


>MY job to slip into my spandex....

AAARRRRRRRRRGHHHHHHHHHHHHHH, my eyes, my eyes, I'm blinded! <G>

>...will allow a malicious user...

Impressive, most of the ones I've seen "may" allow. Basically it's a
report of a situation where IF you did this and then you did that and
then you did the other thing then you could take control. But regardless
of semantics... A properly configured/secured server wouldn't allow the
access necessary to take advantage of most of these issues.

>I get the idea that this problem might be apocryphal.

I said it wasn't "my bug" but I do trust the source and veracity of the
bug. 

>You can't even recreate it using a web interface.

Perhaps. My understanding is that it's caused down in the bowels of the
query processor, so I would think that it could happen for a batch job
too, but perhaps you are correct (I hope you are). But since you bring
up the web interface, the vast majority of Windows issues aren't
exploitable via port 80 either.

-Walden
------------
Walden H Leverich III
President & CEO
Tech Software
(516) 627-3800 x11
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com

Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)
  


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Joe Pluta
Sent: Thursday, 30 December, 2004 11:50
To: 'Midrange Systems Technical Discussion'
Subject: RE: Why NOT the web?

> From: Walden H. Leverich

Walden, I'll let you have your fun, but there are a couple of areas where
you simply cross the line.  And of course, it's then MY job to slip into
my spandex with the big letter "A"--oops, little letter "i"--on the
front, and address your brazen foolishness!  (Then again, it may be a
bit cheeky for a fat guy in spandex to be talking about brazen
foolishness...)


> John mentioned the "732 reasons not to use .NET" but Rob had a valid
> counter, isn't this the same as "integrity ptfs"? Beyond that, if you
> want to count apples and apples, don't forget to count WebSphere, Java
> and Apache issues in that mix, because you need all that to cover the
> .NET universe.

I just updated my machine last week.  Looking at it now, there are about
a dozen "Windows Security Updates" that say that not installing this
patch will allow a malicious user to completely take over my machine.

There is NOTHING like that on ANY IBM bug I have ever heard, with the
possible exception of the passwords being stored in the clear in
temporary storage.  So, one bug versus dozens or more a month - no,
there is no similarity.


> How many know
> about a "small problem" where you can crash an entire high-end iSeries
> by doing a System Request 2 during a query? We're not talking about an
> old bug, we're talking about a V4R4 to V5R3 problem that isn't PTFd yet.

Never had it happen.  Haven't been able to do it here, Walden.  I get
the idea that this problem might be apocryphal.  But even if it isn't,
it requires physical access to the 5250 terminal.  You can't even
recreate it using a web interface.

Joe

-- 
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
