INFO-VAX Tue, 12 Jun 2007 Volume 2007 : Issue 319 Contents: Re: %TCPIP-E-ROUTEERROR from TCPIP SHOW ROUTES... Re: 8086 vs patches RE: 8086 vs patches Re: 8086 vs patches AEST on Alpha Re: ALPHA_V732_MASTER_ECO_LIST.txt RE: Another opportunity Re: Another opportunity RE: Another opportunity Re: Another opportunity Re: Another opportunity RE: Another opportunity Re: Another opportunity Re: Another opportunity Re: Another opportunity RE: Another opportunity Re: Another opportunity Re: bad checksum for AXP_DNVOSIECO02-V83 Re: Bandwidth Test BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! RE: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: BYPASS privilege !! Re: Lightning & Time to buy lottery tickets Re: Lightning & Time to buy lottery tickets Re: Lightning & Time to buy lottery tickets Re: Minimum priv to run an audit Re: Minimum priv to run an audit Re: OT: Lightning & Time to buy lottery tickets Re: porting ignorance (was Re: Story Time) Question for the Group Re: Question for the Group Re: Question for the Group Re: Question for the Group Re: Question for the Group Re: Question for the Group Re: Question to Bob Re: Reflection's VT emulation (was: DECTerm Bold fonts on ReflectionX (Version 6 Re: SAMBA not ready to be a replacement for PathWorks Re: SAMBA not ready to be a replacement for PathWorks SMTP.CONFIG: Reject-Mail-From: for part of an address? Where is the love? 
(Was: Re: Question for the Group) [Q] Minimum priv to run an audit Re: [Q] Minimum priv to run an audit

----------------------------------------------------------------------

Date: Mon, 11 Jun 2007 19:05:21 -0500
From: David J Dachtera
Subject: Re: %TCPIP-E-ROUTEERROR from TCPIP SHOW ROUTES...
Message-ID: <466DE341.4F5FD653@spam.comcast.net>

Peter 'EPLAN' LANGSTOeGER wrote:

> > In article <46689B42.1256A6E4@spam.comcast.net>, David J Dachtera writes: > >Galen wrote: > >> > >> We're running TCP/IP V5.3 (no TCP/IP ecos) ... > > > >There's your problem right there - UCX *ALWAYS* has ECOs! > > TCPIP V5.6 still does not ;-)

The release is young, my friend!

-- David J Dachtera dba DJE Systems http://www.djesys.com/ Unofficial OpenVMS Marketing Home Page http://www.djesys.com/vms/market/ Unofficial Affordable OpenVMS Home Page: http://www.djesys.com/vms/soho/ Unofficial OpenVMS-IA32 Home Page: http://www.djesys.com/vms/ia32/ Unofficial OpenVMS Hobbyist Support Page: http://www.djesys.com/vms/support/

------------------------------

Date: Mon, 11 Jun 2007 19:11:59 -0500
From: David J Dachtera
Subject: Re: 8086 vs patches
Message-ID: <466DE4CF.56F47E84@spam.comcast.net>

JF Mezei wrote:

> > Nobody accepted to provide me with a supply of chocolate in exchange for > my stopping the use of the term "8086" to designate the industry > standard architecture (since this is where it has its roots). > > I have a new proposal to make: > > I would be willing to stop using the 8086 monicker if Kerry Main were > willing to stop using the "many many patches" argument. > > Would that be a fair deal that would benefit the c.o.v. community at large ?

Sorry, no.

The 8086 8/16 bit CPU has not been widely used since the dawn of the 80x86 chips, especially the 80386 16/32 bit chips and later. I'm not even sure 8086 is even made anymore.

Patch-of-the-hour, on the other hand, is a fact of life in the M$, UN*X, Java, etc. worlds.
-- David J Dachtera dba DJE Systems http://www.djesys.com/ Unofficial OpenVMS Marketing Home Page http://www.djesys.com/vms/market/ Unofficial Affordable OpenVMS Home Page: http://www.djesys.com/vms/soho/ Unofficial OpenVMS-IA32 Home Page: http://www.djesys.com/vms/ia32/ Unofficial OpenVMS Hobbyist Support Page: http://www.djesys.com/vms/support/

------------------------------

Date: Mon, 11 Jun 2007 23:04:30 -0400
From: "Main, Kerry"
Subject: RE: 8086 vs patches
Message-ID:

> -----Original Message----- > From: JF Mezei [mailto:jfmezei.spamnot@vaxination.ca] > Sent: June 10, 2007 6:07 PM > To: Info-VAX@Mvb.Saic.Com > Subject: 8086 vs patches > > Nobody accepted to provide me with a supply of chocolate in exchange > for > my stopping the use of the term "8086" to designate the industry > standard architecture (since this is where it has its roots). > > I have a new proposal to make: > > I would be willing to stop using the 8086 monicker if Kerry Main were > willing to stop using the "many many patches" argument. > > Would that be a fair deal that would benefit the c.o.v. community at > large ? > > (My goal would be to get Mr Main to find other arguments to push VMS > instead of using that one over and over again).

Ok, a couple of simple questions for you ..

Why is it ok to bash OpenVMS on this or that, but when a very valid concern about the alternatives being promoted is raised, you want to sweep these concerns under the carpet as if the problems raised do not exist?

Forget what platform you are using today. If you were in charge of a large mission critical IT environment that uses a proven platform, and your developers or BU's came to you with their demands to move to a new platform that had numerous monthly security patches documented by the platform vendor, how would you respond to this?

1. Agree with the developers on need to move to the new platform as you don't want to be seen as a dinosaur? Or 2.
Ask for a business justification that involved looking at real costs that includes Test/QA and Operational impacts associated with these monthly patches? Or 3. Do nothing and avoid meetings where you might need to justify the existing environment?

Regards

Kerry Main Senior Consultant HP Services Canada Voice: 613-592-4660 Fax: 613-591-4477 kerryDOTmainAThpDOTcom (remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

------------------------------

Date: Mon, 11 Jun 2007 23:16:52 -0400
From: JF Mezei
Subject: Re: 8086 vs patches
Message-ID:

Main, Kerry wrote:

> Forget what platform you are using today. If you were in charge of a > large mission critical IT environment that uses a proven platform, and > your developers or BU's came to you with their demands to move to a new > platform that had numerous monthly security patches documented by the > platform vendor, how would you respond to this?

How much of a test system where those patches can be implemented and tested ? (fully fledged system with all required licences).

How much downtime for production per month to implement those patches ?

What percentage of published patches would apply to this production environment ? (aka: if this system isn't running "sendmail", then don't count all the "sendmail" patches. ).

The more applications run on that OS, the more patches one normally will expect. The lack of patches on VMS is perhaps a reflection of the lack of applications.

Note that even for VMS, a truly mission critical system needs a test system to evaluate , test and deploy new software versions, and patches to the applications.

If the linux or even the windows guys can come to me with a clear and REALISTIC plan to implement that app in robust way and manage it in a robust way, then I would have to logically agree if it saves the company money while providing reliable IT service.

Windows is bad.
But a large part of its image is due to companies choosing not only windows because it was cheap, but also hiring inexperienced windows weenies to manage those systems and that means improper change control, improper securing of those machines and it also means improper discipline in terms of change control and opening apps on production systems just to play around.

Put windows under serious, experienced administrators, and you would find that it would be possible to run it as a mission critical system.

In the past, there were many issues because 8086s just were underpowered, which meant stuff like Dell requiring 200 wintel crap boxes to run its web server and that had huge system management problems. But as the 8086 has become more and more powerful, this has greatly reduced the scalability problems. (and with Linux, it becomes even easier).

Furthermore, with deployment of disk arrays to even windows instances, it allows multiple instances to access static data from a disk array.

------------------------------

Date: Mon, 11 Jun 2007 19:43:16 -0700
From: "Tom Linden"
Subject: AEST on Alpha
Message-ID:

Spent a while trying to locate a downloadable executable for Alpha. Anybody have a link?

-- PL/I for OpenVMS www.kednos.com

------------------------------

Date: Mon, 11 Jun 2007 19:04:18 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: ALPHA_V732_MASTER_ECO_LIST.txt
Message-ID:

In article <1181583983.390260.320270@o11g2000prd.googlegroups.com>, "george.pagliarulo@hp.com" writes:

> It used to be > and was changed to >= . We had instances of customers > installing a kit and, for some reason or another, having to re-install > to get an image back on the system. Since the database saw the image > as already being installed, with it being >, it would not install the > "new" (same) image. DOH. This sounds like the database marked the image as installed before it actually was.
I can see this happening if a disk fills up or whatever, but only if the database is updated before the actual installation. Is that the case?

------------------------------

Date: Mon, 11 Jun 2007 17:09:03 -0400
From: "Main, Kerry"
Subject: RE: Another opportunity
Message-ID:

> -----Original Message----- > From: Dan Allen [mailto:dallen@nist.gov] > Sent: June 11, 2007 11:10 AM > To: Info-VAX@Mvb.Saic.Com > Subject: RE: Another opportunity > > Mention VMS to almost anyone here and watch the reaction. Anything > from total > lack of recognition to "is that old thing still around". > > Dan

You mean that thing that is approx 8 or 9 years *younger* than UNIX?

That's like the middle aged man calling the 35 year old "old" ..

:-)

UNIX--> 1969
OpenVMS--> 1978

Regards

Kerry Main Senior Consultant HP Services Canada Voice: 613-592-4660 Fax: 613-591-4477 kerryDOTmainAThpDOTcom (remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

------------------------------

Date: 11 Jun 2007 21:26:54 GMT
From: bill@cs.uofs.edu (Bill Gunshannon)
Subject: Re: Another opportunity
Message-ID: <5d5t0uF33h3mnU1@mid.individual.net>

In article , "Main, Kerry" writes:

>> -----Original Message----- >> From: Dan Allen [mailto:dallen@nist.gov] >> Sent: June 11, 2007 11:10 AM >> To: Info-VAX@Mvb.Saic.Com >> Subject: RE: Another opportunity >> >> Mention VMS to almost anyone here and watch the reaction. Anything >> from total >> lack of recognition to "is that old thing still around". >> >> Dan > > > You mean that thing that is approx 8 or 9 years *younger* than UNIX? > > That's like the middle aged man calling the 35 year old "old" .. > >:-) > > UNIX--> 1969 > OpenVMS--> 1978 >

Maybe it's just like people. Some are old at 30 while others are still young at 57.

bill

-- Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves bill@cs.scranton.edu | and a sheep voting on what's for dinner.
University of Scranton | Scranton, Pennsylvania | #include

------------------------------

Date: Mon, 11 Jun 2007 21:36:58 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: RE: Another opportunity
Message-ID:

In article , "Main, Kerry" writes:

> You mean that thing that is approx 8 or 9 years *younger* than UNIX? > > That's like the middle aged man calling the 35 year old "old" .. > > :-) > > UNIX--> 1969 > OpenVMS--> 1978

True, but that sort of misses the point. It's all about perception; if it were about facts, everyone would use VMS.

Last night, I saw Ozzy Osbourne on CNN mentioning that he had three grandchildren. However, he doesn't conform to the conventional image of the old man. There's also the reverse, of course, like Holly Johnson from Frankie Goes to Hollywood, back when they were new---he was 20 or so, but reminded many people of their grandparents with respect to his hairstyle, the way he dressed etc. Most people would probably think of U2 as a relatively modern band, although they formed before some heavy-metal groups who are still playing heavy metal. U2 re-invent themselves, whereas the heavy-metal folks are more traditional.

