[Info-vax] "Shanghai Stock Exchange" and OpenVMS
Johnny Billquist
bqt at softjar.se
Fri Jan 23 04:44:14 EST 2009
Bill Gunshannon wrote:
> In article <glaua6$4pu$1 at tempo.update.uu.se>,
> Johnny Billquist <bqt at softjar.se> writes:
>> Bill Gunshannon wrote:
>>> In article <CKqdnel_5rWYS-XUnZ2dnUVZ_v_inZ2d at giganews.com>,
>>> "Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>>>> Bill Gunshannon wrote:
>>>>> In article <0005d0dd$0$2088$c3e8da3 at news.astraweb.com>,
>>>>> JF Mezei <jfmezei.spamnot at vaxination.ca> writes:
>>>>>> Richard B. Gilbert wrote:
>>>>>>
>>>>>>> You can safely plug them in and turn them on. It's when you connect
>>>>>>> them to a network that you have to worry about "electronic organisms"
>>>>>>> infecting your Windows systems.
>>>>>> This week's virus can be transmitted when you plug in a USB key.
>>>>>>
>>>>>> Sony managed to infect Windows machines when the user inserted a MUSIC
>>>>>> CD into the machines (that rootkit thing).
>>>>>>
>>>>>> So leaving a Windows box unconnected to a network is not a guarantee that
>>>>>> it won't be infected.
>>>>> And all of these exploits can be prevented by proper configuration of
>>>>> Windows.
>>>>>
>>>>> bill
>>>>>
>>>> And how many people know how to "properly configure Windows"???
>>> How many know how to "properly configure VMS"?
>>>
>>>> Where is this "proper configuration" documented? The last time I looked
>>>> Windows was shipping without any "documentation".
>>>
>>> Well, you can get docs from NIST specifically covering security. And then
>>> there are the checklists from DISA that are publicly available. And, being
>>> as we are talking about supposed professionals in major corporations and
>>> not your momma's PC, if they don't already know where to find this stuff
>>> they certainly should know how to go out and find it. Even Google finds
>>> piles of references including the stuff from NIST.
>> Right. So, all you have to do to make your Windows computer safe is surf
>> around a while, look at various places, which you *hope* will give you
>> good information, and not actually make your machine more exploitable
>> (how do you know what to trust on the Internet?).
>
> I realize you are not from this side of the pond, but I can assure you I
> would trust security information I got from DISA, NIST and NSA (yes,
> I looked today and they do Windows security docs, too) long before
> I would trust what I was likely to get from HP. :-)
:-)
Well, I'm not too sure I would trust anything from NSA. The rest of that
bunch I don't even know about.
>> So you boot your
>> machine, insert a CD or two, to install some software, hopefully don't
>> insert any music CDs, surf around without catching the attention of
>> anyone who just happens to probe your machine before you manage to
>> improve the security.
>
> I thought we were talking about datacenters and professionals here?
> Of course you secure the machine before you put it into the production
> environment. I would hope the same was true of VMS no matter how secure
> you think it is.
But it's a chicken and egg situation. You need to plug it in to make it
safe. You can't make it safe before you plug it in.
While you can solve some problems by using another machine to search for
information, there is a whole bunch of absolutely critical Windows
updates you need to install, and for that, the machine really needs to
be on the net. And that means being on the net before you can secure the
machine.
>> Find information on the net which is correct, and
>> which you can trust, which you then follow. And then you hope that there
>> isn't even more you need to do which isn't mentioned anywhere you can
>> find (how did you even know what to look for in the first place?).
>
> Well, just for the fun of it I typed "Securing Windows" into google.
> Got lots of stuff. Tried a few more times adding "NIST", "DISA" and
> "NSA" each time and pretty much found all the stuff I have been telling
> people here about for years. Some people just don't want to hear.
> They are quite happy living with their delusion.
Still have the problem of who I can trust. In addition to at least me
never having heard of "NIST" or "DISA". :-)
>> Don't you see how ridiculous this is?
>
> Not at all. Claiming that Windows can't be secured when what you really
> mean is I want it to be that way out of the box is ridiculous. We are
> supposed to be professionals. If everyone could do this we wouldn't have
> jobs.
I've still to meet a single professional who managed to make a Windows
system secure. Even when they really try they fail. If nothing else,
just because there are still so many huge security problems
undiscovered. Just look at all the absolutely critical security patches
that regularly appear from Microsoft.
But anyway... No, not even computer professionals (at least none that
I've ever met) have managed to cover all bases. The task is just too big
and difficult to overview.
(But maybe that is true of all systems, it's just that the obvious holes
are more apparent in Windows.)
Johnny
--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: bqt at softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol