Discussion:
Huge Cyber Attack Plunges NHS Into Chaos, 'Ransomware' Brings Down IT Systems
(too old to reply)
u***@gmail.com
2017-05-13 10:17:00 UTC
Permalink
Raw Message

j***@yahoo.co.uk
2017-05-13 12:22:04 UTC
Permalink
Raw Message
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
Many people might rather start at (e.g.)
http://www.bbc.co.uk/news/technology-39896393
(13 May) which has the headline "What is the
ransomware causing chaos globally?" - global
meaning 74 countries have been hit so far.

Oops, no, it's 99 countries now:
http://www.bbc.co.uk/news/technology-39901382
"Massive ransomware infection hits computers in 99
countries" (13 May)


Then there's at least two reasonably well informed
articles on TheRegister with several hundred comments.

And doubtless more elsewhere, with more to follow at
frequent intervals, maybe until people start to Think
Different again.
David Froble
2017-05-13 14:09:33 UTC
Permalink
Raw Message
Post by j***@yahoo.co.uk
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
Many people might rather start at (e.g.)
http://www.bbc.co.uk/news/technology-39896393
(13 May) which has the headline "What is the
ransomware causing chaos globally?" - global
meaning 74 countries have been hit so far.
http://www.bbc.co.uk/news/technology-39901382
"Massive ransomware infection hits computers in 99
countries" (13 May)
Then there's at least two reasonably well informed
articles on TheRegister with several hundred comments.
And doubtless more elsewhere, with more to follow at
frequent intervals, maybe until people start to Think
Different again.
In the news I've read, they state, only weendoze systems are being attacked.
Got to wonder how this may affect the thinking of some.

Nah, I must be delusional. To those people, they think weendoze is the only
computers there are, right? All the computer is good for is running Facebook,
Youtube, and such, right?

The acceptance of the entire concept of software that would allow such activity
seems to have become so commonplace that we're not even amazed anymore.

Maybe we need to start over ....
Simon Clubley
2017-05-13 22:39:58 UTC
Permalink
Raw Message
Post by j***@yahoo.co.uk
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
Many people might rather start at (e.g.)
http://www.bbc.co.uk/news/technology-39896393
(13 May) which has the headline "What is the
ransomware causing chaos globally?" - global
meaning 74 countries have been hit so far.
I was really pleased to see that the BBC and the security researchers
it interviewed very quickly (and in a very public way) made it clear
to the BBC's viewers/readers that this attack was only possible because
the NSA held onto the vulnerability and used it in a weapon instead
of immediately reporting the vulnerability to Microsoft.

This is going to be the number 1 example (until something worse comes
along :-() of why holding on to vulnerabilities and weaponising them
instead of reporting them to the vendor to be fixed is a Really Bad Idea.
Post by j***@yahoo.co.uk
http://www.bbc.co.uk/news/technology-39901382
"Massive ransomware infection hits computers in 99
countries" (13 May)
Then there's at least two reasonably well informed
articles on TheRegister with several hundred comments.
And doubtless more elsewhere, with more to follow at
frequent intervals, maybe until people start to Think
Different again.
Actually things may be about to take a turn for the worse, at least
here in the UK.

I've been reading through the Bulk Equipment Interference Warrants
section of the Investigatory Powers Act and I've come across
something that (on the surface at least) looks very disturbing.

In summary, the government appears to have just legalised press-ganging
_any_ person in the UK into working for GCHQ against their will a couple
of centuries after the Royal Navy stopped that exact practice.

Example scenario
----------------
If you are a security researcher in the UK and the government finds out
you have discovered a vulnerability, then it appears you can be forced
against your will to hand over your research to GCHQ. It also appears
that if you then still try to warn the vendor, the government can
prosecute you.

My reasoning
------------
According to paragraph 2 of section 190 (Implementation of warrants),
it looks like the government can force any individual within the UK
(and against their will) to reveal any security vulnerabilities they
know about to the government.

Note that while paragraph 5 of section 190 makes reference to the duty
of telecommunications operators, there does not appear to be any such
constraint under paragraph 2 of who can actually be served with the
warrant in the first place.

Under section 197, which references sections 132 to 134, if that
individual then tries to warn the vendor anyway about the security
vulnerability after receiving a warrant, it looks like the government
can then prosecute them and have them fined or jailed. See sections
132 to 134, in particular (3)(f) and (4) of section 132 as well as
section 134.

I really hope I am wrong about this, but if I am, then I am not seeing
what I am missing. If I am right, I hope it's just an oversight by
the government and not something deliberate. If you (or anyone) knows
more about this than I do, then I would be very interested to hear
your take on this.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
David Froble
2017-05-13 23:05:36 UTC
Permalink
Raw Message
Post by Simon Clubley
Post by j***@yahoo.co.uk
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
Many people might rather start at (e.g.)
http://www.bbc.co.uk/news/technology-39896393
(13 May) which has the headline "What is the
ransomware causing chaos globally?" - global
meaning 74 countries have been hit so far.
I was really pleased to see that the BBC and the security researchers
it interviewed very quickly (and in a very public way) made it clear
to the BBC's viewers/readers that this attack was only possible because
the NSA held onto the vulnerability and used it in a weapon instead
of immediately reporting the vulnerability to Microsoft.
This is going to be the number 1 example (until something worse comes
along :-() of why holding on to vulnerabilities and weaponising them
instead of reporting them to the vendor to be fixed is a Really Bad Idea.
Post by j***@yahoo.co.uk
http://www.bbc.co.uk/news/technology-39901382
"Massive ransomware infection hits computers in 99
countries" (13 May)
Then there's at least two reasonably well informed
articles on TheRegister with several hundred comments.
And doubtless more elsewhere, with more to follow at
frequent intervals, maybe until people start to Think
Different again.
Actually things may be about to take a turn for the worse, at least
here in the UK.
I've been reading through the Bulk Equipment Interference Warrants
section of the Investigatory Powers Act and I've come across
something that (on the surface at least) looks very disturbing.
In summary, the government appears to have just legalised press-ganging
_any_ person in the UK into working for GCHQ against their will a couple
of centuries after the Royal Navy stopped that exact practice.
Example scenario
----------------
If you are a security researcher in the UK and the government finds out
you have discovered a vulnerability,
Here then is the important thing. How would they find out such, unless someone
has a big mouth and bigger ego?

1) report it before they find out you know anything
2) keep mouth (fingers) quiet until your chosen moment

Now, if they decide that you should have told them first, and decide to keel
haul you for not doing so, maybe time for a revolution?

:-) :-)
Post by Simon Clubley
then it appears you can be forced
against your will to hand over your research to GCHQ. It also appears
that if you then still try to warn the vendor, the government can
prosecute you.
My reasoning
------------
According to paragraph 2 of section 190 (Implementation of warrants),
it looks like the government can force any individual within the UK
(and against their will) to reveal any security vulnerabilities they
know about to the government.
Note that while paragraph 5 of section 190 makes reference to the duty
of telecommunications operators, there does not appear to be any such
constraint under paragraph 2 of who can actually be served with the
warrant in the first place.
Under section 197, which references sections 132 to 134, if that
individual then tries to warn the vendor anyway about the security
vulnerability after receiving a warrant, it looks like the government
can then prosecute them and have them fined or jailed. See sections
132 to 134, in particular (3)(f) and (4) of section 132 as well as
section 134.
I really hope I am wrong about this, but if I am, then I am not seeing
what I am missing. If I am right, I hope it's just an oversight by
the government and not something deliberate. If you (or anyone) knows
more about this than I do, then I would be very interested to hear
your take on this.
Simon.
Simon Clubley
2017-05-13 23:24:23 UTC
Permalink
Raw Message
Post by David Froble
Post by Simon Clubley
Example scenario
----------------
If you are a security researcher in the UK and the government finds out
you have discovered a vulnerability,
Here then is the important thing. How would they find out such, unless someone
has a big mouth and bigger ego?
Security vulnerabilities are not always discovered in isolation but
sometimes by a team with it's members working remotely.

It's also not beyond the bounds of possibility that people doing
vulnerability research have a certain pattern of search behaviour
which can be detected by government level data mining.

Anyway, it's just one example scenario; there are many others.

The point here is what the law now appears to allow the government to do
once the government discovers a person living within the UK has specific
knowledge or a particular skillset. It's not really about how the
government came to discover that in the first place.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Paul Sture
2017-05-14 10:06:56 UTC
Permalink
Raw Message
Post by Simon Clubley
Actually things may be about to take a turn for the worse, at least
here in the UK.
I've been reading through the Bulk Equipment Interference Warrants
section of the Investigatory Powers Act and I've come across
something that (on the surface at least) looks very disturbing.
In summary, the government appears to have just legalised press-ganging
_any_ person in the UK into working for GCHQ against their will a couple
of centuries after the Royal Navy stopped that exact practice.
Which particular document(s) are you looking at? There are so many to choose
from...
--
Everybody has a testing environment. Some people are lucky enough to
have a totally separate environment to run production in.
Simon Clubley
2017-05-14 12:41:29 UTC
Permalink
Raw Message
Post by Paul Sture
Post by Simon Clubley
Actually things may be about to take a turn for the worse, at least
here in the UK.
I've been reading through the Bulk Equipment Interference Warrants
section of the Investigatory Powers Act and I've come across
something that (on the surface at least) looks very disturbing.
In summary, the government appears to have just legalised press-ganging
_any_ person in the UK into working for GCHQ against their will a couple
of centuries after the Royal Navy stopped that exact practice.
Which particular document(s) are you looking at? There are so many to choose
from...
The IP Act itself. It's available on a government website at:

http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted

for the enacted version or

http://www.legislation.gov.uk/ukpga/2016/25/contents

for the latest version (although the parts in question are identical
in both versions.)

The original print PDF is at:

http://www.legislation.gov.uk/ukpga/2016/25/pdfs/ukpga_20160025_en.pdf

I was working from the PDF version. Note that the PDF has been
reformatted slightly since I downloaded it, although the sections
I referenced still have the same contents.

Also note how the IPA lists the duties of telecommunications operators
when they receive a warrant but also how the paragraph dealing with
the actual issuing of the warrant does not appear to restrict itself
to issuing warrants to telecommunications operators only. In fact,
section 190 paragraph 2 specifically uses the phrase "any person"
without any qualification.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Paul Sture
2017-06-24 13:12:00 UTC
Permalink
Raw Message
Post by Simon Clubley
Post by Paul Sture
Post by Simon Clubley
Actually things may be about to take a turn for the worse, at least
here in the UK.
I've been reading through the Bulk Equipment Interference Warrants
section of the Investigatory Powers Act and I've come across
something that (on the surface at least) looks very disturbing.
In summary, the government appears to have just legalised press-ganging
_any_ person in the UK into working for GCHQ against their will a couple
of centuries after the Royal Navy stopped that exact practice.
Which particular document(s) are you looking at? There are so many to choose
from...
http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted
for the enacted version or
http://www.legislation.gov.uk/ukpga/2016/25/contents
for the latest version (although the parts in question are identical
in both versions.)
http://www.legislation.gov.uk/ukpga/2016/25/pdfs/ukpga_20160025_en.pdf
I was working from the PDF version. Note that the PDF has been
reformatted slightly since I downloaded it, although the sections
I referenced still have the same contents.
Also note how the IPA lists the duties of telecommunications operators
when they receive a warrant but also how the paragraph dealing with
the actual issuing of the warrant does not appear to restrict itself
to issuing warrants to telecommunications operators only. In fact,
section 190 paragraph 2 specifically uses the phrase "any person"
without any qualification.
That's a fascinating document in terms of cross references and
structure. Properly understanding a given section plus looking up the
referenced items puts it in the "Hard sums" category.