Which is better is a different question; what the truth is is a different question; the point is that the PERCEPTION is that VMS hasn't been improved in a while. We all know this is not true, but that is the PERCEPTION in the outside world.

At work, we have quite modern HP hardware and quite up-to-date versions of VMS, compilers, Rdb etc. I vaguely mentioned a few details to a former university colleague, whose first impression was that the computing was quite CONSERVATIVE. Actually, in many respects we are cutting edge. The PERCEPTION is, though, if one mentions VMS, then people think of something which hasn't changed much. It must be like the reaction a one-hit wonder receives, who must be quite depressed if his best music came afterward but wasn't as popular.
Unfortunately, such perceptions aren't changed by stating the facts.

------------------------------

Date: Mon, 11 Jun 2007 17:01:26 -0500
From: Ron Johnson
Subject: Re: Another opportunity
Message-ID:

On 06/11/07 16:09, Main, Kerry wrote:

>> -----Original Message----- >> From: Dan Allen [mailto:dallen@nist.gov] >> Sent: June 11, 2007 11:10 AM >> To: Info-VAX@Mvb.Saic.Com >> Subject: RE: Another opportunity >> >> Mention VMS to almost anyone here and watch the reaction. Anything >> from total >> lack of recognition to "is that old thing still around". >> >> Dan > > > You mean that thing that is approx 8 or 9 years *younger* than UNIX? > > That's like the middle aged man calling the 35 year old "old" .. > > :-) > > UNIX--> 1969 > OpenVMS--> 1978

Unix keeps reinventing its innards and outards(??), though (newer, better filesystems, newer shells with more features, fancier GUIs, etc, etc ad nauseam).

BSD and Linux internally look *nothing* like AT&T Unix. (Their lawyers ensured that.)

OTOH, I'd bet dime to a dollar that there still many traces of code from the original AXP VMS port, and even money that there's still a lot of "elder days" code in there.

ODS-2 has been around since 1980(?) and ODS-5 is too incompatible with existing apps to be deployed in many circumstances. DCL is substantially the same as when I first started using it in 1989.

The last big new feature was PIPE in v7.0. But that idea came from Unix!!!

Oh, wait: a "big" usability enhancement in v8.2: the DCL line length was increased from a pathetic 250 bytes to a less-pathetic (?)4096 bytes.

-- Ron Johnson, Jr. Jefferson LA USA Give a man a fish, and he eats for a day. Hit him with a fish, and he goes away for good!

------------------------------

Date: Tue, 12 Jun 2007 00:12:54 +0200
From: "P.
Sture"
Subject: Re: Another opportunity
Message-ID:

In article <5d567qF335oqgU1@mid.individual.net>, bill@triangle.cs.uofs.edu (Bill Gunshannon) wrote:

> A draft document has just come out of NIST called "Guidelines on Securing > Public Web Servers (Draft)". > Found it at: > Just started it but I already noticed a paragraph (3.6.1) that is right > up VMS's alley. So, anybody taking bets on whether or not HP will leverage > this great marketing opportunity?

-- Paul Sture

------------------------------

Date: Mon, 11 Jun 2007 19:40:01 -0400
From: "Main, Kerry"
Subject: RE: Another opportunity
Message-ID:

> -----Original Message----- > From: Ron Johnson [mailto:ron.l.johnson@cox.net] > Sent: June 11, 2007 6:01 PM > To: Info-VAX@Mvb.Saic.Com > Subject: Re: Another opportunity > > On 06/11/07 16:09, Main, Kerry wrote: > >> -----Original Message----- > >> From: Dan Allen [mailto:dallen@nist.gov] > >> Sent: June 11, 2007 11:10 AM > >> To: Info-VAX@Mvb.Saic.Com > >> Subject: RE: Another opportunity > >> > >> Mention VMS to almost anyone here and watch the reaction. Anything > >> from total > >> lack of recognition to "is that old thing still around". > >> > >> Dan > > > > > > You mean that thing that is approx 8 or 9 years *younger* than UNIX? > > > > That's like the middle aged man calling the 35 year old "old" .. > > > > :-) > > > > UNIX--> 1969 > > OpenVMS--> 1978 > > Unix keeps reinventing its innards and outards(??), though (newer, > better filesystems, newer shells with more features, fancier GUIs, > etc, etc ad nauseam). > > BSD and Linux internally look *nothing* like AT&T Unix. (Their > lawyers ensured that.) >

Basic architecture is the same. Otherwise, how would they continue with the "UNIX is UNIX" story (yes, we all know that this is not true and that numerous incompatibilities exist between UNIX's).

Hey, perhaps I'm wrong - what's the difference between fork on Solaris and fork on Linux?
> OTOH, I'd bet dime to a dollar that there still many traces of code > from the original AXP VMS port, and even money that there's still a > lot of "elder days" code in there. >

Also, from VAX days as well. Same for UNIX though... If this were not true, you would have major issues with compatibility.

> ODS-2 has been around since 1980(?) and ODS-5 is too incompatible > with existing apps to be deployed in many circumstances. DCL is > substantially the same as when I first started using it in 1989.

And how long has the basic UNIX shell commands been around? Oh yes, longer than DCL.

:-)

> The last big new feature was PIPE in v7.0. But that idea came from > Unix!!! > > Oh, wait: a "big" usability enhancement in v8.2: the DCL line length > was increased from a pathetic 250 bytes to a less-pathetic (?)4096 > bytes. >

You have not been following the new VMS releases too much have you?

As only a small example, check out VMS V8.* new features:
http://h71000.www7.hp.com/openvms/integrity/v83features.html (V8.3)
http://h71000.www7.hp.com/openvms/integrity/v82features.html (V8.2)

Also note the performance, UNIX portability, security, new HW, new clustering features, new .. you get the drift.

Regards,

Kerry Main Senior Consultant HP Services Canada Voice: 613-592-4660 Fax: 613-591-4477 kerryDOTmainAThpDOTcom (remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.
------------------------------

Date: Tue, 12 Jun 2007 00:20:04 -0000
From: ultradwc@gmail.com
Subject: Re: Another opportunity
Message-ID: <1181607604.980928.251740@u2g2000hsc.googlegroups.com>

On Jun 11, 7:40 pm, "Main, Kerry" wrote:

> > -----Original Message----- > > From: Ron Johnson [mailto:ron.l.john...@cox.net] > > Sent: June 11, 2007 6:01 PM > > To: Info-...@Mvb.Saic.Com > > Subject: Re: Another opportunity > > > On 06/11/07 16:09, Main, Kerry wrote: > > >> -----Original Message----- > > >> From: Dan Allen [mailto:dal...@nist.gov] > > >> Sent: June 11, 2007 11:10 AM > > >> To: Info-...@Mvb.Saic.Com > > >> Subject: RE: Another opportunity > > > >> Mention VMS to almost anyone here and watch the reaction. Anything > > >> from total > > >> lack of recognition to "is that old thing still around". > > > >> Dan > > > > You mean that thing that is approx 8 or 9 years *younger* than UNIX? > > > > That's like the middle aged man calling the 35 year old "old" .. > > > > :-) > > > > UNIX--> 1969 > > > OpenVMS--> 1978 > > > Unix keeps reinventing its innards and outards(??), though (newer, > > better filesystems, newer shells with more features, fancier GUIs, > > etc, etc ad nauseam). > > > BSD and Linux internally look *nothing* like AT&T Unix. (Their > > lawyers ensured that.) > > Basic architecture is the same. Otherwise, how would they continue with > the "UNIX is UNIX" story (yes, we all know that this is not true and > that numerous incompatibilities exist between UNIX's). > > Hey, perhaps I'm wrong - what's the difference between fork on Solaris > and fork on Linux? > > > OTOH, I'd bet dime to a dollar that there still many traces of code > > from the original AXP VMS port, and even money that there's still a > > lot of "elder days" code in there. > > Also, from VAX days as well. Same for UNIX though... If this were not > true, you would have major issues with compatibility. > > > ODS-2 has been around since 1980(?)
and ODS-5 is too incompatible > > with existing apps to be deployed in many circumstances. DCL is > > substantially the same as when I first started using it in 1989. > > And how long has the basic UNIX shell commands been around? Oh yes, > longer than DCL. > > :-) > > > The last big new feature was PIPE in v7.0. But that idea came from > > Unix!!! > > > Oh, wait: a "big" usability enhancement in v8.2: the DCL line length > > was increased from a pathetic 250 bytes to a less-pathetic (?)4096 > > bytes. > > You have not been following the new VMS releases too much have you? > > As only a small example, check out VMS V8.* new features: http://h71000.www7.hp.com/openvms/integrity/v83features.html (V8.3) http://h71000.www7.hp.com/openvms/integrity/v82features.html (V8.2) > > Also note the performance, UNIX portability, security, new HW, new > clustering features, new .. you get the drift. > > Regards, > > Kerry Main > Senior Consultant > HP Services Canada > Voice: 613-592-4660 > Fax: 613-591-4477 > kerryDOTmainAThpDOTcom > (remove the DOT's and AT) > > OpenVMS - the secure, multi-site OS that just works.

and many complain on here that tcpip is not getting enough attention but ignore the fact that TCPware and multinet ARE getting new features all the time and offer bullet proof ip services such as ssh2 ...

oops, I forgot the linux mentality that it's not free, but the old adage you get what you pay for comes to mind ... :)

------------------------------

Date: Tue, 12 Jun 2007 02:57:03 +0200
From: Michael Kraemer
Subject: Re: Another opportunity
Message-ID:

ultradwc@gmail.com wrote:

> > and many complain on here that tcpip is not getting > enough attention but ignore the fact that TCPware > and multinet ARE getting new features all the time > and offer bullet proof ip services such as ssh2 ... > > oops, I forgot the linux mentality that it's not free,

linux mentality isn't "free" but "affordable".
Or why do you think people still buy distribution CDs although Linux is "free" ? BTW, it is new to me, that Oracle etc give away their Linux stuff for free.

Moreover, Unix/Linux mentality is, that in a networked world TCP/IP should be part of the OS, which it is in Unix for about 20 years or so. The fact that it is still a matter of discussion in VMS-land shows how far behind VMS is w/ respect to others. Even OS/2 and AmigaOS have it integrated now.

------------------------------

Date: Mon, 11 Jun 2007 18:59:08 -0700
From: "johnhreinhardt@yahoo.com"
Subject: Re: Another opportunity
Message-ID: <1181613548.359490.26370@o11g2000prd.googlegroups.com>

On Jun 11, 8:57 pm, Michael Kraemer wrote:

> ultra...@gmail.com wrote: > > > > > and many complain on here that tcpip is not getting > > enough attention but ignore the fact that TCPware > > and multinet ARE getting new features all the time > > and offer bullet proof ip services such as ssh2 ... > > > oops, I forgot the linux mentality that it's not free, > > linux mentality isn't "free" but "affordable". > Or why do you think people still buy distribution CDs > although Linux is "free" ? > BTW, it is new to me, that Oracle etc give away > their Linux stuff for free.

They don't. They charge for the "Linux stuff" just like they charge for any other - unless it falls into the narrow band allowed for in the developer's license.

