Discussion:
How would you load balance excess webserver traffic between multiple OpenVMS servers?
(too old to reply)
D W
2021-01-11 12:12:10 UTC
Permalink
There are MULTIPLE different approaches to doing this. Most involve HTTP (web) cookies and may involve DNS round robin load balancing or load balancers.

But how would this be accomplished using Apache or another web package on OpenVMS?

Would you use the same approach?

Also if you house a DB like RDB on a separate OpenVMS server, what would be the fastest connect solution to obtain the fastest data transport rates between the DB server and other web servers?
Arne Vajhøj
2021-01-11 13:34:35 UTC
Permalink
Post by D W
There are MULTIPLE different approaches to doing this. Most involve
HTTP (web) cookies and may involve DNS round robin load balancing or
load balancers.
But how would this be accomplished using Apache or another web
package on OpenVMS?
Would you use the same approach?
If HTTP requests for a given URL need to be spread out on multiple
web servers then some sort of load balancing is required.

In the IT industry in general having a dedicated load balancer or
having a network box in front with an embedded load balancer doing it
is common.

I am skeptical about DNS due to lack of handling of a web server
being down.

For VMS specifically there is also the cluster IP address, which
I have no idea whether will work well with a web server.

Cookies is not required for load balancing per se. If the requests
coming in are completely stateless then you don't need them. But if
there is state, then load balancers are usually able to route all
requests from same client to same web server (sticky session).
Post by D W
Also if you house a DB like RDB on a separate OpenVMS server, what
would be the fastest connect solution to obtain the fastest data
transport rates between the DB server and other web servers?
There is no silver bullet.

On the web servers you need the application code & data to stay resident
in memory and reuse threads/processes to process requests as
starting processes and loading images are expensive. And
the database connections need to be managed by a connection pool
as open connection is expensive (note that a connection pool
also require application code& data resident in memory).

You need a fast network between web servers and database servers.
Preferably dedicated.

Having web servers on same servers as database is obviously the fastest
network as it is no network. But it also lock you into a N:N
relation ship between web and database servers instead of a more
flexible M:N. And it prevents you from putting in a firewall between
web and database servers, which your security people may really
like.

Arne
Phillip Helbig (undress to reply)
2021-01-11 14:00:23 UTC
Permalink
Post by Arne Vajhøj
For VMS specifically there is also the cluster IP address, which
I have no idea whether will work well with a web server.
It works completely transparently with a webserver with no problems, but
it is for failover, not load balancing (in general, not just for
HTTP(s)).
Marc Van Dyck
2021-01-11 14:45:18 UTC
Permalink
Post by Arne Vajhøj
On the web servers you need the application code & data to stay resident
in memory and reuse threads/processes to process requests as
starting processes and loading images are expensive. And
the database connections need to be managed by a connection pool
as open connection is expensive (note that a connection pool
also require application code& data resident in memory).
Wasn't ACMS made to solve just that problem ? Has one already tried to
implement a web server with ACMS - assuming anyone still knows the
product, that is ?
--
Marc Van Dyck
Robert A. Brooks
2021-01-11 16:08:15 UTC
Permalink
Post by Marc Van Dyck
Post by Arne Vajhøj
On the web servers you need the application code & data to stay resident
in memory and reuse threads/processes to process requests as
starting processes and loading images are expensive. And
the database connections need to be managed by a connection pool
as open connection is expensive (note that a connection pool
also require application code& data resident in memory).
Wasn't ACMS made to solve just that problem ? Has one already tried to
implement a web server with ACMS - assuming anyone still knows the
product, that is ?
ACMS is being ported to X86.
--
-- Rob
Marc Van Dyck
2021-01-11 16:26:35 UTC
Permalink
Post by Robert A. Brooks
Post by Marc Van Dyck
Post by Arne Vajhøj
On the web servers you need the application code & data to stay resident
in memory and reuse threads/processes to process requests as
starting processes and loading images are expensive. And
the database connections need to be managed by a connection pool
as open connection is expensive (note that a connection pool
also require application code& data resident in memory).
Wasn't ACMS made to solve just that problem ? Has one already tried to
implement a web server with ACMS - assuming anyone still knows the
product, that is ?
ACMS is being ported to X86.
I hope so because I need it...
--
Marc Van Dyck
Arne Vajhøj
2021-01-11 16:23:30 UTC
Permalink
Post by Marc Van Dyck
Post by Arne Vajhøj
On the web servers you need the application code & data to stay resident
in memory and reuse threads/processes to process requests as
starting processes and loading images are expensive. And
the database connections need to be managed by a connection pool
as open connection is expensive (note that a connection pool
also require application code& data resident in memory).
Wasn't ACMS made to solve just that problem ? Has one already tried to
implement a web server with ACMS - assuming anyone still knows the
product, that is ?
I know little about ACMS, but it is my clear impression that it
is way more than a database connection pool.

A database connection pool is really a simple concept.

Without pool: request processing opens a physical connection
to the database, do what it need to do and closes connection.

With pool: at startup N connections are made, request processing
borrows a connection from the pool use it and return it.

There can be some bells and whistles with pool size
increasing and decreasing over time depending on demand,
the pool making keep alive queries, failover handling etc. -
but the basics are very simple.

Arne
Marc Van Dyck
2021-01-11 16:28:32 UTC
Permalink
Post by Arne Vajhøj
Post by Marc Van Dyck
Post by Arne Vajhøj
On the web servers you need the application code & data to stay resident
in memory and reuse threads/processes to process requests as
starting processes and loading images are expensive. And
the database connections need to be managed by a connection pool
as open connection is expensive (note that a connection pool
also require application code& data resident in memory).
Wasn't ACMS made to solve just that problem ? Has one already tried to
implement a web server with ACMS - assuming anyone still knows the
product, that is ?
I know little about ACMS, but it is my clear impression that it
is way more than a database connection pool.
A database connection pool is really a simple concept.
Without pool: request processing opens a physical connection
to the database, do what it need to do and closes connection.
With pool: at startup N connections are made, request processing
borrows a connection from the pool use it and return it.
There can be some bells and whistles with pool size
increasing and decreasing over time depending on demand,
the pool making keep alive queries, failover handling etc. -
but the basics are very simple.
Arne
My answer was about the whole paragraph, not just the last sentence...
I.e. also keeping code in memory and re-using existing processes.
--
Marc Van Dyck
Jan-Erik Söderholm
2021-01-11 16:41:12 UTC
Permalink
Post by Marc Van Dyck
Post by Arne Vajhøj
Post by Marc Van Dyck
Post by Arne Vajhøj
On the web servers you need the application code & data to stay resident
in memory and reuse threads/processes to process requests as
starting processes and loading images are expensive. And
the database connections need to be managed by a connection pool
as open connection is expensive (note that a connection pool
also require application code& data resident in memory).
Wasn't ACMS made to solve just that problem ? Has one already tried to
implement a web server with ACMS - assuming anyone still knows the
product, that is ?
I know little about ACMS, but it is my clear impression that it
is way more than a database connection pool.
A database connection pool is really a simple concept.
Without pool: request processing opens a physical connection
to the database, do what it need to do and closes connection.
With pool: at startup N connections are made, request processing
borrows a connection from the pool use it and return it.
There can be some bells and whistles with pool size
increasing and decreasing over time depending on demand,
the pool making keep alive queries, failover handling etc. -
but the basics are very simple.
Arne
My answer was about the whole paragraph, not just the last sentence...
I.e. also keeping code in memory and re-using existing processes.
No web server can talk to a "database" in its own. You need some
web server process that does the DB "work". Any web server should
support persitant processes so that multiple requests can be serverd
by in-memory processes that already have the database attach open.

We use Python using PYRTE and WASD and get responstimes as viewed
from the browser in the 10's of millisecond. The Python overhead is
also very low due to the fact that the process already have the
Python environment loaded and "compiled".

If it has been calm for the timeout period (configurable, think it
is 5-10 min by default) there is a 0-5 - 1 .0 sec Python startup
delay for a new process to be created.
Arne Vajhøj
2021-01-11 18:02:20 UTC
Permalink
Post by Jan-Erik Söderholm
Post by Marc Van Dyck
Post by Arne Vajhøj
Post by Marc Van Dyck
Post by Arne Vajhøj
On the web servers you need the application code & data to stay resident
in memory and reuse threads/processes to process requests as
starting processes and loading images are expensive. And
the database connections need to be managed by a connection pool
as open connection is expensive (note that a connection pool
also require application code& data resident in memory).
Wasn't ACMS made to solve just that problem ? Has one already tried to
implement a web server with ACMS - assuming anyone still knows the
product, that is ?
I know little about ACMS, but it is my clear impression that it
is way more than a database connection pool.
A database connection pool is really a simple concept.
Without pool: request processing opens a physical connection
to the database, do what it need to do and closes connection.
With pool: at startup N connections are made, request processing
borrows a connection from the pool use it and return it.
There can be some bells and whistles with pool size
increasing and decreasing over time depending on demand,
the pool making keep alive queries, failover handling etc. -
but the basics are very simple.
My answer was about the whole paragraph, not just the last sentence...
I.e. also keeping code in memory and re-using existing processes.
No web server can talk to a "database" in its own. You need some
web server process that does the DB "work".
That is mostly a terminology issue.

If one defines:

web server = server that handle requests for static content and has an
extension for running code

app server = server that can both handle requests for static content
and run code

then yes.

But with a different definition of web server (like app server above),
then web servers can run code directly.
Post by Jan-Erik Söderholm
Any web server should
support persitant processes so that multiple requests can be serverd
by in-memory processes that already have the database attach open.
We use Python using PYRTE and WASD and get responstimes as viewed
from the browser in the 10's of millisecond. The Python overhead is
also very low due to the fact that the process already have the
Python environment loaded and "compiled".
The feature is common. Apache got its modules.

But any application need to use the feature and use the
database connection pool to get the benefits.

Arne
Phillip Helbig (undress to reply)
2021-01-11 13:58:49 UTC
Permalink
Post by D W
There are MULTIPLE different approaches to doing this. Most involve
HTTP (web) cookies and may involve DNS round robin load balancing or
load balancers.
Why not use the metric server and load broaker on a shared-everything
cluster?
Post by D W
But how would this be accomplished using Apache or another web package on OpenVMS?
See above.
Post by D W
Also if you house a DB like RDB on a separate OpenVMS server, what
would be the fastest connect solution to obtain the fastest data
transport rates between the DB server and other web servers?
DECnet?
Marc Van Dyck
2021-01-11 14:43:00 UTC
Permalink
Post by Phillip Helbig (undress to reply)
Post by D W
There are MULTIPLE different approaches to doing this. Most involve
HTTP (web) cookies and may involve DNS round robin load balancing or
load balancers.
Why not use the metric server and load broaker on a shared-everything
cluster?
Post by D W
But how would this be accomplished using Apache or another web package on OpenVMS?
See above.
Post by D W
Also if you house a DB like RDB on a separate OpenVMS server, what
would be the fastest connect solution to obtain the fastest data
transport rates between the DB server and other web servers?
DECnet?
Was thinking about that too. It would also protect your database
servers
from anything using IP...
--
Marc Van Dyck
Phillip Helbig (undress to reply)
2021-01-11 15:22:11 UTC
Permalink
Post by Marc Van Dyck
Was thinking about that too. It would also protect your database
servers
from anything using IP...
With Rdb, access to the database via DECnet is supported. It can also
save on license costs if you need more web servers than nodes with the
database open.
Marc Van Dyck
2021-01-11 16:31:01 UTC
Permalink
Post by Phillip Helbig (undress to reply)
Post by Marc Van Dyck
Was thinking about that too. It would also protect your database
servers
from anything using IP...
With Rdb, access to the database via DECnet is supported. It can also
save on license costs if you need more web servers than nodes with the
database open.
Sure... Horizontal power for the web servers, vertical power for the
database...
--
Marc Van Dyck
Stephen Hoffman
2021-01-11 15:58:47 UTC
Permalink
Post by D W
There are MULTIPLE different approaches to doing this. Most involve
HTTP (web) cookies and may involve DNS round robin load balancing or
load balancers.
But how would this be accomplished using Apache or another web package on OpenVMS?
If locked into that configuration, with mod_proxy_balancer most likely.
Same as with Apache elsewhere.
Post by D W
Would you use the same approach?
mod_proxy_balancer or reverse-proxies or redirects or such? Prolly not.
Depends. There's a whole lot of necessary detail here. Detail that's
not yet been referenced.
Post by D W
Also if you house a DB like RDB on a separate OpenVMS server, what
would be the fastest connect solution to obtain the fastest data
transport rates between the DB server and other web servers?
That depends. Sharing is a potential option, as can be replacing Rdb
with something faster; an in-memory database, for instance. Or using a
CDN, which can provide the bandwidth and DDoS protections and
geographic distribution, among other benefits.

Other options include clustering and fibre channel and moving Rdb
locally (which'll increase lock traffic), or moving to the fastest
available network between the web servers and the database server.

This also involves performance and trend modeling, and likely involves
replacing HDDs with SSDs and related efforts on the servers, as I'd
expect a heavier load between Rdb and its database storage than between
Rdb and the database client web servers.

If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review—even if you're not
re-hosting Parler, the problems are broadly similar at scale.
--
Pure Personal Opinion | HoffmanLabs LLC
Simon Clubley
2021-01-11 18:21:24 UTC
Permalink
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?

I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
D W
2021-01-11 19:01:33 UTC
Permalink
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for hostile environments.

Putting each user in a RWED controlled box along with appropriate ACLs
I would assume would outclass any other solution out there, as long as VSI has terminated all of their C strings properly. :)
Post by Simon Clubley
Simon.
--
Walking destinations on a map are further away than they appear.
Stephen Hoffman
2021-01-11 19:19:56 UTC
Permalink
Post by D W
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Okay. I will not be further responding to nor further assisting with
this or with any other related threads.
--
Pure Personal Opinion | HoffmanLabs LLC
Simon Clubley
2021-01-12 13:52:49 UTC
Permalink
Post by D W
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for hostile environments.
As mentioned already, Linux has a number of security and isolation
features that VMS is lacking.
Post by D W
Putting each user in a RWED controlled box along with appropriate ACLs
I would assume would outclass any other solution out there, as long as VSI has terminated all of their C strings properly. :)
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.

BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.

To everyone else: I keep warning you about security researchers possibly
taking a serious interest in probing VMS at some point in the future and
about everything that could come from that.

