[Info-vax] OpenVMS versus Windows/GE Telemetry Control Systems.
Bill Gunshannon
billg999 at cs.uofs.edu
Wed Jan 16 10:32:32 EST 2013
In article <kd5p4e$3kv$1 at dont-email.me>,
David Froble <davef at tsoft-inc.com> writes:
> Bill Gunshannon wrote:
>> In article <kd52bk$as$1 at dont-email.me>,
>> David Froble <davef at tsoft-inc.com> writes:
>>> Stephen Hoffman wrote:
>>>> On 2013-01-15 20:27:19 +0000, Stephen Hoffman said:
>>>>
>>>>> On 2013-01-15 20:10:04 +0000, Bob Gezelter said:
>>>>>
>>>>>> I note that my published recommendation for nearly twenty years has
>>>>>> been to "air-gap" process control systems from the general corporate
>>>>>> network as well as the public Internet [citation: Computer Security
>>>>>> Handbook, 3rd Edition].
>>>>> That approach is great. In theory. But the air gap is not always
>>>>> practical. As Stuxnet showed, there are ways to jump the air gap, too.
>>>> And not three minutes after posting that:
>>>>
>>>> http://arstechnica.com/security/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive/
>>>>
>>>>
>>>>
>>> I seem to recall that the USB ports on Alphas were not functional under
>>> VMS. If that's correct, then another security notch for VMS ...
>>>
>>> :-)
>>
>> So, in order to be safe you have to give up some convenience.
>
> Did you miss the smiley ?
Of course not. But it doesn't change the truthfulness of the statement.
But then, I think we all know that security wasn't the driving factor in
VMS's decision to not support USB.
>
>> And the same is true of any system. Security people always walk a thin
>> line between convenience and safety.
>
> Maybe so, but it doesn't have to be that way. I'd bet there are many
> people here on c.o.v that could come up with convenient and safe methods
> for communications, software distribution, and such.
Sure you can. But any method that is secure will have at least one layer
of complexity added on that it would not have if security was not even
considered.
>
> As a small example, I've implemented some socket communications. The
> socket is basically an open port to the world. But it's under program
> control, and what's coming in must meet expectations, or it's flushed
> and the connection dropped. Are there ways to defeat such? I have to
> say that I don't know, but, I really doubt it.
But sockets were already available. In order to have security you had to
do it yourself in a more complex manner. And anyone who wishes to use
your system has to learn it, and program to it. Don't you see that as
less convenient than just programming to the default socket interface
that most VMS programmers already know?
>
>> And one simple, well published parameter and it is a non-threat to
>> Windows systems as well. Without completely giving up the USB port.
>
> The general problem, as I see it, is that Microsoft knew that they'd
> more often than not be dealing with clueless computer illiterate people,
> and so you got things such as autorun which attempt to do things without
> much user interaction. Such is everywhere in their software. Real easy
> for a nefarious person to take advantage of.
You're right. And all of these things are documented and can be fixed.
But, there is a cost to the users. And most places choose insecurity
over inconveniencing their employees. And home people, well, no reason
to even go there. And as proof of just how hard it is to get away with
inconveniencing users, let's look at DOD again. One would expect them
to be the most draconian run systems on the face of the planet. But,
alas, no. DISA STIGS specifically prohibit autorun (I just checked and
this is true in Windows 8 as well). This prohibition goes back at least
as far as NT. Obviously, the Pentagon machines that got infected in the
well published Thumb Drive incident were not properly configured. Why,
you say? In 2007 I took part in a major exercise in Germany. All of
the machines in the Operations Center had USB turned off. The security
manager was forced to turn it on for certain (high ranking) people against
his recommendations. One of these people was a certain AF General who
carried a keyring with three thumbdrives on it. One for the public
INTERNET, one for NIPR (the unclassified military network) and one for
SIPR (the classified military network). Am I the only one who sees the
very serious potential for spillages from this? But he was a General.
Like I said above about security people. They walk a thin line and
often get pushed over it because there are some people you just don't
inconvenience.
>
> So then users got used to all those neat little things that "just
> happen", and guess who won't buy software without all the gizmos.
Users (for the most part) can be educated. I used to STIG the boxes
I admined at the University. Not to the full level, but enough that
during my tenure we did not have a single virus infection since we
gave up on Win98ME. It can be done.
>
> I've never felt that law enforcement should go after "hackers". They
> are performing a service. Too bad people aren't learning ....
So what, let bank robbers go because they just point out security flaws
in banks? Let Identity Theft go because they just point out the flaws
in the credit card industry? How about the guy who breaks into your
house and steals your 3D TV? He performed a service. He showed you that
your locks aren't good enough to stop him. Why is it people think that
the normal rules of society should somehow be ignored when it comes to
computers?
I think people who commit any kind of crime involving a computer should
be prosecuted to the full extent of the law. And I think countries
that harbor this kind of behavior should be shut off the INTERNET.
bill
--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
billg999 at cs.scranton.edu | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>