I quote from the "Oracle Technology Network Developer License" to which you must agree in order to legally download Oracle RDBMS 10gR2 (10.2.0.1):

"LICENSE RIGHTS We grant you a nonexclusive, nontransferable limited license to use the programs only for the purpose of developing a single prototype of your application, and not for any other purpose.
If you use the application you develop under this license for any internal data processing or for any commercial or production purposes, or you want to use the programs for any purpose other than as permitted under this agreement, you must contact us, or an Oracle reseller, to obtain the appropriate license. We may audit your use of the programs. Program documentation may be accessed online at http://www.oracle.com/technology/documentation. Ownership and Restrictions We retain all ownership and intellectual property rights in the programs. The programs may be installed on one computer only, and used by one person in the operating environment identified by us. You may make one copy of the programs for backup purposes. You may not: - use the programs for your own internal data processing or for any commercial or production purposes, or use the programs for any purpose except the development of a single prototype of your application; - use the application you develop with the programs for any internal data processing or commercial or production purposes without securing an appropriate license from us; - continue to develop your application after you have used it for any internal data processing, commercial or production purpose without securing an appropriate license from us, or an Oracle reseller; - remove or modify any program markings or any notice of our proprietary rights; - make the programs available in any manner to any third party; - use the programs to provide third party training; - assign this agreement or give or transfer the programs or an interest in them to another individual or entity; - cause or permit reverse engineering (unless required by law for interoperability), disassembly or decompilation of the programs; - disclose results of any program benchmark tests without our prior consent; or, - use any Oracle name, trademark or logo." It allows you to develop an application and that's about it. 
You can't use it to create an application - even for your own use - and actually use it. the killer phrase is "license to use the programs only for the purpose of developing a single prototype of your application, and not for any other purpose." Once the application is done OR YOU USE IT EVEN ONCE you need to get a non-free (as in beer) honest to goodness paid for license in order to be able to continue to use it yourself or to sell it to others. You also can't install Oracle on a system and use that system to train anyone else. You CAN use it to train yourself, but that's it. They do have a somewhat relaxed license available for the Oracle Express Database product. The "Oracle Technology Network Developer License Terms for Oracle Database Express Edition" states: "License Rights We grant you a nonexclusive, nontransferable limited license to use the programs for: (a) purposes of developing, prototyping and running your applications for your own internal data processing operations; (b) you may also distribute the programs with your applications; (c) you may use the programs to provide third party demonstrations and training; and d) you may copy and distribute the programs to your licensees provided that each such licensee agrees to the terms of this Agreement. You are not permitted to use the programs for any purpose other than as permitted under this Agreement. Program documentation is either shipped with the programs, or documentation may accessed online at http://www.oracle.com/technology/documentation. Any use of the Oracle Database Express Edition is subject to the following limitations; 1. Express Edition is limited to a single instance on any server; 2. Express Edition may be installed on a multiple CPU server, but may only be executed on one processor in any server; 3. Express Edition may only be used to support up to 4GB of user data (not including Express Edition system data); 4. Express Edition may use up to 1 GB RAM of available memory." 
So with this product you can, at least develop applications for yourself and run them. Note, however, the limitations placed on the type of system and data size which limit the usefulness to small or single person shops. The Oracle Database Express edition also is only available for Microsoft Windows or Linux on Intel x86. No Linux on x86-64, Sparc, Alpha, etc. No Solaris/AIX/Xenix/etc. Windows is also only the Intel x86 for the various Windows 2000/XP releases. No Vista yet, though I'm sure it's coming.

If you look at the feature set for the Express edition compared to the Standard or Enterprise editions you will notice several significant differences which may make it unsuitable for some (particularly hard-core DBA's wishing to play with the more interesting parts).

So again, with Oracle and Linux "free" has some limitations.

------------------------------

Date: Mon, 11 Jun 2007 22:34:25 -0400
From: "Main, Kerry"
Subject: RE: Another opportunity
Message-ID:

> -----Original Message----- > From: Michael Kraemer [mailto:M.Kraemer@gsi.de] > Sent: June 11, 2007 8:57 PM > To: Info-VAX@Mvb.Saic.Com > Subject: Re: Another opportunity > > ultradwc@gmail.com wrote: > > > > > and many complain on here that tcpip is not getting > > enough attention but ignore the fact that TCPware > > and multinet ARE getting new features all the time > > and offer bullet proof ip services such as ssh2 ... > > > > oops, I forgot the linux mentality that it's not free, > > linux mentality isn't "free" but "affordable". > Or why do you think people still buy distribution CDs > although Linux is "free" ? > BTW, it is new to me, that Oracle etc give away > their Linux stuff for free. >

mmm.. well, it's a good product, but with list prices for Oracle Enterprise at $40K/CPU ($60K/CPU with RAC), let's not forget where the expense is... do the math for a small 2 node x86 RAC cluster (each x86 node=2 cpus) and see what number you come up with.
> Moreover, Unix/Linux mentality is, that in a networked world > TCP/IP should be part of the OS, > which it is in Unix for about 20 years or so. > The fact that it is still a matter of discussion in VMS-land > shows how far behind VMS is w/ respect to others. > Even OS/2 and AmigaOS have it integrated now.

As does OpenVMS .. what's your point?

OpenVMS also has partner products like Multinet and TCPware which offer additional features as well, so imho, that's a good thing.

Regards

Kerry Main Senior Consultant HP Services Canada Voice: 613-592-4660 Fax: 613-591-4477 kerryDOTmainAThpDOTcom (remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

------------------------------

Date: Tue, 12 Jun 2007 00:39:50 -0500
From: Ron Johnson
Subject: Re: Another opportunity
Message-ID:

On 06/11/07 18:40, Main, Kerry wrote:

>> -----Original Message----- >> From: Ron Johnson [mailto:ron.l.johnson@cox.net] >> Sent: June 11, 2007 6:01 PM >> To: Info-VAX@Mvb.Saic.Com >> Subject: Re: Another opportunity >> >> On 06/11/07 16:09, Main, Kerry wrote: >>>> -----Original Message----- >>>> From: Dan Allen [mailto:dallen@nist.gov] >>>> Sent: June 11, 2007 11:10 AM >>>> To: Info-VAX@Mvb.Saic.Com >>>> Subject: RE: Another opportunity >>>> >>>> Mention VMS to almost anyone here and watch the reaction. Anything >>>> from total >>>> lack of recognition to "is that old thing still around". >>>> >>>> Dan >>> >>> You mean that thing that is approx 8 or 9 years *younger* than UNIX? >>> >>> That's like the middle aged man calling the 35 year old "old" .. >>> >>> :-) >>> >>> UNIX--> 1969 >>> OpenVMS--> 1978 >> Unix keeps reinventing its innards and outards(??), though (newer, >> better filesystems, newer shells with more features, fancier GUIs, >> etc, etc ad nauseam). >> >> BSD and Linux internally look *nothing* like AT&T Unix. (Their >> lawyers ensured that.) >> > > Basic architecture is the same.
> Otherwise, how would they continue with
> the "UNIX is UNIX" story (yes, we all know that this is not true and

It's the API, not the implementation, that makes Unix.

> that numerous incompatibilities exist between UNIX's).

Actually, it's not easy to get to be able to legally be called UNIX.
The *BSDs are grandfathered in, and Sun pays a license fee to SCOX for
the privilege. Otherwise, you've got to conform to the Single Unix
Specification (a descendant of OSF).

Didn't DEC brag about 15 years ago that OpenVMS was a certified Unix?
I know that IBM did so on the mainframe.

And Linux can't be called Unix: it's a work-alike.

BTW, an important point: "Linux" relies deeply on the GNU toolchain.
If there is a flaw in the GNU libc implementation of malloc, then the
system as a whole won't scale well.

This was demonstrated recently in a comparison of MySQL 5.0.?? on
recent vintages of Debian(?), {Free,Open,Net}BSD on an 8x x86-64
system. OpenBSD & NetBSD just couldn't scale *at all*, and "modern
Linux" tanked when the number of MySQL threads exceeded the number of
CPUs. FreeBSD, however, leveled off at its peak performance.

When the GNU malloc was replaced with google-malloc, Linux's
performance graph looked almost exactly like that of FreeBSD.

> Hey, perhaps I'm wrong - what's the difference between fork on Solaris
> and fork on Linux?

Implementation efficiency.

>> OTOH, I'd bet dime to a dollar that there still many traces of code
>> from the original AXP VMS port, and even money that there's still a
>> lot of "elder days" code in there.
>>
>
> Also, from VAX days as well. Same for UNIX thought... If this were not
> true, you would have major issues with compatibility.

Absolutely not true.

>> ODS-2 has been around since 1980(?) and ODS-5 is too incompatible
>> with existing apps to be deployed in many circumstances. DCL is
>> substantially the same as when I first started using it in 1989.
>
> And how long as the basic UNIX shell commands been around?
> Oh yes,
> longer than DCL.
>
> :-)

1. (grrr) not all the switches are the same,
2. they are implemented differently,
3. they don't have to be implemented at all (there are DOS-like
   shells),
4. there are many different shells, with many different features and
   purposes (some are full-featured and incompatible, while some are
   designed to be low- or tiny-footprint).

>> The last big new feature was PIPE in v7.0. But that idea came from
>> Unix!!!
>>
>> Oh, wait: a "big" usability enhancement in v8.2: the DCL line length
>> was increased from a pathetic 250 bytes to a less-pathetic (?)4096
>> bytes.
>>
>
> You have not been following the new VMS releases to much have you?
>
> As only a small example, check out VMS V8.* new features:
> http://h71000.www7.hp.com/openvms/integrity/v83features.html (V8.3)

Yeah!! I can finally burn DVDs!!!! And VMS has finally implemented
AES encryption!!! 10GbitE and 4Gbit HBAs!! The ability to generate
modern hash keys for files!!!! Cutting edge stuff, dude!!!!

Not. VMS is treading water, slowly.

> http://h71000.www7.hp.com/openvms/integrity/v82features.html (V8.2)
>
> Also note the performance, UNIX portability, security, new HW, new
> clustering features, new .. you get the drift.

Call me when DCL has for-loops, while-loops, case statements and
user-defined functions. The ability to string it all on one line
would also be a big help.

Too bad those are also trailing edge features.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

------------------------------

Date: Mon, 11 Jun 2007 21:09:00 +0200
From: "P. Sture"
Subject: Re: bad checksum for AXP_DNVOSIECO02-V83
Message-ID:

In article , Bill Bennett wrote:

> I've tried twice today to download the new DECnet-Plus ECO
> AXP_DNVOSIECO02-V83 from the ITRC FTP site, and both times
> got the same checksum for the ZIPEXE file (CHECKSUM$CHECKSUM
> = "2926599316"), which unfortunately does not agree with
> the checksum in the cover letter, although the ZIPEXE runs
> and unpacks the PCSI files without obvious error. (And no,
> the checksum in the cover letter doesn't agree with that
> for the PCSI$COMPRESSED file, either.)
>
> Has anyone been able to download AXP_DNVOSIECO02-V83.ZIPEXE
> and get the checksum listed in the cover letter?
>

The CHECKSUM program can return different values depending on the file
attributes, which of course can get munged by either FTP or the browser
you use for the download.

--
Paul Sture

------------------------------

Date: Mon, 11 Jun 2007 21:35:00 +0000 (UTC)
From: Rick Jones
Subject: Re: Bandwidth Test
Message-ID:

> > if you can run it at both ends then you can use ttcp from the
> > command prompt

> Can't.

If there is still a server out there with chargen and discard enabled,
you could use ttcp to connect to it and not need something at the
other end. netperf emulates that with the global -N option (no
control).

rick jones
--
portable adj, code that compiles under more than one compiler
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

------------------------------

Date: Mon, 11 Jun 2007 11:35:24 -0700
From: BaxterD@tessco.com
Subject: BYPASS privilege !!
Message-ID: <1181586924.538206.314370@h2g2000hsg.googlegroups.com>

We are currently preparing for the dreaded Sarbanes-Oxley stuff
and are discussing the effects (if any) of removing BYPASS privilege
from the SYSTEM account.

