[Info-vax] OpenVMS versus Windows/GE Telemetry Control Systems.
David Froble
davef at tsoft-inc.com
Wed Jan 16 03:44:17 EST 2013
Bill Gunshannon wrote:
> In article <kd52bk$as$1 at dont-email.me>,
> David Froble <davef at tsoft-inc.com> writes:
>> Stephen Hoffman wrote:
>>> On 2013-01-15 20:27:19 +0000, Stephen Hoffman said:
>>>
>>>> On 2013-01-15 20:10:04 +0000, Bob Gezelter said:
>>>>
>>>>> I note that my published recommendation for nearly twenty years has
>>>>> been to "air-gap" process control systems from the general corporate
>>>>> network as well as the public Internet [citation: Computer Security
>>>>> Handbook, 3rd Edition].
>>>> That approach is great. In theory. But the air gap is not always
>>>> practical. As Stuxnet showed, there are ways to jump the air gap, too.
>>> And not three minutes after posting that:
>>>
>>> http://arstechnica.com/security/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive/
>>>
>>>
>>>
>> I seem to recall that the USB ports on Alphas were not functional under
>> VMS. If that's correct, then another security notch for VMS ...
>>
>> :-)
>
> So, in order to be safe you have to give up some convenience.

Did you miss the smiley?

> And the same is true of any system. Security people always walk a thin
> line between convenience and safety.

Maybe so, but it doesn't have to be that way. I'd bet there are many
people here on c.o.v that could come up with convenient and safe methods
for communications, software distribution, and such.

As a small example, I've implemented some socket communications. The
socket is basically an open port to the world. But it's under program
control, and what's coming in must meet expectations, or it's flushed
and the connection dropped. Are there ways to defeat such? I have to
say that I don't know, but, I really doubt it.

> And one simple, well published parameter and it is a non-threat to
> Windows systems as well. Without completely giving up the USB port.

The general problem, as I see it, is that Microsoft knew that they'd
more often than not be dealing with clueless computer illiterate people,
and so you got things such as autorun which attempt to do things without
much user interaction. Such is everywhere in their software. Real easy
for a nefarious person to take advantage of.

So then users got used to all those neat little things that "just
happen", and guess who won't buy software without all the gizmos.

I've never felt that law enforcement should go after "hackers". They
are performing a service. Too bad people aren't learning ....
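
A receiver of the kind described in the message above ("what's coming in must meet expectations, or it's flushed and the connection dropped"), as an added example that is not part of the original post or the poster's code. The frame layout, the `TLM1` tag, the size limit and the command names are all assumptions made up for illustration.

```python
import socket
import struct

MAGIC = b"TLM1"                      # assumed 4-byte protocol tag
MAX_BODY = 256                       # assumed upper bound on payload size
ALLOWED = {b"STATUS", b"READ"}       # assumed command allowlist
HEADER = struct.Struct("!4sH")       # magic + big-endian body length


class Reject(Exception):
    """Input did not meet expectations; caller drops the connection."""


def recv_exact(conn, n):
    # Read exactly n bytes or fail; a short read or timeout is a violation.
    buf = b""
    while len(buf) < n:
        try:
            chunk = conn.recv(n - len(buf))
        except socket.timeout:
            raise Reject("timeout")
        if not chunk:
            raise Reject("peer closed mid-frame")
        buf += chunk
    return buf


def read_frame(conn):
    magic, length = HEADER.unpack(recv_exact(conn, HEADER.size))
    if magic != MAGIC:
        raise Reject("bad magic")
    if length == 0 or length > MAX_BODY:
        raise Reject("bad length")      # checked before reading the body
    body = recv_exact(conn, length)
    command, _, arg = body.partition(b" ")
    if command not in ALLOWED or not arg.isalnum():
        raise Reject("unexpected command or argument")
    return command, arg


def handle(conn, timeout=2.0):
    """Return (command, arg) for one valid frame, else close and return None."""
    conn.settimeout(timeout)
    try:
        return read_frame(conn)
    except Reject:
        conn.close()                    # no error reply, no partial processing
        return None
```

The length field is validated before any body bytes are read, so an oversized claim never causes a large allocation, and the read timeout keeps a silent peer from holding the connection open.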