An adventure in hacking, sort of...
Mar. 23rd, 2008 05:38 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
altivoThe VMS operating system was designed for secure corporate environments with many users and network connections to a central machine. I acknowledge this. Unfortunately, it was later promoted and distributed as a workstation environment to run on MicroVAX and later Alpha hardware. I have two Alpha machines, one at home and one at work, that now operate as workstations. The one at home runs OpenVMS.
The default security policies of VMS are draconian. Users are forced to change passwords every 30 days. Passwords may not be dictionary words. Worse, passwords cannot be the same as one previously used, and by default the system remembers the last 60 passwords you have had. That one is nasty for a casual user. As it happens, my VMS system runs without a login for weeks on end. So nearly every time I log in, it makes me change the password to a new nonsense word, and tries to dictate what passwords I can use by offering me a choice of six or so. If I don't like those, it will offer six more, and so on, until I accept one from the list.
This stuff can be disabled, and I thought I had finally disabled it. Nope. Today it made me change my password to a new nonsense word. "No problem," I thought, "I'll just log in as the system admin account and change it back." Under UNIX or Linux that works, because the admin account can assign any password without reference to all those rules.
Wrong again. First of all, when I tried to log in as "SYSTEM" it made me change that password too. Oh good, now I have two meaningless passwords. Determined to fix both, I used admin privileges to override and set the passwords back to my preferred words for both accounts. "Aha," I thought, "I'll just lock these so the user can't change them. That will foil the system from making me change them." Boy, was that wrong.
Log out. Can't log back in on either account. It seems that when I set the passwords, the system automatically set them to "expired" status to force the users to pick new, secure passwords. Only now the users aren't allowed to choose their own passwords. Catch-22. Any attempt to login fails. Now what?
Well, there's usually a way to recover if you lose the master password, right? And that's also the case with VMS, though it involves standing on your head while booting the system, tugging at your right earlobe at just the right moment, and then inserting your left toe someplace unmentionable all in the right sequence. Do it right, and you end up logged into a command prompt on the system console, with admin privileges, and with all other terminals and logins disabled. What we call a "standalone" boot in UNIX or Linux. I had never had to do this, ever, but I eventually found the right sequence of incantations, and made it to the $ prompt. What they don't tell you is that if you make any novice errors at that prompt, you get logged out and have to start all over again. It took me four or five tries before I managed to reset those passwords and really disable the security features (I hope) so that this won't happen again. Not allowing dictionary words as passwords is OK, but I swear that dictionary must be huge because it was disallowing words in Russian, Greek, and Anglo-Saxon as well as English. It didn't like "leetified" words either (changing O to zero and I to one, for instance.)
So a simple task, reboot the Alpha, ended up taking me 90 minutes. The VMS manuals I have are old, and didn't have all the current details I needed. It was fortunate that I had another machine with access to the web, or might still be puzzling over this. Or worse, formatting a hard disk and reinstalling OpenVMS.
On another but similar topic, could someone please explain to me why FA thinks it has to somehow translate PDF or DOC files into HTML in order to "display" them, and since it doesn't know how, it makes you "download" them instead? Every other website in the world just sends a PDF or DOC or RTF file to the user when clicked, after affixing the proper mime type to it. Most browsers know how to use a plug in or internal interpreter to display PDF or RTF right in the browser window. But on FA, they say "Sorry, we aren't able to display that file" and then make you download it to disk and start up a separate application to view it.
I happened to mention this in a forum discussion there. Bad move. Now I've got one of their coders insisting that they are doing it right and I'm wrong. Only I'm not wrong. My browser will display DOC, RTF, and PDF files right in the browser window as long as the correct mime type is passed with the file. Works everywhere else, guys.
The default security policies of VMS are draconian. Users are forced to change passwords every 30 days. Passwords may not be dictionary words. Worse, passwords cannot be the same as one previously used, and by default the system remembers the last 60 passwords you have had. That one is nasty for a casual user. As it happens, my VMS system runs without a login for weeks on end. So nearly every time I log in, it makes me change the password to a new nonsense word, and tries to dictate what passwords I can use by offering me a choice of six or so. If I don't like those, it will offer six more, and so on, until I accept one from the list.
This stuff can be disabled, and I thought I had finally disabled it. Nope. Today it made me change my password to a new nonsense word. "No problem," I thought, "I'll just log in as the system admin account and change it back." Under UNIX or Linux that works, because the admin account can assign any password without reference to all those rules.
Wrong again. First of all, when I tried to log in as "SYSTEM" it made me change that password too. Oh good, now I have two meaningless passwords. Determined to fix both, I used admin privileges to override and set the passwords back to my preferred words for both accounts. "Aha," I thought, "I'll just lock these so the user can't change them. That will foil the system from making me change them." Boy, was that wrong.
