INFO-VAX Sun, 31 Aug 2008 Volume 2008 : Issue 476

Contents:
  Good Fellas (Was Re: Remote access vulnerability in VMS)
  l'art pour l'art' (was: Re: DEFCON 16 and Hacking OpenVMS)
  RE: l'art pour l'art' (was: Re: DEFCON 16 and Hacking OpenVMS)
  Loose Cannon-dian (was: Re: DEFCON 16 and Hacking OpenVMS)
  Re: OT Legacy was: DEFCON 16 and Hacking OpenVMS

----------------------------------------------------------------------

Date: Sun, 31 Aug 2008 09:03:20 +0800
From: "Richard Maher"
Subject: Good Fellas (Was Re: Remote access vulnerability in VMS)
Message-ID:

Hi Jerry,

> He earned the trust and respect of his colleagues by demonstrating he
> was worthy of such.

Is the quickest way to do that, still to kill someone? I wouldn't want to break with tradition.

> Jealousy rarely leads to a good end.

"Jealousy"? Get out of the fucking playground will ya; this is a business! Would a Telco, a bank, or NasdaqOMX be jealous for wanting to protect their servers? (Especially when such vulnerabilities are being blabbed about not only outside of HP but all over the internet!)

> Nor does biting the hand that feeds you (even if it's not always exactly
> what you want or when you want it).

I've personally never been on the "payroll", and have sadly relied on the old-fashioned litmus test of "Is it in the interests of VMS?" when charting direction. If only I'd realized early on that VMS is the personal play-thing of the elite few then we could've all saved some time.

Full steam ahead; you're all doing very well! How's that installed-base going again?

Regards Richard Maher

PS. Looks like the "code of silence" isn't what it used to be?

"Jerry Eckert" wrote in message news:da9b5489-96a2-44b4-b283-85c8f9c0a51c@m73g2000hsh.googlegroups.com...
On Aug 29, 9:05 pm, "Richard Maher" wrote:
>
> I hope I'm wrong, but there was another recent post here indicating that
> some were fortunate enough to enjoy the patronage of the Andy Goldsteins of
> this world, and were getting direct updates on the availability of patches
> for other vulnerabilities while, presumably, fee-generating customers like
> NasdaqOMX are told to piss-off and just wait in line like everybody else?
>

This is common in almost any business context. While it may not seem fair to those on the outside, there is some benefit to the rest of us. These back-door channels serve as an unofficial level of pre-release testing: I wonder how many times over the years they have identified problems that were corrected before customers were impacted by them?

> So how do you get in with this in-crowd? Who do you have to sleep with (or
> threaten to sleep with :-) Is there a Clique-Membership upgrade-option on
> the license/warranty agreement that one can tick? A school-tie? A
> secret-handshake? A political/sexual/religious orientation that always
> helps? Just whose arse(s) do you have to kiss?
>

He earned the trust and respect of his colleagues by demonstrating he was worthy of such. He got a break the rest of us didn't and he made good use of it.

Life isn't always fair: get used to it and do the best with what you have. Jealousy rarely leads to a good end. Nor does biting the hand that feeds you (even if it's not always exactly what you want or when you want it).

------------------------------

Date: Sun, 31 Aug 2008 08:12:16 +0800
From: "Richard Maher"
Subject: l'art pour l'art' (was: Re: DEFCON 16 and Hacking OpenVMS)
Message-ID:

Hi Kerry,

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
And for the record, after many wasted $'s, there are many CIO's that end up on the street after trying to replace a "legacy" environment with a new environment based on the buzz word technology of the day (SOA, shared services, J2EE, .Net) without really understanding the resource, culture and financial impact of this change.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

This seems to have such people foaming at the mouth recently: -
http://en.wikipedia.org/wiki/Dependency_injection

I've read it 4 times and still don't have the faintest idea what it's all about. But maybe I'm just missing the point in seeking purpose in such sublime beauty?

Regards Richard Maher

PS. Can anyone name a technology other than Java that has spawned so many acronyms?

"Main, Kerry" wrote in message news:9D02E14BC0A2AE43A5D16A4CD8EC5A593ED5E39EA4@GVW1158EXB.americas.hpqcorp.net...
> -----Original Message-----
> From: JF Mezei [mailto:jfmezei.spamnot@vaxination.ca]
> Sent: August 26, 2008 3:10 AM
> To: Info-VAX@Mvb.Saic.Com
> Subject: Re: DEFCON 16 and Hacking OpenVMS
>
> William Webb wrote:
>
> > Despite the fact that they're platform-neutral, it'd take AT LEAST
> > fifteen years for them to get all the VMS stuff that runs *outside* of
> > the databases redone so it'd work reliably on Some Other Platform.
>
> What many corporations have done is simply stopped developing on VMS
> and develop all new apps on modern non-legacy platforms. Over time
> individual apps end up being replaced or made redundant by new apps on a
> different platform, leaving VMS with less and less importance.
>
> Eventually, where there are only a couple apps left on VMS, they will
> decide to port them even if there is no immediate need to rewrite/update
> them so that the company can eliminate one platform to support. This is
> especially true if on old hardware that HP charges an arm and a leg to
> support.

I love it when people throw that term "legacy" around to push their own agendas.

Let's call it for what it is - "legacy" is a term that people use in a polite but derogatory manner to imply that the future direction they prefer is not that which they view as the current direction.

Microsoft calls Windows 2000 a legacy platform. IBM calls AIX V4.x a legacy platform. Sun calls Solaris 9/8 legacy platforms.

Does this mean that Windows, Solaris and AIX are legacy platforms?

Of course not. Every platform has legacy versions, but that does not mean current OS versions of that platform are "legacy".

And for the record, after many wasted $'s, there are many CIO's that end up on the street after trying to replace a "legacy" environment with a new environment based on the buzz word technology of the day (SOA, shared services, J2EE, .Net) without really understanding the resource, culture and financial impact of this change.

If I wanted to stir the pot, I would say distributed computing strategies are the next legacy platforms, but I don't, so I won't.

:-)

Regards

Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-254-8911
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

------------------------------

Date: Sun, 31 Aug 2008 02:21:01 +0000
From: "Main, Kerry"
Subject: RE: l'art pour l'art' (was: Re: DEFCON 16 and Hacking OpenVMS)
Message-ID: <9D02E14BC0A2AE43A5D16A4CD8EC5A593ED5EBD8B3@GVW1158EXB.americas.hpqcorp.net>

> -----Original Message-----
> From: Richard Maher [mailto:maher_rj@hotspamnotmail.com]
> Sent: August 30, 2008 8:12 PM
> To: Info-VAX@Mvb.Saic.Com
> Subject: l'art pour l'art' (was: Re: DEFCON 16 and Hacking OpenVMS)
>
> Hi Kerry,
>
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> And for the record, after many wasted $'s, there are many CIO's that
> end up on the street after trying to replace a "legacy" environment
> with a new environment based on the buzz word technology of the day
> (SOA, shared services, J2EE, .Net) without really understanding the
> resource, culture and financial impact of this change.
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> This seems to have such people foaming at the mouth recently: -
> http://en.wikipedia.org/wiki/Dependency_injection
>
> I've read it 4 times and still don't have the faintest idea what it's all
> about. But maybe I'm just missing the point in seeking purpose in such
> sublime beauty?
>
> Regards Richard Maher
>
> PS. Can anyone name a technology other than Java that has spawned so many
> acronyms?
>

[snip ...]

Yeah, pretty scary when people make up stuff like this, pass it off as computer programming science when the only person who can understand it is the author.

This is an example where someone could give a presentation on this topic and no one would ask questions as they would all be too afraid of looking like they do not understand something that everyone else does. [And of course, no one understood hardly a thing..]

Now imagine a Software manager who wants to be seen as leading edge latching on to this ...

:-)

Next time a Sales person promotes the benefits of SOA and Shared services, ask them if they understand why DCE and timesharing concepts did not last .. [p.s.
answer is not technical.]

