z.sch...@gmail.com (z/OS scheduler) writes:
> IMHO TCP/ip is part and parcel of this new "Open Source / Written by
> Hackers" we are living in.
> I cannot believe that C.C.I.T.T. would have recommended to IBM to make their
> product more hack-able - unless Microsoft or SUN had big influence on
> C.C.I.T.T.

The original mainframe TCP/IP implementation was done in VS/PASCAL which
had none of the typical exploits found commonly in C-language TCP/IP
implementations. The communication group fought fierce battle to prevent
its release. When they lost the battle, they then changed their story
and said that since it was "communication" it had to be released through
the communication group. What shipped would use nearly a whole 3090
processor to get 44kbytes/sec aggregate throughput.

I then did the enhancements to support RFC044 and in tuning tests at
Cray Research between a Cray and 4341 ... got channel speed sustained
throughput using only modest amount of 4341 processor (something like
500 times improvement in bytes moved per instruction executed).

Later the communication group hired a silicon valley contractor to
implement TCP/IP support directly in VTAM. He initially demonstrated
TCP/IP running significantly faster than LU6.2. He was then told that
*everybody* knows that a *valid* TCP/IP implementation runs
significantly slower than LU6.2 and they would only be paying for a
*valid* TCP/IP implementation.

After leaving IBM, I was brought in as consultant to small client/server
startup that wanted to do payment transactions on their server (two
Oracle people that I had worked with at IBM when we were doing IBM's
HA/CMP product were then at startup responsible for something called
"commerce server"). The startup had invented this technology they called
"SSL" they wanted to use, the result is now frequently called
"electronic commerce". I had complete responsibility for the server to
payment networks ... but could only make recommendations on the
client/server side ... some of which were almost immediately violated
... continues to account for some number of exploits.

At the time, internet exploits were about half C-language related
programming problems and half social engineering ... with a few
misc. other items. Then at 1996 m'soft moscone MDC conference, all the
banners said "Internet" ... but the constant refrain in every session
was "protect your investment" ... aka Visual Basic applications embedded
in data files that would be automagically executed. They were going to
transition from the safe, small closed LANs network environments to the
wild anarchy of the Internet w/o any additional countermeasures. By the
end of the decade over 1/3rd of "internet" exploits were these
automagically executed code snippets (the numbers of the other exploits
didn't decrease, there was just an explosion of this new category of
exploits).

Early part of the century I did some work on categorizing exploits in
the NIST CVE exploit database ... and tried to get MITRE to require
additional information in exploit reports. At the time MITRE said that
they had hard enough time getting reports to have any information
... and additional requirements would just inhibit people writing
anything.

Some archived posts about CVE exploit categorizing
http://www.garlic.com/~lynn/2004e.html#43
http://www.garlic.com/~lynn/2005d.html#0
http://www.garlic.com/~lynn/2005d.html#67
http://www.garlic.com/~lynn/2005k.html#3
http://www.garlic.com/~lynn/2007q.html#20

old posts about IBM evaluation of the 30yr old gov. MULTICS security
evaluation ... implemented in PLI and having none of the
exploitable bugs typical in C-language implementations.
http://www.garlic.com/~lynn/2002l.html#42
http://www.garlic.com/~lynn/2002l.html#44

The copy of the IBM paper was originally on IBM website ... but all such
websites have since disappeared and I had to find copy at other
locations.

-- 
virtualization experience starting Jan1968, online at home since Mar1970
