wrong hardware, you might
> just as well have the wrong software, too.
> 

There was nothing "wrong" with Token Ring or 100baseVG,
they simply didn't succeed in the marketplace.
In fact one might have preferred collision-free
16Mb Token Ring over 10Mb Ethernet back then.
And both IBM and HP supported Ethernet in parallel
to their "proprietary" technologies.


0
Reply M.Kraemer (1982) 6/22/2009 9:18:57 PM

On Jun 22, 3:10 pm, JF Mezei <jfmezei.spam...@vaxination.ca> wrote:
> Michael Kraemer wrote:
> > 1980s onwards. The sheer fact that third parties
> > had to jump in and deliver a TCP/IP stack for VMS
> > shows how out-of-focus DEC was already before Palmer
> > inherited the whole mess.
>
> In defense of Olsen, one needs to be reminded that back then, the "OSI"
> thing was promoted as THE one networking technology that would be
> embraced by everyone and which the governments would require. And
> Digital was a leader in that field.
>
> DEC failed to turn around quickly when it became obvious OSI wouldn't
> catch on and go full speed ahead with IP. And it took it an eternity to
> get something semi palatable. And even today, they are failing to
> provide proper email infrastructure with their stack.  Maybe the newbies
> who don't know about DECnet will remove the stupid code from the SMTP
> receiver that splits incoming lines that are longer than 256 bytes which
> results in ill-formed headers which are noticed by the IMAP/POP servers
> which then promptly ignore the headers and generate their own, and treat
> the headers as text.
>
> In hindsight, we can say that DEC should have ignored OSI and gone IP
> right away, but back then, it wasn't so obvious. IBM and HP also had OSI
> projects as I recall.

It certainly wasn't obvious at all.

When GM and friends say "we've had enough chaos, we want
OSI" (Manufacturing Automation Protocol flavour) and Boeing and
friends say "we've had enough chaos, we want OSI" (Technical+Office
Protocol flavour)  in addition to the Governments in USA and Europe
saying "we've had enough chaos, we want OSI" (GOSIP flavours) it's a
brave vendor who chooses to ignore them.

DEC had the network technology, some vendors had some applications,
but for whatever reason, it never really caught on. Back then maybe it
was just too much of a resource hog?

In DEC's case, they backed the OSI horse almost exclusively. At other
vendors I was aware of, OSI was a bit of a "token" (er, sorry)
gesture, and they stuck with their IP comfort zone for the real
business.
0
Reply johnwallace44 (832) 6/22/2009 11:09:13 PM

Michael Kraemer wrote:
> 
> David J Dachtera schrieb:
> > Michael Kraemer wrote:
> >
> 
> >>(logical names are about the only advantage of VMS over Unix
> >>  I can remember),
> >
> > Probably because it was before clustering or without the use of
> > clustering. Combined with the "shared nothing" nature of UN*X, the lack
> > of SYSMAN's DO functionality is by FAR the worst bane of the VMS
> > person's existence in UN*X-land.
> 
> What "shared nothing" ?
> Data and application software can be shared via
> NFS-mounts and this satisfied the needs of
> most end-users back then.

Back when? Fast Forward back to today and try again. FC = 4GB, 10Gig-E =
10Gbit. Not even close.

...and where's the lock management? ...distributed HBVS?

> A setup of a few Unix servers
> plus a bunch of client workstations was more stable
> than the VMS cluster counterpart,
> according to my end-user's experience.

Must not have ever been a VMScluster user, then, or used VMS but didn't
really need clustering, rather some other form of access sharing without
lock management.

> >
> >>You can't blame Palmer for all evil.
> >
> > Just most of it. ;-)
> >
> 
> Most of it has roots in the era before Palmer.
> Ignoring major IT trends, too little too late,
> lack of focus, etc etc.

..., prices out of line with competitive products and/or what corporate
IT was willing to spend, ...

(Geez! That "affordability" thing just will NEVER die, will it?)

D.J.D.
0
Reply djesys.no (1536) 6/23/2009 2:45:50 AM

David J Dachtera schrieb:
> Michael Kraemer wrote:
> 
>>David J Dachtera schrieb:
>>
>>>Michael Kraemer wrote:
>>>
>>
>>>>(logical names are about the only advantage of VMS over Unix
>>>> I can remember),
>>>
>>>Probably because it was before clustering or without the use of
>>>clustering. Combined with the "shared nothing" nature of UN*X, the lack
>>>of SYSMAN's DO functionality is by FAR the worst bane of the VMS
>>>person's existence in UN*X-land.
>>
>>What "shared nothing" ?
>>Data and application software can be shared via
>>NFS-mounts and this satisfied the needs of
>>most end-users back then.
> 
> 
> Back when? Fast Forward back to today and try again. FC = 4GB, 10Gig-E =
> 10Gbit. Not even close.

That's hardware. What has it to do with
the way users share their data, back then
(when Unix started to replace VMS) and now?

> ...and where's the lock management? ...distributed HBVS?

NFS for example has a lock daemon, no?

> 
>>A setup of a few Unix servers
>>plus a bunch of client workstations was more stable
>>than the VMS cluster counterpart,
>>according to my end-user's experience.
> 
> 
> Must not have ever been a VMScluster user, then, or used VMS but didn't
> really need clustering, rather some other form of access sharing without
> lock management.

Well, the VMS bigots running it called their setup "cluster",
so it must have been one. But I suspect it wasn't
quite what you have in mind, so at best we can say that our
mileages vary.
Anyway, its stability was nothing to write home about.

> 
>>>>You can't blame Palmer for all evil.
>>>
>>>Just most of it. ;-)
>>>
>>
>>Most of it has roots in the era before Palmer.
>>Ignoring major IT trends, too little too late,
>>lack of focus, etc etc.
> 
> 
> ..., prices out of line with competitive products and/or what corporate
> IT was willing to spend, ...
> 
> (Geez! That "affordability" thing just will NEVER die, will it?)

Probably not. It's kind of a natural law.
You only spend extra money if it pays off.

0
Reply M.Kraemer (1982) 6/23/2009 7:26:21 AM

Michael Kraemer <M.Kraemer@gsi.de> wrote:
(big snip)
 
< NFS for example has a lock daemon, no?

Some say yes, others disagree.

Some years ago (SunOS days) I had a Sun system that was
spending all its time in the lock daemon for no reason at all.
Some confusion between client and server over the status of
a lock that was never going to be resolved.  I believe it
was also writing to the log file, which was a bigger problem
than the CPU used.

NFS is supposed to be a stateless protocol, but locking is stateful.