In particular, we are concerned whether this privilege is
"absolutely" required by anything in the system startup.
One related question would also be, Does anyone know of any
SysAdmin function which "absolutely" must be done from the SYSTEM
account, i.e. any function which would fail even if the account used
was an exact copy of the system account (except the name).

1. Has anyone out there actually done this? (i.e. removed
   BYPASS from the SYSTEM account)

2. Are there any white papers out there which discuss this in
   detail??

TIA

Dave.

------------------------------

Date: Mon, 11 Jun 2007 18:41:53 -0000
From: IanMiller
Subject: Re: BYPASS privilege !!
Message-ID: <1181587313.906536.270870@q75g2000hsh.googlegroups.com>

Why do you want to remove BYPASS?
Why not use of the SYSTEM account for interactive use, batch use,
network use.

------------------------------

Date: Mon, 11 Jun 2007 19:08:57 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: BYPASS privilege !!
Message-ID:

In article <1181586924.538206.314370@h2g2000hsg.googlegroups.com>,
BaxterD@tessco.com writes:

> We are currently preparing for the dreaded Sarbanes-Oxley stuff
> and are discussing the effects (if any) of removing BYPASS privilege
> from the SYSTEM account.

If it requires you to remove BYPASS from the system account, it must be
dreaded indeed! What is it? Of course, if the account has SETPRV, then
it might as well have BYPASS in many situations.

> In particular, we are concerned whether this privilege is
> "absolutely" required by anything in the system startup.

My guess would be that it is not, unless a) some file protections are
incorrect or b) some utility checks for BYPASS even if it doesn't really
need it.

> One related question would also be, Does anyone know of any
> SysAdmin function which "absolutely" must be done from the SYSTEM
> account, i.e. any function which would fail even if the account used
> was an exact copy of the system account (except the name).
I have a non-system account with no dangerous privs enabled by default,
where I can turn them on if necessary. I have never had a problem with
this. However, some messages might scare you, like this from
SYS$SYSTEM:STARTUP.COM:

$if stdrv$this_user .nes. "SYSTEM"
$then
$stdrv$say "%STDRV-W-NOTSYSTEM, STARTUP is not running from the SYSTEM account."
$stdrv$say "-STDRV-W-UNPREDICT, Results are unpredictable."

------------------------------

Date: 11 Jun 2007 15:09:01 -0500
From: brooks@cuebid.zko.hp.nospam (Rob Brooks)
Subject: Re: BYPASS privilege !!
Message-ID:

BaxterD@tessco.com writes:
> We are currently preparing for the dreaded Sarbanes-Oxley stuff
> and are discussing the effects (if any) of removing BYPASS privilege
> from the SYSTEM account.

You will likely never get anyone from HP to state for the record that
modifying the default or authorized privileges for the SYSTEM account
is supported.

If your auditors are recommending that action be taken, you should
press to find exactly what their objections are, rather than
capitulating to that absurd demand.

--
Rob Brooks MSL -- Nashua brooks!cuebid.zko.hp.com

------------------------------

Date: Mon, 11 Jun 2007 15:22:26 -0400
From: John Reagan
Subject: Re: BYPASS privilege !!
Message-ID:

BaxterD@tessco.com wrote:
> We are currently preparing for the dreaded Sarbanes-Oxley stuff
> and are discussing the effects (if any) of removing BYPASS privilege
> from the SYSTEM account.
>
> In particular, we are concerned whether this privilege is
> "absolutely" required by anything in the system startup.
>
> One related question would also be, Does anyone know of any
> SysAdmin function which "absolutely" must be done from the SYSTEM
> account, i.e. any function which would fail even if the account used
> was an exact copy of the system account (except the name).
>
> 1. Has anyone out there actually done this? (i.e. removed
> BYPASS from the SYSTEM account)
>
> 2. Are there any white papers out there which discuss this in
> detail??
>
> TIA
>
> Dave.
>

Note that removing BYPASS without removing SETPRV only slows me down
for a second. And not removing CMKRNL just slows me down for a minute
or two.

--
John Reagan
OpenVMS Pascal/Macro-32/COBOL Project Leader
Hewlett-Packard Company

------------------------------

Date: Mon, 11 Jun 2007 12:27:38 -0700
From: Malcolm Dunnett
Subject: Re: BYPASS privilege !!
Message-ID: <466DA22A.40506@spammers.are.scum>

Phillip Helbig---remove CLOTHES to reply wrote:
> If it requires you to remove BYPASS from the system account, it must be
> dreaded indeed! What is it? Of course, if the account has SETPRV, then
> it might as well have BYPASS in many situations.

Ditto for CMEXEC and CMKRNL

------------------------------

Date: Mon, 11 Jun 2007 15:33:06 -0400
From: JF Mezei
Subject: Re: BYPASS privilege !!
Message-ID: <1f64b$466da378$cef8887a$3235@TEKSAVVY.COM>

BaxterD@tessco.com wrote:
> We are currently preparing for the dreaded Sarbanes-Oxley stuff
> and are discussing the effects (if any) of removing BYPASS privilege
> from the SYSTEM account.

$SEARCH SYS$MANAGER:*.COM BYPASS

will give you your answer. and you can then add SYS$STARTUP,
SYS$SYSTEM, SYS$UPDATE to get even more ammunition.

In terms of the startup, I used to have SYSTEM somewhat disabled and
had created a different username under the same UIC. But eventually, I
relented because I wanted to start to organise the startup process so
that it could submit jobs to start various components and I needed to
re-enable SYSTEM for that.

The clone had all the same privileges.

SYSTEM has so many privileges that removing bypass still gives it
plenty of power. Remember that any user in the "system" UIC group (I
think any group below value of 7 if I remember correctly) is blessed
with automatic privileges anyways.

Also, remember that any process with SETPRIV (which SYSTEM has by
default) can give itself bypass.
You are probably better off securing the password for this account,
and making sure no other user has the ability to do a
submit/user=system or any equivalent deed that would allow them to
execute code under the SYSTEM UIC (batch, detached etc).

------------------------------

Date: Mon, 11 Jun 2007 15:37:56 -0400
From: "Richard B. Gilbert"
Subject: Re: BYPASS privilege !!
Message-ID: <466DA494.7090906@comcast.net>

Phillip Helbig---remove CLOTHES to reply wrote:
> In article <1181586924.538206.314370@h2g2000hsg.googlegroups.com>,
> BaxterD@tessco.com writes:
>
>
>> We are currently preparing for the dreaded Sarbanes-Oxley stuff
>>and are discussing the effects (if any) of removing BYPASS privilege
>>from the SYSTEM account.
>
>
> If it requires you to remove BYPASS from the system account, it must be
> dreaded indeed! What is it? Of course, if the account has SETPRV, then
> it might as well have BYPASS in many situations.
>
>
>> In particular, we are concerned whether this privilege is
>>"absolutely" required by anything in the system startup.
>
>
> My guess would be that it is not, unless a) some file protections are
> incorrect or b) some utility checks for BYPASS even if it doesn't really
> need it.
>
>
>> One related question would also be, Does anyone know of any
>>SysAdmin function which "absolutely" must be done from the SYSTEM
>>account, i.e. any function which would fail even if the account used
>>was an exact copy of the system account (except the name).
>
>
> I have a non-system account with no dangerous privs enabled by default,
> where I can turn them on if necessary. I have never had a problem with
> this. However, some messages might scare you, like this from
> SYS$SYSTEM:STARTUP.COM:
>
> $if stdrv$this_user .nes. "SYSTEM"
> $then
> $stdrv$say "%STDRV-W-NOTSYSTEM, STARTUP is not running from the SYSTEM account."
> $stdrv$say "-STDRV-W-UNPREDICT, Results are unpredictable."
>

I believe that you need to use SYSTEM to install software or, if you
don't use SYSTEM, then an account with the same quotas, and limits and
with many of the same privileges. But, if you are going to have an
account with the characteristics of SYSTEM, you might just as well USE
SYSTEM.

You can enable a second password on the SYSTEM account with, say, one
password known only to the System Manager, and the other known only to
someone else so it takes TWO people to log in as system. That way
there's a witness to anything done with the SYSTEM account.

------------------------------

Date: Mon, 11 Jun 2007 15:38:24 -0400
From: JF Mezei
Subject: Re: BYPASS privilege !!
Message-ID: <8b8eb$466da4b6$cef8887a$3969@TEKSAVVY.COM>

OK, while there is a lot of stuff that checks for BYPASS being
available, the original question probably still stands :

What operations does SYSTEM have to make that require the specific
goodies provided exclusively by BYPASS and not any other privileges ?

I was thinking perhaps of security related stuff such as audit server,
intrusion detection etc. But couldn't those function by having their
images installed with bypass ?

I have the impression that SYSTEM still has privileges that date back
from the very early days of VMS even though newer privileges do the
trick.

------------------------------

Date: Mon, 11 Jun 2007 19:41:28 -0000
From: Hein RMS van den Heuvel
Subject: Re: BYPASS privilege !!
Message-ID: <1181590888.125839.233510@k79g2000hse.googlegroups.com>

On Jun 11, 1:35 pm, Baxt...@tessco.com wrote:
> We are currently preparing for the dreaded Sarbanes-Oxley stuff
> and are discussing the effects (if any) of removing BYPASS privilege
> from the SYSTEM account.

IMHO the BYPASS priv is the most dangerous of all from a destructive
perspective. I personally would prefer it not to be part of set
proc/priv=all or my authorized privs.
> In particular, we are concerned whether this privilege is
> "absolutely" required by anything in the system startup.

If it is, then IMHO it would be an erroneous setup and that should be
addressed irrespectively.

> One related question would also be, Does anyone know of any
> SysAdmin function which "absolutely" must be done from the SYSTEM
> account, i.e. any function which would fail even if the account used
> was an exact copy of the system account (except the name).

Nah, the name matters not. The UIC does.

fwiw,
Hein

------------------------------

Date: Mon, 11 Jun 2007 15:41:02 -0400
From:
Subject: RE: BYPASS privilege !!
Message-ID: <63A4454BFCE1C048B2683DBB63A3633301A0EB75@ETP-CIN-US-EX01.etp1.com>

>-----Original Message-----
>From: Malcolm Dunnett [mailto:nothome@spammers.are.scum]
>Sent: Monday, June 11, 2007 12:28 PM
>To: Info-VAX@Mvb.Saic.Com
>Subject: Re: BYPASS privilege !!
>
>Phillip Helbig---remove CLOTHES to reply wrote:
>> If it requires you to remove BYPASS from the system account, it must be
>> dreaded indeed! What is it? Of course, if the account has SETPRV, then
>> it might as well have BYPASS in many situations.
>
> Ditto for CMEXEC and CMKRNL

Don't forget the often overlooked SYSNAM. With this, you can point the
system to an alternate SYSUAF...

Barry Treahy, Jr
Vice President/CIO
Midwest Microwave, Inc.
Emerson Network Power Connectivity Solutions
E-mail: Barry.Treahy@EmersonNetworkPower.com
Phone: 480/314-1320
Cell: 480/216-9568
Fax: 480/661-7028

... but it's a DRY HEAT!

This e-mail is intended only for the addressee named above. As this
e-mail may contain confidential or privileged information, if you are
not the named addressee, you are not authorized to retain, read, copy
or disseminate this message or any part of it.

