Rexx and Security

I found a couple of articles rather interesting in terms of how it culturally impacts Rexx.

http://www.infoworld.com/article/05/08/04/HNvistaviruses_1.html

http://addict3d.org/index.php?page=viewarticle&type=news&ID=8816

I surmise from the text that the thought is that simply having an interpretive / scripting language installed in computers is dangerous as someone might develop an evil script / program with that tool. I would conclude that the only secure computing model in the opinions of the writers is that of the Linux / Unix environment which has the execute bit in the filesystem, and that the only programs allowed to be installed are statically compiled C/C++ programs. Further, programs which are written can not accept any sort of "plugin" that allows third party developers to add functionality... such as web browser plugins which is utilized as simple as dropping the binary (w/o execute bit) into the plugins directory and restarting the program.

You know, as I look back 10+ years... which I have done quite a bit of lately... I sure don't see what was so insecure about OS/2 2.x, 3.x, etc... To me, I have to conclude that since the software back then had great potential to allow people to rapidly develop their own software, that the problem today is not the tool, but that the world we live in has further deteriorated and now people use these "high level languages" to do very destructive things.

Think of the virus world back then... boot sector viruses written in assembly that used the insecurity of DOS to directly gain access to hardware. OS/2 requiring hardware access only through API's and device drivers solved a lot of that, thus there were not viruses on OS/2.

Ah, but now the virus community turns to a new set of tools which is on every computer... interpretive / script languages! And so the "ostrichism" solution is to take away these interpretive / script languages as they are "too dangerous" to leave on computers? I find that a most ignorant remedy to the problem!

This sort of thinking has led companies which in general once allowed "LAN Group Managers", who were responsible for a group of computers on the LAN, to develop their own applications in spreadsheets, databases, word processors, or stand along interpretive languages like Rexx to say that is not allowed and that all software must be vendor shrink wrap software. I am talking about "the good old days" when people like Nicholas Petreley wrote for InfoWorld and raved about tools like VisPro Rexx. It's not that the security / productivity and functionality / vendor support is that great... typically the software licensing for the modern replacement to "home brew" far exceeds the salary of the employee who formerly did this work in their spare time while doing other work assignments. Over and over I see project replacements for neat little "home brew" projects end up requiring teams of 20+ people and large sums of money to implement the vendor written software. What an insult to the employee! If the firms spent 1/10th the time and resources finding ways to leverage that employee than they spend worrying about them resigning or retiring what amazing things their organization could realize! I know, brainless middle managers do not think that way. They rely on long and frequent unproductive meetings to justify their existence as that is all they are capable of contributing to the organization. Wake up USA... why do you think the jobs go overseas... it's not the fault of the few talented administrators and engineers that do great things on non-existent budgets!

So the answer is digital signatures on program files, right? WRONG!!! If you rely on those, then hackers learn to create their own digital signature. I mean sure, change the language interpreter to require digitally signed "tokenized" files to interpret. Bad guys will still find a way to execute their code... you've gone and made it harder to execute code thus there is all the bigger prize to earn once they find a way to do it. Requiring the interpreter to only interpret source files with the execute bit set is an option that comes to my mind... ha ha, Windows still does not have that basic level of security!

Rant and rave as I will... I am not going to buy that simply removing interpretive / scripting languages is the solution to the problems which exist. People that develop email programs to automatically look for application / script code included in emails and then will execute it upon seeing it... there are no excuses for that level of stupidity! But don't go shooting the languages because some idiot linked their software to the language in an inappropriate way.

So, one vote that the entire IT industry pause for a moment, stop creating idiotic linkages between untrusted domains (email in box, html web pages from web servers, etc...) and powerful tools that allow intelligent administrators to "work smarter not harder."

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/

Remove the upper case letters NOSPAM to contact me directly.
.