If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is _exactly_
what is going to happen.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
ultr...@gmail.com
2021-01-12 15:50:54 UTC
Permalink
Post by Simon Clubley
Post by D W
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for hostile environments.
As mentioned already, Linux has a number of security and isolation
features that VMS is lacking.
Post by D W
Putting each user in a RWED controlled box along with appropriate ACLs
I would assume would outclass any other solution out there, as long as VSI has terminated all of their C strings properly. :)
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
To everyone else: I keep warning you about security researchers possibly
taking a serious interest in probing VMS at some point in the future and
about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is _exactly_
what is going to happen.
Simon.
--
Walking destinations on a map are further away than they appear.
if what you say is true you can thank the introduction of the c language
into the OS level development.
Simon Clubley
2021-01-12 18:44:26 UTC
Permalink
Post by ***@gmail.com
if what you say is true you can thank the introduction of the c language
into the OS level development.
This has nothing to do with C. Much of VMS was originally written
in Macro-32 and BLISS.

And BTW, the descriptors and counted strings that VMS uses are
harder to compromise but easier than C-style null terminated
strings to actually exploit when compromised.

This is because embedded nulls in the shellcode are treated as just
another data byte when using descriptors and counted strings and do
not terminate a copy when encountered, unlike with C-style null
terminated strings.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
ultr...@gmail.com
2021-01-12 15:52:28 UTC
Permalink
Post by Simon Clubley
Post by D W
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for hostile environments.
As mentioned already, Linux has a number of security and isolation
features that VMS is lacking.
Post by D W
Putting each user in a RWED controlled box along with appropriate ACLs
I would assume would outclass any other solution out there, as long as VSI has terminated all of their C strings properly. :)
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
To everyone else: I keep warning you about security researchers possibly
taking a serious interest in probing VMS at some point in the future and
about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is _exactly_
what is going to happen.
Simon.
--
Walking destinations on a map are further away than they appear.
and again assuming what you say is true you just shot down using OpenVMS for any web services.
Arne Vajhøj
2021-01-12 16:16:51 UTC
Permalink
Post by ***@gmail.com
Post by Simon Clubley
To everyone else: I keep warning you about security researchers possibly
taking a serious interest in probing VMS at some point in the future and
about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is _exactly_
what is going to happen.
and again assuming what you say is true you just shot down using OpenVMS for any web services.
VMS is just not an obvious choice for high volume public web sites.

Software availability on VMS is below Linux:
* PHP, Python and Java/Jakarta EE has much less support on VMS than on Linux
* ASP.NET and node.js are not available on VMS at all

VMS is more expensive than Linux (and that matters when we talk huge
clusters to handle high volume):
* Itanium is more expensive than x86-64
* VMS is more expensive than RHEL and Windows
* VMS is way more expensive than CentOS and Ubuntu

And VMS is a lot less security tested than Linux.

That does not mean that all web is irrelevant for VMS.

There are lots of lower volume, intranet or integration
with existing VMS applications where web access to VMS
makes a lot of sense.

Arne
Simon Clubley
2021-01-12 18:49:49 UTC
Permalink
Post by ***@gmail.com
and again assuming what you say is true you just shot down using OpenVMS for any web services.
Sokath, his eyes open!

For a more detailed reply, see Arne's reply. I agree with everything
in there.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
ultr...@gmail.com
2021-01-12 21:01:55 UTC
Permalink
Post by Simon Clubley
Post by ***@gmail.com
and again assuming what you say is true you just shot down using OpenVMS for any web services.
Sokath, his eyes open!
For a more detailed reply, see Arne's reply. I agree with everything
in there.
Simon.
--
Walking destinations on a map are further away than they appear.
well somebody better tell Mark Daniel he just wasted 20 years of his life developing WASD for nothing. :)
Jan-Erik Söderholm
2021-01-12 21:52:16 UTC
Permalink
Post by ***@gmail.com
Post by Simon Clubley
Post by ***@gmail.com
and again assuming what you say is true you just shot down using OpenVMS for any web services.
Sokath, his eyes open!
For a more detailed reply, see Arne's reply. I agree with everything
in there.
Simon.
--
Walking destinations on a map are further away than they appear.
well somebody better tell Mark Daniel he just wasted 20 years of his life developing WASD for nothing. :)
I've used WASD for 20+ yearss and that is not for nothing.
Simon Clubley
2021-01-13 13:17:32 UTC
Permalink
Post by ***@gmail.com
Post by Simon Clubley
Post by ***@gmail.com
and again assuming what you say is true you just shot down using OpenVMS for any web services.
Sokath, his eyes open!
For a more detailed reply, see Arne's reply. I agree with everything
in there.
well somebody better tell Mark Daniel he just wasted 20 years of his life developing WASD for nothing. :)
Even the early versions of WASD had glaring security flaws that survived
for years in the wild and which were only found when someone decided to
do some security probing of WASD.

You know, the same kind of probing that I did for DCL and which revealed
a decades-old disastrous security flaw in DCL ?

Like I keep saying, I wonder what else is going to be found in VMS if
the professional security researchers decide to start probing it.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
Dave Froble
2021-01-13 19:02:27 UTC
Permalink
Post by Simon Clubley
Post by ***@gmail.com
Post by Simon Clubley
Post by ***@gmail.com
and again assuming what you say is true you just shot down using OpenVMS for any web services.
Sokath, his eyes open!
For a more detailed reply, see Arne's reply. I agree with everything
in there.
well somebody better tell Mark Daniel he just wasted 20 years of his life developing WASD for nothing. :)
Even the early versions of WASD had glaring security flaws that survived
for years in the wild and which were only found when someone decided to
do some security probing of WASD.
You know, the same kind of probing that I did for DCL and which revealed
a decades-old disastrous security flaw in DCL ?
"DISASTROUS!?

Could you provide documentation on several of the disasters?
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: ***@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
Simon Clubley
2021-01-13 19:24:48 UTC
Permalink
Post by Dave Froble
Post by Simon Clubley
Post by ***@gmail.com
Post by Simon Clubley
Post by ***@gmail.com
and again assuming what you say is true you just shot down using OpenVMS for any web services.
Sokath, his eyes open!
For a more detailed reply, see Arne's reply. I agree with everything
in there.
well somebody better tell Mark Daniel he just wasted 20 years of his life developing WASD for nothing. :)
Even the early versions of WASD had glaring security flaws that survived
for years in the wild and which were only found when someone decided to
do some security probing of WASD.
You know, the same kind of probing that I did for DCL and which revealed
a decades-old disastrous security flaw in DCL ?
"DISASTROUS!?
Could you provide documentation on several of the disasters?
Well, I would call a non-privileged user on VAX and Alpha being able
to get full control of the system from the DCL prompt disastrous.

As for WASD, the most glaring security flaw I remember was a directory
traversal flaw but there were several other issues identified.

The point I am making David is that outside parties probing a system
or application can reveal security flaws that have been around for years
whether that's a glaring security flaw such as the directory traversal
flaw in WASD or a disastrous flaw in DCL.

There is a problem in the VMS world where some people think that because
no-one has bothered to look for vulnerabilities, then that means there
are no vulnerabilities to be found.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
Stephen Hoffman
2021-01-12 16:18:41 UTC
Permalink
Post by Simon Clubley
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
Bob has an unshakable confidence in the validity of his one answer to
any and all computing requirements: OpenVMS.

That answer might have been ~feasible ~30 years ago.

Tasks and requirements and expectations and competition and pricing and
apps are all very different now.
Post by Simon Clubley
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
A local-privilege escalation is a local-privilege escalation. OpenVMS
has had a few. I've attached one of the more famous (earlier) examples
below.

This is where jails / sandboxes and app isolation is expected. OpenVMS
doesn't particularly isolate apps, and trying to use ACLs gets...
interesting. I've had DECinspect break my configurations, when the
lock-down tooling was used. (Back when DECinspect was in more common
usage, too.) A fair chunk of work atop SEVMS would be required from VSI
to add jails/sandboxes/isolation, particularly with integrity and
signing—secure delivery is rather more involved when the apps
themselves cannot be trusted to be free of malware and free of flaws.
And then there's app auditing and app provisioning and app updates and
a variety of other topics. Getting this all configured and going is the
smaller part of the work too. Keeping this going and keeping this
secure and apps current and isolated and secure is no small investment
in time and tooling and focus.

There's also little app development guidance available for writing
secure apps for OpenVMS, which doesn't help. The security manual omits
much that is expected of apps in this networked era.
Post by Simon Clubley
To everyone else: I keep warning you about security researchers
possibly taking a serious interest in probing VMS at some point in the
future and about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is
_exactly_ what is going to happen.
Bob and the particular "maybe" project most recently now seems moot, as
the "maybe" customer has reportedly acquired different hosting.
Ignoring that for the moment, and reviewing some other of Bob's
discussions for those that are unfamiliar...

Bob has previously recommended replacing Microsoft Windows desktops
with OpenVMS, had widely recommended OpenVMS be used within voting
machinery, and now as a high-profile and contentious "maybe" hosting
project.

Could OpenVMS do these tasks? Given far too much budget and far too
much time and far too much retraining and a whole lot of work prolly
yes, but all that very far from economically and easily, and likely not
securely.

Desktop: Approximately no desktop apps and no Office compatibility and
no two-factor and no modern browser for OpenVMS—that'd all have to be
found or built or added.

Embedded: Approximately no benefit and a whole lot of cost for embedded
usage, and which fundamentally doesn't address the issues and risks
involved with any embedded software.

Web hosting: Little tooling is available for running a high-profile and
contentious website and one with other issues as discussed in that
thread as well as an app that is a DDoS and intelligence service
target, and one that reportedly has problems with payment gateways and
with getting their client apps onto the major app stores. Though Bob
has the opportunity to create the necessary prototypes here, using real
data from the "maybe" API.

VSI has piles of work ahead with the x86-64 port. Little of which
includes OpenVMS for desktop and updates to the apps and tooling that
everybody* expects to have access to, little includes OpenVMS for
embedded—seL4 was previously recommended for a secure host platform for
embedded use though that too necessarily requires knowledge of and
integration with election auditing (and approximately none of this
addresses the issues Bob believes it would), and little includes
OpenVMS for high-end web hosting and related services and which
typically involves keeping a current Apache and related tooling and
prolly nginx or other web server, as well as one or more application
servers (Twisted and/or Tornado and/or Zend, etc), as well as Python.
And for sites that can be subject rapid scaling, there'll be the need
for tooling to keep OpenVMS current across a variable and potentially
increasing number of hosts, to quickly deploy patches, for geographic
server distribution for robustness and recovery and latency, log
collection and analysis and intrusion detection, and that'd have to be
locally written and/or acquired and integrated. Little of which
includes app isolation, R^X, jails, etc. And that's all before we
discuss the carrying costs of having hardware available for high or
peak loads. Approximately none of which is in the plans, and all of
which already exists on other platforms and products and apps that
target these disparate markets. The x86-64 port will have some benefits
around using hosting for added capacity and for peak loading, though
that necessarily means hosting, and it means you'll have to expect
insecure or hostile peers, though it's wise to assume your local
networks also have hostile peers connected.

Can OpenVMS do this stuff? Sure. Cost-effectively, and with a
reasonable deployment timeline? Nope. VSI is working to address some of
this, and particularly for existing OpenVMS customers. The folks
running "maybe", not so much.


Local-privilege escalation:

OPERATING SYSTEM: VAX/VMS V2.1
PRODUCT: VAX/VMS
COMPONENT: LOGINOUT


GRPNAM SECURITY HOLE IN LOGIN

PROBLEM STATEMENT:

The GRPNAM privilege is an evil demon, allowing the user to
invoke its secret entrance for all manner of nefarious
purposes not originally intended.


RESPONSE FROM DEC:

The great wizard VMS confronted the demon, raised his great
oaken staff carved in ancient runes, and spoke the magic
incantation:
"$SETPRV IMAGEACTIVATIONENHANCEDPRIVILEGES $CMKRNL!!"
There was a blinding flash of light and puff of smoke, and
the demon, reduced to harmlessness, scurried off into the
distance.

