[Info-vax] What to do with my VAX.....

seasoned_geek roland at logikalsolutions.com
Fri Nov 20 07:35:20 EST 2020


On Wednesday, November 11, 2020 at 6:16:54 PM UTC-6, Arne Vajhøj wrote:
> On 11/11/2020 11:52 AM, seasoned_geek wrote: 
> > On Tuesday, November 3, 2020 at 8:24:16 PM UTC-6, Arne Vajhøj wrote: 
> >> On 10/18/2020 7:33 PM, seasoned_geek wrote: 
> >>> On Sunday, October 18, 2020 at 12:34:14 PM UTC-5, Grant Taylor 
> >>> wrote: 
> >>>> On 10/18/20 3:17 AM, seasoned_geek wrote: 
> > 
> 
> But I hope that server installation does not rely on those. 
> Having a system protect itself is not as good as having 
> another system in front. 

A very large number are, that is why there is so much documentation on how to set it up.

> 
> > Even when one has a firewall in a router, PASSTHROUGH PORTS ARE ENABLED for many things.
> Hopefully all ports inbound are closed.

They generally cannot be.

> > A firewall is not taking a free-form XML/whatever "open" Internet 
> > message and chopping it down into a fixed field length fixed record 
> > width message for a queue. This means the people stuffing a billion 
> > characters or some other nonsense into that free format message to 
> > trigger an overrun so they can perform an SQL injection or some other 
> > hack physically can't happen. When someone tries to move a billion 
> > characters into a COBOL PIC X(25) field, what happens? The first 25 
> > characters make it and the rest land in the bit bucket.
> Protocol conversion is sometimes used. 
> 
> But then it will typically be: 
> 
> --firewall--protocol conversion--firewall--backend system 
> 
> For the same reason as firewall in front of system is better 
> than "software firewall" on system. Better isolation - less risk 
> in case something bad happens in the protocol conversion. 
> 
> And stuffing into fixed length format is totally insufficient 
> as data validation.

Nobody said it was data validation. It is protection. By itself it stops 100% of the data overrun exploits and an extremely high number of SQL injection techniques. I won't say all because I cannot be certain there isn't one that can do it within the 35 characters allowed for a street address line.


> > You are completely incorrect about Security by Obscurity as well. ALL 
> > ENCRYPTION is security by obscurity. Period.
> Not by the definition of security by obscurity commonly used. 

Not by _your_ definition. 

Encryption is simply bragging about the size of the forest one is about to hide a tree in, falsely believing the tree cannot be found.

AGILE is not software engineering. It is so far from software engineering it cannot even mail a letter to software engineering, yet _your_ definition of software engineering allows for it.

Chanting the mantra of "no known vulnerabilities" does not make something secure.
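The exchange above argues over what chopping a free-form message into a fixed-width record actually buys you: seasoned_geek's point that a COBOL PIC X(n) move drops everything past n characters, and Arne's point that this is not data validation. The following is an added example, not code from either poster or from any VMS/COBOL system they run; it models the PIC X(35) street-address field in Python (`to_fixed_field` is an assumed name, and the 35-character width is taken from the post) and feeds the truncated value to an SQLite table two ways, by string concatenation and by a parameterized query. The sample inputs are constructed: a million-character string shows the overrun being discarded as described, while an ordinary address containing apostrophes, well inside 35 characters, shows that truncation does nothing about quote characters reaching the SQL parser, which is exactly the gap parameterization closes.

```python
import sqlite3

# Width of the fixed-length street address line, as in a COBOL PIC X(35).
# The width comes from the post; the name is an assumption for this example.
STREET_WIDTH = 35


def to_fixed_field(value: str, width: int) -> str:
    """Model a MOVE into PIC X(width): keep the first `width` characters,
    pad shorter values with spaces, and drop the rest (the 'bit bucket')."""
    return value[:width].ljust(width)


def insert_concatenated(conn: sqlite3.Connection, street: str) -> bool:
    """Build the statement by string concatenation (the unsafe pattern).
    Returns False if the database rejects the statement."""
    sql = "INSERT INTO addresses (street) VALUES ('" + street + "')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


def insert_parameterized(conn: sqlite3.Connection, street: str) -> bool:
    """Bind the value as a parameter so the SQL parser never sees it as
    part of the statement text. This is the mitigation, independent of
    any fixed-width truncation done upstream."""
    conn.execute("INSERT INTO addresses (street) VALUES (?)", (street,))
    return True


def demo(street: str) -> dict:
    """Run one constructed input through truncation and both insert styles.
    Returns what the fixed field held, whether each insert succeeded, and
    what ended up in the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addresses (street TEXT)")
    fixed = to_fixed_field(street, STREET_WIDTH)
    concat_ok = insert_concatenated(conn, fixed)
    param_ok = insert_parameterized(conn, fixed)
    stored = [row[0] for row in conn.execute("SELECT street FROM addresses")]
    conn.close()
    return {
        "fixed": fixed,
        "concat_ok": concat_ok,
        "param_ok": param_ok,
        "stored": stored,
    }


if __name__ == "__main__":
    # Constructed input 1: a 'billion characters' style overrun (scaled down).
    # The fixed field keeps 35 characters; the rest never reaches the database.
    overrun = demo("A" * 1_000_000)
    print("overrun -> field length", len(overrun["fixed"]),
          "concat ok:", overrun["concat_ok"], "param ok:", overrun["param_ok"])

    # Constructed input 2: a perfectly legitimate 17-character address.
    # Truncation leaves it untouched, so the apostrophes reach the SQL text
    # unescaped and the concatenated statement fails; the bound parameter
    # stores it correctly.
    address = demo("12 O'Brien's Lane")
    print("address -> concat ok:", address["concat_ok"],
          "param ok:", address["param_ok"], "stored:", address["stored"])
```

The first run shows the behaviour the post describes: the length overrun is gone before any SQL is built. The second run is the practical reading of "totally insufficient as data validation": a field that is short enough to fit still carries characters with meaning to the SQL parser, and only the parameterized path handles them. Field-width limits bound how much data arrives; they do not decide what it means.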


