RE: Green-screen versus browser -- MIDRANGE-L

midrange-l-request@xxxxxxxxxxxx wrote:

> 3. RE: Green-screen versus browser (Lim Hock-Chai)
>
>I'm not security expert, but how would a green screen app be more secure that
>GUI app? Is it because you isolate the AS400 from the internet world? If so,
>how is that different from isolate the a GUI app from internet?

Lim:

I wouldn't call myself a "security expert" in this area either, but I'll add
some thoughts. These are mostly impractical, so they're not presented as
anything most of us will ever see examples of.

I believe that the primary assumption when speaking of 'green-screen' is that
the app is executed through a non-programmable terminal (NPT). Things change
when NPTs are the base.

When the app runs through iSeries Access emulation (and perhaps any number of
other emulators), then security can easily be compromized from the client side
(e.g., Windows).

See for example:

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/ic2924/index.htm?info/rzaik/rzaikemulator.htm
or
http://makeashorterlink.com/?J1D1428FA

Unless there's a guarantee that there is no rogue app that implements those and
other related APIs, there's no guarantee of security in this area.

Of course, there is and always has been significant 'security by obscurity'.
Since the market for such rogue applications has been so limited, there is a
vanishingly small risk. Not zero, but pretty close for most practical purposes.
(Some of our customers would disagree.)

I used to create simple little apps that did stuff to my 5250 (and 3270)
sessions such as helping to ensure that I never experienced inactivity
timeouts. That app would hang around while I was doing work and become active
if I was away for a while. It would then send some keystrokes on a regular
basis, perhaps the <Home> key or similar, to make the session think it was
still attended. I used this mostly for sessions to IBMLink I think because I
liked to have it open all day. It's been years, but capabilities always seem to
grow. Nowadays I can only imagine what _could_ be done -- screen-scraping
passwords is perhaps the least of the risks.

This aspect of security is one that green-screen apps rarely if ever address.
I'm not sure of any decent way it even could be addressed by the green-screen
app. It covers actions that might happen without the knowledge of the active
user.

The alternative aspect of security against actions taken by the active user is
easier to anticipate and is what green-screen apps traditionally (historically
rightly so) cover. I imagine that this is the aspect that is intended when
green-screen security is touted over GUI and related access technology.

iSeries Access emulation sessions are essentially GUI, even if the 24x80 and
27x132 sections of the window are rendered as characters. I suppose most
emulators can be thought of similarly.

Tom Liotta

--
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone 253-872-7788 x313
Fax 253-872-7904
http://www.powertech.com

__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp