3000 gets HP security alert. What the heck?

3000 users who still employ HP's support services got a bit of a jolt this week. The vendor that's still selling MPE support sent an email bulletin about an MPE/iX Security Alert. Even while HP was supporting 3000 customers without caveats, these notices were as rare as rain in a Texas July.

But how can security become an issue with an OS that HP hasn't touched in more than three years? Plainly put, the alert is a mistake. It's got to be, because a drill down into the details doesn't mention the OS by name. Instead, it's a problem with something called HP Data Protector, built for HP's laptops and desktops.

The corrected version of the alert still reads "Content Type: MPE/iX, PRIORITY: Critical." HP's new Support Center website has spewed out problems all summer, but this is the first mess-up marked critical. If you're paying HP to oversee your 3000, even during a migration project, you might take this as a sign that the level of support has fallen far below classic standards.

Pivital Solutions is an HP 3000-strong shop (kind of like "plant-strong" to describe vegan diets). President Steve Suraci was at the latest HP3000 Reunion, and he updated his competitive situation while signing up 3000 sites for many more years of support -- without caveats. HP, it seems, is still the chief competitor when companies size up support plans for the future of their 3000s.

There hasn't been a security bulletin on MPE in more than three years. DNS poisoning drifted through the websphere, and HP didn't make any change to BIND to resolve the issue -- it simply advised customers to move their DNS work to a non-3000 server.

Brian Edminster, who specializes in such open source software as it relates to the 3000, said updating the BIND part of MPE/iX to fix that 2008 problem would've been no small project.

Getting BIND updated is a non-trivial exercise -- because the existing version for MPE/iX is several major releases behind (from an effort standpoint, it would be wise to consider it a new port). Since it's easy to implement an 'up to the minute' version of BIND on a cheap Linux server, I don't blame HP for not expending the effort to re-do the port. [HP's] Mark Bixby did a fairly good job of documenting what he had to do to get the current version running, but we can't just re-apply the patches he submitted to get the latest versions to run.

It's a lot like when car manufacturers do a major model change -- where the car name is the same, but just about everything else changes. When you have a major design change, you often no longer have parts commonality. Same thing with portable software. When a major version change occurs, it's often due to major changes in the software's internal design. Ergo, it's like starting over.

Edminster noted that there's an opportunity for a customer to sponsor this kind of work, but that's probably outside everybody's budget who's homesteading. (Although we might be surprised to learn what the pricing would be on that work, considering that $30/hour consulting has been advertised.)

There's been a two-day gap in HP's ability to catch its false-critical report. Since the technical details are far from easy to comprehend in the HP website's advice, managers who followed this trail wasted time on something which HP explained away as follows:

Note: This Security Bulletin was released with the MP (MPE/iX) software product category. It should have been released with the MU (Multi-Platform Software) product category. Please refer to Document ID c03058866 - HPSBMU02716 SSRT100651.

If HP is still the chief competition out there for support dollars on existing 3000s, perhaps this kind of critical alert could serve as evidence. Even the automated parts of HP's database are mis-tuned to the needs of the server. It's bound to be better to work with companies who see a long future in 3000 service.