-- glen

0
Reply gah (12302) 6/23/2009 7:53:11 AM

Michael Kraemer wrote:
> 
> David J Dachtera schrieb:
> > Michael Kraemer wrote:
> >
> >>David J Dachtera schrieb:
> >>
> >>>Michael Kraemer wrote:
> >>>
> >>
> >>>>(logical names are about the only advantage of VMS over Unix
> >>>> I can remember),
> >>>
> >>>Probably because it was before clustering or without the use of
> >>>clustering. Combined with the "shared nothing" nature of UN*X, the lack
> >>>of SYSMAN's DO functionality is by FAR the worst bane of the VMS
> >>>person's existence in UN*X-land.
> >>
> >>What "shared nothing" ?
> >>Data and application software can be shared via
> >>NFS-mounts and this satisfied the needs of
> >>most end-users back then.
> >
> >
> > Back when? Fast Forward back to today and try again. FC = 4GB, 10Gig-E =
> > 10Gbit. Not even close.
> 
> That's hardware. What has it to do with
> the way users share their data, back then
> (when Unix started to replace VMS) and now?

Now? That question answers itself, does it not?

> > ...and where's the lock management? ...distributed HBVS?
> 
> NFS for example has a lock daemon, no?

Distributed lock manager?

Does Node "A" know that Node "B" holds a lock on resource NFS served by
Node "C"?

> >
> >>A setup of a few Unix servers
> >>plus a bunch of client workstations was more stable
> >>than the VMS cluster counterpart,
> >>according to my end-user's experience.
> >
> >
> > Must not have ever been a VMScluster user, then, or used VMS but didn't
> > really need clustering, rather some other form of access sharing without
> > lock management.
> 
> Well, the VMS bigots running it called their setup "cluster",
> so it must have been one. But I suspect it wasn't
> quite what you have in mind, so at best we can say that our
> mileages vary.
> Anyway, its stability was nothing to write home about.

Hardware? VMS version?

> >
> >>>>You can't blame Palmer for all evil.
> >>>
> >>>Just most of it. ;-)
> >>>
> >>
> >>Most of it has roots in the era before Palmer.
> >>Ignoring major IT trends, too little too late,
> >>lack of focus, etc etc.
> >
> >
> > ..., prices out of line with competitive products and/or what corporate
> > IT was willing to spend, ...
> >
> > (Geez! That "affordability" thing just will NEVER die, will it?)
> 
> Probably not. It's kind of a natural law.
> You only spend extra money if it pays off.

...and neither Compaq nor HP ever could sell that whole TCO thing.

D.J.D.
0
Reply djesys.no (1536) 6/23/2009 11:30:33 PM

David J Dachtera schrieb:

> 
> Now? That question answers itself, does it not?

No. Of course hardware got faster,
but also the amount of data to be shared.
And again, what has this to do
with the way data are shared in VMS vs Unix ?

> 
>>>...and where's the lock management? ...distributed HBVS?
>>
>>NFS for example has a lock daemon, no?
> 
> 
> Distributed lock manager?
> 
> Does Node "A" know that Node "B" holds a lock on resource NFS served by
> Node "C"?

rpc.lockd ?
NFS is not the non-plus-ultra of filesystems,
but it works fine for me, as it does for many others.
It seems you are way too obsessed with a single issue
you are trying to solve.

>>Anyway, its stability was nothing to write home about.
> 
> 
> Hardware? VMS version?

In the beginning of this subthread (porting code VMS => Unix)
I referred to the early 1990s, which means VAX hardware
and probably one of the most recent VMS versions available then.
And anticipating the usual objections
("it's history", "too old", "should have upgraded", "should have done 
this or that"): those are not the point.
It's simply that at that point in time the grass was much greener
on the Unix side than on the VMS side. And it stayed that way.

> 
> ...and neither Compaq nor HP ever could sell that whole TCO thing.
> 

You need the TCO argument only if you want to "proof" that
the new system you already have chosen for other reasons
is cheaper than the old system you want to get rid of.
Otherwise it's the price of the hardware that counts.

0
Reply M.Kraemer (1982) 6/24/2009 6:48:18 AM

Michael Kraemer wrote:
> 
> David J Dachtera schrieb:
> 
> >
> > Now? That question answers itself, does it not?
> 
> No. Of course hardware got faster,
> but also the amount of data to be shared.
> And again, what has this to do
> with the way data are shared in VMS vs Unix ?

VMS = shared everything

UN*X = shared nothing - needs add-ons like NFS, as you noted.

> >
> >>>...and where's the lock management? ...distributed HBVS?
> >>
> >>NFS for example has a lock daemon, no?
> >
> >
> > Distributed lock manager?
> >
> > Does Node "A" know that Node "B" holds a lock on resource NFS served by
> > Node "C"?
> 
> rpc.lockd ?
> NFS is not the non-plus-ultra of filesystems,
> but it works fine for me, as it does for many others.
> It seems you are way too obsessed with a single issue
> you are trying to solve.

Try again. The DLM is part of the foundation of clustering.

...and no, it's not "a single issue (I am) trying to solve." It's the
whole system: tiers 2 and 3 of a three-tiered, very high transaction
volume system (electronic health record).

> >>Anyway, its stability was nothing to write home about.
> >
> >
> > Hardware? VMS version?
> 
> In the beginning of this subthread (porting code VMS => Unix)
> I referred to the early 1990s, which means VAX hardware
> and probably one of the most recent VMS versions available then.

So, you'd likely be talking anything from a uVAX-3100 Model (something)
to a VAX 6000-640. Some of the most reliable hardware of the day.
Probably VMS V5.3-1 to V5.5-2. V5.4-2 was quite stable, as I recall and
became the basis of the Alpha port. Early OpenVMS-AXP had its issues,
though.

What kind of outages were they seeing?

> And anticipating the usual objections
> ("it's history", "too old", "should have upgraded", "should have done
> this or that"): those are not the point.
> It's simply that at that point in time the grass was much greener
> on the Unix side than on the VMS side. And it stayed that way.

Hhhmmm... Sounds like they may have been trying to fit the clustering
"round peg" into an application's "square hole".

> >
> > ...and neither Compaq nor HP ever could sell that whole TCO thing.
> >
> 
> You need the TCO argument only if you want to "proof" that
> the new system you already have chosen for other reasons
> is cheaper than the old system you want to get rid of.
> Otherwise it's the price of the hardware that counts.

...to the people trying to squeeze the purchase out of the current FY's
capital budget. Usually, if you can prove the case for justification
you'll get the capital dollars.

People (mostly bean counters) in need of rectal craniotomy
notwithstanding, of course.