Regards

Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-254-8911
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

------------------------------

Date: Sun, 31 Aug 2008 11:40:25 +0800
From: "Richard Maher"
Subject: Loose Cannon-dian (was: Re: DEFCON 16 and Hacking OpenVMS)
Message-ID:

Hi Kerry,

Boy are you singing from a different hymn-sheet! (Better tell Ann MacQuaid and Mick Keyes et al to fax some new ones through to Canada quick. You couldn't be more off-message if you tried!)

[Do not get caught up in the "we need to keep up with the Jones" mentality that often drives companies to spend huge sums of IT $'s over many years which in the end is not successful anyway.]

What, like ONC/RPC, DCE/RPC, Forte, Posix, pthreads, cma$threads, Java, Apache, gSOAP, GlassFish?

[Yes, there may be a place for Java and/or other new technologies, but there is nothing wrong with continuing to use Cobol or Basic or Fortran because in the end, the business you are supporting really could not care less which language you use.]

Wrong! VMS "Management" has shat on your traditional VMS-3GL installed-base for over ten years :-( They are the ones that refer to us as "legacy 3GL users". They are the ones who insist you have to wrapper your 3GL code in a bollocks web-services veneer in order to open them up to the web. They are the ones that refuse point-blank to give us an XHR$ RTL so that our 3GL code can have native access to the plethora of RESTful web-services on the net. They are the ones who are embarrassed by us, and lock us up in the attic like some dotty Aunt, when guests arrive. They are the ones that, to this day 2008, have not provided a workable solution for simply putting GUI front-ends on existing 3GL code. They are the ones that give us suboptimizing compilers for IA64. And guess what?
The client-base is voting with its feet :-(

[Hence, this is why many Cust's choose an upgrade and integrate model vs. a replace everything from scratch strategy. Certainly the upgrade and integrate (e.g. web enable existing applications with connectors created to allow sharing of code/data with other app environments) is typically a small fraction of the costs when compared to a rip & replace everything strategy.]

Agreed; that *is* what customers *want* to do, but your colleagues have given them no useful tools for accomplishing the task. How many of your "solutions" have come and gone over the last 10 years? How many of the current offerings have you seen successfully implemented in the field?

And there's that word again "Integrate"; what's it all about eh? Could it be: -

a) Allowing PC/Browser GUI/Web access to the rich heritage of VMS data, business-rules, and 3GL code, by inserting hooks into a corporation's existing *nix/IIS web-server architecture.

- or -

b) Integrate: - See "Emulate"
   i) We can do Apache (Sort of)
   ii) We can do Java (poorly performing old versions anyway)
   iii) We can do garbage-collection (What else CPU for?)
   iv) We can do kernel-threads (processes are crap)
   v) Funny how none of this ever faces the internet
   vi) We can keep rewriting every useless *nix utility for VMS as long as you suckers keep footing the bill!
   vii) We can do everything for half the performance and 100x the cost

Full steam ahead. You're all doing very well!

Cheers Richard Maher

"Main, Kerry" wrote in message news:9D02E14BC0A2AE43A5D16A4CD8EC5A593ED5DE5F5D@GVW1158EXB.americas.hpqcorp.net...
> -----Original Message-----
> From: jferraro [mailto:jferraro@gmail.com]
> Sent: August 24, 2008 2:04 PM
> To: Info-VAX@Mvb.Saic.Com
> Subject: Re: DEFCON 16 and Hacking OpenVMS
>
> > More seriously though: VAX 7000s in production? Has anyone looked at
> > how much they're costing vs more recent kit? Maintenance, power,
> > cooling and square-footage (?) on kit (including storage?)
> > from that era won't be cheap; when I last looked, in most environments,
> > moving to something current whilst staying with VMS (and therefore
> > introducing relatively little risk) would typically have a very short
> > payback time, maybe a year or two? How often can you get a payback
> > time of that length? It can get more interesting if the business is
> > organised in a way where revenue spend and capital spend come under
> > separate stovepipes, but even that shouldn't be insurmountable.
> >
>
> It is interesting, I assure you. As it goes, several folks over the
> years have put together business cases to port the existing COBOL (and
> other) code to JAVA and the like, with the end goal in mind to
> eliminate VMS. Costs to do so have been exorbitant and so it has made
> more sense, so to speak, to put VMS back in the corner and forget
> about it - and continue on our merry way.
>

Do not get caught up in the "we need to keep up with the Jones" mentality that often drives companies to spend huge sums of IT $'s over many years which in the end is not successful anyway.

