INFO-VAX Tue, 15 Jan 2008 Volume 2008 : Issue 29

Contents:
 "Customized HP Technology at Work Linux edition (January 2008)" newsletter with
 Re: DS10 in need of power supply?
 Re: F$UNIQUE library function
 Re: F$UNIQUE library function
 Re: print queues and IP
 Re: Security level of SET PASS /GENERATE ?
 Re: Security level of SET PASS /GENERATE ?
 Re: Security level of SET PASS /GENERATE ?

----------------------------------------------------------------------

Date: Mon, 14 Jan 2008 15:02:37 -0800 (PST)
From: Rich Jordan
Subject: "Customized HP Technology at Work Linux edition (January 2008)" newsletter with
Message-ID: <6f4db1d5-1b62-4121-846c-8a9470ffa6af@c23g2000hsa.googlegroups.com>

The "Linux" newsletter I get from HP as a result of signing up for Alpha linux info some years ago came with a small easter egg this time. There's a link to a customer story from "International Securities Exchange" updating their infrastructure from Alpha to Itanium. No mention of Linux in the story at all. I haven't seen anything about Linux on Alpha for quite some time though. I know it's just one of the standard happy stories but it was interesting to see where it was referenced...

http://tinyurl.com/36u5e9

------------------------------

Date: Mon, 14 Jan 2008 19:08:54 +0000 (UTC)
From: moroney@world.std.spaamtrap.com (Michael Moroney)
Subject: Re: DS10 in need of power supply?
Message-ID:

VAXman- @SendSpamHere.ORG writes:

>In article <478bb0b6@news.langstoeger.at>, peter@langstoeger.at (Peter 'EPLAN' LANGSTOeGER) writes:
>>
>>
>>In article <13on1s2866htid9@news.supernews.com>, "David Turner, Island Computers" writes:
>>>Well we have them made for us
>>>Our part number is IC-ZDS10-RP
>>>
>>>Price is $249 NEW with 1 yr warranty
>>
>>Strange.
>>I paid less than Eur 150.- here some years ago
>>(when the euro was less than the dollar)

>The dollar is less than the euro today! Way less! ~$1.50 to (Euro)1.00!

Yes, $249 is worth about 167 Euros now.
More expensive than "less than 150 Euros" but not an awful lot more.

------------------------------

Date: Tue, 15 Jan 2008 07:23:35 +0800
From: "Richard Maher"
Subject: Re: F$UNIQUE library function
Message-ID:

Hi,

"yyyc186" wrote in message
news:f6319479-c318-439b-a034-57c357926d6b@21g2000hsj.googlegroups.com...
> Here's a little oddity. I don't find a SYS$ version of F$UNIQUE like
> most of the other lexical functions have. Did HP once again breach
> the tradition or did they stick it in a LIB$ function somewhere?

As well as sys$create_uid you may want to be aware of: -

call "lib$ascii_to_uid" using by descriptor the_ascii_bit by reference the_binary_version giving sys_status.

and

call "lib$uid_to_ascii" using by reference the_binary_version by descriptor the_ascii_bit giving sys_status.

Why their existence has never been documented in the mainstream VMS manuals escapes me. (I also wish Rdb made use of them when dumping DECdtm transactions)

Maybe it's like that patch release for VMSINSTAL in 8.2 after HP broke it - It's just never been "the right thing to do"? Not too sure how many Kleinsorges (universally accepted units of "rightness") one needs to get something done at VMS, but I guess if the people making decisions at middle-management over the last 10 to 15 years started doing the right thing then there'd be a run on body-bags, so best just let them continue to do whatever it is they want then?

Regards Richard Maher

PS. *Simply refusing* to fix the bug with $getdti where the full resource manager name is never returned bigger than the search criteria was a particularly nice touch!

PPS. As I've said before, if you want to see what Jim Johnson's been up to in recent years you may wish to have a look at: -

http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=388&SiteID=1

If you're into SOA and maybe curious as to how transactions play a part with WS-AT and Business Activity transactions then it could well be worth watching.
If, on the other hand, your buddies work in RTR or you're trying to eliminate some competition for the slush-fund then I guess getting rid of valuable resources like Jim Johnson and Alan Potter would be "the right thing to do" :-(

The fact that the same RTR wankers that I complained about ten years ago (feel free to search this newsgroup for something like "Captain RTR and his syphilitic hoard of cutthroats") are now positioning their snouts at the WS-Transaction trough is an absolute disgrace!

Yes VMS needs more and regular DECwindows patch kits and less DECdtm people (hold on - there hasn't been anyone at DECdtm for about ten years Doh!) Umm, how can a popular product like ACMS be first outsourced to EDS and now strategically positioned offshore, yet a domestic presence for DECwindows is mandated? Which workstations are we selling again?

As I said "Full steam ahead - You're all doing very well" :-(

------------------------------

Date: Mon, 14 Jan 2008 20:08:00 -0800 (PST)
From: yyyc186
Subject: Re: F$UNIQUE library function
Message-ID: <7f9bcaab-d37c-46a9-b63b-ca278dd3ca2f@q39g2000hsf.googlegroups.com>

On Jan 14, 5:23 pm, "Richard Maher" wrote:
> If you're into SOA and maybe curious as to how transactions play a part with
> WS-AT and Business Activity transactions then it could well be worth
> watching. If, on the other hand, your buddies work in RTR or you're trying
> to eliminate some competition for the slush-fund then I guess getting rid of
> valuable resources like Jim Johnson and Alan Potter would be "the right
> thing to do" :-(
>
> The fact that the same RTR wankers that I complained about ten years ago
> (feel free to search this newsgroup for something like "Captain RTR and his
> syphilitic hoard of cutthroats") are now positioning their snouts at the
> WS-Transaction trough is an absolute disgrace!

Thanks for all of the posts. I'm not really interested in looking at anything MS has to say.
What they produce is neither technology nor business quality software. Like the rest of the world, I'm moving to Ubuntu.

------------------------------

Date: Mon, 14 Jan 2008 23:21:37 +0100
From: "P. Sture"
Subject: Re: print queues and IP
Message-ID:

In article <32798992-a655-4559-abd9-a0a27a31be8a@d70g2000hsb.googlegroups.com>, H Vlems wrote:

> On 14 jan, 14:07, "P. Sture" wrote:
> >
> > IIRC the 2100 M has Postscript (actually an HP emulation), the plain
> > 2100 doesn't.
> >
> Correct Paul. Mine is a straight 2100 and doesn't know the difference
> between PS and ancient Chinese.

I've been meaning to recycle my 2100M for a while (it's broken and I need the space), so if you would like the DIMMs I'd be happy to accept a few beer tokens/postage for them.

From the Service Manual:

"Enhanced Memory and Memory Expansion

The HP LaserJet 2100 printer comes with 4 MB of memory and can be expanded to 52 MB using the three available memory (DIMM) slots. The HP LaserJet 2100M and 2100TN printers come with 8 MB of memory and can be expanded to 40 MB with the two available memory (DIMM) slots. The third slot is used for the HP PostScript language DIMM."

Contact me offline if interested. Take out the obvious bit from the address.

--
Paul Sture

Sue's OpenVMS bookmarks:
http://eisner.encompasserve.org/~sture/ovms-bookmarks.html

------------------------------

Date: 14 Jan 2008 13:14:41 -0600
From: briggs@encompasserve.org
Subject: Re: Security level of SET PASS /GENERATE ?
Message-ID:

> On Jan 14, 6:52 am, bri...@encompasserve.org wrote:
>> In article <5a8447d4-af7d-42fa-907f-68b55658d...@j78g2000hsd.googlegroups.com>, AEF writes:
>>
>> > On Jan 11, 1:25 pm, bri...@encompasserve.org wrote:
>> >> TheQuickBrownFoxJumpsOverTheLazyDog/Jan2008
>>
>> >> Entropy in that password once you guess the password generation scheme
>> >> is almost negligible. Given a 90 day password expiration policy
>> >> you could brute-force the key space in four tries.
>>
>> > Please clarify.
>>
>> Suppose that I as a user choose a password generation scheme:
>>
>> Whenever I am prompted to change my password, I will change it
>> to "TheQuickBrownFoxJumpsOverTheLazyDog/" where the
>> is determined from the then-current month and year.
>>
>> If I've reset the password sometime in the past three months then
>> the entropy in the password is no more than 1-2 bits.
>>
>> If you as an attacker compromise one of my passwords and correctly
>> guess the generation scheme then, in July you could crack my then-current
>> password in four guesses:
>>
>> TheQuickBrownFoxJumpsOverTheLazyDog/Apr2008
>> TheQuickBrownFoxJumpsOverTheLazyDog/May2008
>> TheQuickBrownFoxJumpsOverTheLazyDog/Jun2008
>> TheQuickBrownFoxJumpsOverTheLazyDog/Jul2008
>
> What does this have to do with longer is stronger?

It shows that long passwords can be weak.

> Once you correctly
> guess the scheme, it doesn't matter whether it's longer or complex. My
> point was that assuming the complex scheme enforced by Windows XP,
> there is little gain. Most people seem to think there is a lot more
> gain than there really is. When you do the math, the number of
> possible passwords increases much faster with increasing length than
> with increasing complexity.

If the problem you are having with password security is that users are choosing predictable passwords then neither forcing them to use "complex" passwords nor forcing them to use long passwords is going to force them to choose strong passwords.

> I assume you are talking about an advantage of generated passwords,
> but you wrote this in response to my claim that longer is stronger.

The fact of the matter is that longer is not stronger until you nail down the questions of "longer than what?", "stronger than what?" and "how do you measure strength?".

> Sure it isn't any stronger ONCE you crack the generation scheme, and
> unless you've done that from an old backup tape, you're already in at
> that point anyway.
There are other password attacks that don't involve already having full access to the system that you're attacking.

------------------------------

Date: 14 Jan 2008 13:36:49 -0600
From: briggs@encompasserve.org
Subject: Re: Security level of SET PASS /GENERATE ?
Message-ID:

In article <3309101e-b18f-4e8c-a697-bc1cb4228bfd@q77g2000hsh.googlegroups.com>, AEF writes:
> On Jan 14, 6:56 am, bri...@encompasserve.org wrote:
>> In article <006f275c-f86e-48f7-9b9f-96203bf35...@j78g2000hsd.googlegroups.com>, AEF writes:
>>
>>
>>
>> > On Jan 11, 3:23 pm, bri...@encompasserve.org wrote:
>> >> In article <4786ee9e$0$16170$c3e8...@news.astraweb.com>, JF Mezei writes:
>>
>> >> > AEF wrote:
>>
>> >> >> Tell "them", whoever they are: LONGER IS STRONGER. PERIOD. COMPLEX IS
>> >> >> MORE PAIN THAN GAIN.
>>
>> >> > Having a mandated password length is however a weakness since anyone
>> >> > with some insider knowledge will know how to configure his password
>> >> > guessing program to only try passwords of the mandated length.
>>
>> >> > Having variable password lengths means that the hackers don't know how
>> >> > long a password will be and thus greatly increases the number of
>> >> > attempts they must make before they get to the password.
>>
>> >> That turns out not to be true.
>>
>> >> Given any alphabet, the number of variable length strings with
>> >> maximum length n is no more than twice the number of fixed length
>> >> strings with length exactly equal to n.
>>
>> >> To put it another way, variable length buys you at most one bit of
>> >> entropy.
>>
>> >> [There are some assumptions of uniformity needed to formalize the
>> >> latter statement properly]
>>
>> >> Consider a decimal alphabet.
>>
>> >> There's one possible string of length 0
>> >> There are ten possible strings of length 1
>> >> There are 100 possible strings of length 2
>> >> and so on.
>>
>> >> If you have a length 6 password and your attacker searches the variable
>> >> length search space then on average he'll have to search through
>>
>> >> 111,111 possibilities with length <= 5
>>
>> > Wouldn't that be 111,111/2 ?
>>
>> Nope. Note the stipulation. The password is length 6. The search
>> through the space of 5 digit passwords is guaranteed to be fruitless.
>
> I assumed you meant the password could be up to length 6.

I said 6 and I meant 6.

> Additionally, you said an AVERAGE of 111111.

I had meant that "on average" to apply to the search of the <= 5 digit space and the =6 digit search space taken together.

> Well, it's ALWAYS going
> to be 111111 if there are no passwords with L < 6. So why say average?
> Therefore, I thought you meant the password had L .LE. 6.

As above.

> I also got confused by your use of the word 'search'. If you have N
> passwords to search through, on average you have to _try_ N/2 of them.
> But you sometimes used "search" when I would have used "try".

If I have to search through half the house to find my car keys, you would say that I've searched the entire house?

That's an interesting [and quite viable!] point of view. I had not thought of using the terminology in that fashion though.

>> >> 500,000 possibilities with length = 6
>> >> -------
>> >> 611,111 guesses on average before guessing right

Ahh. So I used "on average" twice. Once above and once below. I can see how that would make my intent unclear.

>> >> If the attacker knows that your password is length 6 then it
>> >> takes him just 500,000 guesses on average.
>>
>> >> That's a 22% increase in work factor. About 1/4 of a bit of entropy.
>> >> Not what I'd call a "great increase".
>
> 500000 is not 22% greater than 611111. OK, you meant the opposite.

611,111 is 22% greater than 500,000

The attacker searching the space of 1-6 character passwords has to make 611,111 guesses on average.
The attacker who knows to just search the 6 character space has to make 500,000 guesses on average.

JF seemed to claim that variable length search spaces required a "great increase" in attacker effort versus fixed length search spaces.

My example quantified that "great increase" as 22% in a simplified example situation.

> Yeah, I suppose these are all minor points, but they added up to
> confusing me. Sorry.

I count you as an intelligent reader. If I've succeeded in confusing you, the fault almost certainly lies with me.

------------------------------

Date: Mon, 14 Jan 2008 18:06:37 -0800 (PST)
From: AEF
Subject: Re: Security level of SET PASS /GENERATE ?
Message-ID: <298c30ec-a48d-4164-8f94-28cb68e0650d@e23g2000prf.googlegroups.com>

On Jan 14, 2:36 pm, bri...@encompasserve.org wrote:
> In article <3309101e-b18f-4e8c-a697-bc1cb4228...@q77g2000hsh.googlegroups.com>, AEF writes:
>
>
>
> > On Jan 14, 6:56 am, bri...@encompasserve.org wrote:
> >> In article <006f275c-f86e-48f7-9b9f-96203bf35...@j78g2000hsd.googlegroups.com>, AEF writes:
>
> >> > On Jan 11, 3:23 pm, bri...@encompasserve.org wrote:
> >> >> In article <4786ee9e$0$16170$c3e8...@news.astraweb.com>, JF Mezei writes:
>
> >> >> > AEF wrote:
>
> >> >> >> Tell "them", whoever they are: LONGER IS STRONGER. PERIOD. COMPLEX IS
> >> >> >> MORE PAIN THAN GAIN.
>
> >> >> > Having a mandated password length is however a weakness since anyone
> >> >> > with some insider knowledge will know how to configure his password
> >> >> > guessing program to only try passwords of the mandated length.
>
> >> >> > Having variable password lengths means that the hackers don't know how
> >> >> > long a password will be and thus greatly increases the number of
> >> >> > attempts they must make before they get to the password.
>
> >> >> That turns out not to be true.
>
> >> >> Given any alphabet, the number of variable length strings with
> >> >> maximum length n is no more than twice the number of fixed length
> >> >> strings with length exactly equal to n.
>
> >> >> To put it another way, variable length buys you at most one bit of
> >> >> entropy.
>
> >> >> [There are some assumptions of uniformity needed to formalize the
> >> >> latter statement properly]
>
> >> >> Consider a decimal alphabet.
>
> >> >> There's one possible string of length 0
> >> >> There are ten possible strings of length 1
> >> >> There are 100 possible strings of length 2
> >> >> and so on.
>
> >> >> If you have a length 6 password and your attacker searches the variable
> >> >> length search space then on average he'll have to search through
>
> >> >> 111,111 possibilities with length <= 5
>
> >> > Wouldn't that be 111,111/2 ?
>
> >> Nope. Note the stipulation. The password is length 6. The search
> >> through the space of 5 digit passwords is guaranteed to be fruitless.
>
> > I assumed you meant the password could be up to length 6.
>
> I said 6 and I meant 6.

You're right.

>
> > Additionally, you said an AVERAGE of 111111.
>
> I had meant that "on average" to apply to the search of the <= 5 digit
> space and the =6 digit search space taken together.
>
> > Well, it's ALWAYS going
> > to be 111111 if there are no passwords with L < 6. So why say average?
> > Therefore, I thought you meant the password had L .LE. 6.
>
> As above.
>
> > I also got confused by your use of the word 'search'. If you have N
> > passwords to search through, on average you have to _try_ N/2 of them.
> > But you sometimes used "search" when I would have used "try".
>
> If I have to search through half the house to find my car keys, you
> would say that I've searched the entire house?

No, but I'd say that when you start you have to search the house: you have the entire house to search. Just like you have all possible passwords of a given length to "search".
I'd also say you looked in places that compose half the house, but you were searching the entire house, but didn't finish once you found your keys. IOW, while you're searching the house, you're searching the entire house. You're definitely not going to say, "I'm searching half of the house" or "I have half the house to search".

Or in VMS terms:

$ SEARCH file1,file2,file3 exciting_string

You're searching all 3 files, but you can abort once you find your string. Of course, maybe there's another occurrence of the string, in which case you have to let it run to normal completion.

I guess my view of "search" just differs from yours in this respect. Not a big deal. I checked -- you clarified. OK.

>
> That's an interesting [and quite viable!] point of view. I had
> not thought of using the terminology in that fashion though.
>
>
>
> >> >> 500,000 possibilities with length = 6
> >> >> -------
> >> >> 611,111 guesses on average before guessing right
>
> Ahh. So I used "on average" twice. Once above and once below. I can
> see how that would make my intent unclear.
>
>
>
> >> >> If the attacker knows that your password is length 6 then it
> >> >> takes him just 500,000 guesses on average.
>
> >> >> That's a 22% increase in work factor. About 1/4 of a bit of entropy.
> >> >> Not what I'd call a "great increase".
>
> > 500000 is not 22% greater than 611111. OK, you meant the opposite.
>
> 611,111 is 22% greater than 500,000

Right.

> The attacker searching the space of 1-6 character passwords has to
> make 611,111 guesses on average.
>
> The attacker who knows to just search the 6 character space has to
> make 500,000 guesses on average.
>
> JF seemed to claim that variable length search spaces required a "great
> increase" in attacker effort versus fixed length search spaces.
>
> My example quantified that "great increase" as 22% in a simplified
> example situation.

Your point was always 100% right. I wasn't disputing that.
I misinterpreted what space was allowed for passwords (in this example, exactly 6-character space).

>
> > Yeah, I suppose these are all minor points, but they added up to
> > confusing me. Sorry.
>
> I count you as an intelligent reader. If I've succeeded in confusing
> you, the fault almost certainly lies with me.

I was just explaining what threw me off the track. You made an excellent point and I was just trying to be sure I understood by trying to resolve my 111111/2 as compared to your 111111. Thanks for clearing it up.

I'll comment on your other post this weekend, perhaps. Not enough time now.

Thanks for your helpful posts on this topic.

AEF

------------------------------

End of INFO-VAX 2008.029
************************
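Editor's worked example for the "Security level of SET PASS /GENERATE ?" thread above. This is added code, not part of the digest or of any poster's message. It reproduces briggs's two calculations in Python: the fixed-length versus variable-length search space (111,111 shorter strings, 500,000 expected guesses at the true length, 611,111 in total, a 22% increase, roughly a quarter of a bit) and the month-stamped "prefix/MonYYYY" scheme that collapses to four candidates under a 90-day expiry. It goes slightly beyond the posts by checking the "at most one bit" bound for several alphabet sizes and by handling a year boundary in the month scheme. Assumptions made here: the thread's N/2 convention for the average number of guesses over an N-candidate space (rather than the exact (N+1)/2), English three-letter month abbreviations, and a password age measured in whole calendar months.

```python
import math
from datetime import date

# English month abbreviations as used in the thread ("Apr2008", "Jul2008").
# Fixed here rather than taken from the locale so the output is deterministic.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def variable_length_space(alphabet_size, max_len):
    """Count every string of length 0..max_len over the alphabet
    (the thread's 1 + 10 + 100 + ... series for a decimal alphabet)."""
    return sum(alphabet_size ** length for length in range(max_len + 1))


def expected_guesses_fixed(alphabet_size, length):
    """Attacker knows the exact length: on average half of the candidates
    are tried before the hit (the thread's N/2 convention, an assumption)."""
    return alphabet_size ** length / 2


def expected_guesses_variable(alphabet_size, length):
    """Attacker does not know the length and sweeps lengths 0..length-1 first.
    Every shorter candidate is a guaranteed miss, so that sweep is paid in
    full before the half-space average search of the true length."""
    shorter = variable_length_space(alphabet_size, length - 1)
    return shorter + expected_guesses_fixed(alphabet_size, length)


def work_factor_increase_pct(alphabet_size, length):
    """Extra work, in percent, that not knowing the length costs the attacker."""
    fixed = expected_guesses_fixed(alphabet_size, length)
    return (expected_guesses_variable(alphabet_size, length) / fixed - 1) * 100


def extra_bits(alphabet_size, length):
    """The same extra work expressed as bits of entropy."""
    return math.log2(expected_guesses_variable(alphabet_size, length)
                     / expected_guesses_fixed(alphabet_size, length))


def space_ratio_bits(alphabet_size, max_len):
    """log2(|strings of length <= max_len| / |strings of exactly max_len|).
    The thread's claim is that this never exceeds 1 bit for any alphabet."""
    return math.log2(variable_length_space(alphabet_size, max_len)
                     / alphabet_size ** max_len)


def _month_back(when, months):
    """(year, month) that is `months` calendar months before `when`."""
    index = when.year * 12 + (when.month - 1) - months
    return index // 12, index % 12 + 1


def monthly_scheme_candidates(prefix, when, max_age_months):
    """Candidate list an attacker needs once the 'prefix + MonYYYY' scheme is
    known: one guess per month the password could have been set in, oldest
    first, as in the thread's Apr..Jul listing."""
    candidates = []
    for back in range(max_age_months, -1, -1):
        year, month = _month_back(when, back)
        candidates.append(f"{prefix}{MONTHS[month - 1]}{year}")
    return candidates


def scheme_entropy_bits(candidate_count):
    """Entropy left in a password once only `candidate_count` values remain."""
    return math.log2(candidate_count)


if __name__ == "__main__":
    print("strings of length <= 5 over digits:", variable_length_space(10, 5))
    print("guesses, length known:  ", expected_guesses_fixed(10, 6))
    print("guesses, length unknown:", expected_guesses_variable(10, 6))
    print(f"work factor increase: {work_factor_increase_pct(10, 6):.0f}%")
    print(f"extra entropy: {extra_bits(10, 6):.2f} bits")
    for k in (2, 10, 26, 95):
        print(f"alphabet {k:>2}: variable length adds at most "
              f"{space_ratio_bits(k, 12):.3f} bits to the space")
    guesses = monthly_scheme_candidates(
        "TheQuickBrownFoxJumpsOverTheLazyDog/", date(2008, 7, 15), 3)
    for g in guesses:
        print(g)
    print(f"{len(guesses)} candidates = "
          f"{scheme_entropy_bits(len(guesses)):.0f} bits of entropy")
```

The space-count bound (at most one bit) is the exact statement from the thread; the expected-guess ratio for the decimal, length-6 case comes out smaller (22%, about 0.29 bits) because the shorter lengths contribute a fixed 111,111 misses against an average of 500,000 guesses at the true length. The month-scheme function is the practical side of the same point: once the generation rule is known, a 43-character password is worth log2(4) = 2 bits.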