I could imagine some kind of custom program with easily accessible
pop up windows for the referenced bits. Might need one of these
screens to handle that:

"Samsung releases 49-inch desktop monitor with 32:9 aspect ratio"

<https://www.theregister.co.uk/2017/06/16/samsung_49_inch_chg90_desktop_monitor/>

This is not unrelated to your other topic of VMS documentation, i.e. the
difficulty of accessing copious documentation with easy access to items
referenced, in a more usable fashion than, say, multiple tabs in a
browser.
--
Everybody has a testing environment. Some people are lucky enough to
have a totally separate environment to run production in.
Simon Clubley
2017-06-24 20:16:25 UTC
Permalink
Raw Message
Post by Paul Sture
Post by Simon Clubley
http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted
for the enacted version or
http://www.legislation.gov.uk/ukpga/2016/25/contents
for the latest version (although the parts in question are identical
in both versions.)
http://www.legislation.gov.uk/ukpga/2016/25/pdfs/ukpga_20160025_en.pdf
[snip]
Post by Paul Sture
That's a fascinating document in terms of cross references and
structure. Properly understanding a given section plus looking up the
referenced items puts it in the "Hard sums" category.
Tell me about it Paul. :-(

One side effect of this format is that a casual reader cannot quickly
read the law to make sure that the powers it enables are limited to
the powers which the government claims it enables.

I'll let you decide if that was an intended or unintended side effort
of how these laws are written.

The latest news is that given how unclear the situation still is, I have
now asked the Home Office directly for an answer to this question.
I deliberately kept it to a single simple question with only a little
bit of analysis in order to try and force them to address the actual
question itself.

I don't know if I will get an answer or if it's going to be anything
more than PR spiel if I do...
Post by Paul Sture
I could imagine some kind of custom program with easily accessible
pop up windows for the referenced bits. Might need one of these
"Samsung releases 49-inch desktop monitor with 32:9 aspect ratio"
<https://www.theregister.co.uk/2017/06/16/samsung_49_inch_chg90_desktop_monitor/>
This is not unrelated to your other topic of VMS documentation, i.e. the
difficulty of accessing copious documentation with easy access to items
referenced, in a more usable fashion than, say, multiple tabs in a
browser.
The parallels have not been lost on me... :-)

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Paul Sture
2017-06-25 19:07:24 UTC
Permalink
Raw Message
Post by Simon Clubley
Post by Paul Sture
Post by Simon Clubley
http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted
for the enacted version or
http://www.legislation.gov.uk/ukpga/2016/25/contents
for the latest version (although the parts in question are identical
in both versions.)
http://www.legislation.gov.uk/ukpga/2016/25/pdfs/ukpga_20160025_en.pdf
[snip]
Post by Paul Sture
That's a fascinating document in terms of cross references and
structure. Properly understanding a given section plus looking up the
referenced items puts it in the "Hard sums" category.
Tell me about it Paul. :-(
Ayup.
Post by Simon Clubley
One side effect of this format is that a casual reader cannot quickly
read the law to make sure that the powers it enables are limited to
the powers which the government claims it enables.
I'll let you decide if that was an intended or unintended side effort
of how these laws are written.
It strongly reminds me of spaghetti code that got that way by continual
and extensive tweaking. I do wonder what sort of authoring tools they
have in place to keep track of it all.
Post by Simon Clubley
The latest news is that given how unclear the situation still is, I have
now asked the Home Office directly for an answer to this question.
I deliberately kept it to a single simple question with only a little
bit of analysis in order to try and force them to address the actual
question itself.
I don't know if I will get an answer or if it's going to be anything
more than PR spiel if I do...
I have heard of people getting boilerplate responses which manage to
evade the issue. I wish you more luck than that.
Post by Simon Clubley
Post by Paul Sture
I could imagine some kind of custom program with easily accessible
pop up windows for the referenced bits. Might need one of these
"Samsung releases 49-inch desktop monitor with 32:9 aspect ratio"
<https://www.theregister.co.uk/2017/06/16/samsung_49_inch_chg90_desktop_monitor/>
This is not unrelated to your other topic of VMS documentation, i.e. the
difficulty of accessing copious documentation with easy access to items
referenced, in a more usable fashion than, say, multiple tabs in a
browser.
The parallels have not been lost on me... :-)
I might have a poke around the structure to see what I can extract.
No promises at this stage, of course.
--
Everybody has a testing environment. Some people are lucky enough to
have a totally separate environment to run production in.
Simon Clubley
2017-06-26 23:43:23 UTC
Permalink
Raw Message
Post by Paul Sture
Post by Simon Clubley
One side effect of this format is that a casual reader cannot quickly
read the law to make sure that the powers it enables are limited to
the powers which the government claims it enables.
I'll let you decide if that was an intended or unintended side effort
of how these laws are written.
It strongly reminds me of spaghetti code that got that way by continual
and extensive tweaking. I do wonder what sort of authoring tools they
have in place to keep track of it all.
That's actually a really good way to think about it.
Post by Paul Sture
Post by Simon Clubley
The latest news is that given how unclear the situation still is, I have
now asked the Home Office directly for an answer to this question.
I deliberately kept it to a single simple question with only a little
bit of analysis in order to try and force them to address the actual
question itself.
I don't know if I will get an answer or if it's going to be anything
more than PR spiel if I do...
I have heard of people getting boilerplate responses which manage to
evade the issue. I wish you more luck than that.
Thanks.

I don't expect to get anything "exciting" or definitive back unfortunately,
but OTOH it would be nice to know for sure one way or another.
Post by Paul Sture
Post by Simon Clubley
The parallels have not been lost on me... :-)
I might have a poke around the structure to see what I can extract.
No promises at this stage, of course.
Of course. :-)

The other gem in this law are the sections that refer to another
section but say that other section should be read as if phrase X
was replaced by phrase Y.

That means it's not a simple matter of linking to that section, but
instead linking to that section _and_ indicating somehow that it's
contents need to be changed to replace phrase X with phrase Y.

Sir Humphrey would have been very proud of this government.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Paul Sture
2017-06-30 13:22:47 UTC
Permalink
Raw Message
Post by Simon Clubley
Post by Paul Sture
Post by Simon Clubley
One side effect of this format is that a casual reader cannot quickly
read the law to make sure that the powers it enables are limited to
the powers which the government claims it enables.
I'll let you decide if that was an intended or unintended side effort
of how these laws are written.
It strongly reminds me of spaghetti code that got that way by continual
and extensive tweaking. I do wonder what sort of authoring tools they
have in place to keep track of it all.
That's actually a really good way to think about it.
It has me wondering about taking it further and seeing if code analysis
tools could be applied to such text, for example, to establish where
the logical flow through the code/text jumps around too much for easy
comprehension.

A lot of spaghetti code I dealt with back in the day also suffered from
extensive copying and pasting lumps of code. Recalling one particular
example, an intermediate value used in a calculation was too small.
Identifying the offending calculation was easy, but tracking down all
the copied and pasted bits was quite difficult, especially where
variable and/or label names had been changed.

Yes, I did see duplicated text in the document that appeared to follow
this practice.
Post by Simon Clubley
Post by Paul Sture
Post by Simon Clubley
The latest news is that given how unclear the situation still is, I have
now asked the Home Office directly for an answer to this question.
I deliberately kept it to a single simple question with only a little
bit of analysis in order to try and force them to address the actual
question itself.
I don't know if I will get an answer or if it's going to be anything
more than PR spiel if I do...
I have heard of people getting boilerplate responses which manage to
evade the issue. I wish you more luck than that.
Thanks.
I don't expect to get anything "exciting" or definitive back unfortunately,
but OTOH it would be nice to know for sure one way or another.
Clarification would help, but might be subject to "we'll only know when
this is tested in court". Pity the poor souls who have to go through
court cases to find out...
Post by Simon Clubley
Post by Paul Sture
Post by Simon Clubley
The parallels have not been lost on me... :-)
I might have a poke around the structure to see what I can extract.
No promises at this stage, of course.
Of course. :-)
The other gem in this law are the sections that refer to another
section but say that other section should be read as if phrase X
was replaced by phrase Y.
That means it's not a simple matter of linking to that section, but
instead linking to that section _and_ indicating somehow that it's
contents need to be changed to replace phrase X with phrase Y.
That's an alternative to the copy/paste/amend sequence I mentioned
above. That should ease the identification of copied/pasted bits,
even though it wreaks havoc with comprehension. FWIW COBOL
recognised the need for this kind of thing decades ago with
"COPY ... REPLACING" Here's an example of that in use:

<https://stackoverflow.com/questions/7386301/copy-statement-with-replacing-in-cobol>

(Note that VMS COBOL doesn't allow nested COPY statements; I could
have used that back in the day, but there we go)
Post by Simon Clubley
Sir Humphrey would have been very proud of this government.
He would indeed. I can recommend watching "Yes Minister" and "Yes Prime
Minister" again as a refresher course.
--
Everybody has a testing environment. Some people are lucky enough to
have a totally separate environment to run production in.
Stephen Hoffman
2017-05-15 15:21:23 UTC
Permalink
Raw Message
Post by Simon Clubley
I was really pleased to see that the BBC and the security researchers
it interviewed very quickly (and in a very public way) made it clear to
the BBC's viewers/readers that this attack was only possible because
the NSA held onto the vulnerability and used it in a weapon instead of
immediately reporting the vulnerability to Microsoft.
This is going to be the number 1 example (until something worse comes
along :-() of why holding on to vulnerabilities and weaponising them
instead of reporting them to the vendor to be fixed is a Really Bad Idea.
A central praxis of any national intelligence entity involves gathering
and using technical exploits to advance national interests. These
entities are not publicly-funded hardware- and software-testing
agencies for private concerns. These agencies gather intelligence
through various available means. Vulnerabilities in Microsoft Windows
are among those means.

Folks have made the case that releasing details once the exploits are
burned might be or is reasonable, but it's also quite possible that a
vendor notification did occur here.

What can VSI learn here? Or other vendors with non-trivial software
based on OpenVMS, for that matter? Effective means of issuing patches
are vital for addressing vulnerabilities cases, as the current
manually-notified and manually-invoked and per-host PCSI-based
implementation is greatly lacking. Deprecating insecure protocols and
implementations, whether it's CIFS SMBv1 or Purdy or otherwise.
Implementing a bug-reporting channel active and not using
***@gmail.com email addresses in business contexts, too.
Maybe even consider implementing a bug bounty program, once the
existing and overt vulnerabilities have been addressed by VSI IP and
other work underway, or in the third-party software package.
--
Pure Personal Opinion | HoffmanLabs LLC
V***@SendSpamHere.ORG
2017-05-13 16:14:57 UTC
Permalink
Raw Message
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

I speak to machines with the voice of humanity.
Paul Sture
2017-05-13 16:36:45 UTC
Permalink
Raw Message
Post by V***@SendSpamHere.ORG
... and I thought NHS was on VMS. Colin???
At least some of it was/still is, but this particular nasty is attacking
Windows workstations, of which the NHS has plenty.

Apparently Microsoft have issued a relevant security patch for Windows XP,
even though they previously said no more patches for that:

≤https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/>ß
--
Everybody has a testing environment. Some people are lucky enough to
have a totally separate environment to run production in.
j***@yahoo.co.uk
2017-05-13 17:03:20 UTC
Permalink
Raw Message
Post by Paul Sture
Post by V***@SendSpamHere.ORG
... and I thought NHS was on VMS. Colin???
At least some of it was/still is, but this particular nasty is attacking
Windows workstations, of which the NHS has plenty.
Apparently Microsoft have issued a relevant security patch for Windows XP,
≤https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/>ß
--
Everybody has a testing environment. Some people are lucky enough to
have a totally separate environment to run production in.
Microsoft's desktop people said no more patches for
XP a while back.

Microsoft's less widely known 'embedded' people [1]
have a repackaged but otherwise compatible Windows XP
which is supported until 2019:
https://support.microsoft.com/en-gb/help/18581/lifecycle-faq-windows-products
says
"Windows Embedded Standard 2009. This product is an
updated release of the toolkit and componentized
version of Windows XP. It was originally released in
2008, and Extended Support will end on January 8, 2019."

There's also Windows PoSReady, a further derivative for
use in PoS environments. (OK, OK, it's "Point of Sale",
ie shop cash tills, maybe bank ATMs, etc).


Anyone who bought a piece of high value long lifecyle
kit which is reliant on low value short lifecycle
hardware and software is heading for trouble (but it
hasn't yet stopped it happening).

[1] "Embedded" in this case doesn't mean WinCE; it
means commodity x86 OSes repackaged and relicenced
for use in things like test+measurement equipment,
hospital scanners, and other such high value long
lifecycle kit.
Stephen Hoffman
2017-05-13 18:48:18 UTC
Permalink
Raw Message
Microsoft's desktop people said no more patches forXP a while back.
Patches are available for Windows XP. They're just not free.

Folks in the UK government decided not to pay for patch access, and
system upgrades are seemingly on a replacement cycle in NHS and many
other places, so the outcome here with NHS and others running older and
insure and down-revision systems was inevitable.

Here's a write-up on NHS:
https://conspicuouschatter.wordpress.com/2017/05/13/the-politics-of-the-wannacrypt-ransomware-outbreak/



Some notes, links and resources on the Windows malware:
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168


It's a near certainty that the current malware worm will start up again
too, as the anti-VM check will be fixed, and new variants of the worm
will be launched.


As for inevitability on other platforms? There are more than a few
OpenVMS servers in exposed and down-revision configurations too, and
that's ignoring the security issues that can and variously do still
exist in current and currently-patched OpenVMS configurations. This
for business reasons, for financial reasons, and just because some of
the folks running the servers don't know better or don't know how.
Those famous long-uptime OpenVMS servers have been running how many
years without patches? The Process IP stacks do and VSI IP should
plug some of the holes, though work here is ongoing and certainly not
limited to the IP stack and IP services.

But then as I've commended, various OpenVMS sites are still using
telnet and FTP and DECnet and down-revision networks and device
firmware, down-revision iLO ports and default and easily-guessed and
widely-known passwords, so why would an attacker necessarily bother
leveraging an NSA exploit into a worm? Well, that and there aren't
enough OpenVMS servers around to really warrant automating an attack.
There are presently 705 systems claiming to be OpenVMS systems and 51
claiming to be VAX/VMS systems directly accessible on the 'net, with 49
OpenVMS servers hosted at Rackspace and 17 servers on Comcast Business.
That, and I see some running known-insecure SSLv2 and SSLv3, and
more than a few with the very-old and known-insecure OpenSSL/0.9.8d
so...

A belief that breaches and ransomware can't happen on OpenVMS isn't
tenable, either. I dealt with a case of ransomware on MicroVMS in
~1985 and with an earlier case on RSX-11M in ~1983. OpenVMS breaches,
too. This stuff is not new. It's just become better distributed
and better automated. and the data encryption has gotten better, and
the attacks faster. The value of the data on the servers has
increased, too.
--
Pure Personal Opinion | HoffmanLabs LLC
David Froble
2017-05-13 20:33:40 UTC
Permalink
Raw Message
Post by Stephen Hoffman
Those famous long-uptime OpenVMS servers have been running how many
years without patches?
Steve has been ranting about the "long uptime" concept for a while now. A
humorous, well, to everyone but Dave, story about that.

I got woken up this morning by a phone call. It was the boss. "The SSH at
<customer> isn't working!" "Wha" mutters the still groggy Dave. No clue what's
happening. Took a few hours to remember that the TCP/IP stuff wasn't doing the
job, and that SSH had been purchased from Process. Finally found the
installation PDF on my weendoze system. Slowly, I realize that I had installed
it many years ago.

After installation, one task is to modify SYSTARTUP_VMS.COM to include invoking
SYS$STARTUP:PSCSSH$STARTUP.COM. You will probably guess that that step hadn't
happened, years ago. Not sure why, but, the buck stops here, I guess.

A test of system startup after modifying the system is prudent. Not many years
later when you don't even remember installing the product.
Bill Gunshannon
2017-05-13 21:10:37 UTC
Permalink
Raw Message
Post by Paul Sture
Post by V***@SendSpamHere.ORG
... and I thought NHS was on VMS. Colin???
At least some of it was/still is, but this particular nasty is attacking
Windows workstations, of which the NHS has plenty.
Apparently Microsoft have issued a relevant security patch for Windows XP,
≤https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/>ß
If it were only attacking workstations they would not have lost all
their data to ransomware. Sounds like servers, whatever they are
running, are getting hit, too.

bill
Arne Vajhøj
2017-05-13 23:48:42 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Post by Paul Sture
Post by V***@SendSpamHere.ORG
... and I thought NHS was on VMS. Colin???
At least some of it was/still is, but this particular nasty is attacking
Windows workstations, of which the NHS has plenty.
Apparently Microsoft have issued a relevant security patch for Windows XP,
≤https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/>ß
If it were only attacking workstations they would not have lost all
their data to ransomware. Sounds like servers, whatever they are
running, are getting hit, too.
It relates to SMB server.

That is part of bot desktop and server Windows.

The patch released two months ago list both
desktop and server Windows.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Note the two months part.

As is MS practice (and probably every company's practice) that they
only release a patch for supported Windows versions.

What MS did yesterday was to also provide a patch for some
unsupported Windows versions: XP, 2003 and 8.

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Arne
David Turner
2017-05-17 01:40:03 UTC
Permalink
Raw Message
I, as I'm sure you all do, get viruses emailed to me (or attached) or
malicious crap being sent all the time.
I run centos on pcs here. When I double click on an attachment (just for
fun) it asks me what I want to do, open the file (and then I have to
choose an app with which to open it) or save it.

CENTOS/UBUNTU/DEBIAN MINT are all free. What the hell is the NHS
thinking? I know they have Redhat servers there. Why oh why would anyone
choose to use MS$???

The NHS applications/interfaces are all web-based from what my ex
bro-in-law told me.
No excuse
Post by Bill Gunshannon
Post by Paul Sture
Post by V***@SendSpamHere.ORG
... and I thought NHS was on VMS. Colin???
At least some of it was/still is, but this particular nasty is attacking
Windows workstations, of which the NHS has plenty.
Apparently Microsoft have issued a relevant security patch for Windows XP,
≤https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/>ß
If it were only attacking workstations they would not have lost all
their data to ransomware. Sounds like servers, whatever they are
running, are getting hit, too.
bill
Jan-Erik Soderholm
2017-05-17 07:32:47 UTC
Permalink
Raw Message
Post by David Turner
I, as I'm sure you all do, get viruses emailed to me (or attached) or
malicious crap being sent all the time.
I run centos on pcs here. When I double click on an attachment (just for
fun) it asks me what I want to do, open the file (and then I have to choose
an app with which to open it) or save it.
CENTOS/UBUNTU/DEBIAN MINT are all free. What the hell is the NHS thinking?
I know they have Redhat servers there. Why oh why would anyone choose to
use MS$???
The NHS applications/interfaces are all web-based from what my ex
bro-in-law told me.
My guess is that many of the users of the NHS applications are also
users of other applications such as normal "office" tools.
Post by David Turner
No excuse
Post by Bill Gunshannon
Post by Paul Sture
Post by V***@SendSpamHere.ORG
... and I thought NHS was on VMS. Colin???
At least some of it was/still is, but this particular nasty is attacking
Windows workstations, of which the NHS has plenty.
Apparently Microsoft have issued a relevant security patch for Windows XP,
≤https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/>ß
If it were only attacking workstations they would not have lost all
their data to ransomware. Sounds like servers, whatever they are
running, are getting hit, too.
bill
Bill Gunshannon
2017-05-17 11:10:40 UTC
Permalink
Raw Message
Post by Jan-Erik Soderholm
Post by David Turner
I, as I'm sure you all do, get viruses emailed to me (or attached) or
malicious crap being sent all the time.
I run centos on pcs here. When I double click on an attachment (just for
fun) it asks me what I want to do, open the file (and then I have to choose
an app with which to open it) or save it.
CENTOS/UBUNTU/DEBIAN MINT are all free. What the hell is the NHS thinking?
I know they have Redhat servers there. Why oh why would anyone choose to
use MS$???
The NHS applications/interfaces are all web-based from what my ex
bro-in-law told me.
My guess is that many of the users of the NHS applications are also
users of other applications such as normal "office" tools.
Normal office tools run on Linux as well. And the learning curve
between them is much smaller than most people seem to think.

bill
Jan-Erik Soderholm
2017-05-17 11:16:27 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Post by Jan-Erik Soderholm
Post by David Turner
I, as I'm sure you all do, get viruses emailed to me (or attached) or
malicious crap being sent all the time.
I run centos on pcs here. When I double click on an attachment (just for
fun) it asks me what I want to do, open the file (and then I have to choose
an app with which to open it) or save it.
CENTOS/UBUNTU/DEBIAN MINT are all free. What the hell is the NHS thinking?
I know they have Redhat servers there. Why oh why would anyone choose to
use MS$???
The NHS applications/interfaces are all web-based from what my ex
bro-in-law told me.
My guess is that many of the users of the NHS applications are also
users of other applications such as normal "office" tools.
Normal office tools run on Linux as well. And the learning curve
between them is much smaller than most people seem to think.
bill
OK, "common" office tools then. Why need any learning at all, if
you already know the normal/common office tools.

Anyway, my point was that the NHS applications are probably not
the only applications these users use. So you can probably not
select platform using the NHS applications alone.
j***@yahoo.co.uk
2017-05-17 07:50:35 UTC
Permalink
Raw Message
Post by David Turner
I, as I'm sure you all do, get viruses emailed to me (or attached) or
malicious crap being sent all the time.
I run centos on pcs here. When I double click on an attachment (just for
fun) it asks me what I want to do, open the file (and then I have to
choose an app with which to open it) or save it.
CENTOS/UBUNTU/DEBIAN MINT are all free. What the hell is the NHS
thinking? I know they have Redhat servers there. Why oh why would anyone
choose to use MS$???
The NHS applications/interfaces are all web-based from what my ex
bro-in-law told me.
No excuse
Post by Bill Gunshannon
Post by Paul Sture
Post by V***@SendSpamHere.ORG
... and I thought NHS was on VMS. Colin???
At least some of it was/still is, but this particular nasty is attacking
Windows workstations, of which the NHS has plenty.
Apparently Microsoft have issued a relevant security patch for Windows XP,
≤https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/>ß
If it were only attacking workstations they would not have lost all
their data to ransomware. Sounds like servers, whatever they are
running, are getting hit, too.
bill
Your information is incomplete (at best).

To begin with, NHS IT is not a single uniform
empire across the UK, even where IT hasn't yet
been outsourced.

There are browser-based apps, but the chances of
them *all* being standards-based vendor-independent
apps are approximately zero (IE6 is still required
in some places, allegedly).

The general concept of using open standards for
safe cost-effective interoperability (let alone
open source) is largely unheard of at senior level.

Big vendor-supported consortia seem much more likely
to win projects (and then repeatedly fail to deliver
medium term).

Why is it this way: beancounters and lawyers in
senior 'managament' is a large factor. Clueless
beancounters have believed the vendor (and IT
manager) hype that a Windows setup is not just
cheap to buy, it's cheap to run.

Maybe it might be cheap to run if some other
suckers are foolish enough to repeatedly pick up
the costs of failure, as seems to have happened
so far (not just in the NHS, not just in the UK).

Which leads to lawyers. Lawyers involved with
procurements like to have someone they have heard
of that they can sue. Some people like to have
pieces of paper like SLAs too.

Whether anyone's successfully sued a Windows
'solution provider' (or any other vendor) is left
as an exercise to the reader. Same goes for the
value of the SLA (vs the cost and value of
competent design and delivery).

MS in the UK have historically had strong contacts
at various levels e.g. up to Cabinet Office, and
have succeeded in playing a major part (directly
or indirectly) in major projects such as NPfIT
(NHS Programme for IT, later renamed to Connecting
for Health). Open standards and open source rarely
figure in this picture any more.

MS and others manage to achieve this commercial
success despite a record of repeated failures, as
do many other private and public sector IT
suppliers. It's helpful at the procurement stage
to have a big name and big bank accounts (BT,
Microsoft, etc).

ps
Are dodgy attachments all that relevant in
the big picture? When a "specially crafted
JPG file" can be used for either or both of
unauthenticated code execution and/or local
unauthorised privilege escalation (and there
are *lots* of those around, known and unknown),
you don't really need people to click on
dodgy attachments with embedded macros and
such (or even just PDF attachments) for
systems to be attacked.

Have a lot of fun.
V***@SendSpamHere.ORG
2017-05-17 13:29:52 UTC
Permalink
Raw Message
Post by David Turner
I, as I'm sure you all do, get viruses emailed to me (or attached) or
malicious crap being sent all the time.
I run centos on pcs here. When I double click on an attachment (just for
fun) it asks me what I want to do, open the file (and then I have to
choose an app with which to open it) or save it.
CENTOS/UBUNTU/DEBIAN MINT are all free. What the hell is the NHS
thinking? I know they have Redhat servers there. Why oh why would anyone
choose to use MS$???
I've pondered that very question for more than a decade!
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

I speak to machines with the voice of humanity.
David Froble
2017-05-17 15:17:17 UTC
Permalink
Raw Message
Post by David Turner
I, as I'm sure you all do, get viruses emailed to me (or attached) or
malicious crap being sent all the time.
I run centos on pcs here. When I double click on an attachment (just for
fun) it asks me what I want to do, open the file (and then I have to
choose an app with which to open it) or save it.
CENTOS/UBUNTU/DEBIAN MINT are all free. What the hell is the NHS
thinking? I know they have Redhat servers there. Why oh why would anyone
choose to use MS$???
I'll mention what I was told when I told a customer that they could not store
their customer's CC numbers and bank account info on an IIS server in plain text.

"Why not, everyone else does it."
Jan-Erik Soderholm
2017-05-17 15:39:15 UTC
Permalink
Raw Message
Post by David Froble
Post by David Turner
I, as I'm sure you all do, get viruses emailed to me (or attached) or
malicious crap being sent all the time.
I run centos on pcs here. When I double click on an attachment (just for
fun) it asks me what I want to do, open the file (and then I have to
choose an app with which to open it) or save it.
CENTOS/UBUNTU/DEBIAN MINT are all free. What the hell is the NHS
thinking? I know they have Redhat servers there. Why oh why would anyone
choose to use MS$???
I'll mention what I was told when I told a customer that they could not
store their customer's CC numbers and bank account info on an IIS server in
plain text.
"Why not, everyone else does it."
That would have been equally true for any server or platform.
I do not see that requirement as unique for IIS.
David Froble
2017-05-17 20:09:32 UTC
Permalink
Raw Message
Post by Jan-Erik Soderholm
Post by David Froble
Post by David Turner
I, as I'm sure you all do, get viruses emailed to me (or attached) or
malicious crap being sent all the time.
I run centos on pcs here. When I double click on an attachment (just for
fun) it asks me what I want to do, open the file (and then I have to
choose an app with which to open it) or save it.
CENTOS/UBUNTU/DEBIAN MINT are all free. What the hell is the NHS
thinking? I know they have Redhat servers there. Why oh why would anyone
choose to use MS$???
I'll mention what I was told when I told a customer that they could not
store their customer's CC numbers and bank account info on an IIS server in
plain text.
"Why not, everyone else does it."
That would have been equally true for any server or platform.
I do not see that requirement as unique for IIS.
In concept, you are correct. But at the time, IIS was the favorite target of
hackers. Might still be.

But it's not the platform, it's the total lack of concern for security. "Why
should I be concerned about security when no one else seems to be concerned?"
j***@yahoo.co.uk
2017-05-13 16:52:24 UTC
Permalink
Raw Message
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
I speak to machines with the voice of humanity.
[not Colin, obviously, but I looked this up recently]

The NHSBT (NHS Blood and Transfusion) 'Pulse' setup was one of
many NHS systems. NHSBT was a highly available highly (disaster
tolerant) highly and rapidly scalable setup which was designed
and delivered by Xdelta and others, based on HP (and other)
kit, with VMS as a core component.

More info including an HP case study and an article from
Availability Digest: see
http://www.xdelta.co.uk/xdelta_news_events_archive.html#jlink2010
"It describes how the NHSBT made use of HP OpenVMS systems on Integrity Servers to build and run the world's biggest single donor database and blood product production control system. The disaster-tolerant system infrastructure was designed and built by XDelta on behalf of HP in collaboration with the application provider and system maintainer Savant. The database vendor was Mimer. The hardware reseller was OCSL.

Further details about the "Pulse renewal" project and its success in the 2009 Itanium Solutions Alliance Innovation Awards are available here."

Hth.
David Froble
2017-05-13 20:15:45 UTC
Permalink
Raw Message
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was obviously
weendoze ....

The sad thing is, NSA knowing about the problem, and being much more interested
in invading computers than protecting the clueless people (us) they work for.
They could have had Microsoft putting out fixes long ago. Not that everyone
would have installed the fixes ....
Bill Gunshannon
2017-05-13 21:16:05 UTC
Permalink
Raw Message
Post by David Froble
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was
obviously weendoze ....
The sad thing is, NSA knowing about the problem, and being much more
interested in invading computers than protecting the clueless people
(us) they work for. They could have had Microsoft putting out fixes long
ago. Not that everyone would have installed the fixes ....
If you knew anything at all about the Intel world you would know that
you never reveal what you know because the usually lets the bad guys
learn not only what you know, but how you learned it.

bill
David Froble
2017-05-13 23:11:26 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Post by David Froble
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was
obviously weendoze ....
The sad thing is, NSA knowing about the problem, and being much more
interested in invading computers than protecting the clueless people
(us) they work for. They could have had Microsoft putting out fixes long
ago. Not that everyone would have installed the fixes ....
If you knew anything at all about the Intel world you would know that
you never reveal what you know because the usually lets the bad guys
learn not only what you know, but how you learned it.
bill
The problem with that, and it is a problem, is that those intel types are
suppose to be working for us. You know, the people paying the taxes.

Nor did the NSA have to announce it publicly. They could have held some private
talks with Microsoft.

I'm not against sneaky intel people, I just feel that periodically they need to
understand who they are suppose to be protecting. The NSA has failed every US
citizen who may have suffered damages.
Bill Gunshannon
2017-05-14 02:08:24 UTC
Permalink
Raw Message
Post by David Froble
Post by Bill Gunshannon
Post by David Froble
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was
obviously weendoze ....
The sad thing is, NSA knowing about the problem, and being much more
interested in invading computers than protecting the clueless people
(us) they work for. They could have had Microsoft putting out fixes long
ago. Not that everyone would have installed the fixes ....
If you knew anything at all about the Intel world you would know that
you never reveal what you know because the usually lets the bad guys
learn not only what you know, but how you learned it.
bill
The problem with that, and it is a problem, is that those intel types
are suppose to be working for us. You know, the people paying the taxes.
That is truly wishful thinking. The local politicians don't work for
you why would you think someone at NSA does. NSA has one mandate. Use
Inteligence methods to protect the United States.
Post by David Froble
Nor did the NSA have to announce it publicly. They could have held some
private talks with Microsoft.
And we can trust all those people at Microsoft are loyal Americans who
would not reveal any information? Oh wait, most of them aren't even
Americans cause Bill Gates is the biggest pusher for bringing in foreign
IT workers. Yeah, that's gonna work. And we all know how good all
these people are at keeping secrets.
Post by David Froble
I'm not against sneaky intel people, I just feel that periodically they
need to understand who they are suppose to be protecting. The NSA has
failed every US citizen who may have suffered damages.
The NSA did it's job. Releasing that information wold not have been
protecting us because it would have reduced their ability to do their
job. If anyone failed the US citizen it is the NIST and CERT who's job
it actually is to do this research on our behalf.

And, just to get this at least a little bit on topic...

I know VMS can export filesystems for NFS mounts on desktop and server
Windows machines. Not sure about SMB. But, given this scenario could
the ransomware pirates have used an exploit in a Windows box to encrypt
the filesystem on a VMS system? How up to date are those backups?

bill
David Froble
2017-05-14 02:24:54 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Post by David Froble
Post by Bill Gunshannon
Post by David Froble
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was
obviously weendoze ....
The sad thing is, NSA knowing about the problem, and being much more
interested in invading computers than protecting the clueless people
(us) they work for. They could have had Microsoft putting out fixes long
ago. Not that everyone would have installed the fixes ....
If you knew anything at all about the Intel world you would know that
you never reveal what you know because the usually lets the bad guys
learn not only what you know, but how you learned it.
bill
The problem with that, and it is a problem, is that those intel types
are suppose to be working for us. You know, the people paying the taxes.
That is truly wishful thinking. The local politicians don't work for
you why would you think someone at NSA does. NSA has one mandate. Use
Inteligence methods to protect the United States.
Wishful thinking, or the way things should be?

Got to ask, what is this thing you're calling the United States? Isn't it the
people, the citizens?
Post by Bill Gunshannon
Post by David Froble
Nor did the NSA have to announce it publicly. They could have held some
private talks with Microsoft.
And we can trust all those people at Microsoft are loyal Americans who
would not reveal any information? Oh wait, most of them aren't even
Americans cause Bill Gates is the biggest pusher for bringing in foreign
IT workers. Yeah, that's gonna work. And we all know how good all
these people are at keeping secrets.
Don't expect me to defend Microsoft ....
Post by Bill Gunshannon
Post by David Froble
I'm not against sneaky intel people, I just feel that periodically they
need to understand who they are suppose to be protecting. The NSA has
failed every US citizen who may have suffered damages.
The NSA did it's job. Releasing that information wold not have been
protecting us because it would have reduced their ability to do their
job. If anyone failed the US citizen it is the NIST and CERT who's job
it actually is to do this research on our behalf.
Can you compare the budgets of NSA and those other organizations? Perhaps one
has much more resources?

I really have a hard time understanding what you think the NSA's job is, if it's
not serving the US public?

Maybe someone else should be funding them?
Bill Gunshannon
2017-05-14 13:31:31 UTC
Permalink
Raw Message
Post by David Froble
Post by Bill Gunshannon
Post by David Froble
Post by Bill Gunshannon
Post by David Froble
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was
obviously weendoze ....
The sad thing is, NSA knowing about the problem, and being much more
interested in invading computers than protecting the clueless people
(us) they work for. They could have had Microsoft putting out fixes long
ago. Not that everyone would have installed the fixes ....
If you knew anything at all about the Intel world you would know that
you never reveal what you know because the usually lets the bad guys
learn not only what you know, but how you learned it.
bill
The problem with that, and it is a problem, is that those intel types
are suppose to be working for us. You know, the people paying the taxes.
That is truly wishful thinking. The local politicians don't work for
you why would you think someone at NSA does. NSA has one mandate. Use
Inteligence methods to protect the United States.
Wishful thinking, or the way things should be?
Isn't that what wishful thinking is? The way you think things should
be never seems to coincide with reality.
Post by David Froble
Got to ask, what is this thing you're calling the United States? Isn't
it the people, the citizens?
Of course it is. But it's all of them. Not just you. Not just any
individual. You remind me of Lockheed Martin Stockholders. That
should be an apt analogy. There are a group of nuns who hold about
50 shares of common stock and every year they propose that LMCO should
divest itself of all military business. Luckily, the rest of the
shareholders never agree.
Post by David Froble
Post by Bill Gunshannon
Post by David Froble
Nor did the NSA have to announce it publicly. They could have held some
private talks with Microsoft.
And we can trust all those people at Microsoft are loyal Americans who
would not reveal any information? Oh wait, most of them aren't even
Americans cause Bill Gates is the biggest pusher for bringing in foreign
IT workers. Yeah, that's gonna work. And we all know how good all
these people are at keeping secrets.
Don't expect me to defend Microsoft ....
Post by Bill Gunshannon
Post by David Froble
I'm not against sneaky intel people, I just feel that periodically they
need to understand who they are suppose to be protecting. The NSA has
failed every US citizen who may have suffered damages.
The NSA did it's job. Releasing that information wold not have been
protecting us because it would have reduced their ability to do their
job. If anyone failed the US citizen it is the NIST and CERT who's
job it actually is to do this research on our behalf.
Can you compare the budgets of NSA and those other organizations?
Perhaps one has much more resources?
Irrelevant. Has nothing to do with what their jobs are. Can you
compare the budgets of HP/HPE and VSI. Perhaps one has more resources.
Doesn't mean the one with more resources sees VMS as strategic.
Post by David Froble
I really have a hard time understanding what you think the NSA's job is,
if it's not serving the US public?
It is serving the US public. Just not in the manner you think they
should. Using your logic DOD is not "serving the US public" because
the Army isn't out picking up litter along our roads.
Post by David Froble
Maybe someone else should be funding them?
Or maybe they should just do their job regardless of whether or not you
think it's what they should be doing.

bill
u***@gmail.com
2017-05-14 10:14:36 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Post by David Froble
Post by Bill Gunshannon
Post by David Froble
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was
obviously weendoze ....
The sad thing is, NSA knowing about the problem, and being much more
interested in invading computers than protecting the clueless people
(us) they work for. They could have had Microsoft putting out fixes long
ago. Not that everyone would have installed the fixes ....
If you knew anything at all about the Intel world you would know that
you never reveal what you know because the usually lets the bad guys
learn not only what you know, but how you learned it.
bill
The problem with that, and it is a problem, is that those intel types
are suppose to be working for us. You know, the people paying the taxes.
That is truly wishful thinking. The local politicians don't work for
you why would you think someone at NSA does. NSA has one mandate. Use
Inteligence methods to protect the United States.
Post by David Froble
Nor did the NSA have to announce it publicly. They could have held some
private talks with Microsoft.
And we can trust all those people at Microsoft are loyal Americans who
would not reveal any information? Oh wait, most of them aren't even
Americans cause Bill Gates is the biggest pusher for bringing in foreign
IT workers. Yeah, that's gonna work. And we all know how good all
these people are at keeping secrets.
Post by David Froble
I'm not against sneaky intel people, I just feel that periodically they
need to understand who they are suppose to be protecting. The NSA has
failed every US citizen who may have suffered damages.
The NSA did it's job. Releasing that information wold not have been
protecting us because it would have reduced their ability to do their
job. If anyone failed the US citizen it is the NIST and CERT who's job
it actually is to do this research on our behalf.
And, just to get this at least a little bit on topic...
I know VMS can export filesystems for NFS mounts on desktop and server
Windows machines. Not sure about SMB. But, given this scenario could
the ransomware pirates have used an exploit in a Windows box to encrypt
the filesystem on a VMS system? How up to date are those backups?
bill
not if you properly secure your user accouts
Bill Gunshannon
2017-05-14 13:40:31 UTC
Permalink
Raw Message
Post by u***@gmail.com
Post by Bill Gunshannon
Post by David Froble
Post by Bill Gunshannon
Post by David Froble
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was
obviously weendoze ....
The sad thing is, NSA knowing about the problem, and being much more
interested in invading computers than protecting the clueless people
(us) they work for. They could have had Microsoft putting out fixes long
ago. Not that everyone would have installed the fixes ....
If you knew anything at all about the Intel world you would know that
you never reveal what you know because the usually lets the bad guys
learn not only what you know, but how you learned it.
bill
The problem with that, and it is a problem, is that those intel types
are suppose to be working for us. You know, the people paying the taxes.
That is truly wishful thinking. The local politicians don't work for
you why would you think someone at NSA does. NSA has one mandate. Use
Inteligence methods to protect the United States.
Post by David Froble
Nor did the NSA have to announce it publicly. They could have held some
private talks with Microsoft.
And we can trust all those people at Microsoft are loyal Americans who
would not reveal any information? Oh wait, most of them aren't even
Americans cause Bill Gates is the biggest pusher for bringing in foreign
IT workers. Yeah, that's gonna work. And we all know how good all
these people are at keeping secrets.
Post by David Froble
I'm not against sneaky intel people, I just feel that periodically they
need to understand who they are suppose to be protecting. The NSA has
failed every US citizen who may have suffered damages.
The NSA did it's job. Releasing that information wold not have been
protecting us because it would have reduced their ability to do their
job. If anyone failed the US citizen it is the NIST and CERT who's job
it actually is to do this research on our behalf.
And, just to get this at least a little bit on topic...
I know VMS can export filesystems for NFS mounts on desktop and server
Windows machines. Not sure about SMB. But, given this scenario could
the ransomware pirates have used an exploit in a Windows box to encrypt
the filesystem on a VMS system? How up to date are those backups?
bill
not if you properly secure your user accouts
Well, that's always true. If the Windows boxes involved were "properly
secured" none of this would ever have happened. But reality is they
frequently are not. So the question remains if a filesystem is mounted
on a Windows box from VMS using either NFS or SMB (if that exists),
assuming the filesystem is usable on the Windows box and not read-only,
is it likely that this ransomware exploit could encrypt the VMS
filesystem?

bill
Simon Clubley
2017-05-14 15:31:23 UTC
Permalink
Raw Message
Post by Bill Gunshannon
So the question remains if a filesystem is mounted
on a Windows box from VMS using either NFS or SMB (if that exists),
assuming the filesystem is usable on the Windows box and not read-only,
is it likely that this ransomware exploit could encrypt the VMS
filesystem?
It generally doesn't encrypt the filesystem, it encrypts the files
present on the filesystem. It can also potentially be selective about
what it considers to be worthwhile encrypting as well.

However, having said that, yes, if the malware running under Windows
scanned all volumes visible to Windows and not just the local
physically attached ones then yes, any candidate files on the VMS
system which the PC user had write access to would also be encrypted.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Bill Gunshannon
2017-05-14 20:01:00 UTC
Permalink
Raw Message
Post by Simon Clubley
Post by Bill Gunshannon
So the question remains if a filesystem is mounted
on a Windows box from VMS using either NFS or SMB (if that exists),
assuming the filesystem is usable on the Windows box and not read-only,
is it likely that this ransomware exploit could encrypt the VMS
filesystem?
It generally doesn't encrypt the filesystem, it encrypts the files
present on the filesystem. It can also potentially be selective about
what it considers to be worthwhile encrypting as well.
I haven't really been following this kind of attack closely as being
retired it really isn't much of a problem to me (unless someone decides
to hire me to bail them out :-) but I remember many years ago one of
the better known ransomware pirates was encrypting the entire low-level
format of the disk. Not just data but disk structure and metadata as
well.
Post by Simon Clubley
However, having said that, yes, if the malware running under Windows
scanned all volumes visible to Windows and not just the local
physically attached ones then yes, any candidate files on the VMS
system which the PC user had write access to would also be encrypted.
So then, while it wouldn't be VMS' fault VMS systems are susceptible
to current malware attacks. Think about it. Might be even harder to
recover even if you paid the ransom as I am sure the recovery tool
doesn't run on VMS.

bill
Simon Clubley
2017-05-15 12:30:57 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Post by Simon Clubley
However, having said that, yes, if the malware running under Windows
scanned all volumes visible to Windows and not just the local
physically attached ones then yes, any candidate files on the VMS
system which the PC user had write access to would also be encrypted.
So then, while it wouldn't be VMS' fault VMS systems are susceptible
to current malware attacks. Think about it. Might be even harder to
recover even if you paid the ransom as I am sure the recovery tool
doesn't run on VMS.
Why does it need to run on VMS ?

If the code which encrypted the VMS files runs on Windows, then
presumably that's where the recovery code will run as well.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Arne Vajhøj
2017-05-14 18:31:52 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Well, that's always true. If the Windows boxes involved were "properly
secured" none of this would ever have happened. But reality is they
frequently are not. So the question remains if a filesystem is mounted
on a Windows box from VMS using either NFS or SMB (if that exists),
assuming the filesystem is usable on the Windows box and not read-only,
is it likely that this ransomware exploit could encrypt the VMS
filesystem?
Depends on the type of IO the ransomware use to access the files.

Requiring a local disk => no problem.

Transparent whether file on local disk or network drive => potential
problem.

You would need to look at the malware to determine it.

I find it rather likely that the IO is transparent, so if you don't
check then I think you should assume that it potentially can encrypt
everything it has write access to.