Log out. Can't log back in on either account. It seems that when I set the passwords, the system automatically set them to "expired" status to force the users to pick new, secure passwords. Only now the users aren't allowed to choose their own passwords. Catch-22. Any attempt to login fails. Now what?
Well, there's usually a way to recover if you lose the master password, right? And that's also the case with VMS, though it involves standing on your head while booting the system, tugging at your right earlobe at just the right moment, and then inserting your left toe someplace unmentionable all in the right sequence. Do it right, and you end up logged into a command prompt on the system console, with admin privileges, and with all other terminals and logins disabled. What we call a "standalone" boot in UNIX or Linux. I had never had to do this, ever, but I eventually found the right sequence of incantations, and made it to the $ prompt. What they don't tell you is that if you make any novice errors at that prompt, you get logged out and have to start all over again. It took me four or five tries before I managed to reset those passwords and really disable the security features (I hope) so that this won't happen again. Not allowing dictionary words as passwords is OK, but I swear that dictionary must be huge because it was disallowing words in Russian, Greek, and Anglo-Saxon as well as English. It didn't like "leetified" words either (changing O to zero and I to one, for instance.)
So a simple task, reboot the Alpha, ended up taking me 90 minutes. The VMS manuals I have are old, and didn't have all the current details I needed. It was fortunate that I had another machine with access to the web, or might still be puzzling over this. Or worse, formatting a hard disk and reinstalling OpenVMS.
On another but similar topic, could someone please explain to me why FA thinks it has to somehow translate PDF or DOC files into HTML in order to "display" them, and since it doesn't know how, it makes you "download" them instead? Every other website in the world just sends a PDF or DOC or RTF file to the user when clicked, after affixing the proper mime type to it. Most browsers know how to use a plug in or internal interpreter to display PDF or RTF right in the browser window. But on FA, they say "Sorry, we aren't able to display that file" and then make you download it to disk and start up a separate application to view it.
I happened to mention this in a forum discussion there. Bad move. Now I've got one of their coders insisting that they are doing it right and I'm wrong. Only I'm not wrong. My browser will display DOC, RTF, and PDF files right in the browser window as long as the correct mime type is passed with the file. Works everywhere else, guys.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2008-03-24 11:33 am (UTC)To my perception, it's a folly. MVS 3.8 works just fine in its 24-bit address space. The reason it originally had to expand back in the 80s was not because the program code was getting that huge. It was to handle more volume. More tasks at once, more large I/O buffers. Now that most non-commercial MVS processing runs on multiple small processors under emulation, it's easy to just add another CPU or two.
The issue seems to be the desire of some people to run gcc generated code, which is incredibly bulky and inefficient with memory. It's MVS, folks. It isn't supposed to support a dense graphical environment or anything like that. It's supposed to crunch batch jobs or do forms-based database operations. XD
It's sorta like saying "Hey, we could add a windows-based user environment to CP/M. We just need to expand the address space to 64 Meg, add support for parallel processors, and build S-100 style video hardware." Well, yeah, you could. But why? o.O
no subject
Date: 2008-03-25 08:42 am (UTC)I know just about bugger all about MVS, but I do know that it wasn't intended to provide a rich user interface. What exactly is the aim of these improvements? Who's gonna use them?
no subject
Date: 2008-03-25 11:06 am (UTC)Due to various legal blunders or whatever, several IBM mainframe operating systems from the 1980s have been officially placed in the public domain by IBM itself. MVS 3.8j, the one I first used as a trainee back in 1980, is among them. It's spooky and amusing to start the thing up and have the operator's console, multiple terminals, and printer outputs each appear in their own window and all of them working exactly as they always did.
The installation I worked on had more than 700 user terminals, and a disk and tape farm that occupied two floors of a high rise building. All of it could be duplicated and actually run at full bore on a modern dual core machine with a couple of big drives. It really makes you appreciate how much bloat and waste there is in the typical "modern" desktop OS.
Yeah, some of these guys are thinking in terms of Gnome and KDE, which is kinda silly, because the Hercules emulation already has a Linux implementation if that's what they want. The Linux for IBM 390 systems runs on it just fine. In fact, people have put VM 370 on Hercules, and then run Linux under it as a guest, and then another Hercules host under the Linux, and MVS on that Hercules. This sounds absurd but back when hardware was expensive (like millions of dollars) that was the kind of testing environment we used to get.
However, others have practical goals in mind. IBM mainframes are still out there, though the current editions are about the size of a small file cabinet and ten times more capable than they were 20 years ago. Why use resources on your production box for testing if you can run multiple instances of Hercules on cheap PC hardware to duplicate the production environment for testing purposes?