------------------------------

Date: Mon, 11 Jun 2007 13:26:04 -0700
From: Bob Gezelter
Subject: Re: BYPASS privilege !!
Message-ID: <1181593564.740180.130240@m36g2000hse.googlegroups.com>

On Jun 11, 2:35 pm, Baxt...@tessco.com wrote:
> We are currently preparing for the dreaded Sarbanes-Oxley stuff
> and are discussing the effects (if any) of removing BYPASS privilege
> from the SYSTEM account.
>
> In particular, we are concerned whether this privilege is
> "absolutely" required by anything in the system startup.
>
> One related question would also be, Does anyone know of any
> SysAdmin function which "absolutely" must be done from the SYSTEM
> account, i.e. any function which would fail even if the account used
> was an exact copy of the system account (except the name).
>
> 1. Has anyone out there actually done this? (i.e. removed
> BYPASS from the SYSTEM account)
>
> 2. Are there any white papers out there which discuss this in
> detail??
>
> TIA
>
> Dave.

Dave,

Having been through a few of these audits and other audits on behalf
of clients, the most common solution has been to severely restrict the
use of the SYSTEM account. The automatic usage during startup is not
normally the issue (as has been noted, having BYPASS, SYSPRV, and a
SYSTEM UIC is somewhat redundant in terms of getting access to files).

What is more destructive of security at sites is the routine use of
SYSTEM, rather than other assigned accounts. It is really a question
of accountability.

Normally, I recommend putting the system managers in a completely
different UIC group, and being more limited with privileges, at least
those that are default. While one will get a warning message if one is
not logged into SYSTEM during some installs, I have not often had
problems that required me to login to SYSTEM in the end.

If I can be of additional assistance, please let me know.

- Bob Gezelter, http://www.rlgsc.com
Author, "OpenVMS Security" chapter; Handbook of Information Security (H.
Bidgoli, Ed., 2005, Wiley)

------------------------------

Date: Mon, 11 Jun 2007 20:35:48 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: BYPASS privilege !!
Message-ID:

In article <1f64b$466da378$cef8887a$3235@TEKSAVVY.COM>, JF Mezei
writes:

> Remember that any user in the "system" UIC group (I think any
> group below value of 7 if I remember correctly) is blessed with
> automatic privileges anyways.

I think there is a system parameter which controls this, but the name
escapes me now.

------------------------------

Date: 11 Jun 07 16:42:56 EDT
From: cook@wvnvms.wvnet.edu (George Cook)
Subject: Re: BYPASS privilege !!
Message-ID: <8tIaFLGqb+SQ@wvnvms>

In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove
CLOTHES to reply) writes:
> In article <1f64b$466da378$cef8887a$3235@TEKSAVVY.COM>, JF Mezei
> writes:
>
>> Remember that any user in the "system" UIC group (I think any
>> group below value of 7 if I remember correctly) is blessed with
>> automatic privileges anyways.
>
> I think there is a system parameter which controls this, but the name
> escapes me now.

MAXSYSGROUP

------------------------------

Date: Mon, 11 Jun 2007 16:51:10 -0400
From: JF Mezei
Subject: Re: BYPASS privilege !!
Message-ID: <34b81$466db5c4$cef8887a$24188@TEKSAVVY.COM>

In the end, isn't it still true that for a functional system, you still
need to trust at least one system manager who could still wreak havoc on
your system if he truly wanted to ?

Or can a system truly be locked down to a point where the system manager
cannot do his job without supervision from the security folks ?

(And when, as is often the case, the system manager is the only one in
the company who really knows VMS, those security folks who monitor the
system manager would have no clue on what he is really doing.)

------------------------------

Date: Mon, 11 Jun 2007 22:54:26 +0200
From: "P. Sture"
Subject: Re: BYPASS privilege !!
Message-ID:

In article <1181586924.538206.314370@h2g2000hsg.googlegroups.com>,
BaxterD@tessco.com wrote:

> We are currently preparing for the dreaded Sarbanes-Oxley stuff
> and are discussing the effects (if any) of removing BYPASS privilege
> from the SYSTEM account.
>
> In particular, we are concerned whether this privilege is
> "absolutely" required by anything in the system startup.
>
> One related question would also be, Does anyone know of any
> SysAdmin function which "absolutely" must be done from the SYSTEM
> account, i.e. any function which would fail even if the account used
> was an exact copy of the system account (except the name).
>
> 1. Has anyone out there actually done this? (i.e. removed
> BYPASS from the SYSTEM account)
>
> 2. Are there any white papers out there which discuss this in
> detail??
>

1. Please see a thread I started in 2003, where a PRODUCT INSTALL
"partially failed" because I did it from an account with LOG_IO
disabled by default.

tinyurl version: http://preview.tinyurl.com/32xkyo

2. As part of your investigation monitor BYPASS usage by auditing it.
Some useful commands here:

$ SET AUDIT/ALARM/ENABLE=ACCESS=FAIL
$ SET AUDIT/AUDIT/ENABLE=ACCESS=FAIL
$
$ SET AUDIT/ALARM/ENABLE=PRIVILEGE=SUCCESS:BYPASS
$ SET AUDIT/AUDIT/ENABLE=PRIVILEGE=SUCCESS:BYPASS

Repeat for other privileges you are interested in, but be careful.
Audit too much, and your system disk will fill up quickly.

--
Paul Sture

------------------------------

Date: Mon, 11 Jun 2007 17:00:27 -0400
From: "Richard B. Gilbert"
Subject: Re: BYPASS privilege !!
Message-ID: <466DB7EB.9050503@comcast.net>

JF Mezei wrote:
> In the end, isn't it still true that for a functional system, you still
> need to trust at least one system manager who could still wreak havoc on
> your system if he truly wanted to ?
>
> Or can a system truly be locked down to a point where the system manager
> cannot do his job without supervision from the security folks ?

Yes, it can!
It may take me days to remember exactly what it's called
but there is a secondary password that can be required to log in to an
account; IOW two passwords, only one of which is known to the system
manager. I've never known a site that actually used this feature but
it's there!

------------------------------

Date: Mon, 11 Jun 2007 17:05:49 -0700
From: BaxterD@tessco.com
Subject: Re: BYPASS privilege !!
Message-ID: <1181606749.449032.311320@c77g2000hse.googlegroups.com>

First of all, I would like to say that this discussion came about
during a meeting on SOX requirements, which morphed into a discussion
about how it would be possible to "trick" our application if the
villain had certain knowledge, programming skills and system
privileges. We managed to come up with a surprising number of ways to
work mischief, that would be difficult to detect immediately, and
possibly even more difficult to figure out.

Thanks to you all for your responses, and I want to start by saying
that we agree with all of you. Whether BYPASS is freely given to the
SYSTEM account or not, there is really no way of stopping a malicious
admin from reeking havoc with your system, should he choose to.

We were looking at it more from the point of auditability (?). A
fundamental requirement of SOX is that there should be a clear
demarcation between OS Admins and App Admins, and while it is usually
relatively simple to restrict App Admins access to the OS, it is much
less simple to stop a Sys Admin from messing with the App (again,
should he choose to).

In particular, it is usually the Sys Admin who sets up all of the
security on your Application Data Files and Executables/Scripts, and
as such he/they have all the power to work under/over/around/through
the same security.

To repeat what I said in para 1, it must be accepted that at some
level, it is impossible to stop a malicious admin from doing whatever
they have in mind to do.
This being the case, then there are really only three objectives which
we can aim for;

1. Lock down your executables, scripts and data as securely as
   possible.

however if someone still manages to cause malicious damage, then;

2. be able to determine, after the fact, exactly what was done to your
   App, or Data, and be able to recover from it.

and,

3. To be able to determine, again after the fact, exactly who did it.

As far as SOX is concerned, they are primarily interested in objective
#2. However objective #3 is still important if you want to avoid it
happening again.

Recovery after damage can be done (in our case) using the capabilities
of RMS journaling, however the ability to achieve objective #3 depends
on how you implement Objective #1.

Obviously, Identifiers and ACL's provide a way to lock down the files
and directories which make up the application, and the UAF provides
the means to control the app users. Equally obvious, to a user with
BYPASS privilege, it matters not how well you lock down the security
on your app, since BYPASS by definition, will bypass all system
security.

Once the app is properly secured, then the only way for a
non-application, privileged username to access the application
directories or files is either to grant themselves the necessary
identifiers, or use BYPASS to bulldoze their way in. Both of these
actions, (and most other discrete attempts) can be recorded in the
Security Audit Journal.

However, If there happen to be multiple Administrators, all using the
SYSTEM account for their admin duties. How do you determine who did
what?

I know this sounds fairly paranoid, and for people running 2- and 3-
tier apps, this all sounds a bit weird, but we are just running
through (a few of the endless number of) options.

1. Give each admin a personalized admin account with no BYPASS (and
   maybe other privs also)
2. Lock down the SYSTEM account for use only when carrying out Maint,
   Upgrades or Patching.
3. Enable auditing of Privilege use and UAF modification.

Final comment, I could present an endless number of scenarios which
represent risk, and for each one, someone would come up with a
solution. However the solution always comes after the solution. We are
not asking for solutions, we are merely asking if anyone knows the
answers to the two simple questions,

1. Does anyone know of any function, particularly during system
   startup, which "absolutely" requires BYPASS privilege.
2. Does anyone know of any Admin function which "absolutely" requires
   the SYSTEM account.

thanks.

Dave.

On Jun 11, 5:00 pm, "Richard B. Gilbert" wrote:
> JF Mezei wrote:
> > In the end, isn't it still true that for a functional system, you still
> > need to trust at least one system manager who could still wreak havoc on
> > your system if he truly wanted to ?
>
> > Or can a system truly be locked down to a point where the system manager
> > cannot do his job without supervision from the security folks ?
>
> Yes, it can! It may take me days to remember exactly what it's called
> but there is a secondary password that can be required to log in to an
> account; IOW two passwords, only one of which is known to the system
> manager. I've never known a site that actually used this feature but
> it's there!

------------------------------

Date: Mon, 11 Jun 2007 20:05:46 -0400
From: JF Mezei
Subject: Re: BYPASS privilege !!
Message-ID:

Richard B. Gilbert wrote:
> Yes, it can! It may take me days to remember exactly what it's called
> but there is a secondary password that can be required to log in to an
> account; IOW two passwords, only one of which is known to the system
> manager. I've never known a site that actually used this feature but
> it's there!

Two passwords are not secure. Consider an emergency where the system
manager is at work, but the second person is at home or on a business
trip. I once had the two master passwords to a SWIFT application for
those reasons.
Eventually, having the system up and running has priority over what
auditors demand and when push comes to shove, they have to waive those
restrictions.

The one advantage of the two password scheme is that it prevents
access via POP and FTP and probably other apps that are designed to
work with a single password.

In fact, what might be interesting to do is a program which backs-up
SYSUAF and RIGHTLIST on a daily basis, and compares that day's SYSUAF
with the previous day's backup and then corroborates every change
against the audit log to detect if any differences were made that were
not logged and ring alarm bells when it finds some unaudited changes.

------------------------------

Date: Mon, 11 Jun 2007 19:17:45 -0500
From: David J Dachtera
Subject: Re: BYPASS privilege !!
Message-ID: <466DE629.EF387A91@spam.comcast.net>

BaxterD@tessco.com wrote:
>
> We are currently preparing for the dreaded Sarbanes-Oxley stuff
> and are discussing the effects (if any) of removing BYPASS privilege
> from the SYSTEM account.
>
> In particular, we are concerned whether this privilege is
> "absolutely" required by anything in the system startup.
>
> One related question would also be, Does anyone know of any
> SysAdmin function which "absolutely" must be done from the SYSTEM
> account, i.e. any function which would fail even if the account used
> was an exact copy of the system account (except the name).
>
> 1. Has anyone out there actually done this? (i.e. removed
> BYPASS from the SYSTEM account)
>
> 2. Are there any white papers out there which discuss this in
> detail??

