[Info-vax] Encrypted TCP/IP network printserver spooled printing for OpenVMS (secure-IPP?)

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Fri May 4 11:42:29 EDT 2018


On 2018-05-03 23:27:58 +0000, seasoned_geek said:

> On Thursday, May 3, 2018 at 12:33:32 PM UTC-5, Stephen Hoffman wrote:
>> On 2018-05-03 16:40:40 +0000, seasoned_geek said:
>> 
>>> 
>>> Prior to this change serial and parallel support was provided by CUPS.  
>>> It's now been pushed out of CUPS and it was pushed out without warning. 
>>> This doesn't mean that distros didn't add their own OS level drivers 
>>> for serial and parallel ports, but this was dropped like a bomb during 
>>> an LTS release without warning. The change caused a rather significant 
>>> uproar on Ubuntu and other distro forums because existing installations 
>>> broke badly when upgraded.
>> 
>> Not just Apple.  DEC — remember them? — stopped making OpenVMS-capable 
>> computers with parallel ports, and serial ports became quite rare on 
>> DEC gear over twenty years ago.
> 
> I like ya Hoff, but Apple is in no way shape or form qualified to 
> determine what is and is not "business use." Apple is a NO-TECH company.

Apple is one of the most heavily invested companies around.   DEC was 
once invested in creating new interconnects and new technology.  VAX, 
Ethernet, DECtalk, DECnet, etc.  Apple is large enough and with a sales 
volume and revenues which allows them to design and build and ship 
products at a scale that the folks at DEC could only dream of, too.  
The Apple Arm cores, the T-series security chips, the use of seL4, 
then-new connectors such as Lightning (and which still works better 
than the standardized USB-C), and software integration and frameworks, 
too.  DEC had a history in most or all of those same areas.  Where DEC 
differed then from Apple now was in user interface design skills and in 
the ability to clearly communicate and to stay on message; DEC didn't 
do so well in those areas in later years.

Some light reading:
https://www.apple.com/business/docs/iOS_Security_Guide.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf 


> Fools stand in line to buy a new phone which isn't really any different 
> or better, unless changing the location and type of charging port 
> really means that much to someone.

Ponder what's involved in getting gear to work as well as Apple does, 
with the designs and testing and integration that's involved, and at 
the scale of production that Apple operates at.

Customers as fools?   Those folks obviously have different values than 
you do, certainly.   Budgets differ, too.  There are a whole lot of 
folks that value products that are easy to use and reliable.  That 
ease-of-use is also an opening that VSI can work toward with OpenVMS, 
too.  OpenVMS used to have that easy-to-use and easy-to-program market, 
after all.   Where it was easier to use a VAX/VMS box to connect two 
other random servers, for instance.  VAX and VMS were themselves 
unusually well integrated.   But times and expectations and tools have 
moved on, and VSI is working to catch up in many areas.

> In the embedded systems and engineering worlds serial and parallel 
> ports are __EVERYWHERE__.

Ponder what changes OpenVMS would need to become competitive in those 
areas.  What else beyond the serial port or the parallel port — and 
which can be retrofit via PCI or connected via terminal server or HP 
JetDirect for that matter.  There's a lot that would be required for 
folks in those areas to be interested in replacing Linux or BSD or 
Windows or seL4 or Wind River or whatever they're currently using.

As for the common hardware?   General-purpose desktops and 
general-purpose servers just don't have parallel and have restricted 
numbers of or variously no serial ports.  Nor do most printers.   We're 
not headed in that direction, either.

> The same is true for customs crossings and every other place which is 
> legally bound to have an un-interceptable hardwired connection.

As for avoiding signal interception, that's less about the tech than 
about the shielding.  Both against leakage of signals such as that 
provided by Tempest, and against physical access and providing 
protection and detecting taps.  Which often means conduit or similar.   
And Ethernet — optical or twisted pair — or USB runs just fine in 
conduit.

Resistance to signals interception is a specialty that — bluntly — is 
still somewhat further down the road for VSI and OpenVMS and its 
security, as OpenVMS needs to get some more basic security in place.  
Such as disk encryption, a password manager, multi-factor 
authentication support, SGX and secure enclave support, integrated 
certificate management, distributed logging, cryptographic pseudo 
random number generation, and integrated networking for that matter.

BTW: There are some other communications signals in those same physical 
areas that are just as interesting to adversaries and just as valuable, 
and that are easily intercepted: 
https://queue.acm.org/detail.cfm?id=1626175

> In the embedded systems world, especially in the industrial world, 
> serial and parallel can never ever ever go away. But hey, Apple, being 
> a NO-TECH company having even less of a clue about how business and 
> industry work than Arne just ripped the sh*t out without telling 
> anyone. That's AGILE for you. Cause death and dismemberment, then add a 
> story to the sprint to bury all of the bodies.

Ignoring that I'm looking at a CUPS (2.2.5) display offering FireWire, 
lpr/lpd, and a variety of other older printing protocols...  And 
ignoring that serial printing is still in CUPS and that different 
software development methodologies work differently for different folks 
and work not at all for others...   And ignoring that the adoption of 
CUPS for accessing modern printers clearly doesn't preclude the 
continued use of existing and older connections?   Serial and parallel 
printers just aren't a big market for new installations.   OpenVMS 
isn't very big in industrial computing, either.  Not any more.  There's 
a whole lot of work to get back to that, and a whole lot of folks 
aren't interested in 64-bit servers.   OpenVMS would need massive work 
to fit and work in 32-bit and Arm and RISC-V hardware, and a 
substantial drop in price, and probably also in power consumption.  The 
necessity of better IPv6 communications and easier security would be 
generic across most OpenVMS installations, irrespective of the use of 
serial or parallel or USB or network printing.

Also from CUPS 2.2.5:

"Device Discovery

When run with no arguments, the backend should list the devices and 
schemes it supports or is advertising to the standard output. The 
output consists of zero or more lines consisting of any of the 
following forms:

    device-class scheme "Unknown" "device-info"
    device-class device-uri "device-make-and-model" "device-info"
    device-class device-uri "device-make-and-model" "device-info" "device-id"
    device-class device-uri "device-make-and-model" "device-info" "device-id" "device-location"

The cupsBackendReport() function can be used to generate these lines 
and handle any necessary escaping of characters in the various strings.

The device-class field is one of the following values:

direct
    The device-uri refers to a specific direct-access device with no 
    options, such as a parallel, USB, or SCSI device.

file
    The device-uri refers to a file on disk.

network
    The device-uri refers to a networked device and conforms to the 
    general form for network URIs.

serial
    The device-uri refers to a serial device with configurable baud rate 
    and other options. If the device-uri contains a baud value, it 
    represents the maximum baud rate supported by the device."

> Guess what. Ten years from now they are still going to be making 
> desktop and tower computers with both serial and parallel ports because 
> they are required for engineering and embedded systems work.

And adopting CUPS precludes the few folks that want to print via 
serial?  I've still got a DEClaser 1152 around somewhere and it can 
probably be coaxed into working assuming cartridges can be secured, if 
you need to borrow that when your old serial printer dies.  Yeah, there 
are still a few serial printers and serial ports and such around.  
That's the way of old computing and old computers and old 
interconnections.  And old software, for that matter.   But serial and 
parallel printing — like OSI — is just not the direction the market is 
headed toward.  Manufacturing and embedded and pretty much everybody in 
computing can have unique requirements, but most folks just aren't 
headed toward serial or xmodem or other similar older interconnection 
or printing schemes.  Not in enough volume to matter for VSI and 
OpenVMS.






-- 
Pure Personal Opinion | HoffmanLabs LLC 
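
Added example, not part of the original message and not CUPS code: a parser for the backend discovery lines quoted above from the CUPS documentation, which also flags network-class devices whose URI scheme is not TLS-protected, the concern in this thread's subject line. The function names, the sample lines, the shell-style unquoting, and the choice of `ipps`/`https` as the encrypted schemes are assumptions of this example.

```python
import shlex

# Assumption of this example: schemes treated as TLS-protected transports.
ENCRYPTED_SCHEMES = {"ipps", "https"}
DEVICE_CLASSES = {"direct", "file", "network", "serial"}
FIELDS = ("device_class", "device_uri", "make_and_model", "info",
          "device_id", "location")

def parse_discovery_line(line):
    """Parse one discovery line into a dict; raise ValueError if malformed."""
    # Assumption: strings are double-quoted with backslash escapes, which
    # shlex's POSIX mode decodes.
    parts = shlex.split(line)
    if not 4 <= len(parts) <= 6:
        raise ValueError(f"expected 4-6 fields, got {len(parts)}: {line!r}")
    if parts[0] not in DEVICE_CLASSES:
        raise ValueError(f"unknown device-class {parts[0]!r}")
    rec = dict(zip(FIELDS, parts))  # optional trailing fields stay absent
    # The first quoted form carries a bare scheme instead of a full URI.
    rec["scheme"] = rec["device_uri"].split(":", 1)[0].lower()
    return rec

def audit(lines):
    """Return (records, findings); findings are clear-text network devices."""
    records, findings = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_discovery_line(line)
        records.append(rec)
        if (rec["device_class"] == "network"
                and rec["scheme"] not in ENCRYPTED_SCHEMES):
            findings.append(rec["device_uri"])
    return records, findings

# Constructed sample output, not captured from a real system.
SAMPLE = r'''
network lpd "Unknown" "LPD/LPR Host or Printer"
network ipps://printer.example/ipp/print "Example Laser 1000" "Front office \"A\"" "MFG:Example;MDL:Laser 1000;" "Room 12"
network socket://192.0.2.10:9100 "Example Label 5" "Warehouse label printer"
serial serial:/dev/ttyS0?baud=115200 "Unknown" "Serial Port #1"
direct usb://Example/Inkjet%20200 "Example Inkjet 200" "USB printer"
'''.splitlines()

if __name__ == "__main__":
    for uri in audit(SAMPLE)[1]:
        print("unencrypted network device:", uri)
```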