Arne
Stephen Hoffman
2017-05-15 16:11:30 UTC
Permalink
Raw Message
Post by u***@gmail.com
Post by Bill Gunshannon
I know VMS can export filesystems for NFS mounts on desktop and server
Windows machines. Not sure about SMB. But, given this scenario could
the ransomware pirates have used an exploit in a Windows box to encrypt
the filesystem on a VMS system? How up to date are those backups?
Yes, the files on the exports can be encrypted by the clients with
write access. At least one version of the recent mess issues the
equivalent of SET PROTECTION=W:RWED on all storage and all shares, too.
That'll take a while to clean up, just as soon as the first
admin-access user gets hit.
Post by u***@gmail.com
not if you properly secure your user accouts
False. It's down-revision Windows clients that would encrypt the files
on the SMB share.
--
Pure Personal Opinion | HoffmanLabs LLC
Arne Vajhøj
2017-05-14 14:19:54 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Post by David Froble
Nor did the NSA have to announce it publicly. They could have held some
private talks with Microsoft.
And we can trust all those people at Microsoft are loyal Americans who
would not reveal any information? Oh wait, most of them aren't even
Americans cause Bill Gates is the biggest pusher for bringing in foreign
IT workers. Yeah, that's gonna work. And we all know how good all
these people are at keeping secrets.
Probably not important for the main point, but MS != Bill Gates.

Bill Gates stepped down as CEO in 2000. Left their senior
management in 2006. Stepped down as chairman of the board 2014.

He has been selling off MS shares for many years. Since 2014
he has not been the biggest shareholder. And today his
ownership should be down to about 2%.

(2% of MS is still a lot of money)

Arne
Bill Gunshannon
2017-05-14 19:56:09 UTC
Permalink
Raw Message
Post by Arne Vajhøj
Post by Bill Gunshannon
Post by David Froble
Nor did the NSA have to announce it publicly. They could have held some
private talks with Microsoft.
And we can trust all those people at Microsoft are loyal Americans who
would not reveal any information? Oh wait, most of them aren't even
Americans cause Bill Gates is the biggest pusher for bringing in foreign
IT workers. Yeah, that's gonna work. And we all know how good all
these people are at keeping secrets.
Probably not important for the main point, but MS != Bill Gates.
Bill Gates stepped down as CEO in 2000. Left their senior
management in 2006. Stepped down as chairman of the board 2014.
He has been selling off MS shares for many years. Since 2014
he has not been the biggest shareholder. And today his
ownership should be down to about 2%.
(2% of MS is still a lot of money)
Arne
Ignatius of Loyola died 450 years ago. Would you say his
legacy has no more influence on the the University I retired
from 2 years ago?

bill
Arne Vajhøj
2017-05-15 00:15:48 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Post by Arne Vajhøj
Post by Bill Gunshannon
Post by David Froble
Nor did the NSA have to announce it publicly. They could have held some
private talks with Microsoft.
And we can trust all those people at Microsoft are loyal Americans who
would not reveal any information? Oh wait, most of them aren't even
Americans cause Bill Gates is the biggest pusher for bringing in foreign
IT workers. Yeah, that's gonna work. And we all know how good all
these people are at keeping secrets.
Probably not important for the main point, but MS != Bill Gates.
Bill Gates stepped down as CEO in 2000. Left their senior
management in 2006. Stepped down as chairman of the board 2014.
He has been selling off MS shares for many years. Since 2014
he has not been the biggest shareholder. And today his
ownership should be down to about 2%.
(2% of MS is still a lot of money)
Ignatius of Loyola died 450 years ago. Would you say his
legacy has no more influence on the the University I retired
from 2 years ago?
I am sure that Bill Gates legacy still has a significant impact on MS.

But they are not the same. The overlap of point of view is not 0%
but it is not 100% either.

Just like I will assume your university and Ignatius of Loyola
does not have 0% or 100% overlap of point of views.

Arne
Kerry Main
2017-05-15 01:40:37 UTC
Permalink
Raw Message
-----Original Message-----
Vajhøj via Info-vax
Sent: May 14, 2017 8:16 PM
Subject: Re: [Info-vax] Huge Cyber Attack Plunges NHS Into Chaos,
'Ransomware' Brings Down IT Systems
Post by Bill Gunshannon
Post by Arne Vajhøj
Post by Bill Gunshannon
Post by David Froble
Nor did the NSA have to announce it publicly. They could have
held
Post by Bill Gunshannon
Post by Arne Vajhøj
Post by Bill Gunshannon
Post by David Froble
some
private talks with Microsoft.
And we can trust all those people at Microsoft are loyal Americans
who
Post by Bill Gunshannon
Post by Arne Vajhøj
Post by Bill Gunshannon
would not reveal any information? Oh wait, most of them aren't
even
Post by Bill Gunshannon
Post by Arne Vajhøj
Post by Bill Gunshannon
Americans cause Bill Gates is the biggest pusher for bringing in
foreign
Post by Bill Gunshannon
Post by Arne Vajhøj
Post by Bill Gunshannon
IT workers. Yeah, that's gonna work. And we all know how good all
these people are at keeping secrets.
Probably not important for the main point, but MS != Bill Gates.
Bill Gates stepped down as CEO in 2000. Left their senior
management in 2006. Stepped down as chairman of the board 2014.
He has been selling off MS shares for many years. Since 2014
he has not been the biggest shareholder. And today his
ownership should be down to about 2%.
(2% of MS is still a lot of money)
Ignatius of Loyola died 450 years ago. Would you say his
legacy has no more influence on the the University I retired
from 2 years ago?
I am sure that Bill Gates legacy still has a significant impact on MS.
But they are not the same. The overlap of point of view is not 0%
but it is not 100% either.
Just like I will assume your university and Ignatius of Loyola
does not have 0% or 100% overlap of point of views.
Arne
While many like to ridicule Bill Gates, one needs to remember that he is
also by far the one who has given the most $'s to global charities.

A couple of years back, the totals were Bill Gates - $26B (via the Bill
Gates Foundation), Warren Buffet - $5B and others further down the list.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
Scott Dorsey
2017-05-15 02:08:10 UTC
Permalink
Raw Message
Post by Arne Vajhøj
Post by Bill Gunshannon
Ignatius of Loyola died 450 years ago. Would you say his
legacy has no more influence on the the University I retired
from 2 years ago?
I am sure that Bill Gates legacy still has a significant impact on MS.
But they are not the same. The overlap of point of view is not 0%
but it is not 100% either.
Just like I will assume your university and Ignatius of Loyola
does not have 0% or 100% overlap of point of views.
I assure you that Ignatius of Loyola would never have approved of
last-minute exam cramming, for instance. But I'm willing to bet that
students do it anyway. Clearly the influence is limited.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
u***@gmail.com
2017-05-14 10:12:42 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Post by David Froble
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was
obviously weendoze ....
The sad thing is, NSA knowing about the problem, and being much more
interested in invading computers than protecting the clueless people
(us) they work for. They could have had Microsoft putting out fixes long
ago. Not that everyone would have installed the fixes ....
If you knew anything at all about the Intel world you would know that
you never reveal what you know because the usually lets the bad guys
learn not only what you know, but how you learned it.
bill
I will tell a secret now. It is garbage, a single user unsecure os
trying to be a muliuser secure os.
Bill Gunshannon
2017-05-14 13:47:43 UTC
Permalink
Raw Message
Post by u***@gmail.com
Post by Bill Gunshannon
Post by David Froble
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was
obviously weendoze ....
The sad thing is, NSA knowing about the problem, and being much more
interested in invading computers than protecting the clueless people
(us) they work for. They could have had Microsoft putting out fixes long
ago. Not that everyone would have installed the fixes ....
If you knew anything at all about the Intel world you would know that
you never reveal what you know because the usually lets the bad guys
learn not only what you know, but how you learned it.
bill
I will tell a secret now. It is garbage, a single user unsecure os
trying to be a muliuser secure os.
Matter of opinion and irrelevant because like it or not, it is the state
of current IT in the world today. And VMS is not going to replace it.

I ran Windows servers for over 20 years (starting with NT 3.51 all the
way up through 2012 which was current when I retired). As an academic
institution we were constantly under attack (once had an Air Force site
attacking us and the guy I called on the phone got very irate that I
would have the nerve to question his actions!) We had only one breach
in all that time and it was to a user account where the user had been
using his local system password as his password at every website that
required a login. Wanna guess how many of them actually encrypt
passwords at all? Windows can be secure while still maintaining
functionality. Few places actually know how to do it and you don't
learn that from MCSE certification.

bill
Simon Clubley
2017-05-14 15:23:24 UTC
Permalink
Raw Message
Post by Bill Gunshannon
I ran Windows servers for over 20 years (starting with NT 3.51 all the
way up through 2012 which was current when I retired). As an academic
institution we were constantly under attack (once had an Air Force site
attacking us and the guy I called on the phone got very irate that I
would have the nerve to question his actions!) We had only one breach
in all that time and it was to a user account where the user had been
using his local system password as his password at every website that
required a login. Wanna guess how many of them actually encrypt
passwords at all? Windows can be secure while still maintaining
functionality. Few places actually know how to do it and you don't
learn that from MCSE certification.
Correction: you only had one breach that you _knew_ about.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Bill Gunshannon
2017-05-14 20:02:23 UTC
Permalink
Raw Message
Post by Simon Clubley
Post by Bill Gunshannon
I ran Windows servers for over 20 years (starting with NT 3.51 all the
way up through 2012 which was current when I retired). As an academic
institution we were constantly under attack (once had an Air Force site
attacking us and the guy I called on the phone got very irate that I
would have the nerve to question his actions!) We had only one breach
in all that time and it was to a user account where the user had been
using his local system password as his password at every website that
required a login. Wanna guess how many of them actually encrypt
passwords at all? Windows can be secure while still maintaining
functionality. Few places actually know how to do it and you don't
learn that from MCSE certification.
Correction: you only had one breach that you _knew_ about.
Well, lets just say that I only had one more than all the VMS systems in
the world.

bill
Bill Gunshannon
2017-05-14 20:40:41 UTC
Permalink
Raw Message
Post by Bill Gunshannon
Post by Simon Clubley
Post by Bill Gunshannon
I ran Windows servers for over 20 years (starting with NT 3.51 all the
way up through 2012 which was current when I retired). As an academic
institution we were constantly under attack (once had an Air Force site
attacking us and the guy I called on the phone got very irate that I
would have the nerve to question his actions!) We had only one breach
in all that time and it was to a user account where the user had been
using his local system password as his password at every website that
required a login. Wanna guess how many of them actually encrypt
passwords at all? Windows can be secure while still maintaining
functionality. Few places actually know how to do it and you don't
learn that from MCSE certification.
Correction: you only had one breach that you _knew_ about.
Well, lets just say that I only had one more than all the VMS systems in
the world.
And let's clarify even that one. A student gave his password away. An
outsider logged into his account and modified his web page. Was that a
systems breach? If someone did the same thing on a VMS system would you
consider the VMS system to have been breached? If so, then I can give
you dozens (if not hundreds) of examples where this was, in fact, done.
And not even by someone giving out their password. The passwords were
acquired using a fake login program running on VMS being connected to
from VT-100 terminals on DECServer 200's. Would that be considered a
systems breach?


bill
Scott Dorsey
2017-05-15 02:06:15 UTC
Permalink
Raw Message
Post by Bill Gunshannon
And let's clarify even that one. A student gave his password away. An
outsider logged into his account and modified his web page. Was that a
systems breach? If someone did the same thing on a VMS system would you
consider the VMS system to have been breached? If so, then I can give
you dozens (if not hundreds) of examples where this was, in fact, done.
And not even by someone giving out their password. The passwords were
acquired using a fake login program running on VMS being connected to
from VT-100 terminals on DECServer 200's. Would that be considered a
systems breach?
Most definitely. As was the time when we got a Fortran compiler update
tape in the mail and installed it and found it created a number of new
privileged accounts instead of updating the compiler. It turned out that
the tape wasn't sent by DEC at all.

