|
Caution: This is a somewhat lengthy message, and probably more than a tad off-topic (what's a tad? ;) On Sun, Nov 14, 1999 at 03:40:38PM -0000, Roger Bowler wrote: > -----Original Message----- > From: Jason M. Felice <jasonf@Baldwingroup.COM> > > > >In any case, given how the 5250 protocol is designed, the AS/400 being > >susceptible to a buffer overflow attack is very possible given all the > >differnet structures expected to be different sizes in the 5250 data > stream. > >It's a much more complicated protocol than plain telnet, and therefore much > >more likely to have weeknesses. > > > I would draw the opposite conclusion, Jay. The rigorous definition of the > SNA > datastream, with each field strictly bounded by its length, IMO is designed > to > reduce rather than increase the scope for errors. Of course I haven't seen > the OS/400 source code but I'd be willing to bet that it's 100% rock solid > in > this respect. While on the one hand, this is probably implemented in MI assembly on the OS/400, and the structures are rigidly definied in memory and loaded from the code, that precise idea is what will require the code to check for a buffer- overflow attempt (or even accident) in every instance there is a fixed structure and every instance there is a fixed sub-structure or field or what not. ... and there's no such thing as 100% rock solid ;) My experience with security (inluding being hacked a few times and thwarting hacks a few times) has taught me that it really is an evolution ... you can never be perfectly secure, but only more secure than the majority of hackers out there. One example is when they were able to crack implementations of DES. DES, at that time, was known to be perfectly secure; however, they found that with most implementation, if you time the rate of output and latencies in the transmitted data, you can deduce the key. Now everybody is upgrading to implementations of DES or other crypto algorithms which work in constant time. This just blows my mind, but makes me have to accept as a general fact that you can't really gauruntee _anything_ is secure, even if you *can* read the source code, you can only gauruntee that there is no publicly known method of hacking it right now. I can certainly see areas where the IBM philosophy would lead to more secure software, especially since the protocols are so rigidly and well definied before implemented, but also because most 'nix type protocols need a parser of some sort, where as in IBM land the client pretty much parses the protocol into the strucures and sends everything pre-parsed. There are other reasons I think so as well. I just (for the above reasons) wouldn't ever put my live business data plugged into the Internet. Just way too much to loose. > > What you've got to remember is that OS/400 was built by IBM programmers > working in a culture where this kind of highly structured data had been the > norm for 20 years. When I first saw Unix after 15 years of mainframe > programming, I couldn't believe how loosely defined protocols like SMTP and > Telnet could be made to work. Now I've got more experience of Unix I > understand how it's possible for seasoned Unix programmers to design > reasonably robust implementations around these protocols. I was (am) likewise facinated by the IBM way of doing things ... pretty crazy how different they can be. I probably know a good 15 computer languages, counting scripting languages and shells, and because of that, have enough background to learn another computer language *very* quickly. This is somewhat why I was confident in starting an RPG compiler and walking into that large project even though I had never written an RPG program before. And, while I'm still making much progress, and still learning RPG, I can honestly say that with the exception of the first computer languages I learned (BASIC and Pascal), RPG has been one of the most difficult: many concepts in RPG are just completely alien despite my varied background. They aren't difficult concepts at all; RPG is relatively simple language on purpose, there's just a lot about it that strikes me as very odd. I can't wait until quantum computing becomes a reality, then we'll all be blown away <g> > > Mainframe and Unix are quite simply at poles apart in their philosophy -- > that's why I find the fusion of the two cultures so fascinating. Absolutely agreed. Now if they can just make the AS/400 TCP/IP interface stay alive if the default gateway goes down temprorarily ;) Kidding aside, they really have done a good job -- I just have to scratch my head every so often and say "Huh?!?" > > Cheers, Roger Bowler > -Jay 'Eraserhead' Felice +--- | This is the LINUX5250 Mailing List! | To submit a new message, send your mail to LINUX5250@midrange.com. | To subscribe to this list send email to LINUX5250-SUB@midrange.com. | To unsubscribe from this list send email to LINUX5250-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
