[Info-vax] Problem with Filezilla connecting to OpenVMS

Dave Froble davef at tsoft-inc.com
Tue Dec 11 14:56:17 EST 2018


On 12/11/2018 2:05 PM, Bill Gunshannon wrote:
> On 12/11/18 1:40 PM, Dave Froble wrote:
>> On 12/11/2018 1:15 PM, Simon Clubley wrote:
>>> On 2018-12-11, Dave Froble <davef at tsoft-inc.com> wrote:
>>>> On 12/11/2018 8:39 AM, Bill Gunshannon wrote:
>>>>> On 12/11/18 8:19 AM, Simon Clubley wrote:
>>>>>>
>>>>>> BSS could run privileged programs just fine, but BSS, unlike DCL,
>>>>>> will never, ever, see the privileges of the program it has just
>>>>>> started.
>>>>>>
>>>>>> The only way for BSS to get privileges is to be run by a privileged
>>>>>> user.
>>>>>>
>>>>>
>>>>> Well, it's probably a matter of semantics, but a Unix Shell can be
>>>>> made to run with privilege when started by an ordinary user, but
>>>>> that requires using a feature that has been considered dangerous and
>>>>> a bad idea (even by the man who created it) for a long time.
>>>>>
>>>>
>>>>   From what you're writing, he still created it.  Then the question
>>>> becomes, how many use the capability.  Perhaps security is based upon
>>>> usage, regardless of the OS capabilities?
>>>>
>>>
>>> It was a joke David. :-)
>>>
>>> To enable the option Bill is thinking of, Brian would already need
>>> to have root level access.
>>>
>>> In VMS land, it would be like saying yes, I can write a program as
>>> a non-privileged user that runs with full privileges provided you
>>> give me the password to SYSTEM and then let me use INSTALL to install
>>> my program with full privileges. :-)
>>>
>>> Simon.
>>>
>>
>> Our users require SYSLCK.  On VAX it was simple, for me.  On Alpha it
>> was much harder, for me.  Ok, Dave's a dummy.  It was still much
>> harder for me.
>>
>> So, there is a UWSS, installed with privs, on every user system.  Can
>> it be a security issue?  I don't know.  I will admit that just about
>> anything could ultimately be a security issue.
>>
>> First point, there are users with privs, and they can, and do, install
>> images with privs.  It happens.
>>
>> Second point, which you just don't seem to get.  One does what one has
>> to do to get the job done.  Without that, YOU DON'T EXIST!  It's just
>> that simple.
>>
>> So, can there be security issues?  Yes, there can, and most likely
>> are.   We do what we can.  Expect more, if you wish to do so.  Doesn't
>> mean you're being rational.  Doesn't mean you're going to get any
>> satisfaction.
>>
>>
>
> All true and all accurate.  The only thing that has changed since
> the good old days is the environment.  All it takes is one slip
> and you could be financially ruined. Or, worse still, in trouble
> with the government who can be relentless and have infinitely
> deep pockets to come after you.  Security is a serious problem.
>
> Hmmmm.  Now it makes me wonder even more about DISA's move to
> stop approving or even inspecting VMS systems.  Maybe the
> reason was because they determined nothing could make it meet
> the requirements because so much was deeply ingrained in the
> system design.  Too bad there is no one to ask any more.
>
> bill
>

Social intrusions have always been there, and always will be there.  As 
an example, you call in to make a purchase, and you give your credit 
card information to someone over the phone.  How do you know they aren't 
writing it down for future nefarious activity?  Note, that doesn't even 
get to the computer system(s).

My understanding is that many of today's intrusions are over the 
internet, where the intruders never do have login credentials.  In this 
case, Simon's crusade against DCL has no place.  To some extent, the OS 
may not be part of any fault.  In the case of VMS, most likely not.  Now 
some will claim that the networking (in the past TCP/IP was not part of 
base VMS, and perhaps that could be considered a copout) might be at 
fault.  Or the web server.  Or other apps.  The reality is that the 
total package is the target of the intruders, and, when addressing 
security, one must address the entire package.

But getting back to VMS as an OS.  I feel that it's rather secure.  It's 
possible that other OS's from the same perspective could also be 
considered rather secure.  Don't really know.  Nor does it matter if 
there is a successful intrusion.

I will admit that I'm none too happy with the TCP/IP that has been 
shipped with VMS in the past.  I'm hoping for some major improvements 
with the new product from VSI.

There are things that can be done to make things harder for the 
intruders.  While I was opposed to the concept originally, all this talk 
about security has affected my thoughts.  Codis customers have web 
servers running independently of the core application server(s).  They 
can take orders and such from customers, but, cannot do other than 
specific communications with the core applications.  So, hack the web 
server, fine, disrupt activity, fine, but you ain't getting to anything 
important.  No way you're going to rip off any lawn mowers.

:-)



-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486