I have seen a lot of systems breaches on a lot of systems over the years
but that one was my absolute favorite. We never found the guys that did it,
but I'd love to buy them a beer.

Unlike those guys in Spain who set themselves up a fake DECNET area on SPAN
using our number....
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Bill Gunshannon
2017-05-15 11:23:19 UTC
Permalink
Raw Message
Post by Scott Dorsey
Post by Bill Gunshannon
And let's clarify even that one. A student gave his password away. An
outsider logged into his account and modified his web page. Was that a
systems breach? If someone did the same thing on a VMS system would you
consider the VMS system to have been breached? If so, then I can give
you dozens (if not hundreds) of examples where this was, in fact, done.
And not even by someone giving out their password. The passwords were
acquired using a fake login program running on VMS being connected to
from VT-100 terminals on DECServer 200's. Would that be considered a
systems breach?
Most definitely. As was the time when we got a Fortran compiler update
tape in the mail and installed it and found it created a number of new
privileged accounts instead of updating the compiler. It turned out that
the tape wasn't sent by DEC at all.
Have you ever read Ken Thompson's Turing Award Speech? It is, bay far,
a classic.
Post by Scott Dorsey
I have seen a lot of systems breaches on a lot of systems over the years
but that one was my absolute favorite. We never found the guys that did it,
but I'd love to buy them a beer.
Unlike those guys in Spain who set themselves up a fake DECNET area on SPAN
using our number....
--scott
bill
Simon Clubley
2017-05-15 12:36:20 UTC
Permalink
Raw Message
Post by Bill Gunshannon
And not even by someone giving out their password. The passwords were
acquired using a fake login program running on VMS being connected to
from VT-100 terminals on DECServer 200's. Would that be considered a
systems breach?
Yes it is and that is actually a massive security breach.

No user application running on VMS should ever be able to fake the
login process in this way.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Bill Gunshannon
2017-05-15 14:26:02 UTC
Permalink
Raw Message
Post by Simon Clubley
Post by Bill Gunshannon
And not even by someone giving out their password. The passwords were
acquired using a fake login program running on VMS being connected to
from VT-100 terminals on DECServer 200's. Would that be considered a
systems breach?
Yes it is and that is actually a massive security breach.
No user application running on VMS should ever be able to fake the
login process in this way.
Simon.
And just how would you have prevented it? Remember, this is pre-90's.
And, being student machines, you are greatly limited in how you can
stop them from doing anything. (that is, of course, the same problem
admins have with Windows today. I can lock a machine down so tight
it could never be hacked. Of course the users wouldn't be able to
use it either!! ;-)

bill
David Froble
2017-05-15 16:31:57 UTC
Permalink
Raw Message
Post by Simon Clubley
Post by Bill Gunshannon
And not even by someone giving out their password. The passwords were
acquired using a fake login program running on VMS being connected to
from VT-100 terminals on DECServer 200's. Would that be considered a
systems breach?
Yes it is and that is actually a massive security breach.
No user application running on VMS should ever be able to fake the
login process in this way.
I'm not sure how you'd stop such activity, unless you greatly restricted the
devices a non-prived user could access. Sometimes that's not desirable.

Myself, I found ZOOP entertaining, and made up my own back in the RSTS days.
Bill Gunshannon
2017-05-15 17:27:50 UTC
Permalink
Raw Message
Post by David Froble
Post by Simon Clubley
Post by Bill Gunshannon
And not even by someone giving out their password. The passwords were
acquired using a fake login program running on VMS being connected to
from VT-100 terminals on DECServer 200's. Would that be considered a
systems breach?
Yes it is and that is actually a massive security breach.
No user application running on VMS should ever be able to fake the
login process in this way.
I'm not sure how you'd stop such activity, unless you greatly restricted
the devices a non-prived user could access. Sometimes that's not
desirable.
Myself, I found ZOOP entertaining, and made up my own back in the RSTS days.
As usual, people here seem to be overthinking this. Students used to
leave a terminal logged in to the VAX with a user level program running
that spoofed the login process. so that the person, student, faculty or
staff, who followed them in the public lab would sit down, see the
LOGIN prompt and proceed to type their username and password. The
system would say Invalid login (whatever the real message was, I don't
remember) and then do a logoff. The user would hit return, get another
prompt and successfully login never realizing that they had just been
hacked. I know how to prevent this, but I can tell you from experience
that it was done in our labs for quite sometime until they finally had
a Sysadmin who recognized it and put a stop to it. (Hi Lori, if your
reading this!!)

bill
j***@yahoo.co.uk
2017-05-16 07:52:00 UTC
Permalink
Raw Message
Post by David Froble
Post by Simon Clubley
Post by Bill Gunshannon
And not even by someone giving out their password. The passwords were
acquired using a fake login program running on VMS being connected to
from VT-100 terminals on DECServer 200's. Would that be considered a
systems breach?
Yes it is and that is actually a massive security breach.
No user application running on VMS should ever be able to fake the
login process in this way.
I'm not sure how you'd stop such activity, unless you greatly restricted the
devices a non-prived user could access. Sometimes that's not desirable.
Myself, I found ZOOP entertaining, and made up my own back in the RSTS days.
In the days of hard wired terminals, the way to avoid "password
grabber" programs was documented in the VMS Guide to System
Security. It probably still is. It required the system manager
and the end user to be reasonably well informed, or at least
able to follow simple documented security processes, so it may
not work nowadays in many organisations, even if it was still
technically relevant.

Different considerations apply with the world of network-connected
terminals (LAT, SET HOST, TELNET/SSH, etc). There may be no single
universal solution.

Not sure quite where this leads. Meanwhile...

Has anybody not watched last year's movie/documentary "Zero
Days" yet? The non-techy one about Stuxnet? The Stuxnet that
went public in 2010, which should have been the first of
several very public wakeup calls to complacent IT
departments and their supervisors?

Stuxnet was made more complicated (*much* more complicated)
by its need to target specific systems on specific sites
and to remain unnoticed elsewhere, and also by its need to
muck around deep inside non-Windows boxes (the automation
kit involved).

Causing chaos in a network of Window boxes (whether up to
date or not) is clearly trivial by comparison.

Now might be a good time for those ill-informed IT bosses
(and their supervisors) to catch up, rather than paying
attention to some of the less well-informed media hype
currently being passed around.

https://en.wikipedia.org/wiki/Stuxnet
https://en.wikipedia.org/wiki/Zero_Days
Kerry Main
2017-05-20 13:29:24 UTC
Permalink
Raw Message
-----Original Message-----
johnwallace4--- via Info-vax
Sent: May 16, 2017 3:52 AM
Subject: Re: [Info-vax] Huge Cyber Attack Plunges NHS Into Chaos,
'Ransomware' Brings Down IT Systems
Post by David Froble
Post by Simon Clubley
Post by Bill Gunshannon
And not even by someone giving out their password. The
passwords were
Post by David Froble
Post by Simon Clubley
Post by Bill Gunshannon
acquired using a fake login program running on VMS being
connected to
Post by David Froble
Post by Simon Clubley
Post by Bill Gunshannon
from VT-100 terminals on DECServer 200's. Would that be
considered a
Post by David Froble
Post by Simon Clubley
Post by Bill Gunshannon
systems breach?
Yes it is and that is actually a massive security breach.
No user application running on VMS should ever be able to fake the
login process in this way.
I'm not sure how you'd stop such activity, unless you greatly
restricted
the
Post by David Froble
devices a non-prived user could access. Sometimes that's not
desirable.
Post by David Froble
Myself, I found ZOOP entertaining, and made up my own back in the
RSTS days.
In the days of hard wired terminals, the way to avoid "password
grabber" programs was documented in the VMS Guide to System
Security. It probably still is. It required the system manager
and the end user to be reasonably well informed, or at least
able to follow simple documented security processes, so it may
not work nowadays in many organisations, even if it was still
technically relevant.
Correct - with terminals and assuming a terminal server is used, from
the OpenVMS V8.4 security guide:
"Before you log into a terminal that is already on, invoke the secure
terminal server feature (if enabled) by pressing the Break key. The
secure server ensures that the OpenVMS login program is the only program
able to receive your login and thereby eliminates the possibility of
revealing a password to a password grabber program. This is particularly
relevant when you are working in a public terminal room."

This is not much different than the way current versions Windows
prevents such an attack - the user mgmt. allows the capability to
require a <ctrl-alt-delete> before presenting the login screen on a new
or locked login session. A ctrl-alt-delete drops any connection to a
prog currently running and forces a new login session.

[snip...]


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
Stephen Hoffman
2017-05-15 16:07:51 UTC
Permalink
Raw Message
Post by u***@gmail.com
I will tell a secret now. It is garbage, a single user unsecure os
trying to be a muliuser secure os.
Business and financial decisions eclipse decisions of technical
elegance. That, and Windows and Windows Server and Linux servers
solve the problems that folks have, at prices the folks are willing to
pay. with tools that the folks are familiar with using or are willing
to learn. OpenVMS doesn't (yet) provide those benefits for enough
folks. Not outside of the installed base. VSI is certainly working
to address these and other areas secondary to getting the installed
base on VSI releases, but related efforts will take five or ten years
to really get rolling across VSI and partners and end-users, and that's
at the earliest.


Some experiments for you to try, with some common tasks system managers
and developers commonly encounter both on OpenVMS and on other
platforms:

...Go try installing OpenVMS with a current and secure web server,
secure versions of php and Java, with a secure version of SMB, with a
malware scan for files stored on the SMB share. For extra credit,
implement all this on OpenVMS cluster configuration that can't be
trivially monitored by a breached device on the local LAN; without
depending on a restricted-access LAN, with SMTP and IP network failover
across hosts in the cluster.

...Go try implementing a client-server application using a current,
secure TLSv1.3 connection on OpenVMS, checking both client and server
certificates against common certificate authorities and defending
against common interception attacks.
--
Pure Personal Opinion | HoffmanLabs LLC
Kerry Main
2017-05-20 12:39:56 UTC
Permalink
Raw Message
-----Original Message-----
Stephen Hoffman via Info-vax
Sent: May 15, 2017 12:08 PM
Subject: Re: [Info-vax] Huge Cyber Attack Plunges NHS Into Chaos,
'Ransomware' Brings Down IT Systems
Post by u***@gmail.com
I will tell a secret now. It is garbage, a single user unsecure os
trying to be a muliuser secure os.
Business and financial decisions eclipse decisions of technical
elegance. That, and Windows and Windows Server and Linux servers
solve the problems that folks have, at prices the folks are willing to
pay. with tools that the folks are familiar with using or are willing
to learn.
As the old saying goes, nothing is free in this world.

While the marketing hype says gmail is free, the reality is the cost of
your privacy.

As stated clearly in their privacy agreement (which most simply click I
accept), I am sure most people do not know (or even care?) that Google
scans all their Gmail and sells (oops "shares") with their "partners".

