[Info-vax] "Shanghai Stock Exchange" and OpenVMS

Bill Gunshannon billg999 at cs.uofs.edu
Fri Jan 23 10:07:52 EST 2009


In article <glc3lp$chl$1 at tempo.update.uu.se>,
	Johnny Billquist <bqt at softjar.se> writes:
> Bill Gunshannon wrote:
>> In article <glaua6$4pu$1 at tempo.update.uu.se>,
>> 	Johnny Billquist <bqt at softjar.se> writes:
>>> Bill Gunshannon wrote:
>>>> In article <CKqdnel_5rWYS-XUnZ2dnUVZ_v_inZ2d at giganews.com>,
>>>> 	"Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>>>>> Bill Gunshannon wrote:
>>>>>> In article <0005d0dd$0$2088$c3e8da3 at news.astraweb.com>,
>>>>>> 	JF Mezei <jfmezei.spamnot at vaxination.ca> writes:
>>>>>>> Richard B. Gilbert wrote:
>>>>>>>
>>>>>>>> You can safely plug them in and turn them on.  It's when you connect 
>>>>>>>> them to a network that you have to worry about "electronic organisms" 
>>>>>>>> infecting your Windows systems.
>>>>>>> This week's virus can be transmitted when you plug in a USB key.
>>>>>>>
>>>>>>> Sony managed to infect Windows machines when the user inserted a MUSIC
>>>>>>> CD into the machines (that rootkit thing).
>>>>>>>
>>>>>>> So leaving a Windows box unconnected to a network is not a guarantee that
>>>>>>> it won't be infected.
>>>>>> And all of these exploits can be prevented by proper configuration of
>>>>>> Windows.
>>>>>>
>>>>>> bill
>>>>>>
>>>>> And how many people know how to "properly configure Windows"???
>>>> How many know how to "properly configure VMS"?
>>>>
>>>>> Where is this "proper configuration" documented?  The last time I looked
>>>>> Windows was shipping without any "documentation".
>>>>  
>>>> Well, you can get docs from NIST specifically covering security.  And then
>>>> there are the checklists from DISA that are publicly available.  And, being
>>>> as we are talking about supposed professionals in major corporations and
>>>> not your momma's PC,  if they don't already know where to find this stuff
>>>> they certainly should know how to go out and find it.  Even Google finds
>>>> piles of references including the stuff from NIST.
>>> Right. So, all you have to do to make your Windows computer safe is surf 
>>> around a while, look at various places, which you *hope* will give you 
>>> good information, and not actually make your machine more exploitable 
>>> (how do you know what to trust on the Internet?). 
>> 
>> I realize you are not from this side of the pond, but I can assure you I
>> would trust security information I got from DISA, NIST and NSA (yes,
>> I looked today and they do Windows security docs, too) long before
>> I would trust what I was likely to get from HP.  :-)
> 
>:-)
> Well, I'm not too sure I would trust anything from NSA. The rest of that 
> bunch I don't even know about.

That's just anti-American bias.  NSA's sole job is security.  And they
have a tremendous budget to get it done.  You don't have to take any
of it on blind faith.  They usually publish white-papers and other docs
explaining their actions.  Where do you think SELinux came from?

NIST : National Institute of Standards and Technology
DISA : Defense Information Systems Agency

All people with a very big investment in securing IT Infrastructure.
And, being taxpayer funded all of their research comes into the public
domain.  If more people actually used it a lot of problems would just
go away.

> 
>>> So you boot your 
>>> machine, insert a CD or two, to install some software, hopefully don't 
>>> insert any music CDs, surf around without catching the attention of 
>>> anyone who just happens to probe your machine before you manage to 
>>> improve the security. 
>> 
>> I thought we were talking about datacenters and professionals here?
>> Of course you secure the machine before you put it into the production
>> environment.  I would hope the same was true of VMS no matter how secure
>> you think it is.
> 
> But it's a chicken and egg situation. You need to plug it in to make it 
> safe. You can't make it safe before you plug it in.

Plug it into what power?  Yeah, I guess that's a problem.  Tough to
even install if you don't plug it in.  Network?  Not really.  You can
always use a machine that is already on the net to download the needed
updates and then install them if you are really that paranoid.  But,
one of the simplest ways is to put the new box behind a tightly locked
down firewall running NAT and use it to contact nothing but MS until
you have installed all the needed updates.  Sound like a lot of work?
I guess it depends on how paranoid you are.  :-)

> While you can solve some problems by using another machine to search for 
> information, there is a whole bunch of absolutely critical windows 
> updates you need to install, and for that, the machine really needs to 
> be on the net. And that means being on the net before you can secure the 
> machine.

See what I said above.  I know of an entire network that is kept up
to date that is never connected to the real Internet.  I was even
taught how to set up and run a Windows Update Server of my own.  This
is what a serious corporate IT Infrastructure would use.  They would
get the updates from MS, test them and then update their corporate
network.  No one ever goes out to MS on their own.  The corporate network
doesn't even need to be connected to the Internet.

> 
>>> Find information on the net which is correct, and 
>>> which you can trust, which you then follow. And then you hope that there 
>>> isn't even more you need to do which isn't mentioned anywhere you can 
>>> find (how did you even know what to look for in the first place?).
>> 
>> Well, just for the fun of it I typed "Securing Windows" into google.
>> Got lots of stuff.  Tried a few more times adding "NIST", "DISA" and
>> "NSA" each time and pretty much found all the stuff I have been telling
>> people here about for years.  Some people just don't want to hear.  
>> They are quite happy living with their delusion.
> 
> Still have the problem of who I can trust. In addition, at least I have 
> never heard of "NIST" or "DISA". :-)

That's what we have Google for.  :-)

> 
>>> Don't you see how ridiculous this is?
>> 
>> Not at all.  Claiming that Windows can't be secured when what you really
>> mean is I want it to be that way out of the box is ridiculous.  We are
>> supposed to be professionals.  If everyone could do this we wouldn't have
>> jobs.
> 
> I've still to meet a single professional who manages to make a Windows 
> system secure. 

You have.  :-) Well, not personally, although I would love the chance
to share a beer and some face-to-face conversation with you.  I keep
telling people here over and over.  I have labs that are used by
students.  They bring in their CD's. They bring in floppies.  They 
bring in Thumbdrives.  They visit all kinds of bogus web sites.  I
have not had a virus, worm, keyboard logger or any other form of malware
in any of my labs since we stopped running Windows98.  And, starting
this next semester (in one week) they will be locked down even tighter.
All of this without adversely affecting what the students can do in
the labs.  I could be even more draconian but I have to walk that fine
line between security and usability.  I have had no problem doing it.
And, as I also have said repeatedly, I am no Windows expert.  I have no
certifications and doubt I could pass any of the exams.  If I ran a
corporate IT system it would be even more draconian than this and thus,
even more bullet-proof.  It can be done.

>                Even when they really try they fail. If nothing else, 
> just because there are still so many huge security problems 
> undiscovered. Just look at all the absolutely critical security patches 
> that regularly appear from Microsoft.

Some are not as "absolutely critical" as people tend to think.  I have
mentioned "Security in Depth".  Learn about it.  Do you know that some
of the worst Windows security problems do not affect my labs not because
of Windows configuration but because of my firewall configuration.  It
has been very effective at keeping all the infected PC's scattered around
the campus (not all of the PC's are under my control :-) from attacking,
successfully or unsuccessfully, my PC's. 

> But anyway... No, not even computer professionals (at least none that 
> I've ever met) have managed to cover all bases. The task is just too big 
> and difficult to overview.

What would it take to convince you otherwise?  Come on over for a visit. :-)

> 
> (But maybe that is true of all systems, it's just that the obvious holes 
> are more apparent in Windows.)

Everything has holes.  I am sure even VMS does.  But you have to have someone
looking to find them.  Right now, Windows is the biggest target.  And it
is apathy and technical shortcomings that are the problem.  Just look at
the most famous problem with Unix.  Buffer-overruns.  Not only was this a
well known problem as far back as the late 70's, early 80's but there was 
even a product called "Safe-C" that fixed it.  Company went out of business.
Hmmm....  Now why do you think no one was interested in buying this compiler?
Why has no one made a C compiler that fixes it today?  Why has no one tried
rewriting Unix in something like Ada?  All are doable today.  But then,
nobody really cares.  All of the holes in Windows can be closed using the
"Defense in Depth" paradigm.  But it would require time, effort and probably
a bit more money.  And nobody really cares.

bill

-- 
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999 at cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include <std.disclaimer.h>   
