[Info-vax] Problem with Filezilla connecting to OpenVMS
Kerry Main
kemain.nospam at gmail.com
Mon Dec 10 21:26:37 EST 2018
> -----Original Message-----
> From: Info-vax <info-vax-bounces at rbnsn.com> On Behalf Of Simon Clubley
> via Info-vax
> Sent: December 10, 2018 8:58 AM
> To: info-vax at rbnsn.com
> Cc: Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP>
> Subject: Re: [Info-vax] Problem with Filezilla connecting to OpenVMS
>
> On 2018-12-09, Kerry Main <kemain.nospam at gmail.com> wrote:
> >
> > Simon,
> >
> > The OpenVMS Customers you are talking about are, in most cases, very
> > seasoned and experienced professionals. They take their roles seriously.
> >
>
> They are certainly well adapted to the security issues of the 1980s and
> 1990s. Whether they are adapted to the security issues of the 21st century
> is very much an open question.
>
> > Lecturing these seasoned pros on how to protect their systems is
> > analogous to criticizing someone's poor taste in the way they dress
> > their kids.
> >
>
> These are the seasoned pros that had to have security terminology such as
> shellcode explained to them during the fallout from DEFCON 16.
>
> These are the seasoned pros who went into a state of denial and attacking
> the researchers during that fallout.
>
> After I later found out just how bad my initial supervisor mode discovery
> was, these are the people for whom I had to give an additional 3 months to
> install the patch before releasing details of how to exploit VMS from
> supervisor mode.
>
> This BTW was on top of the month I had already given them to install the
> patch before releasing details of the first (benign) phase of my research.
>
> 3 Months! These days, that's the length of time a vendor gets from initial
> reporting of the issue to them to release of details by the researcher.
>
> It's also a community with people like you Kerry who like to go on about
> the number of patches other operating systems have to install even when it's
> pointed out to you that VMS will have comparable levels of patches issued
> against it if VMS had the level of security researcher's attention and
> product ranges that those other operating systems have.
>
The very high number of commodity OS security patches (not bugs, but
security issues) released each and every month is fact. Surely you do not
dispute this?

Whether most or any of these also apply to OpenVMS is pure speculation.
Some may apply. Having stated this, every platform is different and yes,
while some issues are common, many are not.

Just because a security issue is found with a Windows kernel issue, does not
mean it also applies to a Linux OS. And vice versa. Same for OpenVMS.

In the past, even the HW was different, so past X86-64 related issues do
not apply to OpenVMS (yet).

Yes, now that OpenVMS X86-64 is going to soon become available, additional
focus will also have to be paid to X86-64 specific issues. Spectre etc.

Yes, additional focus is required to enhance OpenVMS security. Contrary to
what you seem to be spreading, no one here that I can recall has stated
OpenVMS is 100% secure.

No platform is.

VSI has stated numerous times here that more security work is required and
it is on their roadmap.

In the meantime, like all OS platforms, for those with sensitive
applications, they continue to harden their defences with such things as
higher end firewalls (external/internal), internal zoning, IPS/IDS
appliances, SIEM technologies, ACLs on switches etc.

Regards,

Kerry Main
Kerry dot main at starkgaming dot com