[Info-vax] "Shanghai Stock Exchange" and OpenVMS
Richard B. Gilbert
rgilbert88 at comcast.net
Fri Jan 23 11:43:52 EST 2009
Johnny Billquist wrote:
> Bill Gunshannon wrote:
>> In article <glaua6$4pu$1 at tempo.update.uu.se>,
>> Johnny Billquist <bqt at softjar.se> writes:
>>> Bill Gunshannon wrote:
>>>> In article <CKqdnel_5rWYS-XUnZ2dnUVZ_v_inZ2d at giganews.com>,
>>>> "Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>>>>> Bill Gunshannon wrote:
>>>>>> In article <0005d0dd$0$2088$c3e8da3 at news.astraweb.com>,
>>>>>> JF Mezei <jfmezei.spamnot at vaxination.ca> writes:
>>>>>>> Richard B. Gilbert wrote:
>>>>>>>
>>>>>>>> You can safely plug them in and turn them on. It's when you
>>>>>>>> connect them to a network that you have to worry about
>>>>>>>> "electronic organisms" infecting your Windows systems.
>>>>>>> This week's virus can be transmitted when you plug in a USB key.
>>>>>>>
>>>>>>> Sony managed to infect Windows machines when the user inserted a
>>>>>>> MUSIC CD into the machines (that rootkit thing).
>>>>>>>
>>>>>>> So leaving a Windows box unconnected to a network is not a
>>>>>>> guarantee that it won't be infected.
>>>>>> And all of these exploits can be prevented by proper configuration of
>>>>>> Windows.
>>>>>>
>>>>>> bill
>>>>>>
>>>>> And how many people know how to "properly configure Windows"???
>>>> How many know how to "properly configure VMS"?
>>>>
>>>>> Where is this "proper configuration" documented? The last time I
>>>>> looked Windows was shipping without any "documentation".
>>>>
>>>> Well, you can get docs from NIST specifically covering security.
>>>> And then there are the checklists from DISA that are publicly
>>>> available. And, being as we are talking about supposed professionals
>>>> in major corporations and not your momma's PC, if they don't already
>>>> know where to find this stuff they certainly should know how to go
>>>> out and find it. Even Google finds piles of references including the
>>>> stuff from NIST.
>>> Right. So, all you have to do to make your Windows computer safe is
>>> surf around a while, look at various places, which you *hope* will
>>> give you good information, and not actually make your machine more
>>> exploitable (how do you know what to trust on the Internet?).
>>
>> I realize you are not from this side of the pond, but I can assure I
>> would trust security information I got from DISA, NIST and NSA (yes,
>> I looked today and they do Windows security docs, too) long before
>> I would trust what I was likely to get from HP. :-)
>
> :-)
> Well, I'm not too sure I would trust anything from NSA. The rest of that
> bunch I don't even know about.
>
>>> So you boot your
>>> machine, insert a CD or two, to install some software, hopefully
>>> don't insert any music CDs, surf around without catching the
>>> attention of anyone who just happens to probe your machine before you
>>> manage to improve the security.
>>
>> I thought we were talking about datacenters and professionals here?
>> Of course you secure the machine before you put it into the production
>> environment. I would hope the same was true of VMS no matter how secure
>> you think it is.
>
> But it's a chicken and egg situation. You need to plug it in to make it
> safe. You can't make it safe before you plug it in.
> While you can solve some problems by using another machine to search for
> information, there is a whole bunch of absolutely critical Windows
> updates you need to install, and for that, the machine really needs to
> be on the net. And that means being on the net before you can secure the
> machine.
>
ISTR largely solving this problem by using one machine to download all
the various updates and patches and burning them to a CD. I then
carried the CD around the building and used it to update each PC with
the latest and greatest.
AIRC, it worked pretty well. We managed to shut down the worm, whose
name I have now forgotten, by closing the vulnerabilities it used to
install itself.
>>> Find information on the net which is correct,
>>> and which you can trust, which you then follow. And then you hope
>>> that there isn't even more you need to do which isn't mentioned
>>> anywhere you can find (how did you even know what to look for in the
>>> first place?).
>>
>> Well, just for the fun of it I typed "Securing Windows" into google.
>> Got lots of stuff. Tried a few more times adding "NIST", "DISA" and
>> "NSA" each time and pretty much found all the stuff I have been telling
>> people here about for years. Some people just don't want to hear.
>> They are quite happy living with their delusion.
>
> Still have the problem of who I can trust. In addition to at least me
> never heard of "NIST" or "DISA". :-)
>
>>> Don't you see how ridiculous this is?
>>
>> Not at all. Claiming that Windows can't be secured when what you really
>> mean is I want it to be that way out of the box is ridiculous. We are
>> supposed to be professionals. If everyone could do this we wouldn't have
>> jobs.
>
> I've still to meet a single professional who managed to make a Windows
> system secure. Even when they really try they fail. If nothing else,
> just because there are still so many huge security problems
> undiscovered. Just look at all the absolutely critical security patches
> that regularly appear from Microsoft.
> But anyway... No, not even computer professionals (at least none that
> I've ever met) have managed to cover all bases. The task is just too big
> and difficult to overview.
>
> (But maybe that is true of all systems, it's just that the obvious holes
> are more apparent in Windows.)
>
> Johnny
>