In the process of writing this, Patrick already responded with more
succinct versions. But I'll pretend that "uneven network propagation"
has struck again and I haven't seen what he wrote! ;) (Seriously,
some people always seem to respond the next day to something that
already had 15 answers posted within an hour of the original question.
I can only imagine this is because they truly haven't seen those other
answers, and they are typing in their responses as soon as they very
possibly can.)
On Wed, Jun 2, 2021 at 3:19 PM Rob Berendt <rob@xxxxxxxxx> wrote:
Yes the changes made it to IBM i. However there was this CCSID issue...
The point of this library was to test encrypting objects. Therefore encrypting them to test encryption is necessary.
No, demonstrating something's encryptability does not require actually
encrypting that thing.
If we have demonstrated that the contents of an IBM i object can be
altered from the other side of a share, then we have demonstrated that
the object in question can be encrypted from the other side of the
share.
On Wed, Jun 2, 2021 at 3:35 PM Rob Berendt <rob@xxxxxxxxx> wrote:
I see them fine in Windows Explorer: .pgm, .usrspc, .file, .mbr
Some I can right click on and perform operations. Some I cannot.
What I'm trying to do is to see how one could maliciously encrypt such objects by using a share. Perhaps there are encryption tools which do not differentiate between stuff on a Windows server and stuff on other servers like Windows Explorer does?
If we have demonstrated that Notepad can alter an IBM i object, then
you already have one concrete example of an "encryption tool" right
there: Notepad.
How is it an encryption tool? Let's say that we have an amazing math
genius at our disposal who can design an encryption algorithm which
outputs printable characters (fundamentally, this could simply consist
of doing "regular" encryption and then uuencoding the result, so that
it stays in the printable range), and let's also say that this genius
can do the necessary calculations in their head. Then all they need is
Notepad to type in and save those printable characters in the
crypto-uuencoded version of the content.
Yeah, such a genius is pretty far-fetched, right? Especially the
"encryption in their head" part. Fine, so instead of doing it in their
head, they write some computer program which does the calculations for
them. Then the human becomes merely a transcription device to get the
original content out of the IBM i, put that content through their
crypto-uuencode program, and then transcribe the crypto-uuencoded
content back the other way, through Notepad.
It's still kind of ridiculous that someone would do all that typing by
hand, right? But hopefully you have at least a TINY bit of imagination
to see the point by now. Let's say our genius has the source code for
Notepad. They then create a special version of Notepad that handles
the crypto-uuencoding, so that it's just another option in the
File->Encoding menu (the one where you can choose ANSI, Unicode,
Unicode Big Endian, UTF-8, UTF-8 with Signature, etc.).
We can write programs to do pretty much any arbitrary thing that is
doable by computer. And we have seemingly countless tools at our
disposal to do so. There are a profusion of programming languages,
most of them free and available to anyone, that run on Windows, Linux,
and macOS (or any other platform that might be on the other side of
the share). So if there isn't already an encryption tool, there
certainly could be one if someone wanted. And really, it seems
incredibly unlikely that there aren't already plenty of encryption
tools out there. Maybe *you* don't have any of them right now, but at
a minimum, whatever Notepad can update, *someone* can definitely write
a program that encrypts those very same things.
And, to finally piggyback onto Patrick's responses: Instead of
"encryption tool" you can think "ransomware".
John Y.
midrange.com
