Any PDP-11 RSX-11 fans looking to be horribly underpaid

seasoned_geek

Jan 11, 2018, 2:05:18 PM
https://www.indeed.com/viewjob?jk=6e5513a2c3de92ad&q=vax+basic&tk=1c3hjtroa2spocj6&from=ja&alid=573d33fee4b0daddb56a638e&utm_source=jobseeker_emails&utm_medium=email&utm_campaign=job_alerts&rgtk=1c3hjtroa2spocj6


Sorry, don't have time to pick up on existing threads, just wanted to drop this off because it was rather shocking. What's in the post is all I know, but, given California's blatant disregard for the Patriot Act and federal labor laws, I assume this will offer only a token few coins. Something which would only appeal to an illegal or a terrorist.


Would have ignored the email, but PDP-11 caught my eye. From what I read, they aren't running those worthless inflatable dolls either. (Hardware/software "emulator" = worthless inflatable doll. Go get a real girlfriend!)

Bob Koehler

Jan 12, 2018, 4:23:44 PM
In article <04d97f0f-0964-43ba...@googlegroups.com>, seasoned_geek <rol...@logikalsolutions.com> writes:
>
> Sorry, don't have time to pick up on existing threads, just wanted to drop
> this off because it was rather shocking. What's in the post is all I know,
> but, given California's blatant disregard for the Patriot Act and federal
> labor laws, I assume this will offer only a token few coins. Something which
> would only appeal to an illegal or a terrorist.

Given the so called "Patriot's Act" blatant disregard for the U.S.
Constitution, one tends to think "hooray California".

terry-...@glaver.org

Jan 12, 2018, 11:58:44 PM
On Thursday, January 11, 2018 at 2:05:18 PM UTC-5, seasoned_geek wrote:
> Would have ignored the email, but PDP-11 caught my eye. From what I read, they aren't running those worthless inflatable dolls either. (Hardware/software "emulator" = worthless inflatable doll. Go get a real girlfriend!)

I guess this proves the people who said "no company would be insane enough to run those operating systems in production" wrong, over in the security vulnerability thread.

Simon Clubley

Jan 14, 2018, 5:17:44 AM
On 2018-01-12, terry-...@glaver.org <terry-...@glaver.org> wrote:
>
> I guess this proves the people who said "no company would be insane enough to
> run those operating systems in production" wrong, over in the security
> vulnerability thread.

While it's not exactly a great situation to be in, it is manageable
in some environments to some extent provided you take the proper
precautions and provided you realise that your old systems are
hopelessly insecure.

My real problem is with those people who think they can treat their
old VMS systems as if they were modern secured systems because in
their mindset "those security issues that other operating systems
have don't affect VMS so I don't have to worry about them". :-(

Those are the people who need to be woken up before the third party
security researchers do it for them.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world

Bill Gunshannon

Jan 14, 2018, 10:54:59 AM
On 01/14/2018 05:17 AM, Simon Clubley wrote:
> On 2018-01-12, terry-...@glaver.org <terry-...@glaver.org> wrote:
>>
>> I guess this proves the people who said "no company would be insane enough to
>> run those operating systems in production" wrong, over in the security
>> vulnerability thread.
>
> While it's not exactly a great situation to be in, it is manageable
> in some environments to some extent provided you take the proper
> precautions and provided you realise that your old systems are
> hopelessly insecure.
>
> My real problem is with those people who think they can treat their
> old VMS systems as if they were modern secured systems because in
> their mindset "those security issues that other operating systems
> have don't affect VMS so I don't have to worry about them". :-(
>
> Those are the people who need to be woken up before the third party
> security researchers do it for them.
>
> Simon.
>

I have never heard of any successful break-ins of an RSX system
thru the Internet and, yes, they do have TCP/IP.

bill

Scott Dorsey

Jan 14, 2018, 11:37:08 AM
Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
>
>While it's not exactly a great situation to be in, it is manageable
>in some environments to some extent provided you take the proper
>precautions and provided you realise that your old systems are
>hopelessly insecure.

Please stop calling these systems insecure.

Is a can-opener insecure? Anyone who can get into your house and grab it
can use it. But does that make it insecure in any way?

Just because the system is openly accessible to anyone with physical access
does not make it insecure. It seems you have a very very narrow view of the
concept of "security."
--scott

--
"C'est un Nagra. C'est suisse, et tres, tres precis."

Simon Clubley

Jan 14, 2018, 1:49:38 PM
On 2018-01-14, Scott Dorsey <klu...@panix.com> wrote:
> Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
>>
>>While it's not exactly a great situation to be in, it is manageable
>>in some environments to some extent provided you take the proper
>>precautions and provided you realise that your old systems are
>>hopelessly insecure.
>
> Please stop calling these systems insecure.
>

My comment was in response to Terry's comments about the VMS security
discussion on another thread.

I am willing to give PDP-11 systems a lot more leeway because they have
never been sold as high security systems. There's also a higher chance
that normal operation generally means privileged console access for
the PDP-11.

> Is a can-opener insecure? Anyone who can get into your house and grab it
> can use it. But does that make it insecure in any way?
>
> Just because the system is openly accessible to anyone with physical access
> does not make it insecure. It seems you have a very very narrow view of the
> concept of "security."

Maybe. Maybe not.

When I say hopelessly insecure, I have never said that it only applies
to people who have physical access to the server hardware or the
operator console. Most systems would be "hopelessly insecure" in that
situation.

