Re: $SETUAI() Query/Problem

From: covendotartdottalk21dotcom (postmaster_at_127.0.0.1)
Date: 02/02/04

• Next message: JF Mezei: "Re: $SETUAI() Query/Problem"
• Previous message: John Smith: "Re: Rumours of (CPU) Wars"
• In reply to: Larry Kilgallen: "Re: $SETUAI() Query/Problem"
• Next in thread: Larry Kilgallen: "Re: $SETUAI() Query/Problem"
• Reply: Larry Kilgallen: "Re: $SETUAI() Query/Problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Date: Sun, 1 Feb 2004 23:13:39 -0000

"Larry Kilgallen" <Kilgallen@SpamCop.net> wrote in message
news:kzO4pYdQXv9J@eisner.encompasserve.org...
> In article <9JWdndpAE7B9xYHdRVn-gw@brightview.com>,
"covendotartdottalk21dotcom" <postmaster@127.0.0.1> writes:
> > Again, you're making a presumption (in #2) that access from any DECnet
> > or IP address is permitted to these systems. It's not. Permitted/
> > trusted nodes can be (and are) defined.
>
> Breakin attempts do not require a "node". A personal computer emulating
> a terminal will do just fine.

And network traffic coming from a PC needs to be identified by? Some
kind of addressing mechanism, relevant to the network protocol which it
is using, which either is or isn't supported by the intended target,
and can then be dealt with in an appropriate manner by the network
protocol stack(s) if present.

> And I think your network consisting entirely of secured computers
> with no connections to the outside world but yet with some risk
> of password sniffing is unlikely.

They don't have connections to the outside world.

Some risk of password sniffing? Well, anyone with a legitimate box
on the network (or physical access to disconnect a legitimate box,
and plug in their own one), and can put an adapter into promiscuous
mode can do just that.

Having hundreds of VMS systems (on their own separate network) might
perhaps imply to some people that they are used in some way for
handling internet traffic, but (at least) in this case, they're not.

> > Is $HASH_PASSWORD()'s functionality generic (not specifically the
> > algorithms that are used), or is (some of) the implementation
> > VMS-specific?
>
> Anything that takes VMS descriptors as input is VMS Specific.

Yes, but is there anything in the actual code which could not be
ported to another O/S?

e.g. is there some element of the code which Digital/Compaq/HP have
never publicly released to the outside world, and as a result, nobody
could have implemented it for themselves on VMS (much less on any
other O/S - which is what you said would not be surprised about)?

> I think you should revise your strategy of presuming that posters to
> comp.os.vms do not know what they are talking about. Admittedly I
> was unclear in my first post about the need for an attacker to mount
> a dictionary attack, but the risk really is ther.

I don't really want to trade personal insults in a public forum; I
know perfectly well that the vast majority of posters to, and the
silent majority/minority of readers of c.o.v do know what they are
talking about (VMS-wise); however, being unnecessarily acerbic in
your initial responses to simple questions really does nobody any
favours.

Yes, I'm asking people to respond in their own personal time, without
charge, and of course, people have no obligation to do so - but if my
question offends you, or doesn't stimulate your interest, then just
ignore it - manners don't cost.

Unfortunately, some people, on seeing churlish responses from posters
here, may tar the rest of the VMS community with the same brush, and
perhaps then not consider buying VMS solutions, in the belief that
they are likely to encounter similar hostile attitudes from system
manglers/operators or companies offering support on their VMS
products.

This won't help increase wider acceptance of VMS, or indeed, prolong
its lifespan.

Can/will you tell me whether AUTHORIZE now uses $GETUAI()/$SETUAI(),
or not?

> > Instead of bitching about the fact that I'm trying to achieve an
> > automated way of changing passwords on thousands of accounts across
> > hundreds of systems, have you got any *useful* suggestions on how this
> > might be achieved (in a different way to the way I have been trying)?
>
> I would suggest you start by getting a subscription to the source
listings.

But you've said that programmatically changing passwords in this
manner isn't the way to go about it, so VMS sources (not cheap, as I
recall) are unlikely to help!

Do you have any real solutions to a very real (or at least, percieved)
problem?

Mark

---

• Next message: JF Mezei: "Re: $SETUAI() Query/Problem"
• Previous message: John Smith: "Re: Rumours of (CPU) Wars"
• In reply to: Larry Kilgallen: "Re: $SETUAI() Query/Problem"
• Next in thread: Larry Kilgallen: "Re: $SETUAI() Query/Problem"
• Reply: Larry Kilgallen: "Re: $SETUAI() Query/Problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Relevant Pages Re: $SETUAI() Query/Problem ... > $SETUAI transfers the entire UAF record to disk, ... VMS Breakin Evasion ... Well, the box would have to be physically connected into our network, ... > AST capabilities) did not exist when Authorize was written. ... (comp.os.vms) Re: OpenVMS Security ... >> You are absolutely right Andrew, however it seems you define 'network' ... > DECnet would at this point be a better option is laughable. ... Within a pure VMS ... or I use the IP stack for DECnet over IP to copy sofware over the ... (comp.os.vms) Re: Routable Protocol for Clustering ... > Here's some specific info from our network engineers... ... > due to the fact that they will not support IP clustering. ... From the point of view of what a VMS cluster does, ... > fiber resources to dedicate paths for Proprietary VMS use exclusively. ... (comp.os.vms) Re: SMTP setup for rank newbie ... >>found that there was no SMTP service running on this node. ... I have little VMS experience, ... I walked into this network set up as it is, ... (comp.os.vms)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)