I would refer them to your local OpenVMS ambassador, as they appear to
be unqualified to do this audit.

Drop Sue a note off-line and she can probably steer you on to someone.
--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/

------------------------------

Date: Mon, 11 Jun 2007 20:34:01 -0400
From: JF Mezei
Subject: Re: BYPASS privilege !!
Message-ID: <8cd76$466de9ff$cef8887a$15942@TEKSAVVY.COM>

BaxterD@tessco.com wrote:
> demarcation between OS Admins and App Admins, and while it is usually
> relatively simple to restrict App Admins access to the OS, it is much
> less simple to stop a Sys Admin from messing with the App

I'll give you my experience with the defunct ST400 app for SWIFT
transfers on VMS.

The app was designed to prevent tampering of the data. One file has
encrypted records. There was a readable log file. But if I were to
mess with the log file, the app would notice it in many ways. First,
each record has a checksum as part of the swift transfer.

There were also application level privileges. For instance, if a user
issued a funds transfer request above that user's limit, the request
would be routed to someone with authorisation for that level of
transfer.

Another example was the operators. Every night, they were the ones who
sent the daily statement of transactions to each correspondent bank.
To do this, they had to have an ST400 application account, but that
account was restricted to 0$ transfers. So they couldn't cheat and add
a few transactions in the batch to send money to their swiss bank
account.

And more importantly, while I could redirect some logical names to
cause that operation to use a different file with my own transactions,
the operation would still be restricted by the operator's ST400
account restriction (aka: still unable to send some money from that
bank to my swiss bank account).
Sending money to a Swiss bank account would have also required I use my personal Concorde to fly to Switzerland ASAP to withdraw the money from that account before business hours in North America since at that time, the ST400 manager would look at the overnight logs and notice outgoing funds and know to which account they had gone.

On the other hand, when you look at ALLIN1, the system manager can do a LOT of things and change people's email contents etc etc and this is not logged and absolutely not traceable.

So one needs a properly designed application that is actively designed to prevent tampering of data.

------------------------------

Date: Mon, 11 Jun 2007 19:39:25 -0500
From: David J Dachtera
Subject: Re: BYPASS privilege !!
Message-ID: <466DEB3D.A3C7AF9E@spam.comcast.net>

BaxterD@tessco.com wrote:
> [snip]
> Thanks to you all for your responses, and I want to start by
> saying that we agree with all of you. Whether BYPASS is freely
> given to the SYSTEM account or not, there is really no way of stopping
> a malicious admin from reeking havoc with your system, should he
> choose to.

Apologies for being pedantic here... the word you want is "wreak" (havoc).

See:
http://www.m-w.com/cgi-bin/dictionary?wreak

--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/

------------------------------

Date: Mon, 11 Jun 2007 16:45:28 -0400
From: JF Mezei
Subject: Re: Lightning & Time to buy lottery tickets
Message-ID: <59988$466db46e$cef8887a$24188@TEKSAVVY.COM>

John Smith wrote:
> With 802.11n (draft) now available, if you aren't running anything that
> needs better than WPA-2 protection, you can get 75Mbps real-world throughput
> on devices that support 802.11n.
> This eliminates any ethernet surge concerns
> to the end devices. You just have to protect the ethernet network at the
> router/switch level.

But won't lightning adapt to wireless devices (like viruses adapt to antibiotics) and eventually learn to generate EM strong enough to zap the wireless interfaces ? :-) :-) :-)

On another newsgroup, I was pointed to http://www.lightningtech.com which has a most excellent FAQ which confirms what happened to me. It isn't just EMI, but it is also surges that come from the ground.

What I am still unsure of is whether lightning arrestors are a good thing or not. Having a deeply grounded antennas on your roof is akin to a huge billboard with the words "HIT ME !" on it. You are making your building a great place for lightning to strike. And while these arrestors will safely conduct the current to the ground, you are still stuck with the EMI and ground surge problems which are worse because of the direct hit on your building.

(but if you're going to be hit anyways, then you need them).

------------------------------

Date: Mon, 11 Jun 2007 17:00:01 -0400
From: "John Smith"
Subject: Re: Lightning & Time to buy lottery tickets
Message-ID:

JF Mezei wrote:
> John Smith wrote:
>> With 802.11n (draft) now available, if you aren't running anything
>> that needs better than WPA-2 protection, you can get 75Mbps
>> real-world throughput on devices that support 802.11n. This
>> eliminates any ethernet surge concerns to the end devices. You just
>> have to protect the ethernet network at the router/switch level.
>
> But won't lightning adapt to wireless devices (like viruses adapt to
> antibiotics) and eventually learn to generate EM strong enough to zap
> the wireless interfaces ? :-) :-) :-)
>
> On another newsgroup, I was pointed to http://www.lightningtech.com
> which has a most excellent FAQ which confirms what happened to me. It
> isn't just EMI, but it is also surges that come from the ground.
>
> What I am still unsure of is whether lightning arrestors are a good
> thing or not. Having a deeply grounded antennas on your roof is akin
> to a huge billboard with the words "HIT ME !" on it. You are making
> your building a great place for lightning to strike. And while these
> arrestors will safely conduct the current to the ground, you are still
> stuck with the EMI and ground surge problems which are worse because
> of the direct hit on your building.
>
> (but if you're going to be hit anyways, then you need them).

Put everything inside a Faraday cage ( or in a Tempest environment ), use opto-isolation on all your network equipment.

Finally ....use a wood-burning steam boiler outside the cage and direct the steam to a turbine/generator located inside the cage to generate electricity. Run the steam plant as either closed-loop, or condense the steam and open up a distilled water business on the side. :-)

Or maybe buy the Cheyenne Mountain facility (might be a cheaper option). Or rent space in the Diefenbunker.

--
OpenVMS - The never-advertised operating system with the dwindling ISV base.

------------------------------

Date: Mon, 11 Jun 2007 16:23:31 -0500
From: Ron Johnson
Subject: Re: Lightning & Time to buy lottery tickets
Message-ID:

On 06/11/07 14:47, John Smith wrote:
[snip]
>
>
> With 802.11n (draft) now available, if you aren't running anything that
> needs better than WPA-2 protection, you can get 75Mbps real-world throughput

Gah!!!! That's almost as bad as using FreeBSD.

> on devices that support 802.11n. This eliminates any ethernet surge concerns
> to the end devices. You just have to protect the ethernet network at the
> router/switch level.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!
------------------------------

Date: Mon, 11 Jun 2007 16:30:38 -0700
From: john.s.haro@boeing.com
Subject: Re: Minimum priv to run an audit
Message-ID: <1181604638.577554.180040@x35g2000prf.googlegroups.com>

On Jun 11, 3:35 pm, s...@antinode.org (Steven M. Schweda) wrote:
> From: john.s.h...@boeing.com
>
> > I have a user who we would like to elevate just high enough to perform
> > an $anal/audit
>
> > Anyone know if there is a minimum priv to add that will allow this
> > without granting full privs? or is an ACL required on the auditjournal
> > file ?
>
> I believe that all you need is READ access to the audit journal
> (SYS$MANAGER:SECURITY.AUDIT$JOURNAL), so an ACL should do the job.
>
> ------------------------------------------------------------------------
>
> Steven M. Schweda sms@antinode-org
> 382 South Warwick Street (+1) 651-699-9818
> Saint Paul MN 55105-2547

Thanks Steve,

That did work.

Now - anyone know a similar method to allow non-prived user the ability to list users from sysuaf.dat ?

( we are creating a user account specifically for auditing )

-JohnH

------------------------------

Date: Mon, 11 Jun 2007 21:11:45 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: Minimum priv to run an audit
Message-ID: <07061121114497_202003EE@antinode.org>

From: john.s.haro@boeing.com

> Now - anyone know a similar method to allow non-prived user the
> ability to list users from sysuaf.dat ?

According to the HELP in AUTHORIZE:

[...]
   o System user authorization file (SYSUAF.DAT)
[...]
   o Network proxy authorization file [NET$PROXY.DAT]
[...]
   o Rights database file (RIGHTSLIST.DAT)
[...]
   To use AUTHORIZE, you must have write access to all three of these
   files (you must have an account with the user identification code
   (UIC) of [SYSTEM] or the SYSPRV privilege).
[...]
If SYSPRV sounds like too much to give away, you may find it useful to arrange for a highly privileged user/account to create (periodically or on demand) a report containing only safe information for use by a less privileged user/account.

------------------------------------------------------------------------

Steven M. Schweda sms@antinode-org
382 South Warwick Street (+1) 651-699-9818
Saint Paul MN 55105-2547

------------------------------

Date: Mon, 11 Jun 2007 14:49:24 -0500
From: Ron Johnson
Subject: Re: OT: Lightning & Time to buy lottery tickets
Message-ID: <8Hhbi.22101$6z4.11056@newsfe19.lga>

On 06/11/07 10:08, Rich Jordan wrote:
> On Jun 10, 11:57 am, David J Dachtera
> wrote:
>> Rambo wrote:
>>
>>> Well, a similar thing happened to me at work two years ago, during
>>> "storm of century" in Poland. except it wasn't "near miss", it was a
>>> direct hit. We have lost electricity for nearly 6 hours after that.
>>> Results:
>>> - $5000 ATM switch busted, wouldn't boot, wouldn't squeak (wish it
>>> went to my collection)
>>> - HP Ethernet switch started losing packets,
>>> - two SuperStacks II, both made something like this: BUZZZZ-zz---ZZZ,
>>> one had 4 ports fried, another "just" two and lost management ability.
>>> - one computer lost EtherExpress Pro/100
>> I worked at a factory back in the middle 70's. A power pole just outside the
>> plant took a direct hit. A fair amount of the electrical infrastructure inside
>> the plant had to be replaced.
>>
>> While I worked there, had another stormy day. The sky grew so dark that the
>> parking lot lights came on - we could see that through the frosted windows at
>> the tops of the walls. Then, the power failed suddenly. Rather an eerie scene
>> with no lights and the green-hued, darkened sky. A tornado had gone skipping
>> across the area less than a mile south of the plant. "Exploded" numerous houses
>> in the residential areas, just missing a high school, virtually obliterated the
>> electrical substation that fed the industrial park. The plant was without power
>> for three days.
>>
>> --
>> David J Dachtera
>> dba DJE Systems http://www.djesys.com/
>>
>> Unofficial OpenVMS Marketing Home Page http://www.djesys.com/vms/market/
>>
>> Unofficial Affordable OpenVMS Home Page: http://www.djesys.com/vms/soho/
>>
>> Unofficial OpenVMS-IA32 Home Page: http://www.djesys.com/vms/ia32/
>>
>> Unofficial OpenVMS Hobbyist Support Page: http://www.djesys.com/vms/support/
>
>
> Once at home, once at work. We're in the middle of a 5-unit townhouse
> building. Lightning struck the tree outside one end unit (we were not
> home). The tree survived, but the answering machine, two analog
> phones, three Hayes Optima modems, a VT320, a DECserver 200, and the
> serial port on a Macintosh IIci all died.
>
> At work we lost a bank of Xyplex terminal servers to a building hit
> once, along with the compressor for a Liebert A/C unit. The strike
> ran down one corner of the building, and the Xyplex that fried served
> terminals including the affected corner office on the top floor.
> Everything else in the computer room seemed fine (5 VAX cluster,
> HSC50/70 and many disks) for about three days, then the PDU started
> flaking out randomly cutting power to several circuits in the room.
> Fixed under contract, fortunately. The office lost its VT terminal,
> desktop pc (386-16, big deal at the time), calculator, phone, TV/VCR
> setup, and wall clock, as I recall.