How much is your privacy worth?
OpenVMS doesn't (yet) provide those benefits for enough
folks. Not outside of the installed base. VSI is certainly working
to address these and other areas secondary to getting the installed
base on VSI releases, but related efforts will take five or ten years
to really get rolling across VSI and partners and end-users, and that's
at the earliest.
Imho, 2017-2020 are transition years for VSI OpenVMS from being
supported by a HW provider (DEC/Compaq/HP) who was primarily interested
in OS's as a means to sell new server, storage, and network
infrastructure to a software based company (VSI) that is 100% focussed
on selling added value based on the core product.

That is not something which happens overnight.
Some experiments for you to try, with some common tasks system
managers
and developers commonly encounter both on OpenVMS and on other
...Go try installing OpenVMS with a current and secure web server,
secure versions of php and Java, with a secure version of SMB, with a
malware scan for files stored on the SMB share. For extra credit,
implement all this on OpenVMS cluster configuration that can't be
trivially monitored by a breached device on the local LAN; without
depending on a restricted-access LAN, with SMTP and IP network
failover
across hosts in the cluster.
...Go try implementing a client-server application using a current,
secure TLSv1.3 connection on OpenVMS, checking both client and server
certificates against common certificate authorities and defending
against common interception attacks.
Perhaps I am missing something here, but is not tlsv1.3 still in draft
mode?

May 04, 2017:
<https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>
" The forthcoming OpenSSL 1.1.1 release will include support for
TLSv1.3. The new release will be binary and API compatible with OpenSSL
1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all
you need to do to upgrade is to drop in the new version of OpenSSL when
it becomes available and you will automatically start being able to use
TLSv1.3. However there are some issues that application developers and
deployers need to be aware of. In this blog post I am going to cover
some of those things."

" As of the time of writing TLSv1.3 is still in draft. Periodically a
new version of the draft standard is published by the TLS Working Group.
Implementations of the draft are required to identify the specific draft
version that they are using. This means that implementations based on
different draft versions do not interoperate with each other."

In terms of a secure web server on OpenVMS:
< https://wasd.vsm.com.au/wasd_root/doc/features/features_0400.html>
<https://wasd.vsm.com.au/wasd_root/doc/features/>

Of course there is lots of room for improvement in many areas, but
recent and upcoming enhancements like Java 8, new file system, x86-64
platform, potentially new license / support models etc. are all major
core enhancements which will position VSI OpenVMS for growth in the
2020+ timeframes.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
--
Pure Personal Opinion | HoffmanLabs LLC
_______________________________________________
Info-vax mailing list
http://rbnsn.com/mailman/listinfo/info-vax_rbnsn.com
u***@gmail.com
2017-05-21 21:09:49 UTC
Permalink
Raw Message
Post by Kerry Main
-----Original Message-----
Stephen Hoffman via Info-vax
Sent: May 15, 2017 12:08 PM
Subject: Re: [Info-vax] Huge Cyber Attack Plunges NHS Into Chaos,
'Ransomware' Brings Down IT Systems
Post by u***@gmail.com
I will tell a secret now. It is garbage, a single user unsecure os
trying to be a muliuser secure os.
Business and financial decisions eclipse decisions of technical
elegance. That, and Windows and Windows Server and Linux servers
solve the problems that folks have, at prices the folks are willing to
pay. with tools that the folks are familiar with using or are willing
to learn.
As the old saying goes, nothing is free in this world.
While the marketing hype says gmail is free, the reality is the cost of
your privacy.
As stated clearly in their privacy agreement (which most simply click I
accept), I am sure most people do not know (or even care?) that Google
scans all their Gmail and sells (oops "shares") with their "partners".
How much is your privacy worth?
OpenVMS doesn't (yet) provide those benefits for enough
folks. Not outside of the installed base. VSI is certainly working
to address these and other areas secondary to getting the installed
base on VSI releases, but related efforts will take five or ten years
to really get rolling across VSI and partners and end-users, and
that's
at the earliest.
Imho, 2017-2020 are transition years for VSI OpenVMS from being
supported by a HW provider (DEC/Compaq/HP) who was primarily interested
in OS's as a means to sell new server, storage, and network
infrastructure to a software based company (VSI) that is 100% focussed
on selling added value based on the core product.
That is not something which happens overnight.
Some experiments for you to try, with some common tasks system managers
and developers commonly encounter both on OpenVMS and on other
...Go try installing OpenVMS with a current and secure web server,
secure versions of php and Java, with a secure version of SMB, with a
malware scan for files stored on the SMB share. For extra credit,
implement all this on OpenVMS cluster configuration that can't be
trivially monitored by a breached device on the local LAN; without
depending on a restricted-access LAN, with SMTP and IP network failover
across hosts in the cluster.
...Go try implementing a client-server application using a current,
secure TLSv1.3 connection on OpenVMS, checking both client and server
certificates against common certificate authorities and defending
against common interception attacks.
Perhaps I am missing something here, but is not tlsv1.3 still in draft
mode?
<https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>
" The forthcoming OpenSSL 1.1.1 release will include support for
TLSv1.3. The new release will be binary and API compatible with OpenSSL
1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all
you need to do to upgrade is to drop in the new version of OpenSSL when
it becomes available and you will automatically start being able to use
TLSv1.3. However there are some issues that application developers and
deployers need to be aware of. In this blog post I am going to cover
some of those things."
" As of the time of writing TLSv1.3 is still in draft. Periodically a
new version of the draft standard is published by the TLS Working Group.
Implementations of the draft are required to identify the specific draft
version that they are using. This means that implementations based on
different draft versions do not interoperate with each other."
< https://wasd.vsm.com.au/wasd_root/doc/features/features_0400.html>
<https://wasd.vsm.com.au/wasd_root/doc/features/>
Of course there is lots of room for improvement in many areas, but
recent and upcoming enhancements like Java 8, new file system, x86-64
platform, potentially new license / support models etc. are all major
core enhancements which will position VSI OpenVMS for growth in the
2020+ timeframes.
Regards,
Kerry Main
Kerry dot main at starkgaming dot com
--
Pure Personal Opinion | HoffmanLabs LLC
_______________________________________________
Info-vax mailing list
http://rbnsn.com/mailman/listinfo/info-vax_rbnsn.com
I'll bet you purveyor on openvms is more secure than any windows
server :)
V***@SendSpamHere.ORG
2017-05-14 13:34:33 UTC
Permalink
Raw Message
Post by David Froble
Post by V***@SendSpamHere.ORG
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
... and I thought NHS was on VMS. Colin???
Some equipment could have imbedded systems, and, the office stuff was obviously
weendoze ....
The sad thing is, NSA knowing about the problem, and being much more interested
in invading computers than protecting the clueless people (us) they work for.
They could have had Microsoft putting out fixes long ago. Not that everyone
would have installed the fixes ....
Makes me feel all warm-'n'-fuzzy that I've never had it and never will! Albeit, I
would like to find somebody with WEENDOZE to download some data from a device for
me due to the manufacturer having crawled into bed with Micro$uck and thus, there
is only a WEENDOZE comm utility for it.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

I speak to machines with the voice of humanity.
u***@gmail.com
2017-05-14 10:45:51 UTC
Permalink
Raw Message
Post by u***@gmail.com
http://youtu.be/QImU_2mZ2C8
use tcpip from process software and other auth they have like this


Two-factor authentication solution for OpenVMS systems
Read the latest issue of the (IN)SECURE Magazine

Process Software announced that it has achieved technical interoperability certification between the VMS Authentication Module and RSA SecurID two-factor authentication solution. This RSA Secured partner program certification signifies that a technical partnership has been extended to increase security for OpenVMS customers.

The VMS Authentication Module is being used at a large financial institution in Switzerland to give more than 1,000 customers secure access to a banking application running on several OpenVMS systems. “This organization provides customers with RSA SecurID cards for access to their personal financial information which is more secure than the use of static passwords,” said Heinz Genhart, GFR Software Solutions AG. “Process Software’s VMS Authentication Module API allowed us to easily integrate RSA SecurID agent software with this financial institution’s application.”

Process Software’s VMS Authentication Module software provides two implementation options. It can be incorporated into the normal OpenVMS login procedure or used to protect a particular application on the OpenVMS system. Once a user logs into the OpenVMS operating system using normal procedures, access to a specific applications is granted with a RSA SecurID card. The RSA SecurID agent is one of several authentication methods available that can be integrated into third-party applications using the VMS Authentication Module’s API.
Baldrick
2017-05-16 10:04:28 UTC
Permalink
Raw Message
...

* B I O D I V E R S I T Y * (that's biodiversity)

Our reliance and dependence on one single platform will be our undoing.

Well not those using mostly more reliable systems, no VMS systems in the NHS were harmed during the attack but I can't choose who my transport provider / healthcare booking provider / etc. use and they BLINDLY use this rubbish.

Windows 3.1 wasn't secure, how many goddamn iterations and its STILL not secure. Time to throw it away. I don't want your excuses about it, that emperor is NAKED and probably illegal in most states in the US.

Its only a matter of time before some terrorist group or other get something so blanket hitting everything current and near current takes down the globe.

STUXNET was a test, as was Friday, just a test, see if it works. We are all worried about what North Korea are up to and the general political situation, heck its all just a diversion from what REALLY going on ! Carry on, watch your football, your eurovisual pop concerts, but when the collapse comes don't say i didn't tell you so! Coffee anyone?

(pure opinion, as hoff says)
Stephen Hoffman
2017-05-16 15:04:30 UTC
Permalink
Raw Message
Post by Baldrick
...
* B I O D I V E R S I T Y * (that's biodiversity)
Our reliance and dependence on one single platform will be our undoing.
Well not those using mostly more reliable systems, no VMS systems in
the NHS were harmed during the attack but I can't choose who my
transport provider / healthcare booking provider / etc. use and they
BLINDLY use this rubbish.
The SMB worm patch for Windows XP was reportedly available to folks
with Microsoft support for Windows XP back in February.

As was previously linked, UK Government leadership made a decision not
to fund the associated maintenance and upgrades. They bet wrong.
These bets do sometimes go badly wrong, too.

Those bad bets and those security problems can and do happen with
OpenVMS servers, too. And yes, there have been "messes" on OpenVMS
servers, too. Hacked OpenVMS servers, et al.

BTW, a hacked Windows XP client box or IoT box or printer box on the
same network also has an easy view into SCS, DECnet, FTP and telnet,
too. Reliably isolating a network over time is not easy.

As for commodity software and hardware, businesses and governments have
chosen what is cheap and common and familiar, and what works well
enough. As do most customers, and of most products. Consolidation is
part of how this all works, at least until somebody has a much better
idea or product or service. OpenVMS isn't (yet?) all that and a bag
of chips either, though VSI is clearly working on that.

Right now, VSI is fully-committed on the port and on Kittson server
support and the rest of the roadmap, and on getting their business and
customer base to stable and increasing revenues. And particularly on
keeping that installed base happy, and necessarily. If y'all want VSI
to expand and to compete as a bespoke software provider, then the VSI
folks and third-party providers are going to have to provide
marketably-better features and capabilities and/or better prices, too.
Or VSI is going to need a whole lot more marketing caché, no pun
intended.
--
Pure Personal Opinion | HoffmanLabs LLC
Loading...