|
Yep, and Sony. :) John A. Jones, CISSP Americas Information Security Officer Jones Lang LaSalle, Inc. V: +1-630-455-2787 F: +1-312-601-1782 john.jones@xxxxxxxxxx -----Original Message----- From: midrange-l-bounces+john.jones=am.jll.com@xxxxxxxxxxxx [mailto:midrange-l-bounces+john.jones=am.jll.com@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx Sent: Thursday, June 15, 2006 7:34 AM To: Midrange Systems Technical Discussion Subject: Re: Installing 3rd Party Software using QSECOFR?? So we should trust an established vendor to not install back doors, etc? You mean like Microsoft? Rob Berendt -- Group Dekko Services, LLC Dept 01.073 PO Box 2000 Dock 108 6928N 400E Kendallville, IN 46755 http://www.dekko.com Keith Carpenter <carpcon@xxxxxxx> Sent by: midrange-l-bounces@xxxxxxxxxxxx 06/15/2006 12:05 AM Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx> To Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx> cc Subject Re: Installing 3rd Party Software using QSECOFR?? QSCANFSCTL wrote:
After installing vendor software signed on with *ALLOBJ authority you
should
run a CHKOBJITG to look for IBM objects that fail a signature check.
There
are several 3rd party vendors that modify QSYS objects using
unsupported
interfaces. A CHKOBJITG will detect that. If something was changed
that was
not documented or disclosed then I would question that.
Supposedly patching programs is harder to do on V5R4. Vendors depending on things like system state patches may run into trouble.
To answer your question, yes I know of malicious code that ran/runs on OS/400. And back doors can be installed by QPGMR just as easily as
QSECOFR.
Since this is an open forum I'm going to leave it at that.
I'll just take your word on this. I can't image why a vendor would want to create "malware" or how they could stay in business for very long. Word would get out and that would be the end of them.
Some types of software, especially security software, is going to
require
you to run programs at some time or another signed on with *ALLOBJ authority. Whether that is at install time or any other time its all
the
same. It would be nice if we could just have customers run commands we
need
using standard IBM commands from a command line. But many APIs can't
be run
from a command line because they require a complex set of parameters
and
data structures. For example, how you would call an API from a command
line
and pass on open file descriptor? You can't. So that requires you to
sign on
with *ALLOBJ authority and run a menu option or vendor-supplied
command. A good argument for the value of an installation program.
Theoretically a back door could be installed at that time just as
easily as
during install time.
Yes, just running (executing) an unknown (not verified) program is risky. This is why the truly paranoid only run open source software.
In the end you should have a good trusting relationship with your
software
vendor (or be dealing with an established business partner) when using *ALLOBJ authority. Perhaps I would be suspicious of downloading
something
off the Internet from an unknown company. On the other hand, I would
be less
suspicous of installing SAP, or JDE, or any other advanced level IBM business partner product, using *ALLOBJ authority. An established
vendor is
not likely to risk their entire business to intentionally install a
back
door on your computer for malicous purposes.
Makes sense to me.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.