D.J.D.
0
Reply djesys.no (1536) 6/25/2009 2:08:24 AM

In article 
<4c078241-0855-4ad2-86b5-d0d27c3b57c2@h11g2000yqb.googlegroups.com>,
 John Wallace <johnwallace4@yahoo.co.uk> wrote:

> On Jun 22, 3:10 pm, JF Mezei <jfmezei.spam...@vaxination.ca> wrote:
> > Michael Kraemer wrote:
> > > 1980s onwards. The sheer fact that third parties
> > > had to jump in and deliver a TCP/IP stack for VMS
> > > shows how out-of-focus DEC was already before Palmer
> > > inherited the whole mess.
> >
> > In defense of Olsen, one needs to be reminded that back then, the "OSI"
> > thing was promoted as THE one networking technology that would be
> > embraced by everyone and which the governments would require. And
> > Digital was a leader in that field.
> >
> > DEC failed to turn around quickly when it became obvious OSI wouldn't
> > catch on and go full speed ahead with IP. And it took it an eternity to
> > get something semi palatable. And even today, they are failing to
> > provide proper email infrastructure with their stack. Maybe the newbies
> > who don't know about DECnet will remove the stupid code from the SMTP
> > receiver that splits incoming lines that are longer than 256 bytes which
> > result in ill formed headers which are noticed by the IMAP/POP servers
> > which then promptly ignore the headers and generate their own, and treat
> > the headers as text.
> >
> > In hindsight, we can say that DEC should have ignored OSI and gone IP
> > right away, but back then, it wasn't so obvious. IBM and HP also had OSI
> > projects as I recall.
> 
> It certainly wasn't obvious at all.
> 
> When GM and friends say "we've had enough chaos, we want
> OSI" (Manufacturing Automation Protocol flavour) and Boeing and
> friends say "we've had enough chaos, we want OSI" (Technical+Office
> Protocol flavour)  in addition to the Governments in USA and Europe
> saying "we've had enough chaos, we want OSI" (GOSIP flavours) it's a
> brave vendor who chooses to ignore them.
> 
> DEC had the network technology, some vendors had some applications,
> but for whatever reason, it never really caught on. Back then maybe it
> was just too much of a resource hog?

It certainly could be a resource hog on MicroVAXen, but my problem with 
it at first was the documentation, and lack of working examples in it.

From a system management point of view, DECnet Phase IV commands were 
easy to remember, especially in a typical environment where you only 
need to use it once or twice a year, to add a printer or a few new 
terminals.

The problem for me with Phase V, at least initially, was the learning 
curve for the syntax.  It did click eventually, and with later releases 
easier to manage, but without the budget for a training course it took 
time to become fluent.  More than once I did wonder if Digital were 
pushing it as a means of increasing training revenues.

> In DEC's case, they backed the OSI horse almost exclusively. At other
> vendors I was aware of, OSI was a bit of a "token" (er, sorry)
> gesture, and they stuck with their IP comfort zone for the real
> business.

-- 
Paul Sture
0
Reply paul.nospam (2160) 6/25/2009 4:21:17 AM

In article <4A42DC18.48EAAECC@spam.comcast.net>, David J Dachtera
<djesys.no@spam.comcast.net> writes:
> Michael Kraemer wrote:
> > 
> > David J Dachtera schrieb:
> > 
> > >
> > > Now? That question answers itself, does it not?
> > 
> > No. Of course hardware got faster,
> > but also the amount of data to be shared.
> > And again, what has this to do
> > with the way data are shared in VMS vs Unix ?
> 
> VMS = shared everything
> 
> UN*X = shared nothing - needs add-ons like NFS, as you noted.

Oh come on, don't get ridiculous.
NFS is an integral part of Unix systems for about two decades,
if not longer, just as TCP/IP, sockets, X11, etc.
With the same right one could call VMS clusters an add-on
because it was added several versions later than 1.0 (at least IIRC).
On Unix, I can share printers, filesystems, apps, data,
just about everything which is important to me.
Quite a bit more than "nothing".

> 
> ...and no, it's not "a single issue (I am) trying to solve." It's the
> whole system: tiers 2 and 3 of a three-tiered, very high transaction
> volume system (electronic health record).

To me, not being a DBA type, it appears to be a single issue,
which certainly can be solved also on Unix, given the fact that
the majority of all databases on this planet runs quite
well on non-VMS platforms.
But, as I've already posted, mileages may vary and what appears
of utmost importance to you doesn't mean it's of importance
to others. And vice versa of course.
  
> So, you'd likely be talking anything from a uVAX-3100 Model (something)
> to a VAX 6000-640. Some of the most reliable hardware of the day.
> Probably VMS V5.3-1 to V5.5-2. V5.4-2 was quite stable, as I recall and
> became the basis of the Alpha port. Early OpenVMS-AXP had its issues,
> though.

VAX 6000, some 8xxx, I think, plus several dozens of VS31xx desktops,
maybe a few VS4000 later. AXPs on another cluster later,
but that was after I served my sentence on VMS :-)
 
> What kind of outages were they seeing?

It wasn't only "they", it was "us" users
who suffered. Typically, for no apparent reason,
the whole cluster thingy went down. 
Black screen of death, everything rebooting.
One had to login, restore all desktop apps that were running,
restart/repeat aborted interactive stuff etc.
For a particular user,
it could have taken hours until he could proceed with normal work.
If it happened early Friday afternoon, one could as well leave
for the weekend.
It certainly didn't happen on a weekly basis,
but often enough to be annoying, at least during the few
years I had to use VMS on a regular basis.

I don't know if they ever found the real reason
(I switched to greener pastures), but I suspect
the network to be clustering's Achilles heel,
rather than hardware or plain OS failures,
because *all* boxes went down, whereas non-VMS
on the same network was not (or less) affected, AFAICR.
I never observed that kind of blackout on Unix boxes.
 
> > And anticipating the usual objections
> > ("it's history", "too old", "should have upgraded", "should have done
> > this or that"): those are not the point.
> > It's simply that at that point in time the grass was much greener
> > on the Unix side than on the VMS side. And it stayed that way.
> 
> Hhhmmm... Sounds like they may have been trying to fit the clustering
> "round peg" into an application's "square hole".

I don't know what should be "round pegs" or "square holes"
in this context, the described cluster setup wasn't
unusual in technical computing at that time,
in fact it was probably more common than pure DB installations.
And the people in charge weren't dummies 
but had close to ten years VMS experience
and would rather have worked extra night shifts than to
admit that their cluster runs worse than Unix.
So it must have been something not easily to be fixed.
0
Reply M.Kraemer (1982) 6/25/2009 1:18:26 PM

John Wallace wrote:
> 
> [snip]
> In DEC's case, they backed the OSI horse almost exclusively. At other
> vendors I was aware of, OSI was a bit of a "token" (er, sorry)
> gesture, and they stuck with their IP comfort zone for the real
> business.

Hhhmmm... I thought "OSI" was a more generic reference, not a specific
protocol.

DECnet-V was built around the OSI 7-layer model. You can see that
in NCL.

TCP/IP is often discussed in terms of the 7-layer OSI model.

So, now I'm confused.

Has the 7-layer model been abandoned? ...genericised? ...?