No, I am talking about normal unprivileged users, especially those with
DCL access, who can come up with various ways to compromise those systems.

In my own exploit, a non-privileged DCL user can totally compromise
a VAX or Alpha system and that vulnerability has been in VMS since
the mid 1980s. What about all the vulnerabilities which have been quietly
fixed in recent versions without all the fuss that I am deliberately
making about this one ?

All that quietly fixing vulnerabilities does is to give people a false
sense of security.

Johnny Billquist

Jan 16, 2018, 4:14:01 PM
While I don't have any reports of break-ins to tell, I do have an
example of a crashed RSX system through the internet. This was many
years ago, on an RSX-11M-PLUS V4.4 system back in the mid 90s.
Magica.Update.UU.SE actually, which is still available online, and since
there are guest accounts, break-ins are sort of a non-issue.

But anyway, some Russians found out about the system, and logged in.
Funnily enough, they had quite some experience with RSX, from working on
Russian clones, and a Russified version of RSX. They had found some
security issues back in time, which they were curious if they were still
around, and they tested them, and crashed the system.
They mailed me and apologized a lot, and told me about the issues, which
I forwarded to Mentec. At least some of them were fixed in the next RSX
release. :-)
But I know a way or two to crash an RSX system straight away even today.
If I ever get to do a new release of RSX, a few more of those holes will
be fixed.

But, all that said, Magica.Update.UU.SE (a real 11/70) and
Mim.Update.UU.SE (an emulated 11/74) are online on the internet, and
constantly being hit by people and bots from all over the world, with no
issues so far. And believe me, they get hit *a lot*.

Mostly funny to see how confused people and bots get.

Johnny

--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: b...@softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol

Johnny Billquist

Jan 16, 2018, 4:19:43 PM
On 2018-01-14 19:49, Simon Clubley wrote:
> On 2018-01-14, Scott Dorsey <klu...@panix.com> wrote:
>> Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
>>>
>>> While it's not exactly a great situation to be in, it is manageable
>>> in some environments to some extent provided you take the proper
>>> precautions and provided you realise that your old systems are
>>> hopelessly insecure.
>>
>> Please stop calling these systems insecure.
>>
>
> My comment was in response to Terry's comments about the VMS security
> discussion on another thread.
>
> I am willing to give PDP-11 systems a lot more leeway because they have
> never been sold as high security systems. There's also a higher chance
> that normal operation generally means privileged console access for
> the PDP-11.

If you have console access, it's a totally different story, for most any
system.

>> Is a can-opener insecure? Anyone who can get into your house and grab it
>> can use it. But does that make it insecure in any way?
>>
>> Just because the system is openly accessible to anyone with physical access
>> does not make it insecure. It seems you have a very very narrow view of the
>> concept of "security."
>
> Maybe. Maybe not.
>
> When I say hopelessly insecure, I have never said that it only applies
> to people who have physical access to the server hardware or the
> operator console. Most systems would be "hopelessly insecure" in that
> situation.

Right.

> No, I am talking about normal unprivileged users, especially those with
> DCL access, who can come up with various ways to compromise those systems.
>
> In my own exploit, a non-privileged DCL user can totally compromise
> a VAX or Alpha system and that vulnerability has been in VMS since
> the mid 1980s. What about all the vulnerabilities which have been quietly
> fixed in recent versions without all the fuss that I am deliberately
> making about this one ?

Same story for any OS. I don't know how many vulnerabilities have been
found and fixed in Unix over the years which allow normal users to gain
root access. There still pop up several a year even today.

And this is really a perspective we should put this in. The number of
exploits in well known, and commonly used systems, outrun VMS by
ridiculous numbers.

Now, if VMS would get some more attention, I'm sure we would find more
problems there too. But your one exploit is not really raising my
eyebrow much.

> All that quietly fixing vulnerabilities does is to give people a false
> sense of security.

All sense of security is false.

seasoned_geek

Feb 2, 2018, 3:24:14 PM
On Friday, January 12, 2018 at 10:58:44 PM UTC-6, terry-...@glaver.org wrote:
>
> I guess this proves the people who said "no company would be insane enough to run those operating systems in production" wrong, over in the security vulnerability thread.

Well, I don't know how that post got spun into another security conversation. I'm not surprised they are running the actual PDP instead of those worthless emulation products. Why? If I remember the post properly, they are a medical device company. They built something which went through a very long (many years) FDA approval process, most likely some kind of surgical robot. The tool chain and manufacturing facility, once certified by FDA, has to remain unchanged such that the very first unit to ever roll off the line is exactly the same as the last unit.

Minor product enhancements can be proposed to the FDA with all of the proper paperwork created. This gets you a much shorter (months) QA testing and approval process. Change out the tools or modify the product by what the FDA considers a significant amount and you go all the way back to multi-year clinical trials.

IF that machine is on a network, it is air-gapped from the world. It has been my experience that the vast majority of systems involved in the production of medical devices are such. I suspect so are the machines involved in the creation of medicines. Doesn't matter what country they are manufactured in. If you want to sell it here, the FDA has to certify the place.

IF you have a breach that means production has to stop, usually with a significant disposal cost for those making medicines, an investigation and recertification process has to occur.

Despite the "wisdom of the crowd" in here, an incredibly large number of systems at non-government entities are air gapped.