[Info-vax] OpenVMS versus Windows/GE Telemetry Control Systems.

John Wallace johnwallace4 at yahoo.co.uk
Wed Jan 16 03:27:11 EST 2013


On Jan 16, 3:08 am, David Froble <da... at tsoft-inc.com> wrote:
> Stephen Hoffman wrote:
> > On 2013-01-16 02:15:39 +0000, David Froble said:
>
> >> I seem to recall that the USB ports on Alphas were not functional
> >> under VMS.  If that's correct, then another security notch for VMS ...
>
> >> :-)
>
> > AFAIK, the AlphaServer GS1280 family were the only Alpha systems with
> > formal USB support.
> > (You can <http://labs.hoffmanlabs.com/node/1410> enable USB on a few
> > other Alpha boxes, too.)
> > The OpenVMS Itanium boxes all have USB support.
> > Most other boxes do have USB support, and can be potential staging areas.
> > The vulnerability with various widgets can be an auto-run, but it's
> > feasible to get folks to run "games" and other such, too.
>
> Well, if you're not going to go along with my light-hearted approach,
> then all I'll say on the matter is that people are supposed to know what
> they are doing, or they should not be doing it.
>
> I'm sure there are lots of ways to 'vet' a USB memory stick before using
> it in a secure environment.  I'm sure there are many other methods of
> ensuring malware doesn't reach vital systems.
>
> I'm also sure that no matter what you do on the human front, there are
> enough dickweeds out there that sooner or later one of them is going to
> do something stupid.  (It's what they do ..)
>
> To me, one of the few things that I can think of is computer systems
> that know how to vet anything fed to them, and do so.  Variations on
> that theme might be the "sandbox" approach you seem to favor, software
> that can be set up to accept only certain things and rejects anything
> else, and such.  No autorun stuff that can get at the OS.  Just specific
> applications for accepting valid data.

"Vetting for troublesome things" is a popular tactic but doesn't work
too well against malware which uses exploits which the AV/malware
suppliers aren't yet detecting (the so-called "zero day" exploits, for
example). Stuxnet (again) used several of these, which helped it stay
under the radar for a while. Windows probably has plenty left.

Specific applications for accepting valid data is a great idea. Now
try selling the concept (and its costs) to the PHBs and (equally) the
fans of PHP etc.