D.J.D.
0
Reply djesys.no (1536) 6/25/2009 8:54:34 PM

Michael Kraemer wrote:
> 
> In article <4A42DC18.48EAAECC@spam.comcast.net>, David J Dachtera
> <djesys.no@spam.comcast.net> writes:
> > Michael Kraemer wrote:
> > >
> > > David J Dachtera schrieb:
> > >
> > > >
> > > > Now? That question answers itself, does it not?
> > >
> > > No. Of course hardware got faster,
> > > but also the amount of data to be shared.
> > > And again, what has this to do
> > > with the way data are shared in VMS vs Unix ?
> >
> > VMS = shared everything
> >
> > UN*X = shared nothing - needs add-ons like NFS, as you noted.
> 
> Oh come on, don't get ridiculous.
> NFS is an integral part of Unix systems for about two decades,

That's like saying DECnet is an "integral part of" VMS just because it's
no longer installed as a SIP, it's an install option in the base kit and
is not required for normal cluster function.

> if not longer, just as TCP/IP, sockets, X11, etc.
> With the same right one could call VMS clusters an add-on
> because it was added several versions later than 1.0 (at least IIRC).

One major difference is that SCS runs quite happily with no other
network stack loaded. Can't say the same for NFS since that's an IP
sub-protocol with TCP layered into the mix.

> On Unix, I can share printers, filesystems, apps, data,
> just about everything which is important to me.

Really? How do you do that? (Remember again that we're talking 100's of
printers, 1000's of TPS and tens of thousands of I/Os per second.)

> Quite a bit more than "nothing".
> 
> >
> > ...and no, it's not "a single issue (I am) trying to solve." It's the
> > whole system: tiers 2 and 3 of a three-tiered, very high transaction
> > volume system (electronic health record).
> 
> To me, not being a DBA type, it appears to be a single issue,

Nuff said.

> [snip]
> 
> > What kind of outages were they seeing?
> 
> It wasn't only "they", it was "us" users
> who suffered. Typically, for no apparent reason,
> the whole cluster thingy went down.
> Black screen of death, everything rebooting.

Did anyone ever mention "CLUEXIT"?

> One had to login, restore all desktop apps that were running,
> restart/repeat aborted interactive stuff etc.
> For a particular user,
> it could have taken hours until he could proceed with normal work.
> If it happened early Friday afternoon, one could as well leave
> for the weekend.
> It certainly didn't happen on a weekly basis,
> but often enough to be annoying, at least during the few
> years I had to use VMS on a regular basis.
> 
> I don't know if they ever found the real reason
> (I switched to greener pastures), but I suspect
> the network to be clustering's Achilles heel,
> rather than hardware or plain OS failures,
> because *all* boxes went down, whereas non-VMS
> on the same network was not (or less) affected, AFAICR.
> I never observed that kind of blackout on Unix boxes.

Well, scant details; however, those symptoms are consistent with cluster
communications issues. Had the network people been trained on networking
and not just on TCP/IP, it could probably have been resolved without
anything as draconian as a platform migration.

> > > And anticipating the usual objections
> > > ("it's history", "too old", "should have upgraded", "should have done
> > > this or that"): those are not the point.
> > > It's simply that at that point in time the grass was much greener
> > > on the Unix side than on the VMS side. And it stayed that way.
> >
> > Hhhmmm... Sounds like they may have been trying to fit the clustering
> > "round peg" into an application's "square hole".
> 
> I don't know what should be "round pegs" or "square holes"
> in this context, the described cluster setup wasn't
> unusual in technical computing at that time,
> in fact it was probably more common than pure DB installations.
> And the people in charge weren't dummies
> but had close to ten years VMS experience
> and would rather have worked extra night shifts than to
> admit that their cluster runs worse than Unix.
> So it must have been something not easily to be fixed.

Indeed - likely network (cluster communications) issues which, if TCP/IP
is all one has been trained on, can be a bit like sending construction
electricians to diagnose and repair a diesel-electromotive unit with a
failed prime mover.

D.J.D.
0
Reply djesys.no (1536) 6/25/2009 9:12:19 PM

David J Dachtera schrieb:

> That's like saying DECnet is an "integral part of" VMS just because it's
> no longer installed as a SIP, it's an install option in the base kit and
> is not required for normal cluster function.

Let's not get nitpicking here, right?
From my practical point of view:
whatever is on the installation CD(s) is part of the OS,
even if it has been added only later in an OS's history.
I have no problem accepting DECnet as part of VMS,
even though its installation might be optional.

> One major difference is that SCS runs quite happily with no other
> network stack loaded. Can't say the same for NFS since that's an IP
> sub-protocol with TCP layered into the mix.

"Different" doesn't mean "better" or "worse".
Connections to the outside world are just handled (layered)
differently in VMS than in Unix, so what's the point?

> 
>>On Unix, I can share printers, filesystems, apps, data,
>>just about everything which is important to me.
> 
> 
> Really? How do you do that? (Remember again that we're talking 100's of
> printers, 

smitty - Print Spooling.
(Admittedly, configuration is clumsy, IMHO)
ISTR some 50 or more printers served by AIX in the mid-90s.
Nowadays maybe hundreds of them are served by one or two
Linux-boxen. Where's the problem ?

> 1000's of TPS and tens of thousands of I/Os per second.)

Not my cup of tea, but aren't IBM and HP leap-frogging
with their TPC benchmarks on AIX and HP-UX, respectively?

> Nuff said.

Fine with me, but somehow I suspect you assume
that running a big DB with a lot of transactions
is the only acceptable usage for a computer.

> 
>>[snip]
>>
>>
>>>What kind of outages were they seeing?
>>
>>It wasn't only "they", it was "us" users
>>who suffered. Typically, for no apparent reason,
>>the whole cluster thingy went down.
>>Black screen of death, everything rebooting.
> 
> 
> Did anyone ever mention "CLUEXIT"?

Feel free to enter a time warp next
to you and send your wisdom back ca 18 years.

> Well, scant details; however, those symptoms are consistent with cluster
> communications issues. Had the network people been trained on networking
> and not just on TCP/IP, it could probably have been resolved 

I don't think TCP/IP was even involved (on the VMS side).
In fact, I remember the VMS admins weren't amused
when all those devices running on TCP/IP
(PCs, workstations, X-terminals, printers)
started to use (and "spoil") "their" Ethernet from the late 1980s
onwards.

> without
> anything as draconian as a platform migration.

There was no platform migration only triggered
by a couple of cluster crashes.
Those who still needed/wanted VMS just accepted
them as a fact of life.
Those who could escape went Unix, which had
faster, cheaper hardware and soon better
industry and freeware support. Both OSs
were used in parallel for several years.
But there was little to no incentive to stay on VMS,
not even cluster stability. That's why I brought
up this crash story.
So coming back to this subthread's start again, logical names are
about the only advantage I can remember.