Where his secret entrance had been was naught but a little
pile of ashes, which the wind slowly drifted into letters
spelling the words "FIXED IN V2.3".
--
Pure Personal Opinion | HoffmanLabs LLC
ultr...@gmail.com
2021-01-12 18:18:05 UTC
Permalink
Post by Stephen Hoffman
Post by Simon Clubley
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
Bob has an unshakable confidence in the validity of his one answer to
any and all computing requirements: OpenVMS.
That answer might have been ~feasible ~30 years ago.
Tasks and requirements and expectations and competition and pricing and
apps are all very different now.
Post by Simon Clubley
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
A local-privilege escalation is a local-privilege escalation. OpenVMS
has had a few. I've attached one of the more famous (earlier) examples
below.
This is where jails / sandboxes and app isolation is expected. OpenVMS
doesn't particularly isolate apps, and trying to use ACLs gets...
interesting. I've had DECinspect break my configurations, when the
lock-down tooling was used. (Back when DECinspect was in more common
usage, too.) A fair chunk of work atop SEVMS would be required from VSI
to add jails/sandboxes/isolation, particularly with integrity and
signing—secure delivery is rather more involved when the apps
themselves cannot be trusted to be free of malware and free of flaws.
And then there's app auditing and app provisioning and app updates and
a variety of other topics. Getting this all configured and going is the
smaller part of the work too. Keeping this going and keeping this
secure and apps current and isolated and secure is no small investment
in time and tooling and focus.
There's also little app development guidance available for writing
secure apps for OpenVMS, which doesn't help. The security manual omits
much that is expected of apps in this networked era.
Post by Simon Clubley
To everyone else: I keep warning you about security researchers
possibly taking a serious interest in probing VMS at some point in the
future and about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is
_exactly_ what is going to happen.
Bob and the particular "maybe" project most recently now seems moot, as
the "maybe" customer has reportedly acquired different hosting.
Ignoring that for the moment, and reviewing some other of Bob's
discussions for those that are unfamiliar...
Bob has previously recommended replacing Microsoft Windows desktops
with OpenVMS, had widely recommended OpenVMS be used within voting
machinery, and now as a high-profile and contentious "maybe" hosting
project.
Could OpenVMS do these tasks? Given far too much budget and far too
much time and far too much retraining and a whole lot of work prolly
yes, but all that very far from economically and easily, and likely not
securely.
Desktop: Approximately no desktop apps and no Office compatibility and
no two-factor and no modern browser for OpenVMS—that'd all have to be
found or built or added.
Embedded: Approximately no benefit and a whole lot of cost for embedded
usage, and which fundamentally doesn't address the issues and risks
involved with any embedded software.
Web hosting: Little tooling is available for running a high-profile and
contentious website and one with other issues as discussed in that
thread as well as an app that is a DDoS and intelligence service
target, and one that reportedly has problems with payment gateways and
with getting their client apps onto the major app stores. Though Bob
has the opportunity to create the necessary prototypes here, using real
data from the "maybe" API.
VSI has piles of work ahead with the x86-64 port. Little of which
includes OpenVMS for desktop and updates to the apps and tooling that
everybody* expects to have access to, little includes OpenVMS for
embedded—seL4 was previously recommended for a secure host platform for
embedded use though that too necessarily requires knowledge of and
integration with election auditing (and approximately none of this
addresses the issues Bob believes it would), and little includes
OpenVMS for high-end web hosting and related services and which
typically involves keeping a current Apache and related tooling and
prolly nginx or other web server, as well as one or more application
servers (Twisted and/or Tornado and/or Zend, etc), as well as Python.
And for sites that can be subject rapid scaling, there'll be the need
for tooling to keep OpenVMS current across a variable and potentially
increasing number of hosts, to quickly deploy patches, for geographic
server distribution for robustness and recovery and latency, log
collection and analysis and intrusion detection, and that'd have to be
locally written and/or acquired and integrated. Little of which
includes app isolation, R^X, jails, etc. And that's all before we
discuss the carrying costs of having hardware available for high or
peak loads. Approximately none of which is in the plans, and all of
which already exists on other platforms and products and apps that
target these disparate markets. The x86-64 port will have some benefits
around using hosting for added capacity and for peak loading, though
that necessarily means hosting, and it means you'll have to expect
insecure or hostile peers, though it's wise to assume your local
networks also have hostile peers connected.
Can OpenVMS do this stuff? Sure. Cost-effectively, and with a
reasonable deployment timeline? Nope. VSI is working to address some of
this, and particularly for existing OpenVMS customers. The folks
running "maybe", not so much.
OPERATING SYSTEM: VAX/VMS V2.1
PRODUCT: VAX/VMS
COMPONENT: LOGINOUT
GRPNAM SECURITY HOLE IN LOGIN
The GRPNAM privilege is an evil demon, allowing the user to
invoke its secret entrance for all manner of nefarious
purposes not originally intended.
The great wizard VMS confronted the demon, raised his great
oaken staff carved in ancient runes, and spoke the magic
"$SETPRV IMAGEACTIVATIONENHANCEDPRIVILEGES $CMKRNL!!"
There was a blinding flash of light and puff of smoke, and
the demon, reduced to harmlessness, scurried off into the
distance.
Where his secret entrance had been was naught but a little
pile of ashes, which the wind slowly drifted into letters
spelling the words "FIXED IN V2.3".
--
Pure Personal Opinion | HoffmanLabs LLC
so basically you are stating that the "OpenVMS is most secure OS on the planet" sales pitch bellowed by DEC and not so much HP marketing
over the years was just an oxymoron?
Arne Vajhøj
2021-01-12 18:45:29 UTC
Permalink
Post by ***@gmail.com
Post by Stephen Hoffman
OPERATING SYSTEM: VAX/VMS V2.1
PRODUCT: VAX/VMS
COMPONENT: LOGINOUT
GRPNAM SECURITY HOLE IN LOGIN
The GRPNAM privilege is an evil demon, allowing the user to
invoke its secret entrance for all manner of nefarious
purposes not originally intended.
The great wizard VMS confronted the demon, raised his great
oaken staff carved in ancient runes, and spoke the magic
"$SETPRV IMAGEACTIVATIONENHANCEDPRIVILEGES $CMKRNL!!"
There was a blinding flash of light and puff of smoke, and
the demon, reduced to harmlessness, scurried off into the
distance.
Where his secret entrance had been was naught but a little
pile of ashes, which the wind slowly drifted into letters
spelling the words "FIXED IN V2.3".
There was also the WANK worm.
Post by ***@gmail.com
so basically you are stating that the "OpenVMS is most secure OS on the planet" sales pitch bellowed by DEC and not so much HP marketing
over the years was just an oxymoron?
VMS was probably not the most secure back in the 1980's. But it was
better than many.

Per 2021 standards it was bad, but many other were even worse.

But applying 2021 standards to software from the 1980's is silly.

What is important is that other OS'es has improved security a lot
over the last 20 years, while VMS has seen relative little
enhancements.

VSI is trying to fix that now. But they cannot catch up
with 20 years of neglect over night.

Arne
Simon Clubley
2021-01-12 18:58:47 UTC
Permalink
Post by Arne Vajhøj
Post by ***@gmail.com
so basically you are stating that the "OpenVMS is most secure OS on the planet" sales pitch bellowed by DEC and not so much HP marketing
over the years was just an oxymoron?
VMS was probably not the most secure back in the 1980's. But it was
better than many.
Per 2021 standards it was bad, but many other were even worse.
But applying 2021 standards to software from the 1980's is silly.
Unfortunately, that is exactly what VSI are doing when making the
above statement.
Post by Arne Vajhøj
What is important is that other OS'es has improved security a lot
over the last 20 years, while VMS has seen relative little
enhancements.
VSI is trying to fix that now. But they cannot catch up
with 20 years of neglect over night.
Perhaps VSI should do this work (and there's a lot of it) before
making the above statement and hence painting a large target on
the backs of the VMS users.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
Stephen Hoffman
2021-01-12 19:39:38 UTC
Permalink
Post by Arne Vajhøj
Post by ***@gmail.com
so basically you are stating that the "OpenVMS is most secure OS on the
planet" sales pitch bellowed by DEC and not so much HP marketing over
the years was just an oxymoron?
Counter-productive is among the most charitable of interpretations for
that marketing shart.
Post by Arne Vajhøj
But applying 2021 standards to software from the 1980's is silly.
Applying knowledge of pre-millennial security and risks and defenses
and tooling to 2021-era environment is also silly.
Unfortunately, that is exactly what VSI are doing when making the above
statement.
Worse.

But then Bob's heard all this before.

Write an OpenVMS app with modern security. Try it. Seriously. Go try
it. Try a simple secure app-to-app network connection. Write a client
and server using a TLSv1.3 connection with full client and server
certificate verification and with a certificate revocation check, with
encrypted storage data, and with a secure password and secure private
key store, and with compatibility with commercial certificate vendors,
and call me back. This is one of the most basic operations for an app
developer writing a distributed app in 2021. And it's fundamental for
that "maybe" app server that's been referenced here. Can OpenVMS be
used here? Sure. Can all of this stuff be implemented? Absolutely. Is
the source code involved here complex and bug-prone and poorly
documented? Yes. Are these tasks easier with higher-level frameworks
available elsewhere? Of course.
--
Pure Personal Opinion | HoffmanLabs LLC
ultr...@gmail.com
2021-01-12 20:55:51 UTC
Permalink
Post by Stephen Hoffman
Post by Arne Vajhøj
Post by ***@gmail.com
so basically you are stating that the "OpenVMS is most secure OS on the
planet" sales pitch bellowed by DEC and not so much HP marketing over
the years was just an oxymoron?
Counter-productive is among the most charitable of interpretations for
that marketing shart.
Post by Arne Vajhøj
But applying 2021 standards to software from the 1980's is silly.
Applying knowledge of pre-millennial security and risks and defenses
and tooling to 2021-era environment is also silly.
Unfortunately, that is exactly what VSI are doing when making the above
statement.
Worse.
But then Bob's heard all this before.
Write an OpenVMS app with modern security. Try it. Seriously. Go try
it. Try a simple secure app-to-app network connection. Write a client
and server using a TLSv1.3 connection with full client and server
certificate verification and with a certificate revocation check, with
encrypted storage data, and with a secure password and secure private
key store, and with compatibility with commercial certificate vendors,
and call me back. This is one of the most basic operations for an app
developer writing a distributed app in 2021. And it's fundamental for
that "maybe" app server that's been referenced here. Can OpenVMS be
used here? Sure. Can all of this stuff be implemented? Absolutely. Is
the source code involved here complex and bug-prone and poorly
documented? Yes. Are these tasks easier with higher-level frameworks
available elsewhere? Of course.
--
Pure Personal Opinion | HoffmanLabs LLC
no thanks I would rather pay Process to modify decnet over IP to run in an SSH tunnel.
Dave Froble
2021-01-13 01:02:37 UTC
Permalink
Post by ***@gmail.com
Post by Stephen Hoffman
Post by Arne Vajhøj
Post by ***@gmail.com
so basically you are stating that the "OpenVMS is most secure OS on the
planet" sales pitch bellowed by DEC and not so much HP marketing over
the years was just an oxymoron?
Counter-productive is among the most charitable of interpretations for
that marketing shart.
Post by Arne Vajhøj
But applying 2021 standards to software from the 1980's is silly.
Applying knowledge of pre-millennial security and risks and defenses
and tooling to 2021-era environment is also silly.
Unfortunately, that is exactly what VSI are doing when making the above
statement.
Worse.
But then Bob's heard all this before.
Write an OpenVMS app with modern security. Try it. Seriously. Go try
it. Try a simple secure app-to-app network connection. Write a client
and server using a TLSv1.3 connection with full client and server
certificate verification and with a certificate revocation check, with
encrypted storage data, and with a secure password and secure private
key store, and with compatibility with commercial certificate vendors,
and call me back. This is one of the most basic operations for an app
developer writing a distributed app in 2021. And it's fundamental for
that "maybe" app server that's been referenced here. Can OpenVMS be
used here? Sure. Can all of this stuff be implemented? Absolutely. Is
the source code involved here complex and bug-prone and poorly
documented? Yes. Are these tasks easier with higher-level frameworks
available elsewhere? Of course.
--
Pure Personal Opinion | HoffmanLabs LLC
no thanks I would rather pay Process to modify decnet over IP to run in an SSH tunnel.
That doesn't even begin to address all the issues.

First, there is no absolute security, just trying to stay ahead of the
opposition.

Nothing special about DECnet, nor anything really bad about TCP/IP.
Both work. Both have issues. The key thing is being able to talk to
most of the world. DECnet has some nice pieces. But it's not practical
for non-VMS work, it currently does not support any encryption, and
there is no valid reason to re-invent any wheels.
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: ***@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
ultr...@gmail.com
2021-01-13 16:50:14 UTC
Permalink
Post by Dave Froble
Post by ***@gmail.com
Post by Stephen Hoffman
Post by Arne Vajhøj
Post by ***@gmail.com
so basically you are stating that the "OpenVMS is most secure OS on the
planet" sales pitch bellowed by DEC and not so much HP marketing over
the years was just an oxymoron?
Counter-productive is among the most charitable of interpretations for
that marketing shart.
Post by Arne Vajhøj
But applying 2021 standards to software from the 1980's is silly.
Applying knowledge of pre-millennial security and risks and defenses
and tooling to 2021-era environment is also silly.
Unfortunately, that is exactly what VSI are doing when making the above
statement.
Worse.
But then Bob's heard all this before.
Write an OpenVMS app with modern security. Try it. Seriously. Go try
it. Try a simple secure app-to-app network connection. Write a client
and server using a TLSv1.3 connection with full client and server
certificate verification and with a certificate revocation check, with
encrypted storage data, and with a secure password and secure private
key store, and with compatibility with commercial certificate vendors,
and call me back. This is one of the most basic operations for an app
developer writing a distributed app in 2021. And it's fundamental for
that "maybe" app server that's been referenced here. Can OpenVMS be
used here? Sure. Can all of this stuff be implemented? Absolutely. Is
the source code involved here complex and bug-prone and poorly
documented? Yes. Are these tasks easier with higher-level frameworks
available elsewhere? Of course.
--
Pure Personal Opinion | HoffmanLabs LLC
no thanks I would rather pay Process to modify decnet over IP to run in an SSH tunnel.
That doesn't even begin to address all the issues.
First, there is no absolute security, just trying to stay ahead of the
opposition.
Nothing special about DECnet, nor anything really bad about TCP/IP.
Both work. Both have issues. The key thing is being able to talk to
most of the world. DECnet has some nice pieces. But it's not practical
for non-VMS work, it currently does not support any encryption, and
there is no valid reason to re-invent any wheels.
--
David Froble Tel: 724-529-0450
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
well Dave did you see the part where I mentioned for a fee that Process will enable their decnet over IP to run in an SSH tunnel?
Dave Froble
2021-01-13 19:04:06 UTC
Permalink
Post by ***@gmail.com
Post by Dave Froble
Post by ***@gmail.com
Post by Stephen Hoffman
Post by Arne Vajhøj
Post by ***@gmail.com
so basically you are stating that the "OpenVMS is most secure OS on the
planet" sales pitch bellowed by DEC and not so much HP marketing over
the years was just an oxymoron?
Counter-productive is among the most charitable of interpretations for
that marketing shart.
Post by Arne Vajhøj
But applying 2021 standards to software from the 1980's is silly.
Applying knowledge of pre-millennial security and risks and defenses
and tooling to 2021-era environment is also silly.
Unfortunately, that is exactly what VSI are doing when making the above
statement.
Worse.
But then Bob's heard all this before.
Write an OpenVMS app with modern security. Try it. Seriously. Go try
it. Try a simple secure app-to-app network connection. Write a client
and server using a TLSv1.3 connection with full client and server
certificate verification and with a certificate revocation check, with
encrypted storage data, and with a secure password and secure private
key store, and with compatibility with commercial certificate vendors,
and call me back. This is one of the most basic operations for an app
developer writing a distributed app in 2021. And it's fundamental for
that "maybe" app server that's been referenced here. Can OpenVMS be
used here? Sure. Can all of this stuff be implemented? Absolutely. Is
the source code involved here complex and bug-prone and poorly
documented? Yes. Are these tasks easier with higher-level frameworks
available elsewhere? Of course.
--
Pure Personal Opinion | HoffmanLabs LLC
no thanks I would rather pay Process to modify decnet over IP to run in an SSH tunnel.
That doesn't even begin to address all the issues.
First, there is no absolute security, just trying to stay ahead of the
opposition.
Nothing special about DECnet, nor anything really bad about TCP/IP.
Both work. Both have issues. The key thing is being able to talk to
most of the world. DECnet has some nice pieces. But it's not practical
for non-VMS work, it currently does not support any encryption, and
there is no valid reason to re-invent any wheels.
--
David Froble Tel: 724-529-0450
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
well Dave did you see the part where I mentioned for a fee that Process will enable their decnet over IP to run in an SSH tunnel?
well Bob, did you see the part where I mentioned "talk to most of the
world"?
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: ***@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
Arne Vajhøj
2021-01-13 14:55:35 UTC
Permalink
Write an OpenVMS app with modern security. Try it. Seriously. Go try it.
Try a simple secure app-to-app network connection. Write a client and
server using a TLSv1.3 connection with full client and server
certificate verification and with a certificate revocation check, with
encrypted storage data, and with a secure password and secure private
key store, and with compatibility with commercial certificate vendors,
and call me back. This is one of the most basic operations for an app
developer writing a distributed app in 2021. And it's fundamental for
that "maybe" app server that's been referenced here. Can OpenVMS be used
here? Sure. Can all of this stuff be implemented? Absolutely. Is the
source code involved here complex and bug-prone and poorly documented?
Yes. Are these tasks easier with higher-level frameworks available
elsewhere? Of course.
No argument that VMS is behind regarding tools and libraries.