What ever happened to lightning rods?

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!
------------------------------

Date: Mon, 11 Jun 2007 14:10:57 -0400
From: "David Turner, Island Computers"
Subject: Re: porting ignorance (was Re: Story Time)
Message-ID: <136r418br6e5919@news.supernews.com>

I heard they dumped it (VMS) and upgraded to Superior Windows XP 64 Edition on Integrity.

;0)

DT

"Ron Johnson" wrote in message news:GYKai.176474$mJ1.13463@newsfe22.lga...
> On 06/09/07 07:07, Main, Kerry wrote:
> [snip]
>> classroom and graduate projects that port open source
>> applications-typically running on Linux or Open64-to OpenVMS. "It's a
>
> What's Open64?
>
> --
> Ron Johnson, Jr.
> Jefferson LA USA
>
> Give a man a fish, and he eats for a day.
> Hit him with a fish, and he goes away for good!

------------------------------

Date: Mon, 11 Jun 2007 19:35:08 -0500
From: David J Dachtera
Subject: Question for the Group
Message-ID: <466DEA3C.C88A73AD@spam.comcast.net>

Folks,

I'll likely be severely chastised for this, but here goes...

I've been carrying on an exchange by private e-mail where it was suggested that the negativity expressed in this forum is greatly damaging to VMS.

So, I'd like to solicit your comments on that, and also pose a question where you can, effectively, wish for "the world": in your opinion, what would have to happen to stem what is viewed as an endless stream of complaints and vitriol here in comp.os.vms?

Please express yourself freely (but take a lesson from the Illinois high school senior who almost wound up doing time for carrying that to an extreme). I'd recommend containing yourself only as far as to suppress obscenities and profanity - (blank) and (Censored) work, at least for me these days - as well as suppressing any talk of violence which could lead to untold troubles. We don't need that distraction.

Anyone who wishes to respond anonymously may send your reply directly to me - how to demung the reply-to should be obvious.
I will then "sanitize" and post such messages, but be advised that I might clean up language, grammar, punctuation, capitalization, etc. to mask characteristics that might divulge the identity of an anonymous respondent.

Have at it - or have at me, whatever works for you.

--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

------------------------------

Date: Tue, 12 Jun 2007 01:55:58 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: Question for the Group
Message-ID: <00A68FFB.C19EE991@SendSpamHere.ORG>

In article <466DEA3C.C88A73AD@spam.comcast.net>, David J Dachtera writes:
>
>
>Folks,
>
>I'll likely be severely chastised for this, but here goes...
>
>I've been carrying on an exchange by private e-mail where it was suggested that
>the negativity expressed in this forum is greatly damaging to VMS.
>
>So, I'd like to solicit your comments on that, and also pose a question where
>you can, effectively, wish for "the world": in your opinion, what would have to
>happen to stem what is viewed as an endless stream of complaints and vitriol
>here in comp.os.vms?

I believe that most here are very positive about VMS. Any negativity is the result of mistreatment by the step-parents of the bastard child VMS.

Case in point, roll the clock back to my posting about 2 weeks ago regarding the list of VMS ISVs which appeared in Sue's post. I have *yet* to be contacted by the group that claims that I told them to bugger off and not contact me. Signe contacted me in private email about this but I have not heard a thing. If HP is outsourcing their liaison activities with ISVs and that is causing me to be overlooked, I believe that that simply reflects poorly on HP -- but not VMS.

Let me add too that I don't believe for one minute that Signe or Sue or anybody involved with VMS dropped the ball on this. They are hand-tied by HP corp. policy and I would assume doing what they can within the limits of HP policy.

I, and I'll wager others here, love VMS.
The "vitriol" of which you speak is not directed at VMS. This is not present day public school! We do not reward mediocre performance and turn our heads away from the substandard. I really do believe that HP is the epitome of a "demotivational" poster I made some time ago. It reads:

MEDIOCRITY
Why excel when mundane is ubiquitous?

I will now go back to proudly waving my VMS flag whilst the counter-intelligence within HP attempts to subvert my ability to do so.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

"Well my son, life is like a beanstalk, isn't it?"

------------------------------

Date: Mon, 11 Jun 2007 22:09:41 -0400
From: "Richard B. Gilbert"
Subject: Re: Question for the Group
Message-ID: <466E0065.9050500@comcast.net>

David J Dachtera wrote:
> Folks,
>
> I'll likely be severely chastised for this, but here goes...
>
> I've been carrying on an exchange by private e-mail where it was suggested that
> the negativity expressed in this forum is greatly damaging to VMS.
>
> So, I'd like to solicit your comments on that, and also pose a question where
> you can, effectively, wish for "the world": in your opinion, what would have to
> happen to stem what is viewed as an endless stream of complaints and vitriol
> here in comp.os.vms?
>
> Please express yourself freely (but take a lesson from the Illinois high school
> senior who almost wound up doing time for carrying that to an extreme). I'd
> recommend containing yourself only as far as to suppress obscenities and
> profanity - (blank) and (Censored) work, at least for me these days - as well as
> suppressing any talk of violence which could lead to untold troubles. We don't
> need that distraction.
>
> Anyone who wishes to respond anonymously may send your reply directly to me -
> how to demung the reply-to should be obvious. I will then "sanitize" and post
> such messages, but be advised that I might clean up language, grammar,
> punctuation, capitalization, etc.
> to mask characteristics that might divulge the
> identity of an anonymous respondent.
>
> Have at it - or have at me, whatever works for you.
>

The "negativity" that I see appears to be a realistic assessment. H-P does not and will not market VMS. Given that, there is little hope of keeping the O/S alive.

I think I mentioned recently that, in the fall of 1998, I was offered a $5000 raise and a $5000 signing bonus to take a VMS job. When the company was acquired in the summer of 2004, my services were no longer required. By anyone! The demand for VMS people has vanished. The O/S has effectively vanished. It still runs in a lot of places where Ctrl-Alt-Del is not an option but most of those places are out of the public eye.

The Robert Morris worm brought the Unix world to its knees a few years ago. VMS was not affected. Did anybody notice that? Did anybody step up and say "that couldn't happen to VMS"? We knew that but, if the marketing folks did, they didn't care to say so!

If your correspondent thinks the negativity here is damaging VMS, what does he think of HP's marketing?

------------------------------

Date: Mon, 11 Jun 2007 22:53:39 -0400
From: =?ISO-8859-1?Q?Arne_Vajh=F8j?=
Subject: Re: Question for the Group
Message-ID: <466e0aa8$0$90276$14726298@news.sunsite.dk>

Richard B. Gilbert wrote:
> I think I mentioned recently that, in the fall of 1998, I was offered a
> $5000 raise and a $5000 signing bonus to take a VMS job. When the
> company was acquired in the summer of 2004, my services were no longer
> required. By anyone! The demand for VMS people has vanished. The O/S
> has effectively vanished. It still runs in a lot of places where
> Ctrl-Alt-Del is not an option but most of those places are out of the
> public eye.

That is the general direction since the late 90's.

> The Robert Morris worm brought the Unix world to its knees a few years
> ago. VMS was not affected. Did anybody notice that? Did anybody step
> up and say "that couldn't happen to VMS"?
> We knew that but, if the
> marketing folks did, they didn't care to say so!

"Few years" ??

It was in 1988 !

> If your correspondent thinks the negativity here is damaging VMS, what
> does he think of HP's marketing?

My guess is that he works there !

:-)

Arne

------------------------------

Date: Mon, 11 Jun 2007 23:02:28 -0400
From: "Richard B. Gilbert"
Subject: Re: Question for the Group
Message-ID: <466E0CC4.8040107@comcast.net>

Arne Vajhøj wrote:
> Richard B. Gilbert wrote:
>
>> I think I mentioned recently that, in the fall of 1998, I was offered
>> a $5000 raise and a $5000 signing bonus to take a VMS job. When the
>> company was acquired in the summer of 2004, my services were no longer
>> required. By anyone! The demand for VMS people has vanished. The
>> O/S has effectively vanished. It still runs in a lot of places where
>> Ctrl-Alt-Del is not an option but most of those places are out of the
>> public eye.
>
>
> That is the general direction since the late 90's.
>
>> The Robert Morris worm brought the Unix world to its knees a few years
>> ago. VMS was not affected. Did anybody notice that? Did anybody
>> step up and say "that couldn't happen to VMS"? We knew that but, if
>> the marketing folks did, they didn't care to say so!
>
>
> "Few years" ??
>
> It was in 1988 !

When you're as old as I am, 1988 isn't all that long ago!

------------------------------

Date: Tue, 12 Jun 2007 00:00:35 -0400
From: JF Mezei
Subject: Re: Question for the Group
Message-ID: <781c3$466e1a6a$cef8887a$8296@TEKSAVVY.COM>

Not long ago, there was an article on how airlines now assign employees to monitor discussion groups on the internet to spot horror stories, investigate internally and fix problems to prevent/reduce such horror stories.
Not only have airlines realised that the bad publicity is hurting them, but they have realised that these forums are a great place to spot problems in their "systems" and bypass layers of employees who are afraid to report bad news to their bosses.

If I had been HP's top management, especially Stallard (due to his terrible first words to the VMS community expecting them to move to HPUX after 9 months of total silence on the future of VMS), I would have come here and made a plea to be in touch with the community to ensure that VMS's potential is fully leveraged by HP and to spot problems "in the system".

Instead, we got NOTHING. NADA. NOT A WORD.

Were it not for Sue, the VMS community would not have gotten ANY information about the future of VMS since June 25 2001. And we all realise that Sue has her hands tied behind her back and still must represent her employer.

Just try to imagine what VMS would be like had Sue not been there for us in the last couple of years. No boot camp. And consider the number of fires that Sue helped put out with individual customers who couldn't get the time of day in VMS format from their local office.

However, Sue does not appear to have the support of anyone above her because she appears to be swimming against a strong current from higher management. How can Sue realistically get Cerner back to VMS if Hurd, Livermore or Stallard negotiated multi-million deals to get Cerner to drop VMS ?

In real life, the simplest way to save VMS would be to clone Sue's brain and implant the copy into Ann Livermore's head.

HP HAS BEEN REPEATEDLY GIVEN SIMPLE TASKS IT CAN DO TO SHUT US UP AND MAKE US FEEL COMFORTABLE (marketing) AND HP HAS STEADFASTLY REFUSED TO CHANGE ITS POLICY TO PREVENT MARKETING OF VMS.
I do not know who complained to Mr Dachtera, but if it is an HP employee higher than Sue, then that employee is totally incompetent because he/she/it should know that we have been asking for the same thing FOR OVER A DECADE and the owner of VMS have steadfastly refused to market VMS at even a modest level.

HP should know that the short-lived "renaissance" period not long before the premeditated massacre of Alpha had caused VMS to grow by close to 10% in a few months. And that was a very modest marketing budget. But it proves that VMS has great potential.

An HP employee who does not understand the c.o.v. community is one which is detached with reality. This is quite similar to the state of IBM as Gerstner took over. Only happy customers were polled to ensure that top management thought the lower management were doing a great job and customers were happy.

Like it or not, we are the ones who suffer first from the slow death of VMS. We are the ones to see VMS budgets stagnate while projects for other platforms galore. We are the first ones to lose our jobs or not have contracts renewed because no more development is done on VMS. HP only sees some effect years later when that system is taken off maintenance.

And if HP (corp) says that VMS has a assured future, how come they would get Cerner to switch to HP-UX and drop VMS ?