> Indeed - likely network (cluster communications) issues which, if TCP/IP
> is all one has been trained on, can be a bit like sending construction
> electricians to diagnose and repair a diesel-electromotive unit with a
> failed prime mover.

Your hasty conclusions are quite a bit arrogant,
since I didn't give that many details (mainly
because I can't recall many of them after all those years).
In any case you have no right to diss our VMS admins
who did the job back then. I'd rather blame VMS
being not as unbreakable as you want to believe.

0
Reply M.Kraemer (1982) 6/25/2009 10:42:45 PM

On Jun 25, 9:54 pm, David J Dachtera <djesys...@spam.comcast.net>
wrote:
> John Wallace wrote:
>
> > [snip]
> > In DEC's case, they backed the OSI horse almost exclusively. At other
> > vendors I was aware of, OSI was a bit of a "token" (er, sorry)
> > gesture, and they stuck with their IP comfort zone for the real
> > business.
>
> Hhhmmm... I thought "OSI" was a more generic reference, not a specific
> protocol.
>
> DECnet-V was built around the OSI 7-layer model. You can see that
> in NCL.
>
> TCP/IP is often discussed in terms of the 7-layer OSI model.
>
> So, now I'm confused.
>
> Has the 7-layer model been abandoned? ...genericised? ...?
>
> D.J.D.

The particular protocols found in a real seven layer OSI
implementation have largely been abandoned (there's no practical
modern use for OSI transport or session or presentation or application
layers, which were 4-7), although some relics survive. The concept of
a seven layer "reference model" lives on, and is probably a useful
tool in basic networking education, although how relevant or useful it
is at layer four and above is arguable. One of the higher layer relics
which does live on in places is the ASN.1 encoding of data (the 1980s
OSI precursor of the "modern" approach, which seems to mean
transferring everything encoded as ASCII text separated by lots of <
and > and "tags"). Mind you, although ASN.1 has been around since
1984, Microsoft were still getting it wrong as recently as 2004 (see
their Security Vulnerability described in MS04-007 where they managed
to get signed and unsigned mixed up).

As regards the comparison between clusters and "NFS-centric" (etc)
systems - it's a bit like comparing an SMP system with a loosely
coupled collection of boxes. In an SMP system, you can get quite fine
grained (tightly coupled) resource sharing, but if part of the OS dies
on one system, usually everything in the whole SMP system dies with
it, because of the considerable importance of resource sharing and
synchronisation. In a loosely coupled collection of boxes (what UNIX
folks sometimes call a cluster), if something dies, many other
unrelated things *may* be able to carry on because of the *limited*
importance of resource sharing between them. In a cluster, if
something cluster-critical dies, drastic things may happen, again
because of the importance of shared/synchronised resources (tightly
coupled systems).

You can't have it both ways - either the resource sharing etc is loose
and a failure/loss usually matters little, or the resource sharing is
tight and a loss *may* matter a lot. It's not a case of one is better
or worse, but one is certainly *easier* to implement (though maybe not
easier to operate and manage), and which one is the best fit may vary
depending on needs.

Bringing down a whole cluster was unheard of in my experience,
starting in the early days of LAVcs and ending a *long* time after
that. Even if all comms was lost, there'd still typically be one node
up for the others to rejoin later.

Perhaps the loosely-coupled/tightly-coupled stuff above wasn't
explained all that well, but really there's nothing that comes close
to VMS clusters, with the possible exception of Tandem's very own
little known NonStop Clusters for SCO Unix, which was really quite a
remarkable piece of UNIX software. I believe Keith Parris used to have
a few slides comparing various flavours of cluster. The classical
NonStop OS is also a fine piece of software but it's nothing to do
with clusters even though it manages to address some of the same
requirements in terms of reliability and scalability.

0
Reply johnwallace44 (832) 6/25/2009 10:58:18 PM

John Wallace schrieb:

> As regards the comparison between clusters and "NFS-centric" (etc)
> systems - it's a bit like comparing an SMP system with a loosely
> coupled collection of boxes. In an SMP system, you can get quite fine
> grained (tightly coupled) resource sharing, but if part of the OS dies
> on one system, usually everything in the whole SMP system dies with
> it, because of the considerable importance of resource sharing and
> synchronisation. In a loosely coupled collection of boxes (what UNIX
> folks sometimes call a cluster), if something dies, many other
> unrelated things *may* be able to carry on because of the *limited*
> importance of resource sharing between them. In a cluster, if
> something cluster-critical dies, drastic things may happen, again
> because of the importance of shared/synchronised resources (tightly
> coupled systems).
> 
> You can't have it both ways - either the resource sharing etc is loose
> and a failure/loss usually matters little, or the resource sharing is
> tight and a loss *may* matter a lot. It's not a case of one is better
> or worse, but one is certainly *easier* to implement (though maybe not
> easier to operate and manage), and which one is the best fit may vary
> depending on needs.

Now this sounds more sensible to me than the usual
"unbreakable under all conditions" claim.

> Bringing down a whole cluster was unheard of in my experience,
> starting in the early days of LAVcs and ending a *long* time after
> that. Even if all comms was lost, there'd still typically be one node
> up for the others to rejoin later.

Yet it has happened,
not only in the old days of 10Base2 cabling,
but also 2 or 3 years ago with more modern
equipment.
However, as you mention it, it may well
be that a few nodes have survived those incidents.
But if, for example, "only" 28 out of 30 nodes are going
down, this doesn't change things much for the users of
the 28 dead nodes.

0
Reply M.Kraemer (1982) 6/25/2009 11:46:17 PM

On Jun 26, 12:46 am, Michael Kraemer <M.Krae...@gsi.de> wrote:
> John Wallace wrote:
>
>
>
> > As regards the comparison between clusters and "NFS-centric" (etc)
> > systems - it's a bit like comparing an SMP system with a loosely
> > coupled collection of boxes. In an SMP system, you can get quite fine
> > grained (tightly coupled) resource sharing, but if part of the OS dies
> > on one system, usually everything in the whole SMP system dies with
> > it, because of the considerable importance of resource sharing and
> > synchronisation. In a loosely coupled collection of boxes (what UNIX
> > folks sometimes call a cluster), if something dies, many other
> > unrelated things *may* be able to carry on because of the *limited*
> > importance of resource sharing between them. In a cluster, if
> > something cluster-critical dies, drastic things may happen, again
> > because of the importance of shared/synchronised resources (tightly
> > coupled systems).
>
> > You can't have it both ways - either the resource sharing etc is loose
> > and a failure/loss usually matters little, or the resource sharing is
> > tight and a loss *may* matter a lot. It's not a case of one is better
> > or worse, but one is certainly *easier* to implement (though maybe not
> > easier to operate and manage), and which one is the best fit may vary
> > depending on needs.
>
> Now this sounds more sensible to me than the usual
> "unbreakable under all conditions" claim.
>
> > Bringing down a whole cluster was unheard of in my experience,
> > starting in the early days of LAVcs and ending a *long* time after
> > that. Even if all comms was lost, there'd still typically be one node
> > up for the others to rejoin later.
>
> Yet it has happened,
> not only in the old days of 10Base2 cabling,
> but also 2 or 3 years ago with more modern
> equipment.


