Re: Rewarding challenge AS/400...

> Phil,
>
> I am a programmer and have the ability to get an AS400 really cheap.  I
mean
> almost free if I wanted to.  So it an old B10 system.  Does it still have
> the same encryption as a 720 running V4R4?

The encryption method **may** change from release to release, but between
machines on the same release, and from what I've played with, it **seems**
the same method but who really knows ?

> If so,  I can hack away until I
> crack the code.  Now I have the program that I can post source for, sell,
or
> install on any system I get sufficient access to.  Gee how many packages
> have you installed that say to sign on as a security officer to install.
> Any one of these packages could load this decryption program, and guess
> what, your system is now hackable.
>
> No, I have no idea of where to start with encryption/decryption or any
> desire to, but how many old AS400s are floating around?  Once a hacker
gets
> a hold of one,  look out.

These were my exact sentiments in my second mail (the reply to Larry)

> One should always check program authorities, adopted vs. owner for all
> packages they install and make sure the owner is not a security
> officer/administrator.  Especially if requested to be installed from
> QSECOFR.

Very sound advice Chris, and vendors have yet to come up with a convincing
reason why I need to be signed on as QSECOFR - if the software needs to
create 'worker usrprfs' then document how I create them (i.e. if they use
special jobds, outqs etc) by hand and I'll create them pre or post
installation.

--phil

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---