Well, we start our 4th year touring on Wednesday; enclosed is my first load of dribble in the form of a newsletter which I am going to try and send every week.
You all take care and stay happy and healthy
At LDC we deal with all sorts of projects, from bleeding edge to stuff that I'm sure was written by the same people who made Stonehenge. One such example came our way from a large client and involved communication between an IBM iSeries and a very wide variety of other systems: the user would trigger an item of work on the iSeries, which would then call all the other systems. The job itself was not an issue, BUT the security implication of it was.
Because of the variety of the systems involved, web services were picked as the most universal communication method available, but the frameworks used by the various systems varied hugely, from up-to-date CXF and .NET through Axis 1.4 all the way down to manual text parsing (yes, really). This meant that there was no way of doing session security; hell, any form of security was going to be hell.
After a bit of head scratching we used a simple solution that solved the problem nicely for all.
Every web service call now contains an additional parameter that contains a hashed text string.
When a request is made from the iSeries it generates a text string according to the rules we laid down, hashes it (we used an MD5 hash*) and adds that to the web service call. The receiving system knows the rules the iSeries used, so it generates its own string to produce a matching hash, compares it to the incoming hash, and if it matches then it's a valid request; else it just discards it.
The source string needs to contain a number of different elements to be of any use; I recommend a minimum of
Now I don't know IBM RPG, so this side was done by an extremely talented programmer called Wajid Basha (who I personally think is wasted in his current role).
He did a little generic function to generate the hash on the IBM iSeries: MD5 HASH Generator Iseries.txt
and the Java to test the resultant hash:
Problem solved. :)
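The scheme above in runnable form, as an added illustration rather than Wajid's RPG or the post's Java (neither is reproduced here). The post does not list the elements of its source string or its rules, so the field order, separator, shared secret and freshness window below are all assumptions; the shape is the same: the caller builds a string by fixed rules, MD5-hashes it and sends the hash as an extra parameter, and the receiver rebuilds the string from the same rules and compares. Two details a receiver should get right are shown: the comparison is constant-time, and a request whose timestamp is outside the window is discarded, so a captured hash cannot simply be replayed later.

```python
import hashlib
import hmac
import time

# Constructed values for this example. The post does not give its rule set,
# so the field list, separator, secret and freshness window are all assumptions.
SHARED_SECRET = "example-shared-secret"   # known to the iSeries and every receiver
FIELD_ORDER = ("system", "job", "ts")      # the order is part of the "rules"
SEPARATOR = "|"
MAX_SKEW_SECONDS = 300                     # discard requests whose timestamp is too old


def source_string(params):
    """Rebuild the text string both sides hash: the agreed fields, in the agreed
    order, followed by the shared secret so an observer cannot recompute it."""
    return SEPARATOR.join([str(params[k]) for k in FIELD_ORDER] + [SHARED_SECRET])


def compute_hash(params):
    """MD5 of the source string, as the post does (MD5 was the lowest common
    denominator across the systems involved; use an HMAC where every side can)."""
    return hashlib.md5(source_string(params).encode("utf-8")).hexdigest()


def sign_request(params):
    """Caller side (the iSeries): add the extra 'hash' parameter to the call."""
    signed = dict(params)
    signed["hash"] = compute_hash(params)
    return signed


def verify_request(request, now=None):
    """Receiver side: regenerate the hash from the rules and compare it with the
    incoming one. Fails closed on a missing field, a stale timestamp or a
    mismatch, and compares in constant time so timing does not leak the hash."""
    now = time.time() if now is None else now
    try:
        body = {k: request[k] for k in FIELD_ORDER}
        incoming = request["hash"]
        ts = int(body["ts"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(compute_hash(body), incoming)


if __name__ == "__main__":
    # Constructed request: a job triggered on the iSeries, checked 10 seconds later.
    req = sign_request({"system": "ISERIES01", "job": "JOB0042", "ts": 1700000000})
    print(req["hash"], verify_request(req, now=1700000010))
```

The secret is what makes this worth anything: without it, anyone who can read one request can derive the rules and forge the parameter, which is why the post still treats it as internal-only protection.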
Now I would not suggest this method for an externally facing system (not with MD5), and it's not truly serious security, but given the definition:
Security is the ability of a system to protect information and system resources with respect to confidentiality and integrity.
then it's a way that will hold this system safe from internal attack.
*Yes, I know MD5 has known vulnerabilities, but it was one of the few hashes that all the systems involved could generate (I hate lowest common denominators, but they are a factor of real life), and frankly if someone is going to the level of effort to break the hash then they are bloody stupid, as if they are attached to the internal network there are a lot better targets.
Now I always classed myself as an equal opportunities person when it came to women in IT; I had always worked with women, and the majority of my bosses and PMs for projects for major clients have always been women (I prefer women as PMs in large clients as there is normally less chest beating and more getting on with the job), but recently I have discovered that I had far less of an understanding than I thought I had, and to truly work well with the other 50% of mankind you have to do more than think of them as men in dresses: you have to see the world and its problems from their point of view. This was down to a number of friends enlightening me and to attending things like the nerd girl talks at IBM conferences.
And indeed I did; I gained a much better understanding of women's issues both from a work and from a home life point of view and how to assist with these, how simple decisions that feel like common sense aren't and in fact reinforce social stereotypes (both male and female), and how a bit of empathy can go a long way (this last I already knew).
But much to my surprise I took away far more than just this, I took away,
The book is not perfect; the first and last chapters really have to be battled through, and the first feels like it is written by a cross between a hippy and an 80s power manager, but give it time, and once Mrs Sandberg gets to the meat of her experiences you will find it most enlightening.