VMSclusters when properly designed by people with clue and with
adequate budgets, and operated by people with clue, can be very highly
available. They weren't/aren't called "disaster tolerant" for nothing,
and actually "unbreakable under all conditions" wouldn't be an
unreasonable claim for the high end ones. This isn't just a paper
claim either, there are real life experiences that have shown it works
(in addition to your real life experience that shows the basic ones
aren't so resilient).

Dual-redundant everything (including LAN connections) would be an
important aspect of the high availability design, but was not a
requirement for a basic cluster. Many important clusters were/are
designed and operated giving due consideration to the availability
stuff; many other VMSclusters (probably including the one you worked
on) weren't so well funded or maybe not so well thought out.

> However, as you mention it, it may well
> be that a few nodes have survived those incidents.
> But if, for example, "only" 28 out of 30 nodes are going
> down, this doesn't change things much for the users of
> the 28 dead nodes.

At a guess this would be a cluster of workstations with one server as
a "boot node", running as a single system image cluster and a single
system management domain. About as tightly coupled as you can get
without being an SMP system, and a relatively common configuration in
the "technical computing" world at one time. These were often
introduced to minimise management costs (manage one cluster rather
than dozens of boxes) rather than maximise availability, and in the
simplest config if you lose the boot node or its network you lose the
"satellites" too. There are/were simple changes that can be made to
the basic setup which can significantly add to the availability, and
changes were even made to the OS to help in cases like this.

In setups like this, basic improvements like the already-mentioned
dual-redundant LANs can usually be added to at least the important
systems (often the boot nodes); it's relatively trivial to use a pair
of dual-redundant boot nodes with a quorum disk or quorum system so
either boot node can fail and the cluster itself survives, and there's
plenty of other stuff which doesn't cost a great deal of money relative to
downtime for a couple of dozen systems. A couple of sentences here can
only touch on the subject. There's lots more in documents like the
Guidelines for VMScluster Configurations, but when it really matters
there's no substitute for paying for the services of someone with a
clue.

For whatever reason, lots of companies weren't prepared to spend the
money on the extra availability which could be had. However, some did
do the cost/benefit analysis and convinced themselves that it *was*
worth the investment. Others were perhaps just unconvinced the
technology could ever be anything like "unbreakable under all
conditions". Maybe they hadn't seen it configured and demonstrated
properly and understood the significance of what's being shown?

Have you seen the HP Disaster Proof video previously mentioned on this
newsgroup, have you read about what lies behind it? It covers not just
VMS, but also HP's own HP-UX and Nonstop, and the "industry standard"
RHEL and Windows. Start at www.hp.com/go/disasterproof - you may need
to follow the link to the Enterprise Library to watch the video (or
you can watch it on Youtube).
0
Reply johnwallace44 (832) 6/26/2009 6:49:43 AM

John Wallace wrote:

> VMSclusters when properly designed by people with clue and with
> adequate budgets, and operated by people with clue, can be very highly
> available. 

You should be a bit more careful calling other people clueless
unless you know them or unless you have walked in their
shoes for a day or so.

> At a guess this would be a cluster of workstations with one server as
> a "boot node", running as a single system image cluster and a single
> system management domain. About as tightly coupled as you can get
> without being an SMP system, and a relatively common configuration in
> the "technical computing" world at one time. These were often
> introduced to minimise management costs (manage one cluster rather
> than dozens of boxes) rather than maximise availability, and in the
> simplest config if you lose the boot node or its network you lose the
> "satellites" too. There are/were simple changes that can be made to
> the basic setup which can significantly add to the availability, and
> changes were even made to the OS to help in cases like this.

All this may well be, but at some point I think they had
redundant server nodes. If simple changes to the setup
would have fixed it, they would have done it, I'm sure.
But my point still remains: if it needs extra effort
and extra budget to raise a stock VMS cluster to the
same level of availability a stock Unix setup has,
why bother with VMS?

0
Reply M.Kraemer (1982) 6/26/2009 8:29:35 AM

On Jun 26, 9:29 am, Michael Kraemer <M.Krae...@gsi.de> wrote:
> John Wallace wrote:
>
> > VMSclusters when properly designed by people with clue and with
> > adequate budgets, and operated by people with clue, can be very highly
> > available.
>
> You should be a bit more careful calling other people clueless
> unless you know them or unless you have walked in their
> shoes for a day or so.

OK, change shorthand "clue" to "lots more clue than average". Happy
now? Either way, you don't get better than average uptime from systems
designed and run by average people; that's just the way averages work,
be it UNIX or mainframe or whatever. I don't know how average your
colleagues are/were (or how constrained they were by other factors)
but for whatever reason it sounds like their cluster availability was
worse than average.

>
> > At a guess this would be a cluster of workstations with one server as
> > a "boot node", running as a single system image cluster and a single
> > system management domain. About as tightly coupled as you can get
> > without being an SMP system, and a relatively common configuration in
> > the "technical computing" world at one time. These were often
> > introduced to minimise management costs (manage one cluster rather
> > than dozens of boxes) rather than maximise availability, and in the
> > simplest config if you lose the boot node or its network you lose the
> > "satellites" too. There are/were simple changes that can be made to
> > the basic setup which can significantly add to the availability, and
> > changes were even made to the OS to help in cases like this.
>
> All this may well be, but at some point I think they had
> redundant server nodes. If simple changes to the setup
> would have fixed it, they would have done it, I'm sure.
> But my point still remains: if it needs extra effort
> and extra budget to raise a stock VMS cluster to the
> same level of availability a stock Unix setup has,
> why bother with VMS?

In the case of a workstation cluster, the motivation for clustering
back then might well be so that sysadmins managed *one* (VMS) system
rather than dozens of separate systems, with the consequent saving in
manpower+money or increase in productivity. Plus clustering provides
simple easy transparent synchronised coordinated access to shared
files, databases, etc. Need a new node or an updated shared app? Add
it to the cluster in a few minutes and you're all set, no need to
update each individual workstation. Need simple easy shared access to
common code or some other shared resource? In a cluster, it "just
works".

As others have noted, clusters with problems such as you saw were not
typical (or "average"). In particular, those adopting this approach to
clustering to save admin time+money needed to be aware that if done on
the cheap it had single points of failure and consequent risk of
business impact, but on the other hand it had other significant
sysadmin and sharing advantages at the time. But lose the single
network connection to the single bootnode, and you lose the whole
cluster. Maybe you had two clustered servers at some point. Lots of
people with two or more clustered servers were and are very happy.
Neither of us knows what went wrong with your setup.

