z.sch...@gmail.com (z/OS scheduler) writes:
> IMHO TCP/ip is part and parcel of this new "Open Source / Written by
> Hackers" we are living in.
> I cannot believe that C.C.I.T.T. would have recommended to IBM to make their
> product more hack-able - unless Microsoft or SUN had big influence on
> C.C.I.T.T.

The original mainframe TCP/IP implementation was done in VS/PASCAL which had none of the typical exploits found commonly in C-language TCP/IP implementations. The communication group fought fierce battle to prevent its release. When they lost the battle, they then changed their story and said that since it was "communication" it had to be released through the communication group. What shipped would use nearly a whole 3090 processor to get 44kbytes/sec aggregate throughput. I then did the enhancements to support RFC044 and in tuning tests at Cray Research between a Cray and 4341 ... got channel speed sustained throughput using only modest amount of 4341 processor (something like 500 times improvement in bytes moved per instruction executed).

Later the communication group hired a silicon valley contractor to implement TCP/IP support directly in VTAM. He initially demonstrated TCP/IP running significantly faster than LU6.2. He was then told that *everybody* knows that a *valid* TCP/IP implementation runs significantly slower than LU6.2 and they would only be paying for a *valid* TCP/IP implementation.

After leaving IBM, I was brought in as consultant to small client/server startup that wanted to do payment transactions on their server (two Oracle people that I had worked with at IBM when we were doing IBM's HA/CMP product were then at startup responsible for something called "commerce server"). The startup had invented this technology they called "SSL" they wanted to use, the result is now frequently called "electronic commerce". I had complete responsibility for the server to payment networks ... but could only make recommendations on the client/server side ... some of which were almost immediately violated ... continues to account for some number of exploits. At the time, internet exploits were about half C-language related programming problems and half social engineering ... with a few misc. other items.

Then at 1996 m'soft moscone MDC conference, all the banners said "Internet" ... but the constant refrain in every session was "protect your investment" ... aka Visual Basic applications embedded in data files that would be automagically executed. They were going to transition from the safe, small closed LANs network environments to the wild anarchy of the Internet w/o any additional countermeasures. By the end of the decade over 1/3rd of "internet" exploits were these automagically executed code snippets (the numbers of the other exploits didn't decrease, there was just an explosion of this new category of exploits).

Early part of the century I did some work on categorizing exploits in the NIST CVE exploit database ... and tried to get MITRE to require additional information in exploit reports. At the time MITRE said that they had hard enough time getting reports to have any information ... and additional requirements would just inhibit people writing anything.

Some archived posts about CVE exploit categorizing
http://www.garlic.com/~lynn/2004e.html#43
http://www.garlic.com/~lynn/2005d.html#0
http://www.garlic.com/~lynn/2005d.html#67
http://www.garlic.com/~lynn/2005k.html#3
http://www.garlic.com/~lynn/2007q.html#20

old posts about IBM evaluation of the 30yr old gov. MULTICS security evaluation ... implemented in PLI and having none of the exploitable bugs typical in C-language implementations.
http://www.garlic.com/~lynn/2002l.html#42
http://www.garlic.com/~lynn/2002l.html#44

The copy of the IBM paper was originally on IBM website ... but all such websites have since disappeared and I had to find copy at other locations.

--
virtualization experience starting Jan1968, online at home since Mar1970