

  • Subject: Re: URGENT !! PTFs to fix another integrity problem
  • From: cujo@xxxxxxxxxx
  • Date: Fri, 28 Jul 2000 12:35:30 -0500

This thread has gone on far too long, but now I feel compelled to write. :)

Re:  "A keynote speaker at the Black Hat Briefings conference argued that
the full disclosure of software holes is only encouraging more security
attacks..."

Even if this is true, is this a bad thing?  Find a hole.  Let everyone know
about it.  Fix it.  This is called progress.  I think the right thing to do
is to give praise to people that find software holes and bring everyone's
attention to them.  They help to make software safe.  The alternative is to
try to keep everything covered up and then only the people that want to
access computers illegally will know the details.

Think about it like this:  If there is a security problem with Internet
Explorer, do you want Microsoft to quickly and quietly fix the problem and
make a patch available?  Or do you want full disclosure of the issue so
that people working on Netscape can determine if they have similar issues?

Secrecy is no way to secure a system.

Sorry about that completely non-Java related rant.  Now, could we get back
to the issue of Java issues?

Regards,

Richard D. Dettinger
AS/400 Java Data Access Team

"TRUE! nervous, very, very dreadfully nervous I had been and am; but why
WILL you say that I am mad?
The disease had sharpened my senses, not destroyed, not dulled them. "

- Edgar Allan Poe
"The Tell-Tale Heart"




Chuck Lewis <clewis@iquest.net> on 07/28/2000 06:07:53 AM

Please respond to JAVA400-L@midrange.com

To:   JAVA400-L@midrange.com
cc:
Subject:  Re: URGENT !! PTFs to fix another integrity problem




Yep,

Was JUST reading that at lunch Dan !

Chuck

"Eyers, Daniel" wrote:

> Interesting article from Computerworld that has some merit, given the recent
> discussion...
>
> Debate erupts over disclosure of software security holes
>
> A keynote speaker at the Black Hat Briefings conference argued that the full
> disclosure of software holes is only encouraging more security attacks - a
> claim that other attendees, including well-known security expert Mudge,
> disputed.
>
> http://www.computerworld.com/cwi/story/0%2C1199%2CNAV47_STO47589%2C00.html?pm
>
> dan
>
> -----Original Message-----
> From: Eric Merritt [mailto:cyberlync@yahoo.com]
> Sent: Thursday, July 27, 2000 4:23 PM
> To: JAVA400-L@midrange.com
> Subject: Re: URGENT !! PTFs to fix another integrity problem
>
> Here is the deal guys. Be aware there are two sets of
> PTFs. This is straight from the AS400 Network ->
>
> New PTFs Plug Password Security Hole
> By Gary Guthrie
> Tech Editor
> JUNE 14, 2000 - A serious AS/400 security exposure was
> recently brought to IBM's attention. Though IBM
> encrypts passwords before storing them permanently,
> your users' passwords may have been compromised by the
> fact that unencrypted passwords are also stored in
> another location temporarily. If a hacker discovers
> where and when the unencrypted passwords are stored,
> he can use a simple technique to capture the
> passwords, giving him access to your network
> resources.
>
> IBM responded to this revelation in an expedient
> manner and has issued the following PTFs:
>
> V3R2 - SF62947
> V4R1 - SF62944
> V4R1M4 - SF62945
> V4R2 - SF62946
> V4R3 - SF62894
> V4R4 - SF62895
> V4R5 - SF62896
>
> Because of the other PTFs in the supersede chain, the
> PTFs for V3R2 and V4R2 are delayed PTFs. You must IPL
> to apply the PTFs for these releases.
>
> You should load and apply the appropriate PTF
> immediately. You can download these PTFs on the
> Internet using IBM's iPTF facility at
> http://as400service.ibm.com. Click the "Fixes,
> Downloads and Updates" link and follow the links for
> the AS/400 Internet PTF facility (iPTF).
>
> After loading and applying the PTF, you must end and
> restart all subsystems to fully activate the fix.
> Because passwords may have been compromised prior to
> the PTF being applied to your system, it is strongly
> recommended that after you activate the fix, you
> require all users to change their passwords.
>
> -------------------------------------------------------
> Tech Talk: More PTFs for More Password Security Holes
> By Gary Guthrie
> Tech Editor
> JULY 26, 2000 - You may recall that last month we
> reported a serious security exposure in which your
> passwords may have been compromised, along with a list
> of PTFs to address the issue. Well, the AS/400
> security fires continue to heat up with another round
> of PTFs to address yet another serious security
> exposure. As with last month's problem, your passwords
> may have been compromised by the fact that another
> location has been found that contains easily obtained
> unencrypted passwords. Again, IBM responded quickly to
> this issue and released the following PTFs:
>
> V3R2 - SF63352
> V4R1 - SF63350
> V4R1M4 - SF63351
> V4R2 - SF63357
> V4R3 - SF63347
> V4R4 - SF63349
>
> But be aware; this security hole isn't the same as the
> one discussed last month. Even if you've applied the
> PTFs from last month's fix, the exposure still exists.
>
> My advice this month is the same as last month. You
> should load and apply the appropriate PTF immediately.
> You can download these PTFs on the Internet using
> IBM's iPTF facility at http://as400service.ibm.com.
> Click the "Fixes, Downloads and Updates" link and
> follow the links for the AS/400 Internet PTF facility
> (iPTF).
>
> Because passwords may have been compromised prior to
> the PTF being applied to your system, it is strongly
> recommended that after you activate the fix, you
> require all users to change their passwords.
>
> +---
> | This is the JAVA/400 Mailing List!
> | To submit a new message, send your mail to JAVA400-L@midrange.com.
> | To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
> | To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner: joe@zappie.net
> +---