There wasn't (and afaik still isn't) any worthwhile single system
image single management domain UNIX clustering in common use, though
various not particularly designed in or integrated distributed
technologies have all done their bit to help UNIX (and sometimes other
OSes too) along the way. But last time I checked, distributed UNIX
filesystems still don't really do distributed locking in a mandatory
kind of way, perhaps because the underlying UNIX approach says that
locking isn't the core OS's problem, it's someone else's problem.

NonStop Clusters for SCO UNIX seemed to do much of the single system
image single management domain job, and in some ways did it better
than VMS, but it wasn't exactly in widespread use. I don't know what
it did about generic resource sharing/locking.
0
Reply johnwallace44 (832) 6/26/2009 9:32:36 AM

Michael Kraemer wrote:

> You should be a bit more careful calling other people clueless
> unless you know them or unless you have walked in their
> shoes for a day or so.


Someone who was born deaf would not know how beautiful a Mozart symphony
could sound, he has no way to judge.

Someone brought up in Windows and Unix has no way to know what "real"
clustering can give you because they have never experienced/seen it with
their own hands and eyes.

HP made a HUGE blunder when it dumped the VMS clustering (via Tru64) for
its HP-UX product. Probably because the people high enough to make such
decisions didn't really know the real advantages and competitive edge
those features could bring to HP, especially when you consider that IBM
has something that is far better than what HP-UX has.

> if it needs extra effort
> and extra budget to raise a stock VMS cluster to the
> same level of availability a stock Unix setup has,
> why bother with VMS?

Excuse me ?????? To get the same data integrity on Unix as you get with
VMS, you need to spend a lot more effort on Unix and it can't be managed
as eloquently. You may say "eloquent" doesn't matter, I say it does.
Something that has streamlined and straightforward management greatly
reduces the chances of human errors (think about operators on the night
shift).

And consider how much effort was put on VMS to ensure data integrity in
so many types of possible failure modes.
0
Reply jfmezei.spamnot (8965) 6/26/2009 7:06:51 PM

In article <107fd8e4-c07d-43a9-9f6d-64c0de71b3ef@g23g2000vbr.googlegroups.com>, John Wallace <johnwallace4@yahoo.co.uk> writes:
> On Jun 26, 9:29 am, Michael Kraemer <M.Krae...@gsi.de> wrote:
>> John Wallace wrote:
>>
>> > VMSclusters when properly designed by people with clue and with
>> > adequate budgets, and operated by people with clue, can be very highly
>> > available.
>>
>> You should be a bit more careful calling other people clueless
>> unless you know them or unless you have walked in their
>> shoes for a day or so.
> 
> OK, change shorthand "clue" to "lots more clue than average". Happy
> now? Either way, you don't get better than average uptime from systems
> designed and run by average people; that's just the way averages work,
> be it UNIX or mainframe or whatever. I don't know how average your
> colleagues are/were (or how constrained they were by other factors)
> but for whatever reason it sounds like their cluster availability was
> worse than average.

As someone who has managed several VMS clusters (one with a thirteen
year uptime) for over twenty years, and who has done first level VMS
support for VMS admins at a dozen or so of our member institutions, I
agree that it sounds like their uptimes were significantly worse than
average.  Did they not have control over the cluster interconnect
(e.g. another group controlled the Ethernet)?  Could it have been an
operations problem?  An incompetent operator can cause major outages
on any system no matter how well set up it is.

By dynamically modifying the SYSGEN RECNXINTERVAL parameter, it is
possible for a cluster to survive a complete loss of its interconnect(s)
for hours (of course pretty much everything hangs during the outage).
It's how we handle reboots of our Ethernet switches which take several
minutes.

I don't recall ever having all the nodes of a cluster crash at once.
The reason that our cluster uptime is only thirteen years is that
we had an extended power outage, otherwise it would have an uptime
of sixteen years.


George Cook
WVNET
0
Reply cook (261) 6/27/2009 12:25:20 AM

In article <h220rp$p5i$03$1@news.t-online.com>, M.Kraemer@gsi.de
says...
> John Wallace wrote:
> 
> > VMSclusters when properly designed by people with clue and with
> > adequate budgets, and operated by people with clue, can be very highly
> > available. 
> 
> You should be a bit more careful calling other people clueless
> unless you know them or unless you have walked in their
> shoes for a day or so.

Since you have completely and utterly failed to provide anything
but anecdotal evidence that there ever were any problems, you
have no reason to complain.

How do we know this cluster you are talking about ever existed?

When, where, what version, who were the people in charge?  What
was the actual crash symptom?  (Ask them off-line to provide
details to the group, if you don't want to post any names.)

As it stands now, your claims have no more validity than someone
who claims to have been abducted by aliens or been cured by
a psychic.

> 
> > At a guess this would be a cluster of workstations with one server as
> > a "boot node", running as a single system image cluster and a single
> > system management domain. About as tightly coupled as you can get
> > without being an SMP system, and a relatively common configuration in
> > the "technical computing" world at one time. These were often
> > introduced to minimise management costs (manage one cluster rather
> > than dozens of boxes) rather than maximise availability, and in the
> > simplest config if you lose the boot node or its network you lose the
> > "satellites" too. There are/were simple changes that can be made to
> > the basic setup which can significantly add to the availability, and
> > changes were even made to the OS to help in cases like this.
> 
> All this may well be, but at some point I think they had
> redundant server nodes. If simple changes to the setup
> would have fixed it, they would have done it, I'm sure.
> But my point still remains: if it needs extra effort
> and extra budget to raise a stock VMS cluster to the
> same level of availability a stock Unix setup has,
> why bother with VMS?

Assumes facts not in evidence, as they say on various legal
dramas.

-- 
John Santos
Evans Griffiths & Hart, Inc.
0
Reply john5 (550) 6/28/2009 1:05:40 AM

In article <MPG.24b08bef6cbfcc98969d@news.verizon.net>,
 John Santos <john@egh.com> wrote:

> Since you have completely and utterly failed to provide anything
> but anecdotal evidence that there ever were any problems, you
> have no reason to complain.
> 
> How do we know this cluster you are talking about ever existed?
> 
> When, where, what version, who were the people in charge?  What
> was the actual crash symptom?  (Ask them off-line to provide
> details to the group, if you don't want to post any names.)
> 
> As it stands now, your claims have no more validity than someone
> who claims to have been abducted by aliens or been cured by
> a psychic.

I think the major point here John is that maybe Michael's then employers 
would not come up with the budget for someone who could have sorted it 
out.

