[Info-vax] OpenVMS versus Windows/GE Telemetry Control Systems.
Bob Gezelter
gezelter at rlgsc.com
Tue Jan 15 15:10:04 EST 2013
On Tuesday, January 15, 2013 1:46:39 PM UTC-5, John Wallace wrote:
> On Jan 15, 5:57 pm, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
> > On 2013-01-15, David Froble <da... at tsoft-inc.com> wrote:
> >
> > > As for the case of the original poster, the Alpha systems are running
> > > today, and will continue to run until something breaks. Given the
> > > history of DEC hardware, it should normally be expected to run for a
> > > long time yet. Individual pieces can and do break, and then it's a
> > > question of whether there is any recourse to fixing or replacing the
> > > failed equipment. In most cases, fixing or replacing is far less costly
> > > than a migration of the system to something else. In business, decisions
> > > should be based on a cost / benefit ratio.
> >
> > I wonder why people only consider hardware breaking instead of also
> > considering software breaking.
> >
> > In this Internet connected world, software can break just as hard as
> > hardware when a security exploit is discovered and can be a _lot_ harder
> > to fix than a simple hardware failure.
> >
> > If you have a hardware failure, you can just replace your board or
> > component and resume normal service. OTOH, if someone finds a protocol
> > vulnerability or stack/server coding error in the software you are
> > running, you are dead in the water until either you find a workaround
> > or your code base is fixed either by you or your vendor.
> >
> > Current mainstream platforms may have issues, but you can have more
> > confidence that either a workaround or fix will be available in short
> > order for any active exploit that makes it into the public domain for
> > those platforms.
> >
> > I've gone through several cycles of getting Internet related components
> > fixed under VMS and the fixes took a lot longer than I would be comfortable
> > with if the problem in question had been an active exploit.
> >
> > Simon.
> >
> > --
> > Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
> > Microsoft: Bringing you 1980s technology to a 21st century world
>
> Maybe.
>
> Stuxnet was quietly working its way around Windows boxes for a long
> while (maybe a year?) before it got serious attention. Ignorance is
> not necessarily bliss. If folks haven't yet looked into Stuxnet or its
> successors (e.g. Duqu), there's no time like the present, and the
> Wikipedia article on Stuxnet isn't a bad start, although for further
> reading I'd recommend Ralph Langner and maybe Symantec.
Simon,
I note that my published recommendation for nearly twenty years has been to "air-gap" process control systems from the general corporate network as well as the public Internet [citation: Computer Security Handbook, 3rd Edition].
- Bob Gezelter, http://www.rlgsc.com