But it is not obvious to me that the stated goal requires:
* TLS 1.3 and not just 1.2+
* client side certificate verification and not just server side certificate

Arne
Stephen Hoffman
2021-01-13 15:24:53 UTC
Permalink
Post by Arne Vajhøj
Post by Stephen Hoffman
Write an OpenVMS app with modern security. Try it. Seriously. Go try
it. Try a simple secure app-to-app network connection. Write a client
and server using a TLSv1.3 connection with full client and server
certificate verification and with a certificate revocation check, with
encrypted storage data, and with a secure password and secure private
key store, and with compatibility with commercial certificate vendors,
and call me back. This is one of the most basic operations for an app
developer writing a distributed app in 2021. And it's fundamental for
that "maybe" app server that's been referenced here. Can OpenVMS be
used here? Sure. Can all of this stuff be implemented? Absolutely. Is
the source code involved here complex and bug-prone and poorly
documented? Yes. Are these tasks easier with higher-level frameworks
available elsewhere? Of course.
No argument that VMS is behind regarding tools and libraries.
* TLS 1.3 and not just 1.2+
* client side certificate verification and not just server side certificate
TLSv1.3 is current TLS, and is available within the current OpenVMS TLS kit.

Projects I've worked seek to verify both client and server identities.

Might I have accepted TLSv1.2 or later? Maybe. That makes this example
a little more involved.

Go try it, and call me back, and tell me what you think about the
development effort involved.
--
Pure Personal Opinion | HoffmanLabs LLC
Simon Clubley
2021-01-12 18:53:22 UTC
Permalink
Post by ***@gmail.com
so basically you are stating that the "OpenVMS is most secure OS on the planet" sales pitch bellowed by DEC and not so much HP marketing
over the years was just an oxymoron?
It would most accurately be described as a load of marketing bollocks.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
Dave Froble
2021-01-13 01:03:27 UTC
Permalink
Post by Simon Clubley
Post by ***@gmail.com
so basically you are stating that the "OpenVMS is most secure OS on the planet" sales pitch bellowed by DEC and not so much HP marketing
over the years was just an oxymoron?
It would most accurately be described as a load of marketing bollocks.
Isn't most marketing?
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: ***@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
Chris Scheers
2021-01-12 22:46:05 UTC
Permalink
In a similar vein, there was a bug in about the VMS 4.4 (4.6?) time
frame that allowed an unprivileged user to gain write access to SYSUAF.

I had a FORTRAN program that was about 20 lines long that could modify
any user record, including granting privileges.
Post by Stephen Hoffman
Post by Simon Clubley
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
Bob has an unshakable confidence in the validity of his one answer to
any and all computing requirements: OpenVMS.
That answer might have been ~feasible ~30 years ago.
Tasks and requirements and expectations and competition and pricing and
apps are all very different now.
Post by Simon Clubley
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
A local-privilege escalation is a local-privilege escalation. OpenVMS
has had a few. I've attached one of the more famous (earlier) examples
below.
This is where jails / sandboxes and app isolation is expected. OpenVMS
doesn't particularly isolate apps, and trying to use ACLs gets...
interesting. I've had DECinspect break my configurations, when the
lock-down tooling was used. (Back when DECinspect was in more common
usage, too.) A fair chunk of work atop SEVMS would be required from VSI
to add jails/sandboxes/isolation, particularly with integrity and
signing—secure delivery is rather more involved when the apps themselves
cannot be trusted to be free of malware and free of flaws. And then
there's app auditing and app provisioning and app updates and a variety
of other topics. Getting this all configured and going is the smaller
part of the work too. Keeping this going and keeping this secure and
apps current and isolated and secure is no small investment in time and
tooling and focus.
There's also little app development guidance available for writing
secure apps for OpenVMS, which doesn't help. The security manual omits
much that is expected of apps in this networked era.
Post by Simon Clubley
To everyone else: I keep warning you about security researchers
possibly taking a serious interest in probing VMS at some point in the
future and about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is
_exactly_ what is going to happen.
Bob and the particular "maybe" project most recently now seems moot, as
the "maybe" customer has reportedly acquired different hosting.
Ignoring that for the moment, and reviewing some other of Bob's
discussions for those that are unfamiliar...
Bob has previously recommended replacing Microsoft Windows desktops with
OpenVMS, had widely recommended OpenVMS be used within voting machinery,
and now as a high-profile and contentious "maybe" hosting project.
Could OpenVMS do these tasks? Given far too much budget and far too much
time and far too much retraining and a whole lot of work prolly yes, but
all that very far from economically and easily, and likely not securely.
Desktop: Approximately no desktop apps and no Office compatibility and
no two-factor and no modern browser for OpenVMS—that'd all have to be
found or built or added.
Embedded: Approximately no benefit and a whole lot of cost for embedded
usage, and which fundamentally doesn't address the issues and risks
involved with any embedded software.
Web hosting: Little tooling is available for running a high-profile and
contentious website and one with other issues as discussed in that
thread as well as an app that is a DDoS and intelligence service target,
and one that reportedly has problems with payment gateways and with
getting their client apps onto the major app stores. Though Bob has the
opportunity to create the necessary prototypes here, using real data
from the "maybe" API.
VSI has piles of work ahead with the x86-64 port. Little of which
includes OpenVMS for desktop and updates to the apps and tooling that
everybody* expects to have access to, little includes OpenVMS for
embedded—seL4 was previously recommended for a secure host platform for
embedded use though that too necessarily requires knowledge of and
integration with election auditing (and approximately none of this
addresses the issues Bob believes it would), and little includes OpenVMS
for high-end web hosting and related services and which typically
involves keeping a current Apache and related tooling and prolly nginx
or other web server, as well as one or more application servers (Twisted
and/or Tornado and/or Zend, etc), as well as Python. And for sites that
can be subject rapid scaling, there'll be the need for tooling to keep
OpenVMS current across a variable and potentially increasing number of
hosts, to quickly deploy patches, for geographic server distribution for
robustness and recovery and latency, log collection and analysis and
intrusion detection, and that'd have to be locally written and/or
acquired and integrated. Little of which includes app isolation, R^X,
jails, etc. And that's all before we discuss the carrying costs of
having hardware available for high or peak loads. Approximately none of
which is in the plans, and all of which already exists on other
platforms and products and apps that target these disparate markets. The
x86-64 port will have some benefits around using hosting for added
capacity and for peak loading, though that necessarily means hosting,
and it means you'll have to expect insecure or hostile peers, though
it's wise to assume your local networks also have hostile peers connected.
Can OpenVMS do this stuff? Sure. Cost-effectively, and with a
reasonable deployment timeline? Nope. VSI is working to address some of
this, and particularly for existing OpenVMS customers. The folks running
"maybe", not so much.
OPERATING SYSTEM: VAX/VMS V2.1
PRODUCT: VAX/VMS
COMPONENT: LOGINOUT
GRPNAM SECURITY HOLE IN LOGIN
The GRPNAM privilege is an evil demon, allowing the user to
invoke its secret entrance for all manner of nefarious
purposes not originally intended.
The great wizard VMS confronted the demon, raised his great
oaken staff carved in ancient runes, and spoke the magic
"$SETPRV IMAGEACTIVATIONENHANCEDPRIVILEGES $CMKRNL!!"
There was a blinding flash of light and puff of smoke, and
the demon, reduced to harmlessness, scurried off into the
distance.
Where his secret entrance had been was naught but a little
pile of ashes, which the wind slowly drifted into letters
spelling the words "FIXED IN V2.3".
--
-----------------------------------------------------------------------
Chris Scheers, Applied Synergy, Inc.

Voice: 817-237-3360 Internet: ***@applied-synergy.com
Fax: 817-237-3074
ultr...@gmail.com
2021-01-12 21:49:56 UTC
Permalink
Post by Simon Clubley
Post by D W
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for hostile environments.
As mentioned already, Linux has a number of security and isolation
features that VMS is lacking.
Post by D W
Putting each user in a RWED controlled box along with appropriate ACLs
I would assume would outclass any other solution out there, as long as VSI has terminated all of their C strings properly. :)
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
To everyone else: I keep warning you about security researchers possibly
taking a serious interest in probing VMS at some point in the future and
about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is _exactly_
what is going to happen.
Simon.
--
Walking destinations on a map are further away than they appear.
actually this is for a medium sized company who just got hit with a ransomware attack. They are tired of the hacks and expense
of trying to defeat this crap. I know someone who is high up there and told him I may be able to design an OpenVMS solution to
eliminate ransomware and malware attacks. They want to move their webserver in house to avoid shutdowns that Amazon and others are threatening.

My idea was to set up and Apache or WASD webserver since Purveyor is no longer functioning on the front end and using a decnet over IP
connection over an SSH tunnel connect to a back end server running RDB or some DB and to also send those web requests to the BE
OpenVMS server via the decnet over IP encrypted connection using Snergy DBL to process them for speed and security. Also I was going
to cluster the two systems together over the decnet over IP tunnel since the two boxes would reside in two different buildings right next
to each other so if one building burned the other would failover. This would be relatively cheap and secure solution eliminating ransomware and
malware attacks while providing 24/7 uptime I thought - until Hoffman just telling me it will not work.

So I guess OpenVMS can't stop ransomware attacks either?
Jan-Erik Söderholm
2021-01-12 22:00:01 UTC
Permalink
Post by ***@gmail.com
Post by Simon Clubley
Post by D W
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for hostile environments.
As mentioned already, Linux has a number of security and isolation
features that VMS is lacking.
Post by D W
Putting each user in a RWED controlled box along with appropriate ACLs
I would assume would outclass any other solution out there, as long as VSI has terminated all of their C strings properly. :)
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
To everyone else: I keep warning you about security researchers possibly
taking a serious interest in probing VMS at some point in the future and
about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is _exactly_
what is going to happen.
Simon.
--
Walking destinations on a map are further away than they appear.
actually this is for a medium sized company who just got hit with a ransomware attack. They are tired of the hacks and expense
of trying to defeat this crap. I know someone who is high up there and told him I may be able to design an OpenVMS solution to
eliminate ransomware and malware attacks. They want to move their webserver in house to avoid shutdowns that Amazon and others are threatening.
My idea was to set up and Apache or WASD webserver since Purveyor is no longer functioning on the front end and using a decnet over IP
connection over an SSH tunnel connect to a back end server running RDB or some DB and to also send those web requests to the BE
OpenVMS server via the decnet over IP encrypted connection using Snergy DBL to process them for speed and security. Also I was going
to cluster the two systems together over the decnet over IP tunnel since the two boxes would reside in two different buildings right next
to each other so if one building burned the other would failover. This would be relatively cheap and secure solution eliminating ransomware and
malware attacks while providing 24/7 uptime I thought - until Hoffman just telling me it will not work.
So I guess OpenVMS can't stop ransomware attacks either?
What are you waiting for? If you have the solution and a paying customer,
then just go for it!

You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers. But you need some frontend systems, not?
Where are the users accessing/using this web solution located?
Inhouse or out on the internet?