Gartner spotted the signs of a cancer for VMS. Nobody believed them, and pointed to the fact that a couple years later, VMS wasn't dead yet. Meanwhile, customers have been leaving VMS one by one. If nothing is done to fix it, the cancer will kill VMS.

With HP now supporting Cerner's move away from VMS to HP-UX (which in reality means customers moving to IBM), it is an indication that HP has truly put VMS in palliative care and expects it to die soon.

And just like they promised great future for alpha right up until June 24 2001 at 23:59, they will promise a great future for VMS right up until the day they announce it is dead.
And the folks in VMS management won't even know that announcement will be coming until it is made public.

WE ARE NOT THE ONES HURTING VMS. We are merely pointing to the fact that it is HP IS HURTING VMS.

Since June 25 2001 (alpha genocide), September 7th 2001 (Carly/Curly wedding announcement) and May 7th 2001 (official wedding of HP/Compaq), HP has done NOTHING to gain our trust and signify that it truly intends to make VMS successful.

VMS employees have done their darndest to minimise the damage done by HP corporate with regards to VMS. But the damage is being done by HP corporate every day they refuse to market VMS. Everyday they refuse to allow a press release about VMS to go to their main press release web site and out to the newswires.

Either VMS management is truly incompetent and doesn't know how to work the HP machines to get a press release out "officially", or HP has a hard policy to prohibit any VMS marketing, so VMS management is stuck with whatever internal means they have to make as much noise as they can DESPITE HP.

Let's take the first possibility. If VMS management were truly incompetent, then the 4 persons above it (Fink, Stallard, Livermore, Hurd) would do something to rectify this and not jeopardise a great source of profit. Clearly, nothing is being done. And this lack of marketing has transcended multiple VMS managers from Marcello to Gorham to Hurd in just the recent years.

I have one thing to say to VMS management: You may have nice plush severance packages when they announce the end of VMS, but WE DO NOT. We have an ever greater self interest in the success of VMS than you do. And if you truly care about the future of VMS, you would risk talking to us in private and tell us where the real problems are within HP so that we can then write our letters to Hurd in such a way that he might start to look in to the right areas and discover a problem and fix it.

We know there are problems.
If we don't get any info about them under the table, then our letters of complaints are aimless and have far less impact.

Hurd *should* be OS neutral because he is not from any HP heritage (HP, Compaq, DEC, Tandem). If the people below him (Stallard, Livermore) have a strong bias, then Hurd has to be told so he can discover that bias and learn to work around it and isolate those people who have been guiding him in the wrong direction since he came on-board.

And if you are a former employee, then your letter to Hurd could have far greater impact if you can freely "tell it like it is" and point to the very people who are squandering a great source of revenues/profits and misguiding Hurd on the true potential of VMS.

------------------------------

Date: Tue, 12 Jun 2007 00:49:41 +0200
From: "Dr. Dweeb"
Subject: Re: Question to Bob
Message-ID: <466dd188$0$7609$157c6196@dreader2.cybercity.dk>

http://www.amazon.co.uk/God-Delusion-Richard-Dawkins/dp/0593055489/ref=pd_bbs_sr_1/026-4625950-5871600?ie=UTF8&s=books&qid=1181602133&sr=8-1

------------------------------

Date: Mon, 11 Jun 2007 19:15:00 -0500
From: David J Dachtera
Subject: Re: Reflection's VT emulation (was: DECTerm Bold fonts on ReflectionX (Version 6
Message-ID: <466DE584.4CDC0822@spam.comcast.net>

Michael Unger wrote:
>
> On 2007-06-11 15:11, "John E. Malmberg" wrote:
>
> > SJF Mezei wrote:
> >> John E. Malmberg wrote:
> >>
> >> [...]
> >
> >>> Also, on my Reflections 2 (Version 5.20), bold text is not showing up
> >>> as bold, only as normal. The only work around I have found is to make
> >>> bold text a different color. So if someone has a better hack, I would
> >>> appreciate it.
> >>
> >> This would have to do with your local PC font directory and how it maps
> >> X fonts to your PC fonts, as well as which fonts it reports it has when
> >> talking to the X client (the VMS box).
> >
> > Reflection 2 is a VT4xx emulator with out REGIS graphics.
> > It has
> > nothing to do with X11 except that at the time I bought Reflection X, if
> > you requested it, they bundled Reflection 2 in free.
> >
> > So what I am doing is attempting to get more life out of an ancient
> > package of Reflections.X.
> >
> > I am hoping that someone has done this already and has some answers.
>
> It's been quite some time -- so "IIRC", "AFAIR", and similar disclaimers
> ahead ...
>
> Reflection's VT-420 emulation (I've used "Reflection 4" years ago) maps
> the 16 possible combinations of the VT's "attribute bits" ("bold",
> "underline", "blink", "reverse") to 16 different colours on a VGA
> display (which KEA's "Enterprise 2000" VT-420 emulation does as well). I
> don't remember if you can set text and background colours independently.
>
> What I usually do (black background assumed) is similar to the following
> pattern:
>
> normal ............. (medium) grey, i.e., RGB = 128,128,128
> bold ............... (light) white, i.e., RGB = 255,255,255
> underline .......... (medium) green
> underline & bold ... light green
> blink .............. (medium) cyan
> blink & bold ....... light cyan
>
> and so on for all possible combinations.

Actually, JF is inquiring about Reflection/X - the X-server for Windows PCs. The underlying issue is generic to any X window displayed on the subject workstation(s), not just DECterm.

Reflection/2, /4, etc. are character-cell terminal emulators.
--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/

------------------------------

Date: Mon, 11 Jun 2007 11:04:31 -0700
From: IanMiller
Subject: Re: SAMBA not ready to be a replacement for PathWorks
Message-ID: <1181585071.266446.55830@p47g2000hsd.googlegroups.com>

Advanced Server V7.3B is supported on OpenVMS Alpha V8.3 and according to the VMS roadmap slide 37 will be supported on V8.4 when that comes out in H2 2008.

The SPD [http://h18000.www1.hp.com/info/SP3050/SP3050pf.pdf] says "Advanced Server V7.3B for OpenVMS requires HP OpenVMS Alpha Version 7.3-2, 8.2 or 8.3."

------------------------------

Date: Mon, 11 Jun 2007 16:32:46 -0400
From: "PEN"
Subject: Re: SAMBA not ready to be a replacement for PathWorks
Message-ID:

Hi,

"IanMiller" wrote in message news:1181585071.266446.55830@p47g2000hsd.googlegroups.com...
> Advanced Server V7.3B is supported on OpenVMS Alpha V8.3 and according
> to the VMS roadmap slide 37 will be supported on V8.4 when that comes
> out in H2 2008.
>
> The SPD [http://h18000.www1.hp.com/info/SP3050/SP3050pf.pdf] says
> "Advanced Server V7.3B for OpenVMS requires HP OpenVMS Alpha Version
> 7.3-2, 8.2 or 8.3."
>
>

And it will install/run on OpenVMS Alpha versions as far back as 7.2-1 (though it's not officially supported). To override the OpenVMS version check during installation, first do:

$ define pwrk$ignore_version 1

Regards,
Paul

------------------------------

Date: Mon, 11 Jun 2007 19:18:42 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: SMTP.CONFIG: Reject-Mail-From: for part of an address?
Message-ID:

Will Reject-Mail-From: work with PART of an email address, or does it need a whole address? In other words, can one use this to reject mail from, for example, a certain (sub)domain or whatever?

------------------------------

Date: Tue, 12 Jun 2007 10:27:36 +0800
From: "Richard Maher"
Subject: Where is the love? (Was: Re: Question for the Group)
Message-ID:

Hi David,

I think I speak for everyone here when I say that next month's (being part of the revised H2CY07 deadline) announcement of IPsec for TCP/IP services, will see an end to *all* of the bitching and moaning oft seen in the personality-disorder magnet that is COV! What's more, the arrival of a caller's-mode safe lib$*vm* heap-manager will obliterate *all* off-topic religious/global-warming posts in an instant; just see if I'm not right :-)

On a serious note, I would advise your anxious friend(s) not to pay too much attention to what goes on here; nobody else does. Several times I've tried the "Yes, you were right all along, VMS is dead - so why keep telling us?" argument to no avail. Like other religious converts, it appears that those that have left VMS (for whatever reason) feel threatened, or are made insecure, by the fact that there are others who freely choose to remain loyal to VMS.

Maybe it's time for a Dissolution of the COVs? A forum dedicated to forward-looking (1) technical discussion certainly has its appeal. You start it and I'll come and contribute - How enticing's that? Just why there are so many people that no longer have anything to do with VMS (and some who never did) hell-bent on trashing this place is a mystery to me. (Needless to say, all of my criticisms have always been constructive :-)

This is only a newsgroup; no one dies here! (Although many here appear to be getting closer (in age) to the death-zone than VMS :-)

Cheers Richard Maher

(1) But there is no future since the Alphacide and Larry, Mo and Curly were all in bed together, not to mention Palmer's hair-do.
We're all doomed, I tell ya we're all going to die!!! :-)

"David J Dachtera" wrote in message
news:466DEA3C.C88A73AD@spam.comcast.net...
> Folks,
>
> I'll likely be severely chastised for this, but here goes...
>
> I've been carrying on an exchange by private e-mail where it was suggested that
> the negativity expressed in this forum is greatly damaging to VMS.
>
> So, I'd like to solicit your comments on that, and also pose a question where
> you can, effectively, wish for "the world": in your opinion, what would have to
> happen to stem what is viewed as an endless stream of complaints and vitriol
> here in comp.os.vms?
>
> Please express yourself freely (but take a lesson from the Illinois high school
> senior who almost wound up doing time for carrying that to an extreme). I'd
> recommend containing yourself only as far as to suppress obscenities and
> profanity - (blank) and (Censored) work, at least for me these days - as well as
> suppressing any talk of violence which could lead to untold troubles. We don't
> need that distraction.
>
> Anyone who wishes to respond anonymously may send your reply directly to me -
> how to demung the reply-to should be obvious. I will then "sanitize" and post
> such messages, but be advised that I might clean up language, grammar,
> punctuation, capitalization, etc. to mask characteristics that might divulge the
> identity of an anonymous respondent.
>
> Have at it - or have at me, whatever works for you.
>
> --
> David J Dachtera
> dba DJE Systems
> http://www.djesys.com/

------------------------------

Date: Mon, 11 Jun 2007 15:17:55 -0700
From: john.s.haro@boeing.com
Subject: [Q] Minimum priv to run an audit
Message-ID: <1181600275.230870.297350@j4g2000prf.googlegroups.com>

[Q] Minimum priv to run an audit

I have a user who we would like to elevate just high enough to perform
an $anal/audit

Anyone know if there is a minimum priv to add that will allow this
without granting full privs?
or is an ACL required on the auditjournal file ?

-JohnH

------------------------------

Date: Mon, 11 Jun 2007 17:35:04 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: [Q] Minimum priv to run an audit
Message-ID: <07061117350454_202003EE@antinode.org>

From: john.s.haro@boeing.com

> I have a user who we would like to elevate just high enough to perform
> an $anal/audit
>
> Anyone know if there is a minimum priv to add that will allow this
> without granting full privs? or is an ACL required on the auditjournal
> file ?

I believe that all you need is READ access to the audit journal
(SYS$MANAGER:SECURITY.AUDIT$JOURNAL), so an ACL should do the job.

------------------------------------------------------------------------

Steven M. Schweda               sms@antinode-org
382 South Warwick Street        (+1) 651-699-9818
Saint Paul MN 55105-2547

------------------------------

End of INFO-VAX 2007.319
************************