Yes, there may be a place for Java and/or other new technologies, but there is nothing wrong with continuing to use Cobol or Basic or Fortran because in the end, the business you are supporting really could not care less which language you use.

What the business does care about is drastically reducing IT costs (not increasing) and IT focussed on providing real value to the business i.e. providing new functionality which makes them more competitive.

Hence, this is why many Cust's choose an upgrade and integrate model vs. a replace everything from scratch strategy. Certainly the upgrade and integrate (e.g. web enable existing applications with connectors created to allow sharing of code/data with other app environments) is typically a small fraction of the costs when compared to a rip & replace everything strategy.

> Being primarily an HP shop, several of us were sitting around one day
> as the topic of VMS arose. At that point, I decided to fire up VMS on
> one of the rx6600s we had sitting around as a simple proof of concept
> (while I awaited media from HP, I got hold of Wherry's simh docs and
> brought myself up to speed on the install). Interestingly, I
> approached our [single remaining] VMS admin and really got very little
> enthusiasm (which may be typical from the crowd :) ) about the
> experiment. I currently have VMS running atop HPVM on HPUX 11.31 (yes,
> it's pre-release), and have convinced him to "take a look"...
>
> ...but that would most certainly be my end goal.... I'd love to be
> able to bring an IA box along side the VAX systems we have and let
> them "parallel" for a while (for lack of better terms) to garner some
> trust in the newer technology (both for myself and our VMSer).
>

[snip ...]

If the VAX application is written mostly in Cobol and/or other higher Level apps, then moving to Integrity is likely a very easy move that might be justified by simply looking at the VAX maint contract and DC power / space savings over a 3-4 years period.

With current versions of OpenVMS, if it were required, you would then be able to use Java and other web services technologies for new stuff to integrate with other environments as appropriate while at the same time maintaining your existing code in their current languages.

Regards

Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-254-8911
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

------------------------------

Date: Sun, 31 Aug 2008 08:43:52 +0800
From: "Richard Maher"
Subject: Re: OT Legacy was: DEFCON 16 and Hacking OpenVMS
Message-ID:

Hi Tom,

> On mainframes, Websphere makes legacy applications current

On VMS boxes, Tier3 does the same thing.

Having said that I had thought WebLogic (and possibly WebSphere?) was available on VMS.
Now that Oracle own WebLogic and VMS Middle-Management has given them half of VMS by way of appeasement, people should be falling all over themselves to implement a VMS WebLogic server, shouldn't they?

But don't discount those stealth-project, job-creation schemes that so many VMS employees get to indulge themselves in: - gSOAP, WSIT and GlassFish. Ya just can't have too much technology Tom! (And they had to have somewhere to stick all those useless twats that spawned Bridgeworks. Couldn't tell 'em to just piss-off and get a real job!)

Regards Richard Maher

PS. If you'd like to write a TIP<->LU6.2 translator for MVS then that'd be useful!

"Tom Linden" wrote in message news:op.ugjr4remhv4qyg@murphus.hsd1.ca.comcast.net...
> On Wed, 27 Aug 2008 05:09:11 -0700, Bill Gunshannon wrote:
>
> > Actually, "legacy" is a term the industry has for any system whose
> > owners have let slide to the point that it is irrelevant to the rest
> > of the industry. It isn't VMS's detractors who have labeled it
> > "legacy". That is totally the result of DEC, Compaq and HP's treatment
> > of the product.
>
> On mainframes, Websphere makes legacy applications current
>
> --
> PL/I for OpenVMS
> www.kednos.com

------------------------------

End of INFO-VAX 2008.476
************************