[Info-vax] Problem with Filezilla connecting to OpenVMS
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Dec 10 08:58:01 EST 2018
On 2018-12-09, Kerry Main <kemain.nospam at gmail.com> wrote:
>
> Simon,
>
> The OpenVMS Customers you are talking about are, in most cases, very
> seasoned and experienced professionals. They take their roles seriously.
>
They are certainly well adapted to the security issues of the 1980s and
1990s. Whether they are adapted to the security issues of the 21st century
is very much an open question.

> Lecturing these seasoned pros on how to protect their systems is analogous
> to criticizing someone's poor taste in the way they dress their kids.
>
These are the seasoned pros that had to have security terminology such
as shellcode explained to them during the fallout from DEFCON 16.

These are the seasoned pros who went into a state of denial and
attacking the researchers during that fallout.

After I later found out just how bad my initial supervisor mode discovery
was, these are the people for whom I had to give an additional 3 months
to install the patch before releasing details of how to exploit VMS from
supervisor mode.

This BTW was on top of the month I had already given them to install
the patch before releasing details of the first (benign) phase of my
research.

3 Months! These days, that's the length of time a vendor gets from initial
reporting of the issue to them to release of details by the researcher.

It's also a community with people like you Kerry who like to go on about
the number of patches other operating systems have to install even when
it's pointed out to you that VMS would have comparable levels of patches
issued against it if VMS had the level of security researchers' attention
and product ranges that those other operating systems have.

Oh yes, and it's also a community which has a vendor which likes to
do meaningless CVE count marketing and then which you have to drag
a CVE out of. It's also the vendor which likes to say things (VMS is
the most secure operating system on the planet) that even a San Francisco
millennial would probably be embarrassed to say.

> You can make the statement, and you may be right, but the likelihood of the
> conversation ending well is not high.
>
That conversation may indeed not end well if people refuse to listen
to the warnings, especially given the idiotic language that VSI
management are putting out about VMS being the most secure operating
system on the planet.

All that does is to paint a stonking huge target on the VMS systems
out there and for the VMS people who may not be well prepared
to handle what is likely to happen when the security researchers
notice VMS and the VSI marketing language.

The people looking to teach VSI a lesson in humility are not very
likely to be as flexible as I have been which is something those
VMS sites may end up finding out the hard way.

My goal has been to try and help people before they get taught the
same lessons in a much more painful and harsh way. This is no longer
the 1980s and 1990s when it comes to computer security.

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world