In what way are Amazon (AWS?) "and others" threatening with shutdowns?
ultr...@gmail.com
2021-01-12 22:27:05 UTC
Permalink
Post by Jan-Erik Söderholm
Post by ***@gmail.com
Post by Simon Clubley
Post by D W
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for hostile environments.
As mentioned already, Linux has a number of security and isolation
features that VMS is lacking.
Post by D W
Putting each user in a RWED controlled box along with appropriate ACLs
I would assume would outclass any other solution out there, as long as VSI has terminated all of their C strings properly. :)
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
To everyone else: I keep warning you about security researchers possibly
taking a serious interest in probing VMS at some point in the future and
about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is _exactly_
what is going to happen.
Simon.
--
Walking destinations on a map are further away than they appear.
actually this is for a medium sized company who just got hit with a ransomware attack. They are tired of the hacks and expense
of trying to defeat this crap. I know someone who is high up there and told him I may be able to design an OpenVMS solution to
eliminate ransomware and malware attacks. They want to move their webserver in house to avoid shutdowns that Amazon and others are threatening.
My idea was to set up and Apache or WASD webserver since Purveyor is no longer functioning on the front end and using a decnet over IP
connection over an SSH tunnel connect to a back end server running RDB or some DB and to also send those web requests to the BE
OpenVMS server via the decnet over IP encrypted connection using Snergy DBL to process them for speed and security. Also I was going
to cluster the two systems together over the decnet over IP tunnel since the two boxes would reside in two different buildings right next
to each other so if one building burned the other would failover. This would be relatively cheap and secure solution eliminating ransomware and
malware attacks while providing 24/7 uptime I thought - until Hoffman just telling me it will not work.
So I guess OpenVMS can't stop ransomware attacks either?
What are you waiting for? If you have the solution and a paying customer,
then just go for it!
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers. But you need some frontend systems, not?
Where are the users accessing/using this web solution located?
Inhouse or out on the internet?
In what way are Amazon (AWS?) "and others" threatening with shutdowns?
I said the front end system would be an apache or wasd webserver taking internet requests.
ultr...@gmail.com
2021-01-12 22:29:38 UTC
Permalink
Post by Jan-Erik Söderholm
Post by ***@gmail.com
Post by Simon Clubley
Post by D W
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for hostile environments.
As mentioned already, Linux has a number of security and isolation
features that VMS is lacking.
Post by D W
Putting each user in a RWED controlled box along with appropriate ACLs
I would assume would outclass any other solution out there, as long as VSI has terminated all of their C strings properly. :)
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
To everyone else: I keep warning you about security researchers possibly
taking a serious interest in probing VMS at some point in the future and
about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is _exactly_
what is going to happen.
Simon.
--
Walking destinations on a map are further away than they appear.
actually this is for a medium sized company who just got hit with a ransomware attack. They are tired of the hacks and expense
of trying to defeat this crap. I know someone who is high up there and told him I may be able to design an OpenVMS solution to
eliminate ransomware and malware attacks. They want to move their webserver in house to avoid shutdowns that Amazon and others are threatening.
My idea was to set up and Apache or WASD webserver since Purveyor is no longer functioning on the front end and using a decnet over IP
connection over an SSH tunnel connect to a back end server running RDB or some DB and to also send those web requests to the BE
OpenVMS server via the decnet over IP encrypted connection using Snergy DBL to process them for speed and security. Also I was going
to cluster the two systems together over the decnet over IP tunnel since the two boxes would reside in two different buildings right next
to each other so if one building burned the other would failover. This would be relatively cheap and secure solution eliminating ransomware and
malware attacks while providing 24/7 uptime I thought - until Hoffman just telling me it will not work.
So I guess OpenVMS can't stop ransomware attacks either?
What are you waiting for? If you have the solution and a paying customer,
then just go for it!
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers. But you need some frontend systems, not?
Where are the users accessing/using this web solution located?
Inhouse or out on the internet?
In what way are Amazon (AWS?) "and others" threatening with shutdowns?
have you been on vacation? Research Parler and other bans. Smaller business are starting to talk about pulling their web services back in house.
Jan-Erik Söderholm
2021-01-12 23:00:34 UTC
Permalink
Post by ***@gmail.com
Post by Jan-Erik Söderholm
Post by ***@gmail.com
Post by Simon Clubley
Post by D W
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for hostile environments.
As mentioned already, Linux has a number of security and isolation
features that VMS is lacking.
Post by D W
Putting each user in a RWED controlled box along with appropriate ACLs
I would assume would outclass any other solution out there, as long as VSI has terminated all of their C strings properly. :)
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
To everyone else: I keep warning you about security researchers possibly
taking a serious interest in probing VMS at some point in the future and
about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is _exactly_
what is going to happen.
Simon.
--
Walking destinations on a map are further away than they appear.
actually this is for a medium sized company who just got hit with a ransomware attack. They are tired of the hacks and expense
of trying to defeat this crap. I know someone who is high up there and told him I may be able to design an OpenVMS solution to
eliminate ransomware and malware attacks. They want to move their webserver in house to avoid shutdowns that Amazon and others are threatening.
My idea was to set up and Apache or WASD webserver since Purveyor is no longer functioning on the front end and using a decnet over IP
connection over an SSH tunnel connect to a back end server running RDB or some DB and to also send those web requests to the BE
OpenVMS server via the decnet over IP encrypted connection using Snergy DBL to process them for speed and security. Also I was going
to cluster the two systems together over the decnet over IP tunnel since the two boxes would reside in two different buildings right next
to each other so if one building burned the other would failover. This would be relatively cheap and secure solution eliminating ransomware and
malware attacks while providing 24/7 uptime I thought - until Hoffman just telling me it will not work.
So I guess OpenVMS can't stop ransomware attacks either?
What are you waiting for? If you have the solution and a paying customer,
then just go for it!
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers. But you need some frontend systems, not?
Where are the users accessing/using this web solution located?
Inhouse or out on the internet?
In what way are Amazon (AWS?) "and others" threatening with shutdowns?
have you been on vacation? Research Parler and other bans. Smaller business are starting to talk about pulling their web services back in house.
Right. So you make your platform and design decissions on whatever that
clown of a president does or doesn't? And his misuse of some services.
And Parler seems to have been a communication platform for those "national
terrorist groups" that was part of the Capitol "incident".

What has that to do with anything discussed here?

No, I have not been on vacation, I just didn't made that connection...
Stephen Hoffman
2021-01-13 01:24:29 UTC
Permalink
Post by Jan-Erik Söderholm
Right. So you make your platform and design decissions on whatever that
clown of a president does or doesn't? And his misuse of some services.
And Parler seems to have been a communication platform for those
"national terrorist groups" that was part of the Capitol "incident".
What has that to do with anything discussed here?
No, I have not been on vacation, I just didn't made that connection...
At the risk of stating the obvious... Absent those entities supporting
insurrection, sedition, or coup, or those entities involved with
activities considered illegal, approximately everybody hosting their
services on commercial hosting providers is fine. If an entity is
involved with or associated with insurrection, sedition, coup, illegal
activities, or suchlike, expect there'll be some pushback.

For those that want to rehost your existing instances on AWS or
elsewhere, that's certainly worth consideration. I suspect interest in
re-hosting on an OpenVMS cluster will thin when the quotes and the
detailed project specs and timeline arrive at the customer for
consideration. Particularly prior to the OpenVMS x86-64 port.

Bob was a strong supporter of the outgoing US President and his
policies and activities during the 2016 election. Prolly still a
proponent of the outgoing US President.

Bob was then a proponent of re-hosting voting machines over onto
OpenVMS back around 2016, too. Seemingly uninterested in information
on election auditing and related voting-assurance activities (had sent
along various pointers, too), nor interested in seL4 or other product
alternatives that have targeted high-assurance and embedded
environments.
--
Pure Personal Opinion | HoffmanLabs LLC
ultr...@gmail.com
2021-01-13 17:10:52 UTC
Permalink
Post by Stephen Hoffman
Post by Jan-Erik Söderholm
Right. So you make your platform and design decissions on whatever that
clown of a president does or doesn't? And his misuse of some services.
And Parler seems to have been a communication platform for those
"national terrorist groups" that was part of the Capitol "incident".
What has that to do with anything discussed here?
No, I have not been on vacation, I just didn't made that connection...
At the risk of stating the obvious... Absent those entities supporting
insurrection, sedition, or coup, or those entities involved with
activities considered illegal, approximately everybody hosting their
services on commercial hosting providers is fine. If an entity is
involved with or associated with insurrection, sedition, coup, illegal
activities, or suchlike, expect there'll be some pushback.
For those that want to rehost your existing instances on AWS or
elsewhere, that's certainly worth consideration. I suspect interest in
re-hosting on an OpenVMS cluster will thin when the quotes and the
detailed project specs and timeline arrive at the customer for
consideration. Particularly prior to the OpenVMS x86-64 port.
Bob was a strong supporter of the outgoing US President and his
policies and activities during the 2016 election. Prolly still a
proponent of the outgoing US President.
so businesses who support a certain political party can't purchase a vms solution? That sounds like a marketing solution DEC would make.
Post by Stephen Hoffman
Bob was then a proponent of re-hosting voting machines over onto
OpenVMS back around 2016, too. Seemingly uninterested in information
on election auditing and related voting-assurance activities (had sent
along various pointers, too), nor interested in seL4 or other product
alternatives that have targeted high-assurance and embedded
environments.
--
Pure Personal Opinion | HoffmanLabs LLC
And I still am a proponent of developing a vms voting system but the pole stations would not need a vms box, only a clustered setup in the SOS offices of each state.

Voting would be by PC or PHONE app. Verification by text or email would be used. 30 days to vote and on election day until 8pm local time. Then that is it. vms tabulates and done in an hour.

NO PAPER BALLETS. NO FRAUD. AUDIT TRAIL WOULD BE AN IP TRAIL ON VMS. SIMPLE AND EFFECTIVE.

NO ONE STANDING AT A DOMINION MACHINE CHANGING VOTES. THE ONLY ONE HAVING ACCESS WOULD BE THE SOS AND A REP FROM EACH PARTY WITH EVERY KEY STRUCK ON THE KEYBOARD AUDITED
BY THE ITANIUM TO START THE X86 EVENTUALLY.
Dave Froble
2021-01-13 19:24:05 UTC
Permalink
Post by ***@gmail.com
NO PAPER BALLETS. NO FRAUD. AUDIT TRAIL WOULD BE AN IP TRAIL ON VMS. SIMPLE AND EFFECTIVE.
NO ONE STANDING AT A DOMINION MACHINE CHANGING VOTES. THE ONLY ONE HAVING ACCESS WOULD BE THE SOS AND A REP FROM EACH PARTY WITH EVERY KEY STRUCK ON THE KEYBOARD AUDITED
BY THE ITANIUM TO START THE X86 EVENTUALLY.
Ya know Bob, I happen to agree that voting could be done better.

For example, the rules that prohibit the counting of early votes until
election day were a part of the problem. The early votes should have
been counted, but not revealed, before election day. That might have
avoided the late counting mess.

I'm able to get on my county election bureau site and confirm that my
vote was counted. But I cannot see that vote. Perhaps privacy should
not be as important as honesty at times? If every vote in the country
could be checked, then people could check their votes. Still have to
trust the software that tabulates the votes.

But, let's be fair, according to the beliefs of some people, over the
last several hundred years, there has never been an honest election.
Perhaps there was great dishonesty when Trump won in 2016? Perhaps
there was Republican stuffing of votes in states Trump won in 2020?

The problem is, in what appears to have been a rather honest election,
the losers don't want to accept the will of the people. Tell me Bob,
what happens to our democratic form of government if everyone decides to
ignore the will of the people?
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: ***@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
Stephen Hoffman
2021-01-13 21:25:01 UTC
Permalink
Post by Dave Froble
The problem is, in what appears to have been a rather honest election,
the losers don't want to accept the will of the people.
...what happens to our democratic form of government if everyone
decides to ignore the will of the people?
On our present course, we're headed for more violence, more deaths,
more racism, more misogyny, and the rest. Or we're headed for some
folks getting arrested and tried. Or prolly both.

As for voting, I'd previously spent a fair amount of time providing
non-partisan sources of information on election security, but there are
folks uninterested in learning about that well-studied topic.

Swapping in OpenVMS as an embedded system in a voting machine will do
nothing but increase the costs of the voting machines.

The same steps will still be required to ensure election integrity
regardless of the embedded software in use.

Dominion is suiing some folks for their claims, so there'll be more on
that saga as the courts progress.
--
Pure Personal Opinion | HoffmanLabs LLC
ultr...@gmail.com
2021-01-13 16:43:37 UTC
Permalink
Post by Jan-Erik Söderholm
Post by ***@gmail.com
Post by Jan-Erik Söderholm
Post by ***@gmail.com
Post by Simon Clubley
Post by D W
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for hostile environments.
As mentioned already, Linux has a number of security and isolation
features that VMS is lacking.
Post by D W
Putting each user in a RWED controlled box along with appropriate ACLs
I would assume would outclass any other solution out there, as long as VSI has terminated all of their C strings properly. :)
If that's what you think security is all about in 2021 Bob, then you
simply don't have a clue about what is involved.
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would have
made absolutely no difference.
To everyone else: I keep warning you about security researchers possibly
taking a serious interest in probing VMS at some point in the future and
about everything that could come from that.
If Bob sets up some kind of conservative social networking environment
using VMS (which it is a poor choice for anyway), then that is _exactly_
what is going to happen.
Simon.
--
Walking destinations on a map are further away than they appear.
actually this is for a medium sized company who just got hit with a ransomware attack. They are tired of the hacks and expense
of trying to defeat this crap. I know someone who is high up there and told him I may be able to design an OpenVMS solution to
eliminate ransomware and malware attacks. They want to move their webserver in house to avoid shutdowns that Amazon and others are threatening.
My idea was to set up and Apache or WASD webserver since Purveyor is no longer functioning on the front end and using a decnet over IP
connection over an SSH tunnel connect to a back end server running RDB or some DB and to also send those web requests to the BE
OpenVMS server via the decnet over IP encrypted connection using Snergy DBL to process them for speed and security. Also I was going
to cluster the two systems together over the decnet over IP tunnel since the two boxes would reside in two different buildings right next
to each other so if one building burned the other would failover. This would be relatively cheap and secure solution eliminating ransomware and
malware attacks while providing 24/7 uptime I thought - until Hoffman just telling me it will not work.
So I guess OpenVMS can't stop ransomware attacks either?
What are you waiting for? If you have the solution and a paying customer,
then just go for it!
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers. But you need some frontend systems, not?
Where are the users accessing/using this web solution located?
Inhouse or out on the internet?
In what way are Amazon (AWS?) "and others" threatening with shutdowns?
have you been on vacation? Research Parler and other bans. Smaller business are starting to talk about pulling their web services back in house.
Right. So you make your platform and design decissions on whatever that
clown of a president does or doesn't? And his misuse of some services.
And Parler seems to have been a communication platform for those "national
terrorist groups" that was part of the Capitol "incident".
What has that to do with anything discussed here?
No, I have not been on vacation, I just didn't made that connection...
many businesses are making decisions based on what those clown IT service providers like amazon apple and google are now doing as is this company.
k***@gmail.com
2021-01-13 00:29:04 UTC
Permalink
-----Original Message-----
Info-vax
Sent: January-12-21 6:30 PM
Subject: Re: [Info-vax] How would you load balance excess webserver traffic
between multiple OpenVMS servers?
Post by Jan-Erik Söderholm
Post by ***@gmail.com
Post by Simon Clubley
On Monday, January 11, 2021 at 1:21:26 PM UTC-5, Simon Clubley
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there
are already some discussions of what's involved there that are
going on else-network and which you may want to review?even if
you're not re-hosting Parler, the problems are broadly similar at
scale.
Post by Jan-Erik Söderholm
Post by ***@gmail.com
Post by Simon Clubley
Post by Simon Clubley
Ok, _that_ possibility never occurred to me when I read Bob's
original post. Do you know something that the rest of us are unaware
of ?
Post by Jan-Erik Söderholm
Post by ***@gmail.com
Post by Simon Clubley
maybe :)
Post by Simon Clubley
I would not recommend VMS as it stands today for such a
high-profile and potentially hostile environment.
you would prefer linux or windows? I thought OpenVMS was made for
hostile environments.
Post by Jan-Erik Söderholm
Post by ***@gmail.com
Post by Simon Clubley
As mentioned already, Linux has a number of security and isolation
features that VMS is lacking.
Putting each user in a RWED controlled box along with appropriate
ACLs I would assume would outclass any other solution out there,
as long as VSI has terminated all of their C strings properly. :)
If that's what you think security is all about in 2021 Bob, then
you simply don't have a clue about what is involved.
BTW, you don't even have to go through security, you can go around it.
That's exactly what I did and all the protections and ACLs would
have made absolutely no difference.
To everyone else: I keep warning you about security researchers
possibly taking a serious interest in probing VMS at some point in
the future and about everything that could come from that.
If Bob sets up some kind of conservative social networking
environment using VMS (which it is a poor choice for anyway), then
that is _exactly_ what is going to happen.
Simon.
--
Walking destinations on a map are further away than they appear.
actually this is for a medium sized company who just got hit with a
ransomware attack. They are tired of the hacks and expense of trying
to defeat this crap. I know someone who is high up there and told him I
may be able to design an OpenVMS solution to eliminate ransomware and
malware attacks. They want to move their webserver in house to avoid
shutdowns that Amazon and others are threatening.
Post by Jan-Erik Söderholm
Post by ***@gmail.com
My idea was to set up and Apache or WASD webserver since Purveyor is
no longer functioning on the front end and using a decnet over IP
connection over an SSH tunnel connect to a back end server running
RDB or some DB and to also send those web requests to the BE OpenVMS
server via the decnet over IP encrypted connection using Snergy DBL
to process them for speed and security. Also I was going to cluster the two
systems together over the decnet over IP tunnel since the two boxes would
reside in two different buildings right next to each other so if one building
burned the other would failover. This would be relatively cheap and secure
solution eliminating ransomware and malware attacks while providing 24/7
uptime I thought - until Hoffman just telling me it will not work.
Post by Jan-Erik Söderholm
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
What are you waiting for? If you have the solution and a paying
customer, then just go for it!
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers. But you need some frontend systems, not?
Where are the users accessing/using this web solution located?
Inhouse or out on the internet?
In what way are Amazon (AWS?) "and others" threatening with shutdowns?
have you been on vacation? Research Parler and other bans. Smaller business
are starting to talk about pulling their web services back in house.
Well, business ethics "should" always be a part of any new business opportunity.

