  • Subject: Internet Security (was Re: frame question)
  • From: DAsmussen@xxxxxxx
  • Date: Fri, 14 Nov 1997 18:02:50 -0500 (EST)

Gary,

In a message dated 97-11-14 08:55:35 EST, you write:

> Am I wrong in assuming that you have no faith in SSL or encryption
> strategies to deter cybercrime?  What about Virtual Private Networks via the
> Internet?  How will this be any different from E-commerce in security?

Well, I won't say that I have _NO_ faith in SSL or encryption strategies to
deter cybercrime -- I just don't have _as much_ faith in them as I do with my
SNA network or Virtual Private Networks (to which my earlier Advantis mention
alluded).  I think the key word here is "deterrence".  In the USA, the death
penalty is supposed to be a "deterrent" to capital crime -- yet people kill
each other every day (and usually it's their own relatives).  Think about it,
how often do you see an announcement in "the trades" that Micro$oft, or
NetScape, AOL, or some other major vendor has plugged some Internet security
hole that _YOU_ didn't even know existed in the software you use every day?
Now how often for IBM?  The "major" Internet vendors don't even send these
"fixes" to you automatically -- you have to either download or _order_ them!
This happens far too often for my clients to risk major exposures to them,
IMO.

What _really_ bothers me is that most of the "high profile" Internet security
breaches to date have been pulled off by what most of us on MIDRANGE or
JAVA-L would consider "amateur" programmers.  Most of the latter couldn't
write a business application to save their lives, and didn't know what to do
with the data that they managed to access ("Whoa, posted hate messages on my
web page, _I'm_ scared").

Now suppose, for the sake of argument, that someone...I don't know, perhaps a
hostile nation or major software vendor...approached an equally talented,
but less scrupulous list member.  Suppose further that this theoretical
"someone" provided this also theoretical "less scrupulous" list member with a
room full of "state of the art" hardware/software, all the books/CD ROM's
they needed to learn everything there was to know about the
hardware/software, unlimited communications access (both telephone and
Internet),  unlimited funds that could be used for bribery, enough salary to
make them independently wealthy, and a target.  Given that this talented
individual would have everything they needed from a resource standpoint, and
nothing else to work on, how long do you think that it would take them to
compromise "the target"?

Were it me (and being generous with the time line), I'd say that I could get
anything I want from the targeted systems without detection in 36 months or
less.  Probably 12 in a poorly implemented Internet situation.  Why less time
for the Internet breach?  Because most Internet software is in the public
domain (hey, just download JAVA/400 off the web!).  There are people running
lists just like this one that tell you the latest ways to circumvent popular
fire walls and operating system security systems.  Heck, they publish
MAGAZINES on the subject in foreign countries!  If this prospect doesn't
scare the "beejeezus" out of your management, I don't know what will.

The AS/400 has been largely immune to attack largely because of its (much
maligned by the competition) proprietary nature, the fact that OS/400 isn't
for sale on any other platforms, its _EXCELLENT_ security system, and the fact
that your average hacker doesn't have the cash to plunk down on one.  You can
run many flavors of UNIX and TCP/IP (some of which are also free) on your
desktop PC.  The same cannot be said of OS/400.  Most "Fire Wall" software is
cheap compared to an OS/400 license.

I'm not saying that companies should not consider "e-business", just that
they should consider their implementation _very carefully_.  They should also
consider the fact that the IS management that they are asking to make this
decision, in most cases, _HAS_ no Internet experience.  They should also
consider the fact that the majority of consulting help that they would
usually rely on in this instance may have lots of Internet experience, but
little-to-no business (and very little "structured" security) experience.  At
a _minimum_, I would insist on a full security review on all systems by
_proven_ professionals from an independent agency prior to implementation.  A
completely isolated box would be preferred...

JMHO,

Dean Asmussen
Enterprise Systems Consulting, Inc.
Fuquay-Varina, NC  USA
E-Mail:  DAsmussen@aol.com

"One never notices what has been done; one can only see what remains to be
done." -- Marie Curie
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "JAVA400-L@midrange.com".
| To unsubscribe from this list send email to MAJORDOMO@midrange.com
|    and specify 'unsubscribe JAVA400-L' in the body of your message.
| Questions should be directed to the list owner/operator: david@midrange.com
+---



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].