I'm afraid I've seen this happen, and it was often more about empire 
building or preserving the status quo rather than addressing the real 
business problem :-(

-- 
Paul Sture
Titanium inside
0
Reply paul.nospam (2160) 6/28/2009 1:01:41 PM

On Jun 28, 2:01 pm, "P. Sture" <paul.nos...@sture.ch> wrote:
> In article <MPG.24b08bef6cbfcc989...@news.verizon.net>,
>  John Santos <j...@egh.com> wrote:
>
> > Since you have completely and utterly failed to provide anything
> > but anecdotal evidence that there ever were any problems, you
> > have no reason to complain.
>
> > How do we know this cluster you are talking about ever existed?
>
> > When, where, what version, who were the people in charge?  What
> > was the actual crash symptom?  (Ask them off-line to provide
> > details to the group, if you don't want to post any names.)
>
> > As it stands now, your claims have no more validity than someone
> > who claims to have been abducted by aliens or been cured by
> > a psychic.
>
> I think the major point here John is that maybe Michael's then employers
> would not come up with the budget for someone who could have sorted it
> out.
>
> I'm afraid I've seen this happen, and it was often more about empire
> building or preserving the status quo rather than addressing the real
> business problem :-(
>
> --
> Paul Sture
> Titanium inside

I've seen the beancounter problem too (it is a lucky person who
*hasn't* seen it), and in this particular case the relevant history is
likely so far in the past that important things like facts and details
have been lost, whereas impressions still remain. Unfortunately what
problemsolving needs is facts and details rather than impressions, so
unless we get a minor miracle there's probably nowhere further to take
this.
0
Reply johnwallace44 (832) 6/28/2009 5:43:18 PM

John Santos wrote:

> Since you have completely and utterly failed to provide anything
> but anecdotal evidence 

And how is the claim "I never saw a cluster crash"
anything more than anecdotal ?

> that there ever were any problems, you
> have no reason to complain.

And you have no reason to call other people clueless
just because something doesn't quite fit into your
view of the world.

> How do we know this cluster you are talking about ever existed?

The VAX cluster of yore is gone for sure.
How can I prove that it ever existed?
How can I convince a creationist that evolution exists?

> When, where, what version, who were the people in charge?  What
> was the actual crash symptom?  (Ask them off-line to provide
> details to the group, if you don't want to post any names.)

I don't think that level of detail makes a difference.
Crashes happened with earlier versions on VAX and also
some two years ago with alphas and the then current version
of VMS.
The latter ones at least could be tracked down to somebody wreaking
havoc on the network, which shouldn't have happened,
but as usual, shit happens (but that's not the point).
The net effect was that
the Unix boxen almost ground to a halt, but with
enough patience one could complete at least some work,
monitor shows NICs busy close to 100%.
VMS cluster crashed immediately, alphas showed BSOD,
and the whole thingy couldn't be brought back to life
for hours, until the network problem was fixed.
And no, those people aren't clueless, there is
15 to 20 years of experience.
Configuration is such, that a few servers are
connected to a couple of workstations for process control,
possibly scattered all over the campus,
on the same network as all other devices (embedded stuff,
PCs, Unix, etc), necessarily scattered across the campus.
I.e. not exactly a cleanroom setup,
but a really hostile environment,
which is almost impossible to change, at least
not within budget.
Their proposal to avoid future trouble in the short-term
(long-term is to replace it by HA-Linux anyway)
was not to change the cluster, but to implement
better network segmenting to isolate VMS from the rest.
For me this is a strong hint that VMS clusters
might indeed have a problem coping with junk on the network.

And my point still remains why stock Unix boxen exposed
to the same junk responded much better than stock VMS cluster.

0
Reply M.Kraemer (1982) 6/29/2009 11:04:39 AM

On Jun 29, 12:04 pm, Michael Kraemer <M.Krae...@gsi.de> wrote:
> John Santos wrote:
>
> > Since you have completely and utterly failed to provide anything
> > but anecdotal evidence
>
> And how is the claim "I never saw a cluster crash"
> anything more than anecdotal ?
>
> > that there ever were any problems, you
> > have no reason to complain.
>
> And you have no reason to call other people clueless
> just because something doesn't quite fit into your
> view of the world.
>
> > How do we know this cluster you are talking about ever existed?
>
> The VAX cluster of yore is gone for sure.
> How can I prove that it ever existed?
> How can I convince a creationist that evolution exists?
>
> > When, where, what version, who were the people in charge?  What
> > was the actual crash symptom?  (Ask them off-line to provide
> > details to the group, if you don't want to post any names.)
>
> I don't think that level of detail makes a difference.
> Crashes happened with earlier versions on VAX and also
> some two years ago with alphas and the then current version
> of VMS.
> The latter ones at least could be tracked down to somebody wreaking
> havoc on the network, which shouldn't have happened,
> but as usual, shit happens (but that's not the point).
> The net effect was that
> the Unix boxen almost ground to a halt, but with
> enough patience one could complete at least some work,
> monitor shows NICs busy close to 100%.
> VMS cluster crashed immediately, alphas showed BSOD,
> and the whole thingy couldn't be brought back to life
> for hours, until the network problem was fixed.
> And no, those people aren't clueless, there is
> 15 to 20 years of experience.
> Configuration is such, that a few servers are
> connected to a couple of workstations for process control,
> possibly scattered all over the campus,
> on the same network as all other devices (embedded stuff,
> PCs, Unix, etc), necessarily scattered across the campus.
> I.e. not exactly a cleanroom setup,
> but a really hostile environment,
> which is almost impossible to change, at least
> not within budget.
> Their proposal to avoid future trouble in the short-term
> (long-term is to replace it by HA-Linux anyway)
> was not to change the cluster, but to implement
> better network segmenting to isolate VMS from the rest.
> For me this is a strong hint that VMS clusters
> might indeed have a problem coping with junk on the network.
>
> And my point still remains why stock Unix boxen exposed
> to the same junk responded much better than stock VMS cluster.

I already said this once (albeit in different words) but here it is
again: Stock UNIX boxen exposed to the same interconnect failure
survived "better" than stock VMSclusters because they are designed
differently and offer different tradeoffs. The VMS cluster world is
designed to use the cluster interconnect to provide a tightly coupled
set of systems, easy resource sharing, single admin domain, etc, and
if the sole interconnect fails, most of the cluster *must*, by design,
fail - it does so to protect the integrity of the shared resources.

A set of loosely connected UNIX boxes are not as reliant on the
network being 100% reliable, but do not offer the benefits of the
resource sharing and synchronisation which the tightly coupled
VMScluster can offer.

Your colleagues could of course have operated the VMS boxes as a
network of "loosely coupled" (unclustered) systems and then in the
case of a network failure they would have been just as resilient as
the UNIX boxes. But by getting rid of clustering they would have lost
the benefits of resource sharing, single admin domain, etc, as
mentioned earlier.
0
Reply johnwallace44 (832) 6/29/2009 11:42:44 AM
