
computers / comp.os.vms / Re: Current state of file/disk encryption on VMS

Re: Current state of file/disk encryption on VMS

<tdtv95$2diua$1@dont-email.me>

From: dav...@tsoft-inc.com (Dave Froble)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Sun, 21 Aug 2022 14:58:39 -0400
Organization: A noiseless patient Spider
 by: Dave Froble - Sun, 21 Aug 2022 18:58 UTC

On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
> On 8/21/22 11:33, Dave Froble wrote:
>> On 8/21/2022 9:54 AM, Alexander Schreiber wrote:
>>> Dave Froble <davef@tsoft-inc.com> wrote:
>>>> On 8/19/2022 4:18 AM, David Wade wrote:
>>>>> On 19/08/2022 03:20, Dave Froble wrote:
>>>>>> On 8/18/2022 6:50 PM, Rich Jordan wrote:
>>>>>>> Wee!, it's audit time again!
>>>>>>>
>>>>>>> I reviewed the VSI site and didn't see mention but thought I would ask here
>>>>>>> also.
>>>>>>>
>>>>>>> Last time I looked, VMS, even current VSI versions, can do manual per-file
>>>>>>> encryption/decryption, but not whole disk. That means you couldn't encrypt
>>>>>>> production files and have them usable; you'd have to decrypt, use,
>>>>>>> re-encrypt, then delete the unencrypted version; a no go save perhaps for
>>>>>>> small critical files sync'd by human usage.
>>>>>>>
>>>>>>> And backup savesets can be encrypted, but at the cost of both increased time
>>>>>>> and the loss of compression (which is often a substantial time and space
>>>>>>> saver itself).
>>>>>>>
>>>>>>> I presume that is still the current state of things?
>>>>>>>
>>>>>>> I poked our pc guys to find out if the various hypervisors support running
>>>>>>> VMs whose disk files are on encrypted disks; a possible future option for a
>>>>>>> VMS 9.x VM to keep the auditors happy.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>
>>>>>> Fire the auditors ...
>>>>>>
>>>>> What difference would that make? They work from the same tick list.
>>>>> Dave
>>>>
>>>> The question is, is that list valid? Perhaps, and perhaps not.
>>>>
>>>> Some auditors might be helpful and have some good advice. But I'm currently
>>>> aware of some auditors that are basically crooks. Accepting everything
>>>> auditors
>>>> might suggest may not be a good thing. And shouldn't their "suggestions" be
>>>> just that, "suggestions"?
>>>
>>> That depends. Any credit card processor who deems the PCI DSS rules to
>>> be mere suggestions will eventually (usually rather quickly) discover
>>> that it doesn't have a business anymore.
>>>
>>> Kind regards,
>>> Alex.
>>>
>>
>> Credit card processing is not just protecting your data, thus being a bit
>> different.
>>
>> A while back we came up with a design to protect credit card data, checking
>> account data, and such. Basically breaking up the data, and storing pieces in
>> different databases, on multiple servers, encrypted. Thus all the information
>> was not in one location. Might get pieces, a tad more difficult to get a
>> complete piece of data.
>>
>> Regardless, had to transmit the data at some point in time, so that exposure
>> is constant.
>>
>> Then we took a look at the third party vendors who would store, and protect,
>> the data, AND take all responsibility. It was a no-brainer, we abandoned all
>> plans to store the data ourselves.
>>
>> Back to auditors. Would not a reasonable person/company determine whether a
>> prospective employee was qualified for a job? Then why would not a reasonable
>> person/company do the same for auditors? But all too often that doesn't
>> happen. If an auditing firm could show reasonable knowledge about VMS, then
>> they might be qualified to perform auditing on a VMS solution.
>
> Of course at the level where the decisions are made (and the auditors
> contracted) your demand for VMS knowledgeable auditors is just more
> ammunition to throw VMS out the door and go with something more in line
> with modern business practice.

Total bullshit!

I'd demand the same expertise of those auditing Unix, Linux, WEENDOZE, and
anything else. Anything else is just total nonsense.

I have no idea of what you refer to as "modern business practice". Perhaps you
refer to "total nonsense"?

Lot of that coming from you these days ...

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
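
An added illustration, not part of any post in this thread, of Rich Jordan's quoted remark that encrypting backup savesets costs the compression: ciphertext looks like random bytes, so compressing after encryption saves nothing, while compressing first keeps the saving. The SHAKE-256 keystream cipher, key, nonce and sample records are constructed stand-ins for this example and say nothing about how VMS BACKUP or ENCRYPT work internally.

```python
import hashlib
import math
import zlib
from collections import Counter

KEY = bytes(range(32))            # constructed demo key, not a real secret
NONCE = b"constructed-nonce-01"   # constructed demo nonce


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with a SHAKE-256 keystream.

    Assumption for this example only. It has no integrity protection and is
    not the algorithm used by any VMS utility. Applying it twice decrypts.
    """
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def sample_saveset(records: int = 4000) -> bytes:
    """Constructed, highly repetitive record data standing in for a saveset."""
    lines = [
        f"ACCT{n:06d};STATUS=ACTIVE;REGION=MIDWEST;BALANCE={n * 37 % 100000:08d}\n"
        for n in range(records)
    ]
    return "".join(lines).encode("ascii")


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means indistinguishable from random)."""
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def compare_orderings(plain: bytes, key: bytes, nonce: bytes) -> dict:
    """Return output sizes for the two possible orderings of the same steps."""
    compressed = zlib.compress(plain, 9)

    # Ordering 1: encrypt first, then try to compress the ciphertext.
    encrypt_then_compress = zlib.compress(keystream_xor(key, nonce, plain), 9)

    # Ordering 2: compress first, then encrypt the compressed stream.
    compress_then_encrypt = keystream_xor(key, nonce, compressed)

    # Confirm ordering 2 still restores the original data.
    restored = zlib.decompress(keystream_xor(key, nonce, compress_then_encrypt))
    if restored != plain:
        raise ValueError("round trip failed")

    return {
        "plain": len(plain),
        "compressed_only": len(compressed),
        "encrypt_then_compress": len(encrypt_then_compress),
        "compress_then_encrypt": len(compress_then_encrypt),
    }


if __name__ == "__main__":
    data = sample_saveset()
    sizes = compare_orderings(data, KEY, NONCE)
    for name, size in sizes.items():
        print(f"{name:>22}: {size:>8} bytes ({size / sizes['plain']:.1%} of plain)")
    print(f"entropy plain:      {byte_entropy(data):.2f} bits/byte")
    print(f"entropy ciphertext: {byte_entropy(keystream_xor(KEY, NONCE, data)):.2f} bits/byte")
```

Compress-then-encrypt keeps the space saving, but the ciphertext length then tracks how compressible the data was.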

Re: Current state of file/disk encryption on VMS

<tdu4rl$iff$1@panix2.panix.com>

From: klu...@panix.com (Scott Dorsey)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: 21 Aug 2022 20:33:57 -0000
Organization: Former users of Netcom shell (1989-2000)
 by: Scott Dorsey - Sun, 21 Aug 2022 20:33 UTC

Alexander Schreiber <als@usenet.thangorodrim.de> wrote:
>Scott Dorsey <kludge@panix.com> wrote:
>> Rich Jordan <jordan@ccs4vms.com> wrote:
>>>Last time I looked, VMS, even current VSI versions, can do manual per-file
>>>encryption/decryption, but not whole disk. That means you couldn't encrypt
>>>production files and have them usable; you'd have to decrypt, use, re-encrypt,
>>>then delete the unencrypted version; a no go save perhaps for small critical
>>>files sync'd by human usage.
>>
>> Right, so you go with disks that have hardware encryption. You can buy a
>> number of gadgets where you have to type in a number on a keypad on the disk
>> box before the disk becomes available to the SATA buss.
>
>You named them correctly: gadgets, nothing more.
>
>Because you've got no idea if this is actually any good. Do they actually
>encrypt the data (or just do the equivalent of a shoddy bike lock?), what
>algorithm and key length is used (hint: if it's just a 4 digit pin .. LOL),
>are key derivation and encryption algorithms even implemented properly
>(note: most encrypted systems that got broken were broken not because
>the math or algorithm was attacked, but because the implementation was
>bad and vulnerable)?

You have FIPS certification on some of them which tells you that it's pretty
good. But there are plenty of others which are not certified. Some vendors
(like Aegist) offer certified and uncertified versions.

That said, the original poster doesn't actually care if the encryption is
good, he just wants to allow the consultant to check off the correct box
on their checklist.

>> This gives you the
>> full disk encryption the bean counters want, without any OS changes or
>> overhead, and without impairing the ability to move drives from machine
>> to machine.
>
>So every time the machine reboots/powercycles someone has to crawl into
>the broom closet (because you won't see nonsense like that in a proper
>production setup) where the "server" lives and type in a number?

You see that in a lot of production setups today. And yes, you do have to
type a number every time the drive is power-cycled... but not every time the
computer itself is power cycled. How often do you reboot anyway? We do it
twice a year to install updates.
--scott

--
"C'est un Nagra. C'est suisse, et tres, tres precis."

Re: Current state of file/disk encryption on VMS

<tdu508$2b0dr$3@dont-email.me>

From: jan-erik...@telia.com (Jan-Erik Söderholm)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Sun, 21 Aug 2022 22:36:24 +0200
Organization: A noiseless patient Spider
 by: Jan-Erik Söderholm - Sun, 21 Aug 2022 20:36 UTC

On 2022-08-21 at 17:33, Dave Froble wrote:
> On 8/21/2022 9:54 AM, Alexander Schreiber wrote:
>> Dave Froble <davef@tsoft-inc.com> wrote:
>>> On 8/19/2022 4:18 AM, David Wade wrote:
>>>> On 19/08/2022 03:20, Dave Froble wrote:
>>>>> On 8/18/2022 6:50 PM, Rich Jordan wrote:
>>>>>> Wee!, it's audit time again!
>>>>>>
>>>>>> I reviewed the VSI site and didn't see mention but thought I would
>>>>>> ask here
>>>>>> also.
>>>>>>
>>>>>> Last time I looked, VMS, even current VSI versions, can do manual
>>>>>> per-file
>>>>>> encryption/decryption, but not whole disk.  That means you couldn't
>>>>>> encrypt
>>>>>> production files and have them usable; you'd have to decrypt, use,
>>>>>> re-encrypt, then delete the unencrypted version; a no go save perhaps
>>>>>> for
>>>>>> small critical files sync'd by human usage.
>>>>>>
>>>>>> And backup savesets can be encrypted, but at the cost of both
>>>>>> increased time
>>>>>> and the loss of compression (which is often a substantial time and space
>>>>>> saver itself).
>>>>>>
>>>>>> I presume that is still the current state of things?
>>>>>>
>>>>>> I poked our pc guys to find out if  the various hypervisors support
>>>>>> running
>>>>>> VMs whose disk files are on encrypted disks; a possible future option
>>>>>> for a
>>>>>> VMS 9.x VM to keep the auditors happy.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>
>>>>> Fire the auditors ...
>>>>>
>>>> What difference would that make? They work from the same tick list.
>>>> Dave
>>>
>>> The question is, is that list valid?  Perhaps, and perhaps not.
>>>
>>> Some auditors might be helpful and have some good advice.  But I'm
>>> currently
>>> aware of some auditors that are basically crooks.  Accepting everything
>>> auditors
>>> might suggest may not be a good thing.  And shouldn't their
>>> "suggestions" be
>>> just that, "suggestions"?
>>
>> That depends. Any credit card processor who deems the PCI DSS rules to
>> be mere suggestions will eventually (usually rather quickly) discover
>> that it doesn't have a business anymore.
>>
>> Kind regards,
>>             Alex.
>>
>
> Credit card processing is not just protecting your data, thus being a bit
> different.
>
> A while back we came up with a design to protect credit card data, checking
> account data, and such.  Basically breaking up the data, and storing pieces
> in different databases, on multiple servers, encrypted.  Thus all the
> information was not in one location.  Might get pieces, a tad more
> difficult to get a complete piece of data.
>
> Regardless, had to transmit the data at some point in time, so that
> exposure is constant.
>
> Then we took a look at the third party vendors who would store, and
> protect, the data, AND take all responsibility.  It was a no-brainer, we
> abandoned all plans to store the data ourselves.
>
> Back to auditors.  Would not a reasonable person/company determine whether
> a prospective employee was qualified for a job?

The auditors are not hired by the company that is being audited.

Usually it is some other entity that enforces the auditing. Can be
a major customer, a state authority, your insurance company or such.

And the auditing is usually not done on a strictly technical level,
it is more to see that you can prove that you are following what is
general practice on a higher level.

Re: Current state of file/disk encryption on VMS

<tducv3$2eu27$1@dont-email.me>

From: dav...@tsoft-inc.com (Dave Froble)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Sun, 21 Aug 2022 18:52:13 -0400
Organization: A noiseless patient Spider
 by: Dave Froble - Sun, 21 Aug 2022 22:52 UTC

On 8/21/2022 4:36 PM, Jan-Erik Söderholm wrote:
> On 2022-08-21 at 17:33, Dave Froble wrote:
>> On 8/21/2022 9:54 AM, Alexander Schreiber wrote:
>>> Dave Froble <davef@tsoft-inc.com> wrote:
>>>> On 8/19/2022 4:18 AM, David Wade wrote:
>>>>> On 19/08/2022 03:20, Dave Froble wrote:
>>>>>> On 8/18/2022 6:50 PM, Rich Jordan wrote:
>>>>>>> Wee!, it's audit time again!
>>>>>>>
>>>>>>> I reviewed the VSI site and didn't see mention but thought I would ask here
>>>>>>> also.
>>>>>>>
>>>>>>> Last time I looked, VMS, even current VSI versions, can do manual per-file
>>>>>>> encryption/decryption, but not whole disk. That means you couldn't encrypt
>>>>>>> production files and have them usable; you'd have to decrypt, use,
>>>>>>> re-encrypt, then delete the unencrypted version; a no go save perhaps for
>>>>>>> small critical files sync'd by human usage.
>>>>>>>
>>>>>>> And backup savesets can be encrypted, but at the cost of both increased time
>>>>>>> and the loss of compression (which is often a substantial time and space
>>>>>>> saver itself).
>>>>>>>
>>>>>>> I presume that is still the current state of things?
>>>>>>>
>>>>>>> I poked our pc guys to find out if the various hypervisors support running
>>>>>>> VMs whose disk files are on encrypted disks; a possible future option for a
>>>>>>> VMS 9.x VM to keep the auditors happy.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>
>>>>>> Fire the auditors ...
>>>>>>
>>>>> What difference would that make? They work from the same tick list.
>>>>> Dave
>>>>
>>>> The question is, is that list valid? Perhaps, and perhaps not.
>>>>
>>>> Some auditors might be helpful and have some good advice. But I'm currently
>>>> aware of some auditors that are basically crooks. Accepting everything
>>>> auditors
>>>> might suggest may not be a good thing. And shouldn't their "suggestions" be
>>>> just that, "suggestions"?
>>>
>>> That depends. Any credit card processor who deems the PCI DSS rules to
>>> be mere suggestions will eventually (usually rather quickly) discover
>>> that it doesn't have a business anymore.
>>>
>>> Kind regards,
>>> Alex.
>>>
>>
>> Credit card processing is not just protecting your data, thus being a bit
>> different.
>>
>> A while back we came up with a design to protect credit card data, checking
>> account data, and such. Basically breaking up the data, and storing pieces in
>> different databases, on multiple servers, encrypted. Thus all the information
>> was not in one location. Might get pieces, a tad more difficult to get a
>> complete piece of data.
>>
>> Regardless, had to transmit the data at some point in time, so that exposure
>> is constant.
>>
>> Then we took a look at the third party vendors who would store, and protect,
>> the data, AND take all responsibility. It was a no-brainer, we abandoned all
>> plans to store the data ourselves.
>>
>> Back to auditors. Would not a reasonable person/company determine whether a
>> prospective employee was qualified for a job?
>
> The auditors are not hired by the company that is being audited.
>
> Usually it is some other entity that enforces the auditing. Can be
> a major customer, a state authority, your insurance company or such.
>
> And the auditing is usually not done on a strictly technical level,
> it is more to see that you can prove that you are following what is
> general practice on a higher level.
>
>
>

The question here is, what if the "suggestions" do not fit your activities?
Should one change their business to be "like everyone else", thus perhaps losing
advantages?

I have no problem with auditors, as long as they are reasonable, and have some
clue of what they are looking at. The burden should be on the auditors to show
they are competent.

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486

Re: Current state of file/disk encryption on VMS

<6302bb0b$0$699$14726298@news.sunsite.dk>

From: arn...@vajhoej.dk (Arne Vajhøj)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Sun, 21 Aug 2022 19:08:53 -0400
Organization: SunSITE.dk - Supporting Open source
 by: Arne Vajhøj - Sun, 21 Aug 2022 23:08 UTC

On 8/21/2022 2:58 PM, Dave Froble wrote:
> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>> On 8/21/22 11:33, Dave Froble wrote:
>>> Back to auditors.  Would not a reasonable person/company determine
>>> whether a
>>> prospective employee was qualified for a job?  Then why would not a
>>> reasonable
>>> person/company do the same for auditors?  But all too often that doesn't
>>> happen.  If an auditing firm could show reasonable knowledge about
>>> VMS, then
>>> they might be qualified to perform auditing on a VMS solution.
>>
>> Of course at the level where the decisions are made (and the auditors
>> contracted) your demand for VMS knowledgeable auditors is just more
>> ammunition to throw VMS out the door and go with something more in line
>> with modern business practice.
>
> Total bullshit!
>
> I'd demand the same expertise of those auditing Unix, Linux, WEENDOZE,
> and anything else.  Anything else is just total nonsense.

I don't think Bill was saying that there should be a difference in
skills to audit VMS vs audit Linux and Windows.

I think he is saying that if there are 100 companies that have
skills to audit Linux and Windows but only 10 companies with
skill to audit VMS then it is sending a bad signal to
senior management about VMS having a support problem.

Arne

Re: Current state of file/disk encryption on VMS

<6302bdae$0$697$14726298@news.sunsite.dk>

From: arn...@vajhoej.dk (Arne Vajhøj)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Sun, 21 Aug 2022 19:20:08 -0400
Organization: SunSITE.dk - Supporting Open source
 by: Arne Vajhøj - Sun, 21 Aug 2022 23:20 UTC

On 8/21/2022 11:33 AM, Dave Froble wrote:
> On 8/21/2022 9:54 AM, Alexander Schreiber wrote:
>> Dave Froble <davef@tsoft-inc.com> wrote:
>>> On 8/19/2022 4:18 AM, David Wade wrote:
>>>> On 19/08/2022 03:20, Dave Froble wrote:
>>>>> Fire the auditors ...
>>>>>
>>>> What difference would that make? They work from the same tick list.
>>>
>>> The question is, is that list valid?  Perhaps, and perhaps not.
>>>
>>> Some auditors might be helpful and have some good advice.  But I'm
>>> currently
>>> aware of some auditors that are basically crooks.  Accepting
>>> everything auditors
>>> might suggest may not be a good thing.  And shouldn't their
>>> "suggestions" be
>>> just that, "suggestions"?
>>
>> That depends. Any credit card processor who deems the PCI DSS rules to
>> be mere suggestions will eventually (usually rather quickly) discover
>> that it doesn't have a business anymore.
>
> Credit card processing is not just protecting your data, thus being a
> bit different.

> Then we took a look at the third party vendors who would store, and
> protect, the data, AND take all responsibility.  It was a no-brainer, we
> abandoned all plans to store the data ourselves.

Most come to that conclusion. Storing credit card info is as desirable
as having the plague and cholera.

> Back to auditors.  Would not a reasonable person/company determine
> whether a prospective employee was qualified for a job?  Then why would
> not a reasonable person/company do the same for auditors?  But all too
> often that doesn't happen.  If an auditing firm could show reasonable
> knowledge about VMS, then they might be qualified to perform auditing on
> a VMS solution.

The auditors should definitely have skills in what they audit -
otherwise they can't perform a good audit.

But there are some reasons why this sometimes becomes
a problem.

First there is the level where decisions are made. If a company
has a lot of stuff and the audit needs to cover Linux servers, Windows
servers, Windows PCs, network, some devices, organizational stuff
etc. besides a few VMS systems, then sometimes the CxO of the
company requesting the audit (which may be different from the company
being audited) and the CxO of the audit company may not discuss
VMS at all when signing the agreement.

Second the IT security industry has a huge skill problem. The demand
for IT security people has exploded over the last decade and
there are simply not enough good people available. So they hire
people with a few months of training for IT security. And
obviously they know very little. Everybody knows about this
problem but just because we know about it does not make
a half million IT security people with years of experience
fall down from the sky. And those few months of training
obviously only focus on the most widely used stuff - for
OS that means Linux and Windows.

Arne

Re: Current state of file/disk encryption on VMS

<tdugoj$2f6pj$1@dont-email.me>

From: dav...@tsoft-inc.com (Dave Froble)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Sun, 21 Aug 2022 19:57:01 -0400
Organization: A noiseless patient Spider
 by: Dave Froble - Sun, 21 Aug 2022 23:57 UTC

On 8/21/2022 7:08 PM, Arne Vajhøj wrote:
> On 8/21/2022 2:58 PM, Dave Froble wrote:
>> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>>> On 8/21/22 11:33, Dave Froble wrote:
>>>> Back to auditors. Would not a reasonable person/company determine whether a
>>>> prospective employee was qualified for a job? Then why would not a reasonable
>>>> person/company do the same for auditors? But all too often that doesn't
>>>> happen. If an auditing firm could show reasonable knowledge about VMS, then
>>>> they might be qualified to perform auditing on a VMS solution.
>>>
>>> Of course at the level where the decisions are made (and the auditors
>>> contracted) your demand for VMS knowledgeable auditors is just more
>>> ammunition to throw VMS out the door and go with something more in line
>>> with modern business practice.
>>
>> Total bullshit!
>>
>> I'd demand the same expertise of those auditing Unix, Linux, WEENDOZE, and
>> anything else. Anything else is just total nonsense.
>
> I don't think Bill was saying that there should be a difference in
> skills to audit VMS vs audit Linux and Windows.
>
> I think he is saying that if there is 100 companies that have
> skills to audit Linux and Windows but only 10 companies with
> skill to audit VMS then it is sending a bad signal to
> senior management about VMS having a support problem.
>
> Arne

But there would be those 10 companies, and the service most likely will be good.

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486

Re: Current state of file/disk encryption on VMS

<tduguu$2f7gg$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=24485&group=comp.os.vms#24485
 by: Dave Froble - Mon, 22 Aug 2022 00:00 UTC

On 8/21/2022 7:20 PM, Arne Vajhøj wrote:
> On 8/21/2022 11:33 AM, Dave Froble wrote:
>> On 8/21/2022 9:54 AM, Alexander Schreiber wrote:
>>> Dave Froble <davef@tsoft-inc.com> wrote:
>>>> On 8/19/2022 4:18 AM, David Wade wrote:
>>>>> On 19/08/2022 03:20, Dave Froble wrote:
>>>>>> Fire the auditors ...
>>>>>>
>>>>> What difference would that make? They work from the same tick list.
>>>>
>>>> The question is, is that list valid? Perhaps, and perhaps not.
>>>>
>>>> Some auditors might be helpful and have some good advice. But I'm currently
>>>> aware of some auditors that are basically crooks. Accepting everything
>>>> auditors might suggest may not be a good thing. And shouldn't their
>>>> "suggestions" be just that, "suggestions"?
>>>
>>> That depends. Any credit card processor who deems the PCI DSS rules to
>>> be mere suggestions will eventually (usually rather quickly) discover
>>> that it doesn't have a business anymore.
>>
>> Credit card processing is not just protecting your data, thus being a bit
>> different.
>
>> Then we took a look at the third party vendors who would store, and protect,
>> the data, AND take all responsibility. It was a no-brainer, we abandoned all
>> plans to store the data ourselves.
>
> Most come to that conclusion. Storing credit card info is as desirable
> as having the plague and cholera.
>
>> Back to auditors. Would not a reasonable person/company determine whether a
>> prospective employee was qualified for a job? Then why would not a reasonable
>> person/company do the same for auditors? But all too often that doesn't
>> happen. If an auditing firm could show reasonable knowledge about VMS, then
>> they might be qualified to perform auditing on a VMS solution.
>
> The auditors should definitely have skills in what they audit -
> otherwise they can't perform a good audit.
>
> But there are some reasons why this sometimes becomes
> a problem.
>
> First there is the level where decisions are made. If a company
> got a lot of stuff and audit need to cover Linux servers, Windows
> servers, Windows PC's, network, some devices, organizational stuff
> etc. besides a few VMS systems, then sometimes the CxO of the
> company requesting the audit (which may be different from the company
> being audited) and the CxO of the audit company may not discuss
> VMS at all when signing agreement.
>
> Second the IT security industry has a huge skill problem. The demand
> for IT security people have exploded over the last decade and
> there are simply not enough good people available. So they hire
> people with a few months of training for IT security. And
> obviously they know very little. Everybody knows about this
> problem but just because we know about it does not make
> a half million IT security people with years of experience
> fall down from the sky. And those few months of training
> obviously only focus on the most widely used stuff - for
> OS that means Linux and Windows.
>
> Arne
>

And this justifies the know-nothing idiots attempting to audit anything they are
not trained in, in what manner?

Going down this path is just wrong, and people should "just say no".

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486

Re: Current state of file/disk encryption on VMS

<6302d238$0$697$14726298@news.sunsite.dk>

https://www.novabbs.com/computers/article-flat.php?id=24486&group=comp.os.vms#24486
 by: Arne Vajhøj - Mon, 22 Aug 2022 00:47 UTC

On 8/21/2022 7:57 PM, Dave Froble wrote:
> On 8/21/2022 7:08 PM, Arne Vajhøj wrote:
>> On 8/21/2022 2:58 PM, Dave Froble wrote:
>>> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>>>> On 8/21/22 11:33, Dave Froble wrote:
>>>>> Back to auditors.  Would not a reasonable person/company determine
>>>>> whether a prospective employee was qualified for a job?  Then why would
>>>>> not a reasonable person/company do the same for auditors?  But all too
>>>>> often that doesn't happen.  If an auditing firm could show reasonable
>>>>> knowledge about VMS, then they might be qualified to perform auditing
>>>>> on a VMS solution.
>>>>
>>>> Of course at the level where the decisions are made (and the auditors
>>>> contracted) your demand for VMS knowledgeable auditors is just more
>>>> ammunition to throw VMS out the door and go with something more in line
>>>> with modern business practice.
>>>
>>> Total bullshit!
>>>
>>> I'd demand the same expertise of those auditing Unix, Linux, WEENDOZE,
>>> and anything else.  Anything else is just total nonsense.
>>
>> I don't think Bill was saying that there should be a difference in
>> skills to audit VMS vs audit Linux and Windows.
>>
>> I think he is saying that if there is 100 companies that have
>> skills to audit Linux and Windows but only 10 companies with
>> skill to audit VMS then it is sending a bad signal to
>> senior management about VMS having a support problem.
>
> But there would be those 10 companies, and the service most likely will
> be good.

I believe there would still be audit companies either with
VMS skills in house or smart enough to hire external VMS
expertise when needed (someone like Robert Gezelter comes
to my mind as a proper expert for something like this).

But senior management doesn't like stuff that requires
special consideration. The smart ones can be convinced
to accept something requiring special consideration if
there are good reasons for it.

Arne

Re: Current state of file/disk encryption on VMS

<6302d323$0$705$14726298@news.sunsite.dk>

https://www.novabbs.com/computers/article-flat.php?id=24487&group=comp.os.vms#24487
 by: Arne Vajhøj - Mon, 22 Aug 2022 00:51 UTC

On 8/21/2022 8:00 PM, Dave Froble wrote:
> On 8/21/2022 7:20 PM, Arne Vajhøj wrote:
>> Second the IT security industry has a huge skill problem. The demand
>> for IT security people have exploded over the last decade and
>> there are simply not enough good people available. So they hire
>> people with a few months of training for IT security. And
>> obviously they know very little. Everybody knows about this
>> problem but just because we know about it does not make
>> a half million IT security people with years of experience
>> fall down from the sky. And those few months of training
>> obviously only focus on the most widely used stuff - for
>> OS that means Linux and Windows.
>
> And this justifies the know nothing idiots attempting to audit anything
> they are not trained in in what manner.
>
> Going down this path is just wrong, and people should "just say no".

You can't wave a magic wand and have an extra half million experienced
IT security people tomorrow.

So the industry uses what they can get.

And it can be painful.

But it is not just VMS.

And most consider an audit by less than desired experienced
people better than no audit.

Arne

Re: Current state of file/disk encryption on VMS

<tduuj4$2j1jn$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=24488&group=comp.os.vms#24488
 by: Dave Froble - Mon, 22 Aug 2022 03:53 UTC

On 8/21/2022 8:47 PM, Arne Vajhøj wrote:
> On 8/21/2022 7:57 PM, Dave Froble wrote:
>> On 8/21/2022 7:08 PM, Arne Vajhøj wrote:
>>> On 8/21/2022 2:58 PM, Dave Froble wrote:
>>>> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>>>>> On 8/21/22 11:33, Dave Froble wrote:
>>>>>> Back to auditors. Would not a reasonable person/company determine whether a
>>>>>> prospective employee was qualified for a job? Then why would not a
>>>>>> reasonable person/company do the same for auditors? But all too often that
>>>>>> doesn't happen. If an auditing firm could show reasonable knowledge about
>>>>>> VMS, then they might be qualified to perform auditing on a VMS solution.
>>>>>
>>>>> Of course at the level where the decisions are made (and the auditors
>>>>> contracted) your demand for VMS knowledgeable auditors is just more
>>>>> ammunition to throw VMS out the door and go with something more in line
>>>>> with modern business practice.
>>>>
>>>> Total bullshit!
>>>>
>>>> I'd demand the same expertise of those auditing Unix, Linux, WEENDOZE, and
>>>> anything else. Anything else is just total nonsense.
>>>
>>> I don't think Bill was saying that there should be a difference in
>>> skills to audit VMS vs audit Linux and Windows.
>>>
>>> I think he is saying that if there is 100 companies that have
>>> skills to audit Linux and Windows but only 10 companies with
>>> skill to audit VMS then it is sending a bad signal to
>>> senior management about VMS having a support problem.
>>
>> But there would be those 10 companies, and the service most likely will be good.
>
> I believe there would still be audit companies either with
> VMS skills in house or smart enough to hire external VMS
> expertise when needed (someone like Robert Gezelter comes
> to my mind as a proper expert for something like this).
>
> But senior management doesn't like stuff that require
> special consideration. The smart ones can be convinced
> to accept something requiring special consideration if
> there are good reasons for it.

Is "these apps run our company better than anything else" a good reason?

Many executives are smart enough to not screw up things that are working well.

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486

Re: Current state of file/disk encryption on VMS

<tduulg$2j1jn$2@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=24489&group=comp.os.vms#24489
 by: Dave Froble - Mon, 22 Aug 2022 03:54 UTC

On 8/21/2022 8:51 PM, Arne Vajhøj wrote:
> On 8/21/2022 8:00 PM, Dave Froble wrote:
>> On 8/21/2022 7:20 PM, Arne Vajhøj wrote:
>>> Second the IT security industry has a huge skill problem. The demand
>>> for IT security people have exploded over the last decade and
>>> there are simply not enough good people available. So they hire
>>> people with a few months of training for IT security. And
>>> obviously they know very little. Everybody knows about this
>>> problem but just because we know about it does not make
>>> a half million IT security people with years of experience
>>> fall down from the sky. And those few months of training
>>> obviously only focus on the most widely used stuff - for
>>> OS that means Linux and Windows.
>>
>> And this justifies the know nothing idiots attempting to audit anything they
>> are not trained in in what manner.
>>
>> Going down this path is just wrong, and people should "just say no".
>
> You can't wave a magic wand and have an extra half million experienced
> IT security people tomorrow.
>
> So the industry use what they can get.
>
> And it can be painful.
>
> But it is not just VMS.
>
> And most consider an audit by less than desired experienced
> people better than no audit.

And if the idiots tell you to do something that you know is wrong?

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486

Re: Current state of file/disk encryption on VMS

<tdvdqc$2k8n4$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=24490&group=comp.os.vms#24490
 by: David Wade - Mon, 22 Aug 2022 08:12 UTC

On 22/08/2022 04:53, Dave Froble wrote:
> On 8/21/2022 8:47 PM, Arne Vajhøj wrote:
>> On 8/21/2022 7:57 PM, Dave Froble wrote:
>>> On 8/21/2022 7:08 PM, Arne Vajhøj wrote:
>>>> On 8/21/2022 2:58 PM, Dave Froble wrote:
>>>>> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>>>>>> On 8/21/22 11:33, Dave Froble wrote:
>>>>>>> Back to auditors.  Would not a reasonable person/company determine
>>>>>>> whether a prospective employee was qualified for a job?  Then why
>>>>>>> would not a reasonable person/company do the same for auditors?  But
>>>>>>> all too often that doesn't happen.  If an auditing firm could show
>>>>>>> reasonable knowledge about VMS, then they might be qualified to
>>>>>>> perform auditing on a VMS solution.
>>>>>>
>>>>>> Of course at the level where the decisions are made (and the auditors
>>>>>> contracted) your demand for VMS knowledgeable auditors is just more
>>>>>> ammunition to throw VMS out the door and go with something more in
>>>>>> line with modern business practice.
>>>>>
>>>>> Total bullshit!
>>>>>
>>>>> I'd demand the same expertise of those auditing Unix, Linux, WEENDOZE,
>>>>> and anything else.  Anything else is just total nonsense.
>>>>
>>>> I don't think Bill was saying that there should be a difference in
>>>> skills to audit VMS vs audit Linux and Windows.
>>>>
>>>> I think he is saying that if there is 100 companies that have
>>>> skills to audit Linux and Windows but only 10 companies with
>>>> skill to audit VMS then it is sending a bad signal to
>>>> senior management about VMS having a support problem.
>>>
>>> But there would be those 10 companies, and the service most likely
>>> will be good.
>>
>> I believe there would still be audit companies either with
>> VMS skills in house or smart enough to hire external VMS
>> expertise when needed (someone like Robert Gezelter comes
>> to my mind as a proper expert for something like this).
>>
>> But senior management doesn't like stuff that require
>> special consideration. The smart ones can be convinced
>> to accept something requiring special consideration if
>> there are good reasons for it.
>
> Is "these apps run our company better than anything else" a good reason?
>

Not if they cost ten times more than apps that "run the company passably
well"

> Many executives are smart enough to not screw up things that are
> working well.
>
>

I find most execs want to change things to prove they are adding value.
Another problem for VMS

Re: Current state of file/disk encryption on VMS

<tdvvil$2lur7$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=24491&group=comp.os.vms#24491
 by: Dave Froble - Mon, 22 Aug 2022 13:15 UTC

On 8/22/2022 4:12 AM, David Wade wrote:
> On 22/08/2022 04:53, Dave Froble wrote:
>> On 8/21/2022 8:47 PM, Arne Vajhøj wrote:
>>> On 8/21/2022 7:57 PM, Dave Froble wrote:
>>>> On 8/21/2022 7:08 PM, Arne Vajhøj wrote:
>>>>> On 8/21/2022 2:58 PM, Dave Froble wrote:
>>>>>> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>>>>>>> On 8/21/22 11:33, Dave Froble wrote:
>>>>>>>> Back to auditors. Would not a reasonable person/company determine
>>>>>>>> whether a prospective employee was qualified for a job? Then why would
>>>>>>>> not a reasonable person/company do the same for auditors? But all too
>>>>>>>> often that doesn't happen. If an auditing firm could show reasonable
>>>>>>>> knowledge about VMS, then they might be qualified to perform auditing
>>>>>>>> on a VMS solution.
>>>>>>>
>>>>>>> Of course at the level where the decisions are made (and the auditors
>>>>>>> contracted) your demand for VMS knowledgeable auditors is just more
>>>>>>> ammunition to throw VMS out the door and go with something more in line
>>>>>>> with modern business practice.
>>>>>>
>>>>>> Total bullshit!
>>>>>>
>>>>>> I'd demand the same expertise of those auditing Unix, Linux, WEENDOZE, and
>>>>>> anything else. Anything else is just total nonsense.
>>>>>
>>>>> I don't think Bill was saying that there should be a difference in
>>>>> skills to audit VMS vs audit Linux and Windows.
>>>>>
>>>>> I think he is saying that if there is 100 companies that have
>>>>> skills to audit Linux and Windows but only 10 companies with
>>>>> skill to audit VMS then it is sending a bad signal to
>>>>> senior management about VMS having a support problem.
>>>>
>>>> But there would be those 10 companies, and the service most likely will be
>>>> good.
>>>
>>> I believe there would still be audit companies either with
>>> VMS skills in house or smart enough to hire external VMS
>>> expertise when needed (someone like Robert Gezelter comes
>>> to my mind as a proper expert for something like this).
>>>
>>> But senior management doesn't like stuff that require
>>> special consideration. The smart ones can be convinced
>>> to accept something requiring special consideration if
>>> there are good reasons for it.
>>
>> Is "these apps run our company better than anything else" a good reason?
>>
>
> Not if they cost ten times more than apps that "run the company passably well"

They do not cost so much more, sometimes even less. There can be many hidden
costs to "passably well".

>> Many executives are smart enough to not screw up things that are working well.
>>
>>
>
> I find most execs want to change things to prove they are adding value. Another
> problem for VMS

Of course some think that way. Then get some bonus for the next quarter's
results, then be on their way. I think we've seen how that usually works out
for the company, its employees, and its customers. Only one winner, and
that's not deserved.

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486

Re: Current state of file/disk encryption on VMS

<63038861$0$692$14726298@news.sunsite.dk>

https://www.novabbs.com/computers/article-flat.php?id=24492&group=comp.os.vms#24492
 by: Arne Vajhøj - Mon, 22 Aug 2022 13:45 UTC

On 8/21/2022 11:54 PM, Dave Froble wrote:
> On 8/21/2022 8:51 PM, Arne Vajhøj wrote:
>> On 8/21/2022 8:00 PM, Dave Froble wrote:
>>> On 8/21/2022 7:20 PM, Arne Vajhøj wrote:
>>>> Second the IT security industry has a huge skill problem. The demand
>>>> for IT security people have exploded over the last decade and
>>>> there are simply not enough good people available. So they hire
>>>> people with a few months of training for IT security. And
>>>> obviously they know very little. Everybody knows about this
>>>> problem but just because we know about it does not make
>>>> a half million IT security people with years of experience
>>>> fall down from the sky. And those few months of training
>>>> obviously only focus on the most widely used stuff - for
>>>> OS that means Linux and Windows.
>>>
>>> And this justifies the know nothing idiots attempting to audit anything
>>> they are not trained in in what manner.
>>>
>>> Going down this path is just wrong, and people should "just say no".
>>
>> You can't wave a magic wand and have an extra half million experienced
>> IT security people tomorrow.
>>
>> So the industry use what they can get.
>>
>> And it can be painful.
>>
>> But it is not just VMS.
>>
>> And most consider an audit by less than desired experienced
>> people better than no audit.
>
> And if the idiots tell you to do something that you know is wrong?

There are a few options:
1) Crying.
2) Turning violent.
3) Arguing as well as you can and if no luck then tell yourself that
you can still win the war even though you lost the battle.

:-)

Arne

Re: Current state of file/disk encryption on VMS

<jmhh8gF381eU1@mid.individual.net>

https://www.novabbs.com/computers/article-flat.php?id=24493&group=comp.os.vms#24493

From: bill.gun...@gmail.com (Bill Gunshannon)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Mon, 22 Aug 2022 10:13:34 -0400
Message-ID: <jmhh8gF381eU1@mid.individual.net>
In-Reply-To: <tdugoj$2f6pj$1@dont-email.me>
 by: Bill Gunshannon - Mon, 22 Aug 2022 14:13 UTC

On 8/21/22 19:57, Dave Froble wrote:
> On 8/21/2022 7:08 PM, Arne Vajhøj wrote:
>> On 8/21/2022 2:58 PM, Dave Froble wrote:
>>> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>>>> On 8/21/22 11:33, Dave Froble wrote:
>>>>> Back to auditors.  Would not a reasonable person/company determine
>>>>> whether a
>>>>> prospective employee was qualified for a job?  Then why would not a
>>>>> reasonable
>>>>> person/company do the same for auditors?  But all too often that
>>>>> doesn't
>>>>> happen.  If an auditing firm could show reasonable knowledge about
>>>>> VMS, then
>>>>> they might be qualified to perform auditing on a VMS solution.
>>>>
>>>> Of course at the level where the decisions are made (and the auditors
>>>> contracted) your demand for VMS knowledgeable auditors is just more
>>>> ammunition to throw VMS out the door and go with something more in line
>>>> with modern business practice.
>>>
>>> Total bullshit!
>>>
>>> I'd demand the same expertise of those auditing Unix, Linux,
>>> WEENDOZE, and
>>> anything else.  Anything else is just total nonsense.
>>
>> I don't think Bill was saying that there should be a difference in
>> skills to audit VMS vs audit Linux and Windows.
>>
>> I think he is saying that if there are 100 companies that have
>> skills to audit Linux and Windows but only 10 companies with
>> skill to audit VMS then it is sending a bad signal to
>> senior management about VMS having a support problem.
>>
>> Arne
>
> But there would be those 10 companies, and the service most likely will
> be good.
>

In this day and age the number is much more likely to be zero
rather than even 10. I am not against VMS, I am just a realist
and, apparently, have a better grip on the reality of the IT
business today than you do. I learned a lot during my beltway
bandit days. Most of what I learned applies today as well as
it did 30 years ago.

bill

Re: Current state of file/disk encryption on VMS

<jmhhd5F381eU2@mid.individual.net>

https://www.novabbs.com/computers/article-flat.php?id=24494&group=comp.os.vms#24494

From: bill.gun...@gmail.com (Bill Gunshannon)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Mon, 22 Aug 2022 10:16:05 -0400
Message-ID: <jmhhd5F381eU2@mid.individual.net>
In-Reply-To: <tduuj4$2j1jn$1@dont-email.me>
 by: Bill Gunshannon - Mon, 22 Aug 2022 14:16 UTC

On 8/21/22 23:53, Dave Froble wrote:
> On 8/21/2022 8:47 PM, Arne Vajhøj wrote:
>> On 8/21/2022 7:57 PM, Dave Froble wrote:
>>> On 8/21/2022 7:08 PM, Arne Vajhøj wrote:
>>>> On 8/21/2022 2:58 PM, Dave Froble wrote:
>>>>> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>>>>>> On 8/21/22 11:33, Dave Froble wrote:
>>>>>>> Back to auditors.  Would not a reasonable person/company
>>>>>>> determine whether a
>>>>>>> prospective employee was qualified for a job?  Then why would not a
>>>>>>> reasonable
>>>>>>> person/company do the same for auditors?  But all too often that
>>>>>>> doesn't
>>>>>>> happen.  If an auditing firm could show reasonable knowledge
>>>>>>> about VMS, then
>>>>>>> they might be qualified to perform auditing on a VMS solution.
>>>>>>
>>>>>> Of course at the level where the decisions are made (and the auditors
>>>>>> contracted) your demand for VMS knowledgeable auditors is just more
>>>>>> ammunition to throw VMS out the door and go with something more in
>>>>>> line
>>>>>> with modern business practice.
>>>>>
>>>>> Total bullshit!
>>>>>
>>>>> I'd demand the same expertise of those auditing Unix, Linux,
>>>>> WEENDOZE, and
>>>>> anything else.  Anything else is just total nonsense.
>>>>
>>>> I don't think Bill was saying that there should be a difference in
>>>> skills to audit VMS vs audit Linux and Windows.
>>>>
>>>> I think he is saying that if there are 100 companies that have
>>>> skills to audit Linux and Windows but only 10 companies with
>>>> skill to audit VMS then it is sending a bad signal to
>>>> senior management about VMS having a support problem.
>>>
>>> But there would be those 10 companies, and the service most likely
>>> will be good.
>>
>> I believe there would still be audit companies either with
>> VMS skills in house or smart enough to hire external VMS
>> expertise when needed (someone like Robert Gezelter comes
>> to my mind as a proper expert for something like this).
>>
>> But senior management doesn't like stuff that requires
>> special consideration. The smart ones can be convinced
>> to accept something requiring special consideration if
>> there are good reasons for it.
>
> Is "these apps run our company better than anything else" a good reason?
>
> Many executives are smart enough to not screw up things that are
> working well.
>
>

If that were true products like Banner or even SAP would not even
exist. It is debatable that they offer any improvement and they
certainly require a complete change from the way you used to do
things.

bill

Re: Current state of file/disk encryption on VMS

<jmhhfuF381eU3@mid.individual.net>

https://www.novabbs.com/computers/article-flat.php?id=24495&group=comp.os.vms#24495

From: bill.gun...@gmail.com (Bill Gunshannon)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Mon, 22 Aug 2022 10:17:34 -0400
Message-ID: <jmhhfuF381eU3@mid.individual.net>
In-Reply-To: <tdvvil$2lur7$1@dont-email.me>
 by: Bill Gunshannon - Mon, 22 Aug 2022 14:17 UTC

On 8/22/22 09:15, Dave Froble wrote:
> On 8/22/2022 4:12 AM, David Wade wrote:
>> On 22/08/2022 04:53, Dave Froble wrote:
>>> On 8/21/2022 8:47 PM, Arne Vajhøj wrote:
>>>> On 8/21/2022 7:57 PM, Dave Froble wrote:
>>>>> On 8/21/2022 7:08 PM, Arne Vajhøj wrote:
>>>>>> On 8/21/2022 2:58 PM, Dave Froble wrote:
>>>>>>> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>>>>>>>> On 8/21/22 11:33, Dave Froble wrote:
>>>>>>>>> Back to auditors.  Would not a reasonable person/company determine
>>>>>>>>> whether a
>>>>>>>>> prospective employee was qualified for a job?  Then why would
>>>>>>>>> not a
>>>>>>>>> reasonable
>>>>>>>>> person/company do the same for auditors?  But all too often
>>>>>>>>> that doesn't
>>>>>>>>> happen.  If an auditing firm could show reasonable knowledge
>>>>>>>>> about VMS,
>>>>>>>>> then
>>>>>>>>> they might be qualified to perform auditing on a VMS solution.
>>>>>>>>
>>>>>>>> Of course at the level where the decisions are made (and the
>>>>>>>> auditors
>>>>>>>> contracted) your demand for VMS knowledgeable auditors is just more
>>>>>>>> ammunition to throw VMS out the door and go with something more
>>>>>>>> in line
>>>>>>>> with modern business practice.
>>>>>>>
>>>>>>> Total bullshit!
>>>>>>>
>>>>>>> I'd demand the same expertise of those auditing Unix, Linux,
>>>>>>> WEENDOZE, and
>>>>>>> anything else.  Anything else is just total nonsense.
>>>>>>
>>>>>> I don't think Bill was saying that there should be a difference in
>>>>>> skills to audit VMS vs audit Linux and Windows.
>>>>>>
>>>>>> I think he is saying that if there are 100 companies that have
>>>>>> skills to audit Linux and Windows but only 10 companies with
>>>>>> skill to audit VMS then it is sending a bad signal to
>>>>>> senior management about VMS having a support problem.
>>>>>
>>>>> But there would be those 10 companies, and the service most likely
>>>>> will be
>>>>> good.
>>>>
>>>> I believe there would still be audit companies either with
>>>> VMS skills in house or smart enough to hire external VMS
>>>> expertise when needed (someone like Robert Gezelter comes
>>>> to my mind as a proper expert for something like this).
>>>>
>>>> But senior management doesn't like stuff that requires
>>>> special consideration. The smart ones can be convinced
>>>> to accept something requiring special consideration if
>>>> there are good reasons for it.
>>>
>>> Is "these apps run our company better than anything else" a good reason?
>>>
>>
>> But if they cost ten times more than apps that "run the company
>> passably well"
>
> They do not cost so much more, sometimes even less.  There can be many
> hidden costs to "passably well".
>
>>> Many executives are smart enough to not screw up things that are
>>> working well.
>>>
>>>
>>
>> I find most execs want to change things to prove they are adding
>> value. Another
>> problem for VMS
>
> Of course some think that way.  Then get some bonus for the next
> quarter's results, then be on their way.  I think we've seen how that
> usually works out for the company, its employees, and its customers.
> Only one winner, and that's not deserved.
>

But it is the reality of how business is done today. Like it or not.

bill

Re: Current state of file/disk encryption on VMS

<te07rs$2moh9$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=24496&group=comp.os.vms#24496

From: dav...@tsoft-inc.com (Dave Froble)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Mon, 22 Aug 2022 11:37:25 -0400
Organization: A noiseless patient Spider
Message-ID: <te07rs$2moh9$1@dont-email.me>
In-Reply-To: <jmhhfuF381eU3@mid.individual.net>
 by: Dave Froble - Mon, 22 Aug 2022 15:37 UTC

On 8/22/2022 10:17 AM, Bill Gunshannon wrote:
> On 8/22/22 09:15, Dave Froble wrote:
>> On 8/22/2022 4:12 AM, David Wade wrote:
>>> On 22/08/2022 04:53, Dave Froble wrote:
>>>> On 8/21/2022 8:47 PM, Arne Vajhøj wrote:
>>>>> On 8/21/2022 7:57 PM, Dave Froble wrote:
>>>>>> On 8/21/2022 7:08 PM, Arne Vajhøj wrote:
>>>>>>> On 8/21/2022 2:58 PM, Dave Froble wrote:
>>>>>>>> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>>>>>>>>> On 8/21/22 11:33, Dave Froble wrote:
>>>>>>>>>> Back to auditors. Would not a reasonable person/company determine
>>>>>>>>>> whether a
>>>>>>>>>> prospective employee was qualified for a job? Then why would not a
>>>>>>>>>> reasonable
>>>>>>>>>> person/company do the same for auditors? But all too often that doesn't
>>>>>>>>>> happen. If an auditing firm could show reasonable knowledge about VMS,
>>>>>>>>>> then
>>>>>>>>>> they might be qualified to perform auditing on a VMS solution.
>>>>>>>>>
>>>>>>>>> Of course at the level where the decisions are made (and the auditors
>>>>>>>>> contracted) your demand for VMS knowledgeable auditors is just more
>>>>>>>>> ammunition to throw VMS out the door and go with something more in line
>>>>>>>>> with modern business practice.
>>>>>>>>
>>>>>>>> Total bullshit!
>>>>>>>>
>>>>>>>> I'd demand the same expertise of those auditing Unix, Linux, WEENDOZE, and
>>>>>>>> anything else. Anything else is just total nonsense.
>>>>>>>
>>>>>>> I don't think Bill was saying that there should be a difference in
>>>>>>> skills to audit VMS vs audit Linux and Windows.
>>>>>>>
>>>>>>> I think he is saying that if there are 100 companies that have
>>>>>>> skills to audit Linux and Windows but only 10 companies with
>>>>>>> skill to audit VMS then it is sending a bad signal to
>>>>>>> senior management about VMS having a support problem.
>>>>>>
>>>>>> But there would be those 10 companies, and the service most likely will be
>>>>>> good.
>>>>>
>>>>> I believe there would still be audit companies either with
>>>>> VMS skills in house or smart enough to hire external VMS
>>>>> expertise when needed (someone like Robert Gezelter comes
>>>>> to my mind as a proper expert for something like this).
>>>>>
>>>>> But senior management doesn't like stuff that requires
>>>>> special consideration. The smart ones can be convinced
>>>>> to accept something requiring special consideration if
>>>>> there are good reasons for it.
>>>>
>>>> Is "these apps run our company better than anything else" a good reason?
>>>>
>>>
>>> But if they cost ten times more than apps that "run the company passably well"
>>
>> They do not cost so much more, sometimes even less. There can be many hidden
>> costs to "passably well".
>>
>>>> Many executives are smart enough to not screw up things that are working well.
>>>>
>>>>
>>>
>>> I find most execs want to change things to prove they are adding value. Another
>>> problem for VMS
>>
>> Of course some think that way. Then get some bonus for the next quarter's
>> results, then be on their way. I think we've seen how that usually works out
>> for the company, its employees, and its customers. Only one winner, and
>> that's not deserved.
>>
>
> But it is the reality of how business is done today. Like it or not.
>
> bill
>

"Business", or scams? Yes, some, but not all.

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486

Re: Current state of file/disk encryption on VMS

<slrntg77np.6ngc.als@frodo.angband.thangorodrim.de>

https://www.novabbs.com/computers/article-flat.php?id=24497&group=comp.os.vms#24497

From: als...@usenet.thangorodrim.de (Alexander Schreiber)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Mon, 22 Aug 2022 17:21:29 +0200
Organization: Not much.
Message-ID: <slrntg77np.6ngc.als@frodo.angband.thangorodrim.de>
Reply-To: als@usenet.thangorodrim.de
 by: Alexander Schreiber - Mon, 22 Aug 2022 15:21 UTC

Scott Dorsey <kludge@panix.com> wrote:
> Alexander Schreiber <als@usenet.thangorodrim.de> wrote:
>>Scott Dorsey <kludge@panix.com> wrote:
>>> Rich Jordan <jordan@ccs4vms.com> wrote:
>>>>Last time I looked, VMS, even current VSI versions, can do manual per-file
>>>>encryption/decryption, but not whole disk. That means you couldn't encrypt
>>>>production files and have them usable; you'd have to decrypt, use,
>>>>re-encrypt, then delete the unencrypted version; a no go save perhaps for
>>>>small critical files sync'd by human usage.
>>>
>>> Right, so you go with disks that have hardware encryption. You can buy a
>>> number of gadgets where you have to type in a number on a keypad on the disk
>>> box before the disk becomes available to the SATA bus.
>>
>>You named them correctly: gadgets, nothing more.
>>
>>Because you've got no idea if this is actually any good. Do they actually
>>encrypt the data (or just do the equivalent of a shoddy bike lock?), what
>>algorithm and key length is used (hint: if it's just a 4 digit pin .. LOL),
>>are key derivation and encryption algorithms even implemented properly
>>(note: most encrypted systems that got broken were broken not because
>>the math or algorithm was attacked, but because the implementation was
>>bad and vulnerable)?
>
> You have FIPS certification on some of them which tells you that it's pretty
> good. But there are plenty of others which are not certified. Some vendors
> (like Aegist) offer certified and uncertified versions.

I wonder if that certification actually involves handing over hardware
designs and source code - because that's pretty much the only way you
can verify any claims.

> That said, the original poster doesn't actually care if the encryption is
> good, he just wants to allow the consultant to check off the correct box
> on their checklist.

I've seen that in some places. Tends to work ok until it doesn't.

>
>>> This gives you the
>>> full disk encryption the bean counters want, without any OS changes or
>>> overhead, and without impairing the ability to move drives from machine
>>> to machine.
>>
>>So every time the machine reboots/powercycles someone has to crawl into
>>the broom closet (because you won't see nonsense like that in a proper
>>production setup) where the "server" lives and type in a number?
>
> You see that in a lot of production setups today. And yes, you do have to
> type a number every time the drive is power-cycled... but not every time the
> computer itself is power cycled. How often do you reboot anyway? We do it
> twice a year to install updates.

I've seen large production setups that reboot a _lot_ more frequently than
that. But they also have proper key management setups - which they need,
since the "dude with a keyboard" approach doesn't scale beyond a small
handful of machines.

Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison

Re: Current state of file/disk encryption on VMS

<slrntg7857.6ngc.als@frodo.angband.thangorodrim.de>

https://www.novabbs.com/computers/article-flat.php?id=24498&group=comp.os.vms#24498

From: als...@usenet.thangorodrim.de (Alexander Schreiber)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Mon, 22 Aug 2022 17:28:39 +0200
Organization: Not much.
Message-ID: <slrntg7857.6ngc.als@frodo.angband.thangorodrim.de>
Reply-To: als@usenet.thangorodrim.de
 by: Alexander Schreiber - Mon, 22 Aug 2022 15:28 UTC

Bill Gunshannon <bill.gunshannon@gmail.com> wrote:
> On 8/21/22 11:33, Dave Froble wrote:
>> On 8/21/2022 9:54 AM, Alexander Schreiber wrote:
>>> Dave Froble <davef@tsoft-inc.com> wrote:
>>>> On 8/19/2022 4:18 AM, David Wade wrote:
>>>>> On 19/08/2022 03:20, Dave Froble wrote:
>>>>>> On 8/18/2022 6:50 PM, Rich Jordan wrote:
>>>>>>> Wee!, it's audit time again!
>>>>>>>
>>>>>>> I reviewed the VSI site and didn't see mention but thought I would
>>>>>>> ask here
>>>>>>> also.
>>>>>>>
>>>>>>> Last time I looked, VMS, even current VSI versions, can do manual
>>>>>>> per-file
>>>>>>> encryption/decryption, but not whole disk.  That means you
>>>>>>> couldn't encrypt
>>>>>>> production files and have them usable; you'd have to decrypt, use,
>>>>>>> re-encrypt, then delete the unencrypted version; a no go save
>>>>>>> perhaps for
>>>>>>> small critical files sync'd by human usage.
>>>>>>>
>>>>>>> And backup savesets can be encrypted, but at the cost of both
>>>>>>> increased time
>>>>>>> and the loss of compression (which is often a substantial time and
>>>>>>> space
>>>>>>> saver itself).
>>>>>>>
>>>>>>> I presume that is still the current state of things?
>>>>>>>
>>>>>>> I poked our pc guys to find out if  the various hypervisors
>>>>>>> support running
>>>>>>> VMs whose disk files are on encrypted disks; a possible future
>>>>>>> option for a
>>>>>>> VMS 9.x VM to keep the auditors happy.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>
>>>>>> Fire the auditors ...
>>>>>>
>>>>> What difference would that make? They work from the same tick list.
>>>>> Dave
>>>>
>>>> The question is, is that list valid?  Perhaps, and perhaps not.
>>>>
>>>> Some auditors might be helpful and have some good advice.  But I'm
>>>> currently
>>>> aware of some auditors that are basically crooks.  Accepting
>>>> everything auditors
>>>> might suggest may not be a good thing.  And shouldn't their
>>>> "suggestions" be
>>>> just that, "suggestions"?
>>>
>>> That depends. Any credit card processor who deems the PCI DSS rules to
>>> be mere suggestions will eventually (usually rather quickly) discover
>>> that it doesn't have a business anymore.
>>>
>>> Kind regards,
>>>             Alex.
>>>
>>
>> Credit card processing is not just protecting your data, thus being a
>> bit different.
>>
>> A while back we came up with a design to protect credit card data,
>> checking account data, and such.  Basically breaking up the data, and
>> storing pieces in different databases, on multiple servers, encrypted.
>> Thus all the information was not in one location.  Might get pieces, a
>> tad more difficult to get a complete piece of data.
>>
>> Regardless, had to transmit the data at some point in time, so that
>> exposure is constant.
>>
>> Then we took a look at the third party vendors who would store, and
>> protect, the data, AND take all responsibility.  It was a no-brainer, we
>> abandoned all plans to store the data ourselves.
>>
>> Back to auditors.  Would not a reasonable person/company determine
>> whether a prospective employee was qualified for a job?  Then why would
>> not a reasonable person/company do the same for auditors?  But all too
>> often that doesn't happen.  If an auditing firm could show reasonable
>> knowledge about VMS, then they might be qualified to perform auditing on
>> a VMS solution.
>
> Of course at the level where the decisions are made (and the auditors
> contracted) your demand for VMS knowledgeable auditors is just more
> ammunition to throw VMS out the door and go with something more in line
> with modern business practice.

"Modern business practice" appears to be:
- run Windows on everything (bonus points for running old versions
because some critical software only runs on that 10y old Windows)
- don't bother too much with the patching
- don't bother with access/network restrictions or
secure system design because "security just gets in the way"
- get your stuff encrypted by some ransomware gang
- bonus points for getting juicy data published
- claim "there was nothing we could do"
- do the same again

When in fact it is possible to run solid reliable infrastructure that
doesn't get 0wned by some random drive-by bot. But doing so has a price,
a price that some companies are willing to pay since not paying it can
be a lot more expensive.

Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison

Re: Current state of file/disk encryption on VMS

<slrntg78bn.6ngc.als@frodo.angband.thangorodrim.de>

https://www.novabbs.com/computers/article-flat.php?id=24499&group=comp.os.vms#24499

From: als...@usenet.thangorodrim.de (Alexander Schreiber)
Newsgroups: comp.os.vms
Subject: Re: Current state of file/disk encryption on VMS
Date: Mon, 22 Aug 2022 17:32:07 +0200
Organization: Not much.
Message-ID: <slrntg78bn.6ngc.als@frodo.angband.thangorodrim.de>
Reply-To: als@usenet.thangorodrim.de
 by: Alexander Schreiber - Mon, 22 Aug 2022 15:32 UTC

Dave Froble <davef@tsoft-inc.com> wrote:
> On 8/21/2022 8:47 PM, Arne Vajhøj wrote:
>> On 8/21/2022 7:57 PM, Dave Froble wrote:
>>> On 8/21/2022 7:08 PM, Arne Vajhøj wrote:
>>>> On 8/21/2022 2:58 PM, Dave Froble wrote:
>>>>> On 8/21/2022 12:43 PM, Bill Gunshannon wrote:
>>>>>> On 8/21/22 11:33, Dave Froble wrote:
>>>>>>> Back to auditors. Would not a reasonable person/company determine whether a
>>>>>>> prospective employee was qualified for a job? Then why would not a
>>>>>>> reasonable
>>>>>>> person/company do the same for auditors? But all too often that doesn't
>>>>>>> happen. If an auditing firm could show reasonable knowledge about VMS, then
>>>>>>> they might be qualified to perform auditing on a VMS solution.
>>>>>>
>>>>>> Of course at the level where the decisions are made (and the auditors
>>>>>> contracted) your demand for VMS knowledgeable auditors is just more
>>>>>> ammunition to throw VMS out the door and go with something more in line
>>>>>> with modern business practice.
>>>>>
>>>>> Total bullshit!
>>>>>
>>>>> I'd demand the same expertise of those auditing Unix, Linux, WEENDOZE, and
>>>>> anything else. Anything else is just total nonsense.
>>>>
>>>> I don't think Bill was saying that there should be a difference in
>>>> skills to audit VMS vs audit Linux and Windows.
>>>>
>>>> I think he is saying that if there are 100 companies that have
>>>> skills to audit Linux and Windows but only 10 companies with
>>>> skill to audit VMS then it is sending a bad signal to
>>>> senior management about VMS having a support problem.
>>>
>>> But there would be those 10 companies, and the service most likely will be good.
>>
>> I believe there would still be audit companies either with
>> VMS skills in house or smart enough to hire external VMS
>> expertise when needed (someone like Robert Gezelter comes
>> to my mind as a proper expert for something like this).
>>
>> But senior management doesn't like stuff that requires
>> special consideration. The smart ones can be convinced
>> to accept something requiring special consideration if
>> there are good reasons for it.
>
> Is "these apps run our company better than anything else" a good reason?

More likely: "These internal applications have decades of development in them,
there aren't really any turnkey solutions that you can buy to replace them
and switching to a different platform would mean $lots of investment to make
them useful replacements - investments in time, money and people"

> Many executives are smart enough to not screw up things that are working well.

Sadly, there are just enough that "need to leave their mark" (i.e. piss on
something) to be a problem.

Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison

Re: Current state of file/disk encryption on VMS

<6303c21e$0$693$14726298@news.sunsite.dk>

https://www.novabbs.com/computers/article-flat.php?id=24501&group=comp.os.vms#24501

  copy link   Newsgroups: comp.os.vms
Path: i2pn2.org!i2pn.org!aioe.org!news.uzoreto.com!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail
Date: Mon, 22 Aug 2022 13:51:24 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.12.0
Subject: Re: Current state of file/disk encryption on VMS
Content-Language: en-US
Newsgroups: comp.os.vms
References: <826c05b9-336d-4229-ba10-52306d81fcabn@googlegroups.com>
<tdmqsl$rkq$1@panix2.panix.com>
<slrntg4de9.hj7j.als@mordor.angband.thangorodrim.de>
<tdu4rl$iff$1@panix2.panix.com>
<slrntg77np.6ngc.als@frodo.angband.thangorodrim.de>
From: arn...@vajhoej.dk (Arne Vajhøj)
In-Reply-To: <slrntg77np.6ngc.als@frodo.angband.thangorodrim.de>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 29
Message-ID: <6303c21e$0$693$14726298@news.sunsite.dk>
Organization: SunSITE.dk - Supporting Open source
NNTP-Posting-Host: 99df8325.news.sunsite.dk
X-Trace: 1661190686 news.sunsite.dk 693 arne@vajhoej.dk/68.9.63.232:61393
X-Complaints-To: staff@sunsite.dk
 by: Arne Vajhøj - Mon, 22 Aug 2022 17:51 UTC

On 8/22/2022 11:21 AM, Alexander Schreiber wrote:
> Scott Dorsey <kludge@panix.com> wrote:
>> Alexander Schreiber <als@usenet.thangorodrim.de> wrote:
>>> Scott Dorsey <kludge@panix.com> wrote:
>>>> Right, so you go with disks that have hardware encryption. You can buy a
>>>> number of gadgets where you have to type in a number on a keypad on the disk
>>>> box before the disk becomes available to the SATA buss.
>>>
>>> You named them correctly: gadgets, nothing more.
>>>
>>> Because you've got no idea if this is actually any good. Do they actually
>>> encrypt the data (or just do the equivalent of a shoddy bike lock?), what
>>> algorithm and key length is used (hint: if it's just a 4 digit pin .. LOL),
>>> are key derivation and encryption algorithms even implemented properly
>>> (note: most encrypted systems that got broken were broken not because
>>> the math or algorithm was attacked, but because the implementation was
>>> bad and vulnerable)?
>>
>> You have FIPS certification on some of them which tells you that it's pretty
>> good. But there are plenty of others which are not certified. Some vendors
>> (like Aegist) offer certified and uncertified versions.
>
> I wonder if that certification actually involves handing over hardware
> designs and source code - because that's pretty much the only way you
> can verify any claims.

That is usually what that type of certification involves.

Arne

Re: Current state of file/disk encryption on VMS

 by: Arne Vajhøj - Mon, 22 Aug 2022 17:55 UTC

On 8/22/2022 11:28 AM, Alexander Schreiber wrote:
> Bill Gunshannon <bill.gunshannon@gmail.com> wrote:
>> Of course at the level where the decisions are made (and the auditors
>> contracted) your demand for VMS knowledgeable auditors is just more
>> ammunition to throw VMS out the door and go with something more in line
>> with modern business practice.
>
> "Modern business practice" appears to be:
> - run Windows on everything (bonus points for running old versions
> because some critical software only runs on that 10y old Windows)

(I assume we are talking servers here)

Most run Linux and are trying to move to k8s.

> - don't bother too much with the patching

Most are trying to keep up with patches but there are a lot
of patches today.

> - don't bother with access/network restrictions or
> secure system design because "security just gets in the way"

Almost everybody got firewalls in place everywhere today.

Arne

Re: Current state of file/disk encryption on VMS

 by: Rich Jordan - Mon, 22 Aug 2022 18:43 UTC

On Monday, August 22, 2022 at 11:08:05 AM UTC-5, Alexander Schreiber wrote:
> Scott Dorsey <klu...@panix.com> wrote:
> > Alexander Schreiber <a...@usenet.thangorodrim.de> wrote:
> >>Scott Dorsey <klu...@panix.com> wrote:
> >>> Rich Jordan <jor...@ccs4vms.com> wrote:
> >>>>Last time I looked, VMS, even current VSI versions, can do manual per-file
> >>>>encryption/decryption, but not whole disk. That means you couldn't encrypt
> >>>>production files and have them usable; you'd have to decrypt, use, re-encrypt,
> >>>>then delete the unencrypted version; a no go save perhaps for small
> >>>>critical files sync'd by human usage.
> >>>
> >>> Right, so you go with disks that have hardware encryption. You can buy a
> >>> number of gadgets where you have to type in a number on a keypad on the disk
> >>> box before the disk becomes available to the SATA buss.
> >>
> >>You named them correctly: gadgets, nothing more.
> >>
> >>Because you've got no idea if this is actually any good. Do they actually
> >>encrypt the data (or just do the equivalent of a shoddy bike lock?), what
> >>algorithm and key length is used (hint: if it's just a 4 digit pin .. LOL),
> >>are key derivation and encryption algorithms even implemented properly
> >>(note: most encrypted systems that got broken were broken not because
> >>the math or algorithm was attacked, but because the implementation was
> >>bad and vulnerable)?
> >
> > You have FIPS certification on some of them which tells you that it's pretty
> > good. But there are plenty of others which are not certified. Some vendors
> > (like Aegist) offer certified and uncertified versions.
> I wonder if that certification actually involves handing over hardware
> designs and source code - because that's pretty much the only way you
> can verify any claims.
> > That said, the original poster doesn't actually care if the encryption is
> > good, he just wants to allow the consultant to check off the correct box
> > on their checklist.
> I've seen that in some places. Tends to work ok until it doesn't.
> >
> >>> This gives you the
> >>> full disk encryption the bean counters want, without any OS changes or
> >>> overhead, and without impairing the ability to move drives from machine
> >>> to machine.
> >>
> >>So every time the machine reboots/powercycles someone has to crawl into
> >>the broom closet (because you won't see nonsense like that in a proper
> >>production setup) where the "server" lives and type in a number?
> >
> > You see that in a lot of production setups today. And yes, you do have to
> > type a number every time the drive is power-cycled... but not every time the
> > computer itself is power cycled. How often do you reboot anyway? We do it
> > twice a year to install updates.
> I've seen large production setups that reboot a _lot_ more frequently than
> that. But they also have proper key management setups - which they need,
> since the "dude with a keyboard" approach doesn't scale beyond a small
> handful of machines.
> Kind regards,
> Alex.
> --
> "Opportunity is missed by most people because it is dressed in overalls and
> looks like work." -- Thomas A. Edison

Ummm just to be clear, OP _does_ care about the quality of available encryption, but the question was not about quality, it was about availability.

And right now encryption support of the type required (which means running programs accessing data on encrypted disks but not needing to care about that because the OS takes care of it) is not currently available.

Also, it is not, at this time, a requirement. It's a question that got asked by the auditors about all of the site's servers, including two Linux boxes, a ton of Windows servers, and the VMS server. The site does not need to encrypt its Windows servers at this time. They _do_ encrypt data connections between sites (on top of that provided by the VPN tunnels) but a lot of traffic on the local LANs is not required to be encrypted either. More of that may be coming, but so far it is not required.

Thanks!
