[Info-vax] Problem with Filezilla connecting to OpenVMS

Kerry Main kemain.nospam at gmail.com
Sun Dec 9 23:07:32 EST 2018


> -----Original Message-----
> From: Info-vax <info-vax-bounces at rbnsn.com> On Behalf Of Simon Clubley
> via Info-vax
> Sent: December 9, 2018 8:01 PM
> To: info-vax at rbnsn.com
> Cc: Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP>
> Subject: Re: [Info-vax] Problem with Filezilla connecting to OpenVMS
> 
> On 2018-12-09, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
> > On 2018-12-09 14:37:44 +0000, Hans Blom said:
> >
> >> On Friday, December 7, 2018 at 12:25:11 PM UTC+1, DuncanMorris wrote:
> >>>
> >>> Filezilla 3.36 works with HP's V8.4 / TCPIP V5.7-ECO05, provided you
> >>> also have the TCPIP-SSH-'arch'_V57-ECO5G patches installed.
> >>
> >> unfortunately it's not up to me to even recommend an upgrade to 8.4,
> >> customer is stuck with it.
> 
> If the customer is "stuck" with it, then I hope they have taken precautions to
> secure the VMS system against current and future vulnerabilities.
> 
> >
> > You can and should recommend it.  Whether the decision is made to
> > upgrade or not is the customer's decision.  In some organizations,
> > this sort of detail can end up being relevant to SEC filings, and you
> > really don't want to be left holding that bag all by yourself.
> >
> 
> I very strongly agree with this. The OP _really_ needs to raise the issue with
> the customer and to do it formally. The customer can always reject the
> recommendation, but the customer can't then say "why didn't you warn us?"
> if the customer gets compromised.
> 
> >
> > As I've commented elsewhere, we're on a treadmill of updates here,
> > which means staying current.  Or accruing risk.  That trade-off being
> > one that management is paid to make.
> >
> 
> Also agree. I would hope people realise their VMS systems are just as
> vulnerable as non-VMS systems are. If the decision is taken to freeze VMS
> systems at a specific version, that needs to be a specific management
> decision and it needs to be formally signed off by management after they
> have been made aware of the risks involved.
> 

Simon,

The OpenVMS Customers you are talking about are, in most cases, very
seasoned and experienced professionals. They take their roles seriously.

Lecturing these seasoned pros on how to protect their systems is analogous
to criticizing someone's poor taste in the way they dress their kids.

You can make the statement, and you may be right, but the likelihood of the
conversation ending well is not high.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com







