Ah, yes, Mr. Svalgaard. Remember, Philip, that Leif's issues are different.
Because of his intimate understanding of the single-level store, Leif is
able to exploit things in ways that make my hair curl. For the most part,
though, you do have to be at a command line to pull of what Leif does, so it
is a very different class of security issues. I'm not saying they're not
problems, just saying they're not what we're talking about here.

Again, I challenge anyone to exploit that particular weakness (or indeed any
weakness) by using a buffer overrun exploit.

In fact, I'll do this: if someone is willing to bet me $1000, I'll give you
a static route to an HTTP server on my machine, and I'll let you do what you
can for 24 hours. If you can't overrun it, if the best you can do is some
lame denial of service attack, you owe me a thousand dollars.

This challenge is outstanding forever. I guarantee that I will never pay
off on it. And until then, let's drop the nonsense that Windows security is
equivalent to i5/OS security. That's simply rubbish.


From: Hall, Philip

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-
bounces@xxxxxxxxxxxx] On Behalf Of Walden H. Leverich

This is simply untrue.
The buffer overrun exploits that allow you to raise your security level
thus take over a machine are not possible in i5/OS.

I'll say it, since Patrick is probably too nice to do so...

Joe, taking on Patrick Botz, IBM's lead security architect for i5/OS and
the IBM Virtualization Engine, about what's possible and not possible in
i5/OS security is probably a losing battle. IF, and I stress, IF, there
are possible exploits for i5/OS, he's the one to know!


And although he's not actively about in the lists anymore, I'd take what
Leif (Svalgaard) says over any IBM personnel, who ever it was.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].