However, just because something is technically possible, does not mean it is something that a company should ethically do.

Unfortunately, where $'s are concerned, business ethics all to often takes a back seat.

Re: moving cloud solutions back in-house. This has been starting to happen increasingly as companies realize the real costs of outsourcing (aka public cloud solutions). Many are moving to private cloud on-prem solutions, but with new service models that provides similar or better services as Cloud providers in terms of provisioning, workload orchestration, smart ticketing (Service desk integration), higher customized security solutions that are integrated with their own NOC's and service desks, synthetic transaction monitoring with service desk integration etc.

Re: OpenVMS high volume solutions.

Most companies designing a high-volume web site would never use just the basic tools one gets with any native OS platform. They would customize and often use third party tools and/or COTS products to enhance the overall security and/or technical aspects of the target solution.

This would be the same approach using OpenVMS in any high-volume opportunity.

As an example, additional security and/or TCPIP and/or web products for the OpenVMS server components of a new high-volume solution might be to use:

- WASD Web Server
<https://wasd.vsm.com.au/wasd_root/>

- System Detective from PointSecure
<https://pointsecure.com/products/system-detective/>

- PointAudit from PointSecure
<https://pointsecure.com/products/pointaudit/>

- Multinet TCPIP from Process Software
<http://www.process.com/products/multinet/whats_new.html>

- Multinet VMS Authentication Module (LDAP, AD, Radius integration)
<http://www.process.com/products/vam/index.html>

- ISE Job Scheduling and backups in multi-platform environment
<https://www.i-s-e.com/>

Regards,

Kerry Main
Kerry dot main at starkgaming dot com
--
This email has been checked for viruses by AVG.
https://www.avg.com
ultr...@gmail.com
2021-01-13 16:48:45 UTC
Permalink
Post by k***@gmail.com
-----Original Message-----
Info-vax
Sent: January-12-21 6:30 PM
Subject: Re: [Info-vax] How would you load balance excess webserver traffic
between multiple OpenVMS servers?
On Monday, January 11, 2021 at 1:21:26 PM UTC-5, Simon Clubley
Regards,
Kerry Main
Kerry dot main at starkgaming dot com
--
This email has been checked for viruses by AVG.
https://www.avg.com
thanks I'm already aware of those but I would run TCPware over multinet. It runs faster. I did the testing years ago
before I selected TCPware. And yes I know about IPV6 but that can be addressed down the road if it ever fully materializes.
Arne Vajhøj
2021-01-13 00:43:33 UTC
Permalink
Post by ***@gmail.com
Post by Jan-Erik Söderholm
Post by ***@gmail.com
They want to move their webserver in house to avoid shutdowns that Amazon and others are threatening.
In what way are Amazon (AWS?) "and others" threatening with shutdowns?
have you been on vacation? Research Parler and other bans. Smaller business are starting to talk about pulling their web services back in house.
No.

Only certain types of businesses have that problem: facilitation of
copyright violations, facilitation of prostitution, facilitation
of illegal gambling etc. - and now facilitation of conspiracy
theories leading to murder has been added to the list.

But 99.99+% of businesses do not have to worry.

Arne
Simon Clubley
2021-01-13 13:22:53 UTC
Permalink
Post by Jan-Erik Söderholm
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers.
What on earth makes you say that ???

In the early days of Linux, some people thought that it was immune to
the same security problems that Windows was suffering from at the time.

That mindset lasted only until Linux became popular enough to make it
worthwhile to probe for security issues.

To the credit of the Linux community however, they seriously improved
things as a result of these early probing efforts and hence made Linux
more secure.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
Jan-Erik Söderholm
2021-01-13 14:15:09 UTC
Permalink
Post by Simon Clubley
Post by Jan-Erik Söderholm
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers.
What on earth makes you say that ???
The "ransomeware" attacs are done against the system where a mail client
or a browser is running. None of that has any usage on VMS.
Post by Simon Clubley
Until it becomes popular enough or high-profile enough.....
Right. Or when pigs fly.
Stephen Hoffman
2021-01-13 15:20:42 UTC
Permalink
Post by Jan-Erik Söderholm
Post by Simon Clubley
Post by Jan-Erik Söderholm
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers.
What on earth makes you say that ???
The "ransomeware" attacs are done against the system where a mail
client or a browser is running. None of that has any usage on VMS.
"Nice web site you got there friend. It'd be a shame if somebody DDoS'd
you off the 'net."

As has happened.

DDoS rates above 300 GBps have happened.

One DDoS I worked involving OpenVMS. That DDoS clobbered network
traffic. The DDoS traffic was using NTP reflection bug within OpenVMS.
That NTP bug got fixed a while back. In this case, the folks weren't
even targeting OpenVMS itself, just a flaw in OpenVMS, and their use of
that flaw knocked access to a crawl. They weren't even ransoming
OpenVMS network access, OpenVMS itself was "participating" in the DDoS
of somebody else to the extent of its internet connection.
--
Pure Personal Opinion | HoffmanLabs LLC
ultr...@gmail.com
2021-01-13 17:18:00 UTC
Permalink
Post by Stephen Hoffman
Post by Jan-Erik Söderholm
Post by Simon Clubley
Post by Jan-Erik Söderholm
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers.
What on earth makes you say that ???
The "ransomeware" attacs are done against the system where a mail
client or a browser is running. None of that has any usage on VMS.
"Nice web site you got there friend. It'd be a shame if somebody DDoS'd
you off the 'net."
As has happened.
DDoS rates above 300 GBps have happened.
One DDoS I worked involving OpenVMS. That DDoS clobbered network
traffic. The DDoS traffic was using NTP reflection bug within OpenVMS.
That NTP bug got fixed a while back. In this case, the folks weren't
even targeting OpenVMS itself, just a flaw in OpenVMS, and their use of
that flaw knocked access to a crawl. They weren't even ransoming
OpenVMS network access, OpenVMS itself was "participating" in the DDoS
of somebody else to the extent of its internet connection.
--
Pure Personal Opinion | HoffmanLabs LLC
TOO BAD THEY DIDN'T THINK OF HIRING A DDOS FILTERING COMPANY TO HANDLE THAT FOR YOU.
Jan-Erik Söderholm
2021-01-13 19:08:29 UTC
Permalink
Post by Jan-Erik Söderholm
Post by Simon Clubley
Post by Jan-Erik Söderholm
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers.
What on earth makes you say that ???
The "ransomeware" attacs are done against the system where a mail client
or a browser is running. None of that has any usage on VMS.
"Nice web site you got there friend. It'd be a shame if somebody DDoS'd you
off the 'net."
DDos != ransomware

DDos is another area of problems...
Arne Vajhøj
2021-01-13 19:17:49 UTC
Permalink
Post by Jan-Erik Söderholm
Post by Stephen Hoffman
Post by Jan-Erik Söderholm
Post by Simon Clubley
Post by Jan-Erik Söderholm
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers.
What on earth makes you say that ???
The "ransomeware" attacs are done against the system where a mail
client or a browser is running. None of that has any usage on VMS.
"Nice web site you got there friend. It'd be a shame if somebody
DDoS'd you off the 'net."
DDos != ransomware
DDos is another area of problems...
Yes - totally different.

But still not something running VMS on the web server will help solve.

Arne
Stephen Hoffman
2021-01-13 15:12:25 UTC
Permalink
Post by Simon Clubley
Post by Jan-Erik Söderholm
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers.
What on earth makes you say that ???
There's also that hosting a high-profile and controversial web site—a
site such as Parler, for instance—makes any platform into a target.
Even if the site is not breached—which is a questionable starting
position particularly for a high-profile and controversial site—a
self-hosted site can be targeted for ransom with a DDoS. Few outside
CDNs and DDoS providers and government-scale entities will have the
available and distributed network bandwidth to continue operations
during a DDoS. Krebs was hit with 363 GBps sustained several years ago,
and I'd expect larger are now possible. And a self-hosted site that
gets DDoS'd also means self-hosted mail and other local activities are
all offline, too. DDoS ransoms happen. Even if the host itself is not
breached, which is what Jan-Erik is assuming. (Not everybody can
redirect their DNS records to Mossad during a DDoS. Yes, that's
happened.)

As for the general configuration and general question.... I suspect
this'll all end when Bob gets quoted a price somewhere above USD$50K
for a couple of hosts and for clustering, and as the envisioned cluster
config won't be robust as two-host clusters as clusters absent quorum
disk are primary-secondary only. One similar config was USD$60K for a
pair of low-end Alpha boxes, clustered.

With newer (not new) Itanium server hardware, and with more storage and
storage and I/O hardware for redundancy and backups and other sundry
parts, USD$100K wouldn't surprise.

And that configuration was pre-SaaS licensing, so there'll be ongoing
support payments with the new configurations. The new OpenVMS product
licenses have termination dates.

And if Rdb is the preferred database behind that hilarious database
configuration, well, I haven't seen a quote for that recently, but the
quotes I have seen for Rdb have generally been prodigious.

And that's before we discuss the costs and effort involved in
configuring and deploying and maintaining the software involved.
Various of which will have to be locally developed, usually including
maintenance, security and auditing, backups, and other such scripting.

TL;DR: interest in most of these OpenVMS new-cluster projects seem to
evaporate around the time the quotes are received. Whether these folks
end up remaining on AWS or other hosting, or pay for local Windows or
Linux or BSD or OpenVMS or otherwise, on local hardware? An
organization involved with legitimate activities and not otherwise
threatening to bomb Amazon data centers or ilk is not at risk of
getting kicked off AWS. If allegations of treasons or criminal
activities potentially arise as part of your business plan, yes, y'all
will probably want to host elsewhere, and else-domain.


ps: When self-hosting "everything", don't assume that locally-hosted
mail will arrive at the destination. Various (big) providers will
simply drop arriving mail from low-reputation or no-reputation mail
servers, and whether configured with DANE, SPF, DKIM and DMARC, or
otherwise.
--
Pure Personal Opinion | HoffmanLabs LLC
Arne Vajhøj
2021-01-13 15:27:45 UTC
Permalink
On a somewhat different trail.

There is a lot of posts here about high profile targets and
the fact that some may consider taking such down an interesting
challenge.

Just note that even though those guys can be dangerous, then
there are other guys that are even more dangerous.

Those with practically unlimited resources, practically
no risk of ever getting caught and no desire for
publicity. Those that today are often called "state actors".

They have resources and skills. And they may breach a system,
steal data and leave with as little evidence as possible left behind.

Arne
ultr...@gmail.com
2021-01-13 17:23:47 UTC
Permalink
Post by Stephen Hoffman
Post by Simon Clubley
Post by Jan-Erik Söderholm
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers.
What on earth makes you say that ???
There's also that hosting a high-profile and controversial web site—a
site such as Parler, for instance—makes any platform into a target.
Even if the site is not breached—which is a questionable starting
position particularly for a high-profile and controversial site—a
self-hosted site can be targeted for ransom with a DDoS. Few outside
CDNs and DDoS providers and government-scale entities will have the
available and distributed network bandwidth to continue operations
during a DDoS. Krebs was hit with 363 GBps sustained several years ago,
and I'd expect larger are now possible. And a self-hosted site that
gets DDoS'd also means self-hosted mail and other local activities are
all offline, too. DDoS ransoms happen. Even if the host itself is not
breached, which is what Jan-Erik is assuming. (Not everybody can
redirect their DNS records to Mossad during a DDoS. Yes, that's
happened.)
As for the general configuration and general question.... I suspect
this'll all end when Bob gets quoted a price somewhere above USD$50K
for a couple of hosts and for clustering, and as the envisioned cluster
config won't be robust as two-host clusters as clusters absent quorum
disk are primary-secondary only. One similar config was USD$60K for a
pair of low-end Alpha boxes, clustered.
With newer (not new) Itanium server hardware, and with more storage and
storage and I/O hardware for redundancy and backups and other sundry
parts, USD$100K wouldn't surprise.
And that configuration was pre-SaaS licensing, so there'll be ongoing
support payments with the new configurations. The new OpenVMS product
licenses have termination dates.
And if Rdb is the preferred database behind that hilarious database
configuration, well, I haven't seen a quote for that recently, but the
quotes I have seen for Rdb have generally been prodigious.
And that's before we discuss the costs and effort involved in
configuring and deploying and maintaining the software involved.
Various of which will have to be locally developed, usually including
maintenance, security and auditing, backups, and other such scripting.
TL;DR: interest in most of these OpenVMS new-cluster projects seem to
evaporate around the time the quotes are received. Whether these folks
end up remaining on AWS or other hosting, or pay for local Windows or
Linux or BSD or OpenVMS or otherwise, on local hardware? An
organization involved with legitimate activities and not otherwise
threatening to bomb Amazon data centers or ilk is not at risk of
getting kicked off AWS. If allegations of treasons or criminal
activities potentially arise as part of your business plan, yes, y'all
will probably want to host elsewhere, and else-domain.
ps: When self-hosting "everything", don't assume that locally-hosted
mail will arrive at the destination. Various (big) providers will
simply drop arriving mail from low-reputation or no-reputation mail
servers, and whether configured with DANE, SPF, DKIM and DMARC, or
otherwise.
--
Pure Personal Opinion | HoffmanLabs LLC
YOU KNOW HAVING A DECNET OVER IP SSH CONNECTION TO THE OTHER BUILDING GIVES ME OTHER WAYS TO CREATE REDUNDANCY
BESIDES CLUSTERING, RIGHT?
Phillip Helbig (undress to reply)
2021-01-13 16:30:51 UTC
Permalink
Post by Jan-Erik Söderholm
The "ransomeware" attacs are done against the system where a mail client
or a browser is running. None of that has any usage on VMS.
???
Jan-Erik Söderholm
2021-01-13 19:09:07 UTC
Permalink
Post by Jan-Erik Söderholm
The "ransomeware" attacs are done against the system where a mail client
or a browser is running. None of that has any usage on VMS.
???
???
ultr...@gmail.com
2021-01-13 16:58:11 UTC
Permalink
Post by Simon Clubley
Post by Jan-Erik Söderholm
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers.
What on earth makes you say that ???
In the early days of Linux, some people thought that it was immune to
the same security problems that Windows was suffering from at the time.
That mindset lasted only until Linux became popular enough to make it
worthwhile to probe for security issues.
To the credit of the Linux community however, they seriously improved
things as a result of these early probing efforts and hence made Linux
more secure.
Simon.
--
Walking destinations on a map are further away than they appear.
so secure that the ransomware attacks continue to this day
Arne Vajhøj
2021-01-13 17:58:10 UTC
Permalink
Post by ***@gmail.com
Post by Simon Clubley
Post by Jan-Erik Söderholm
You will not get any ransomeware attacks (not any successfull ones at
least) on your VMS servers.
What on earth makes you say that ???
In the early days of Linux, some people thought that it was immune to
the same security problems that Windows was suffering from at the time.
That mindset lasted only until Linux became popular enough to make it
worthwhile to probe for security issues.
To the credit of the Linux community however, they seriously improved
things as a result of these early probing efforts and hence made Linux
more secure.
so secure that the ransomware attacks continue to this day
Not many ransomware attacks on Linux servers.

Arne
Arne Vajhøj
2021-01-13 00:37:31 UTC
Permalink
Post by ***@gmail.com
actually this is for a medium sized company who just got hit with a ransomware attack. They are tired of the hacks and expense
of trying to defeat this crap. I know someone who is high up there and told him I may be able to design an OpenVMS solution to
eliminate ransomware and malware attacks.
????

I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.

The likelihood of the VMS server itself being attacked
is probably very small. Servers in general are rarely
hit by that type of attack. The malware creator will
most likely not want to target VMS. And the typical
attack form of emails with attachments or links does
not work with VMS MAIL.

Arne
Phillip Helbig (undress to reply)
2021-01-13 10:47:08 UTC
Permalink
Post by Arne Vajhøj
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
Jan-Erik Söderholm
2021-01-13 11:27:35 UTC
Permalink
Post by Phillip Helbig (undress to reply)
Post by Arne Vajhøj
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
What else will create the http calls for the web server?
Dave Froble
2021-01-13 19:37:39 UTC
Permalink
Post by Jan-Erik Söderholm
Post by Phillip Helbig (undress to reply)
Post by Arne Vajhøj
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
What else will create the http calls for the web server?
Me ...

I have software that originates HTTP requests. No PC or WEENDOZE
involved. It also is sort of harsh with unexpected replys.
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: ***@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
Phillip Helbig (undress to reply)
2021-01-13 11:51:16 UTC
Permalink
Post by Jan-Erik Söderholm
Post by Phillip Helbig (undress to reply)
Post by Arne Vajhøj
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
What else will create the http calls for the web server?
Customers? If I understood correctly, the front end for the application
is the web server. It is accessed by customers outside the company.
Yes, they might use PCs, they might use something else (a tablet or
smartphone, perhaps?).
Jan-Erik Söderholm
2021-01-13 12:07:47 UTC
Permalink
Post by Phillip Helbig (undress to reply)
Post by Jan-Erik Söderholm
Post by Phillip Helbig (undress to reply)
Post by Arne Vajhøj
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
What else will create the http calls for the web server?
Customers? If I understood correctly, the front end for the application
is the web server. It is accessed by customers outside the company.
Yes, they might use PCs, they might use something else (a tablet or
smartphone, perhaps?).
Right. So then there is PC's involved. What do you find most
likely? That there are client PCs or that there aren't?
Phillip Helbig (undress to reply)
2021-01-13 16:29:47 UTC
Permalink
Post by Jan-Erik Söderholm
Post by Phillip Helbig (undress to reply)
Post by Jan-Erik Söderholm
Post by Phillip Helbig (undress to reply)
Post by Arne Vajhøj
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
What else will create the http calls for the web server?
Customers? If I understood correctly, the front end for the application
is the web server. It is accessed by customers outside the company.
Yes, they might use PCs, they might use something else (a tablet or
smartphone, perhaps?).
Right. So then there is PC's involved. What do you find most
likely? That there are client PCs or that there aren't?
But those are beyond the control of the person implementing the VMS
solution.
ultr...@gmail.com
2021-01-13 16:56:17 UTC
Permalink
Post by Jan-Erik Söderholm
Post by Phillip Helbig (undress to reply)
Post by Arne Vajhøj
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
What else will create the http calls for the web server?
Customers? If I understood correctly, the front end for the application
is the web server. It is accessed by customers outside the company.
Yes, they might use PCs, they might use something else (a tablet or
smartphone, perhaps?).
not only customers but also internal https calls. ("isn't everything https in these days :)")
Dave Froble
2021-01-13 19:40:00 UTC
Permalink
Post by ***@gmail.com
Post by Jan-Erik Söderholm
Post by Phillip Helbig (undress to reply)
Post by Arne Vajhøj
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
What else will create the http calls for the web server?
Customers? If I understood correctly, the front end for the application
is the web server. It is accessed by customers outside the company.
Yes, they might use PCs, they might use something else (a tablet or
smartphone, perhaps?).
not only customers but also internal https calls. ("isn't everything https in these days :)")
No!
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: ***@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
Dave Froble
2021-01-13 19:38:33 UTC
Permalink
Post by Phillip Helbig (undress to reply)
Post by Jan-Erik Söderholm
Post by Phillip Helbig (undress to reply)
Post by Arne Vajhøj
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
What else will create the http calls for the web server?
Customers? If I understood correctly, the front end for the application
is the web server. It is accessed by customers outside the company.
Yes, they might use PCs, they might use something else (a tablet or
smartphone, perhaps?).
Or VMS ...
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: ***@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
Arne Vajhøj
2021-01-13 14:39:26 UTC
Permalink
Post by Phillip Helbig (undress to reply)
Post by Arne Vajhøj
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
For ransomware attacks typical yes.

Arne
ultr...@gmail.com
2021-01-13 16:53:58 UTC
Permalink
Post by Phillip Helbig (undress to reply)
Post by Arne Vajhøj
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
A VMS server will obviously not preventing Windows office PC's
from getting attacked.
Are there any office PCs involved at all?
sure, that is where Powerterm would come in
Simon Clubley
2021-01-13 13:35:34 UTC
Permalink
Post by Arne Vajhøj
Post by ***@gmail.com
actually this is for a medium sized company who just got hit with a ransomware attack. They are tired of the hacks and expense
of trying to defeat this crap. I know someone who is high up there and told him I may be able to design an OpenVMS solution to
eliminate ransomware and malware attacks.
????
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
No. That's the common initial entry point. It's not the final resting
place for such attacks.

For example:

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

It spread using network shares to attack other computers. Note that
multiple Windows Server versions are listed there.

There are also dedicated server ransomware attacks:

https://www.zdnet.com/article/this-unusual-new-ransomware-is-going-after-servers/
Post by Arne Vajhøj
The likelihood of the VMS server itself being attacked
is probably very small.
Until it becomes popular enough or high-profile enough to be
worthwhile attacking.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
Arne Vajhøj
2021-01-13 14:38:33 UTC
Permalink
Post by Simon Clubley
Post by Arne Vajhøj
Post by ***@gmail.com
actually this is for a medium sized company who just got hit with a ransomware attack. They are tired of the hacks and expense
of trying to defeat this crap. I know someone who is high up there and told him I may be able to design an OpenVMS solution to
eliminate ransomware and malware attacks.
????
I believe ransomware attacks typical infect the office PC's, so changing
the web server from Linux/Windows to VMS will not help.
No. That's the common initial entry point. It's not the final resting
place for such attacks.
The common mo is to encrypt desktop PC's hard drive and ask for ransom.
Post by Simon Clubley
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
It spread using network shares to attack other computers. Note that
multiple Windows Server versions are listed there.
Servers were impacted as well since the vulnerability impacted those
as well.

But per the same Wikipedia article 98% of the infected computers were
running Windows 7.
Post by Simon Clubley
https://www.zdnet.com/article/this-unusual-new-ransomware-is-going-after-servers/
Yes. And? "typical" does not imply "all".

Arne
Dave Froble
2021-01-13 01:20:36 UTC
Permalink
Post by ***@gmail.com
actually this is for a medium sized company who just got hit with a ransomware attack.
Anyone hit by ransomware probably deserves it. I don't blame the
hackers, I blame the "bank that stores it's cash on the front sidewalk".
Post by ***@gmail.com
They are tired of the hacks and expense
of trying to defeat this crap.
That is the only thing that could have a chance of stopping the hacking.
Try for some reasonable security, rather than "everyone else does it".
Post by ***@gmail.com
I know someone who is high up there and told him I may be able to design an OpenVMS solution to
eliminate ransomware and malware attacks.
Well, maybe. It will depend upon lots of things. Right now I doubt any
of the hacker's tools would do much on VMS, but, as Simon warns, there
is no reason they could not be designed to do so.
Post by ***@gmail.com
They want to move their webserver in house to avoid shutdowns that Amazon and others are threatening.
Getting a hold on one's own data and apps is always a good first step.
Post by ***@gmail.com
My idea was to set up and Apache or WASD webserver since Purveyor is no longer functioning on the front end
I'd suggest WASD, however, I know little about setting up a web server.
Post by ***@gmail.com
and using a decnet over IP
connection over an SSH tunnel
Forget DECnet. TCP/IP will do the job, if used properly. Avoid all the
"middleware" and work at the bottom, using sockets. The hackers will be
familiar with much of the middleware. If you carefully design
communication protocols that are unknown to the hackers, that is a big
first step. Apps must be able to vet communications, and reject
anything other than what's expected, before letting any work be done on
the messages.
Post by ***@gmail.com
connect to a back end server running RDB or some DB and to also send those web requests to the BE
OpenVMS server via the decnet over IP encrypted connection using Snergy DBL to process them for speed and security. Also I was going
to cluster the two systems together over the decnet over IP tunnel since the two boxes would reside in two different buildings right next
to each other so if one building burned the other would failover. This would be relatively cheap and secure solution eliminating ransomware and
malware attacks while providing 24/7 uptime I thought - until Hoffman just telling me it will not work.
The wizard is not all powerful ..

:-)
Post by ***@gmail.com
So I guess OpenVMS can't stop ransomware attacks either?
I doubt current tools used for ransomware would work on VMS. That's a
good beginning.

For ransomware to work, it must be able to access and update your data.
That's non-trivial, unless one uses tools that easily such. Don't use
such tools. Don't allow easy access to the data. Backups to
non-rewritable storage and tightly controlled would allow quick recovery.

Lots of possibilities. But not when you store your cash on the front
sidewalk. Security by obscurity is one of the best types of security.
Security by the opposition not even knowing the data exists is even better.

But, there is no such thing as absolute security.
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: ***@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
D W
2021-01-11 19:06:21 UTC
Permalink
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
Simon.
--
Walking destinations on a map are further away than they appear.
of course you are at the mercy of the webserver and whether or not they have
proper null termination.

What is the record of security holes on Apache OpenVMS?

What about WASD? Is it as good as Purveyor's Mark? :)
Stephen Hoffman
2021-01-11 19:16:35 UTC
Permalink
Post by Simon Clubley
Post by Stephen Hoffman
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review?even if you're not
re-hosting Parler, the problems are broadly similar at scale.
Ok, _that_ possibility never occurred to me when I read Bob's original
post. Do you know something that the rest of us are unaware of ?
I do not know the goal here, nor the requirements and expectations here
past what has been posted, as D W / Bob / OP has not chosen to be
forthcoming on those details.

Parler is a "for instance" web-hosting and database configuration
example from current times, with very recent discussions of risks and
scale and trade-offs involved, and all of which can be learned from.

Whether hosting Parler on OpenVMS might be the goal here? I do not know.
Post by Simon Clubley
I would not recommend VMS as it stands today for such a high-profile
and potentially hostile environment.
Nor would I.

And I'd question the use of the word "potentially" there, in the case
of Parler.

The folks that are running Parler are seemingly learning about some of
these risks and related concerns, too.

This as the Parler data has been breached/dumped/hacked. And that's
including EXIF data and supposedly-deleted data. This per unverified
reports.
--
Pure Personal Opinion | HoffmanLabs LLC
D W
2021-01-11 18:55:17 UTC
Permalink
Post by Stephen Hoffman
Post by D W
There are MULTIPLE different approaches to doing this. Most involve
HTTP (web) cookies and may involve DNS round robin load balancing or
load balancers.
But how would this be accomplished using Apache or another web package on OpenVMS?
If locked into that configuration, with mod_proxy_balancer most likely.
Same as with Apache elsewhere.
Post by D W
Would you use the same approach?
mod_proxy_balancer or reverse-proxies or redirects or such? Prolly not.
Depends. There's a whole lot of necessary detail here. Detail that's
not yet been referenced.
Post by D W
Also if you house a DB like RDB on a separate OpenVMS server, what
would be the fastest connect solution to obtain the fastest data
transport rates between the DB server and other web servers?
That depends. Sharing is a potential option, as can be replacing Rdb
with something faster; an in-memory database, for instance. Or using a
CDN, which can provide the bandwidth and DDoS protections and
geographic distribution, among other benefits.
Other options include clustering and fibre channel and moving Rdb
locally (which'll increase lock traffic), or moving to the fastest
available network between the web servers and the database server.
This also involves performance and trend modeling, and likely involves
replacing HDDs with SSDs and related efforts on the servers, as I'd
expect a heavier load between Rdb and its database storage than between
Rdb and the database client web servers.
If you're thinking about a Parler-class app for instance, there are
already some discussions of what's involved there that are going on
else-network and which you may want to review—even if you're not
re-hosting Parler, the problems are broadly similar at scale.
--
Pure Personal Opinion | HoffmanLabs LLC
so are we saying here that decnet over a fibre channel connection is the fastest solution?
Stephen Hoffman
2021-01-11 19:03:31 UTC
Permalink
...so are we saying here that decnet over a fibre channel connection is
the fastest solution?
DECnet does not operate over Fibre Channel connections.

OpenVMS does not support Fibre Channel for Host-Bus-Adapter-to-HBA
host-to-host communications.

OpenVMS does support Fibre Channel for HBA-to-storage.

FC is a cluster storage connection, not a cluster communications connection.

In this case, moving Rdb activity co-resident with the web server
within a cluster *might* provide better performance, if it's
Rdb-to-database that's the constraint.

Without far more details on what's going on here, scale, load, budget,
current bottlenecks, budget, security risks, etc., there's little in
the way of recommendations.

And I'd discourage the use of DECnet in any new configuration
generally, as DECnet links are unencrypted and unauthenticated.
--
Pure Personal Opinion | HoffmanLabs LLC
D W
2021-01-11 19:11:35 UTC
Permalink
Post by Stephen Hoffman
...so are we saying here that decnet over a fibre channel connection is
the fastest solution?
DECnet does not operate over Fibre Channel connections.
OpenVMS does not support Fibre Channel for Host-Bus-Adapter-to-HBA
host-to-host communications.
OpenVMS does support Fibre Channel for HBA-to-storage.
FC is a cluster storage connection, not a cluster communications connection.
In this case, moving Rdb activity co-resident with the web server
within a cluster *might* provide better performance, if it's
Rdb-to-database that's the constraint.
Without far more details on what's going on here, scale, load, budget,
current bottlenecks, budget, security risks, etc., there's little in
the way of recommendations.
And I'd discourage the use of DECnet in any new configuration
generally, as DECnet links are unencrypted and unauthenticated.
--
Pure Personal Opinion | HoffmanLabs LLC
no that is not true. For a small fee Process Software will modify tcpware to allow their decnet over IP to run over an SSH tunnel. I considered doing that with my 33 node decnet over IP connections years ago.
Phillip Helbig (undress to reply)
2021-01-11 21:01:51 UTC
Permalink
Post by Stephen Hoffman
And I'd discourage the use of DECnet in any new configuration
generally, as DECnet links are unencrypted and unauthenticated.
Of course, but presumably here the machines with the Rdb database would
be connected to the webservers via a dedicated connection, i.e. no way
to get to them unless you get to the machines they're connected to, in
which case you've probably lost anyway.
Stephen Hoffman
2021-01-11 21:22:06 UTC
Permalink
Post by Phillip Helbig (undress to reply)
Post by Stephen Hoffman
And I'd discourage the use of DECnet in any new configuration
generally, as DECnet links are unencrypted and unauthenticated.
Of course, but presumably here the machines with the Rdb database would
be connected to the webservers via a dedicated connection, i.e. no way
to get to them unless you get to the machines they're connected to, in
which case you've probably lost anyway.
If DECnet, FTP, telnet, and other similar giblets from those earlier
eras are your preference or fit your requirements, have at.

I prefer to avoid assuming that the local network is secure, that the
local network can even be secured, and further prefer to avoid
implementing apps with insecure, unauthenticated, and feature-frozen
communications.

This whether during app overhauls, or within new-app work.
--
Pure Personal Opinion | HoffmanLabs LLC
Simon Clubley
2021-01-12 13:23:20 UTC
Permalink
Post by Phillip Helbig (undress to reply)
Post by Stephen Hoffman
And I'd discourage the use of DECnet in any new configuration
generally, as DECnet links are unencrypted and unauthenticated.
Of course, but presumably here the machines with the Rdb database would
be connected to the webservers via a dedicated connection, i.e. no way
to get to them unless you get to the machines they're connected to, in
which case you've probably lost anyway.
It's called defence in depth Phillip.

The idea is that if one part of your network gets compromised you want
to try and keep attackers isolated to that one part of your network.

IOW, just because one part of your network gets compromised, it doesn't
have to mean that the whole network gets compromised provided you have
designed things in that way. That means no unencrypted communications
on your internal networks however as attackers could use that to drill
deeper into the rest of your network.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
Dirk Munk
2021-01-13 14:03:47 UTC
Permalink
Post by D W
There are MULTIPLE different approaches to doing this. Most involve HTTP (web) cookies and may involve DNS round robin load balancing or load balancers.
But how would this be accomplished using Apache or another web package on OpenVMS?
Would you use the same approach?
Also if you house a DB like RDB on a separate OpenVMS server, what would be the fastest connect solution to obtain the fastest data transport rates between the DB server and other web servers?
First of all, I would look at WASD, and not Apache. WASD is (at least)
VMS Cluster aware, and is much and much more powerful (performance) than
Apache, at least it was the last time I looked.

You could use a DNS server with round robin functionality. That way you
can use multiple IP interfaces on one VMS server, as well as more VMS
servers.

Perhaps you can use DECRAM , however it has not been ported to x86-64
yet. Don't know how difficult that would be. DECRAM disks behave like
normal disks, so shadowing etc. is supported.
Arne Vajhøj
2021-01-13 14:43:29 UTC
Permalink
Post by Dirk Munk
First of all, I would look at WASD, and not Apache. WASD is (at least)
VMS Cluster aware, and is much and much more powerful (performance) than
Apache, at least it was the last time I looked.
The Apache install spread stuff out in specific and common, so I suppose
it is "cluster aware" as well.

BTW, I think that Apache spread out is a bad idea. It is confusing and
provide little value.

Arne
ultr...@gmail.com
2021-01-13 17:13:20 UTC
Permalink
Post by Arne Vajhøj
Post by Dirk Munk
First of all, I would look at WASD, and not Apache. WASD is (at least)
VMS Cluster aware, and is much and much more powerful (performance) than
Apache, at least it was the last time I looked.
The Apache install spread stuff out in specific and common, so I suppose
it is "cluster aware" as well.
BTW, I think that Apache spread out is a bad idea. It is confusing and
provide little value.
Arne
ALSO APACHE JUST DID NOT PERFORM WELL ON OUR ALPHAS COMPARED TO PURVEYOR.
ultr...@gmail.com
2021-01-13 17:01:18 UTC
Permalink
Post by Dirk Munk
Post by D W
There are MULTIPLE different approaches to doing this. Most involve HTTP (web) cookies and may involve DNS round robin load balancing or load balancers.
But how would this be accomplished using Apache or another web package on OpenVMS?
Would you use the same approach?
Also if you house a DB like RDB on a separate OpenVMS server, what would be the fastest connect solution to obtain the fastest data transport rates between the DB server and other web servers?
First of all, I would look at WASD, and not Apache. WASD is (at least)
VMS Cluster aware, and is much and much more powerful (performance) than
Apache, at least it was the last time I looked.
You could use a DNS server with round robin functionality. That way you
can use multiple IP interfaces on one VMS server, as well as more VMS
servers.
Perhaps you can use DECRAM , however it has not been ported to x86-64
yet. Don't know how difficult that would be. DECRAM disks behave like
normal disks, so shadowing etc. is supported.
do you mean like port forwarding or a www1. type of solution? I'm going to implement DNS services on their system just in case for redundancy.
Dirk Munk
2021-01-13 22:36:34 UTC
Permalink
Post by ***@gmail.com
Post by Dirk Munk
Post by D W
There are MULTIPLE different approaches to doing this. Most involve HTTP (web) cookies and may involve DNS round robin load balancing or load balancers.
But how would this be accomplished using Apache or another web package on OpenVMS?
Would you use the same approach?
Also if you house a DB like RDB on a separate OpenVMS server, what would be the fastest connect solution to obtain the fastest data transport rates between the DB server and other web servers?
First of all, I would look at WASD, and not Apache. WASD is (at least)
VMS Cluster aware, and is much and much more powerful (performance) than
Apache, at least it was the last time I looked.
You could use a DNS server with round robin functionality. That way you
can use multiple IP interfaces on one VMS server, as well as more VMS
servers.
Perhaps you can use DECRAM , however it has not been ported to x86-64
yet. Don't know how difficult that would be. DECRAM disks behave like
normal disks, so shadowing etc. is supported.
do you mean like port forwarding or a www1. type of solution? I'm going to implement DNS services on their system just in case for redundancy.
No, round robin is very simple.

let's say you have 4 vms ip interfaces for you server, they can be on
one server (4 interfaces) or two servers (2 x 2 interfaces) or 4
servers. The IP addresses are 10.0.0.1 , 10.0.0.2 , 10.0.0.3 , and
10.0.0.4 , so very simple.

With a round robin dns server, you will create a host www.myvms.com ,
and give that host all four IP addresses.

When you open a connection to www.myvms.com , it will go to 10.0.0.1 . A
second later it will go to 10.0.0.2 , and again a second later to
10.0.0.3 , and then to 10.0.0.4. , and finally back to 10.0.0.1 , and so on.

The DNS implementation on VMS does not support this AFAIK. Try to find a
good round-robin DNS server, most likely on Linux, and use two very
cheap and simple Linux servers for your DNS.
Arne Vajhøj
2021-01-14 00:32:33 UTC
Permalink
Post by Dirk Munk
Post by ***@gmail.com
Post by Dirk Munk
Post by D W
There are MULTIPLE different approaches to doing this. Most involve
HTTP (web) cookies and may involve DNS round robin load balancing or
load balancers.
You could use a DNS server with round robin functionality. That way you
can use multiple IP interfaces on one VMS server, as well as more VMS
servers.
do you mean like port forwarding or a www1. type of solution? I'm
going to implement DNS services on their system just in case for
redundancy.
No, round robin is very simple.
let's say you have 4 vms ip interfaces for you server, they can be on
one server (4 interfaces) or two servers (2 x 2 interfaces) or 4
servers. The IP addresses are 10.0.0.1 , 10.0.0.2 , 10.0.0.3 , and
10.0.0.4 , so very simple.
With a round robin dns server, you will create a host www.myvms.com ,
and give that host all four IP addresses.
When you open a connection to www.myvms.com , it will go to 10.0.0.1 . A
second later it will go to 10.0.0.2 , and again a second later to
10.0.0.3 , and then to 10.0.0.4. , and finally back to 10.0.0.1 , and so on.
The key question is what happens if 10.0.0.2 is down.

Arne
Dirk Munk
2021-01-14 00:40:59 UTC
Permalink
Post by Arne Vajhøj
Post by Dirk Munk
Post by ***@gmail.com
Post by Dirk Munk
Post by D W
There are MULTIPLE different approaches to doing this. Most involve
HTTP (web) cookies and may involve DNS round robin load balancing
or load balancers.
You could use a DNS server with round robin functionality. That way you
can use multiple IP interfaces on one VMS server, as well as more VMS
servers.
do you mean like port forwarding or a www1. type of solution? I'm
going to implement DNS services on their system just in case for
redundancy.
No, round robin is very simple.
let's say you have 4 vms ip interfaces for you server, they can be on
one server (4 interfaces) or two servers (2 x 2 interfaces) or 4
servers. The IP addresses are 10.0.0.1 , 10.0.0.2 , 10.0.0.3 , and
10.0.0.4 , so very simple.
With a round robin dns server, you will create a host www.myvms.com ,
and give that host all four IP addresses.
When you open a connection to www.myvms.com , it will go to 10.0.0.1 .
A second later it will go to 10.0.0.2 , and again a second later to
10.0.0.3 , and then to 10.0.0.4. , and finally back to 10.0.0.1 , and so on.
The key question is what happens if 10.0.0.2 is down.
Arne
Good point. A good round-robin DNS server would notice that.

In fact it seems there are round-robin DNS servers that can take the
load of a server into account, skipping severely loaded severs for
instance. Don't know how that actually works.
Bill Gunshannon
2021-01-14 01:36:12 UTC
Permalink
Post by Dirk Munk
Post by Arne Vajhøj
Post by Dirk Munk
Post by ***@gmail.com
Post by Dirk Munk
Post by D W
There are MULTIPLE different approaches to doing this. Most
involve HTTP (web) cookies and may involve DNS round robin load
balancing or load balancers.
You could use a DNS server with round robin functionality. That way you
can use multiple IP interfaces on one VMS server, as well as more VMS
servers.
do you mean like port forwarding or a www1. type of solution? I'm
going to implement DNS services on their system just in case for
redundancy.
No, round robin is very simple.
let's say you have 4 vms ip interfaces for you server, they can be on
one server (4 interfaces) or two servers (2 x 2 interfaces) or 4
servers. The IP addresses are 10.0.0.1 , 10.0.0.2 , 10.0.0.3 , and
10.0.0.4 , so very simple.
With a round robin dns server, you will create a host www.myvms.com ,
and give that host all four IP addresses.
When you open a connection to www.myvms.com , it will go to 10.0.0.1
. A second later it will go to 10.0.0.2 , and again a second later to
10.0.0.3 , and then to 10.0.0.4. , and finally back to 10.0.0.1 , and so on.
The key question is what happens if 10.0.0.2 is down.
Arne
Good point. A good round-robin DNS server would notice that.
Don't know much about DNS, do you? DNS Servers have no contact
whatsoever with the machines they point at.
Post by Dirk Munk
In fact it seems there are round-robin DNS servers that can take the
load of a server into account, skipping severely loaded severs for
instance. Don't know how that actually works.
Definitely don't now much about DNS Servers.

bill

Loading...