An engaging reply.  You cover a lot here, but it is early on Sunday
morning and I have limited time before the family wakes up, so I'll try
to address just your major themes:

The number of shops at 20 and below is quite small.  And
I'll bet that if
you get rid of the people in your survey running at
security level 20 (who
are nearly running without security anyway), that the
percentage of default
passwords drops as well -- I'm sure the few systems at
level 20 skew some of
your other numbers.

My theoretical answer is:  Like it or not, systems that run level 10 or
20 are still part of this community and I think they should be included
in the study.  IBM sold 225,000 S/36's, and a vast number of those
applications were brought over to OS/400, and the overwhelming number
would have been migrated to QSECUIRTY level 20.  If something bad were
to happen to their machine and the story end up on the front page of the
WSJ, you can bet that the wrap would go against System i and not S/36.

But my practical answer is that there were no Level 10 boxes included in
the study, and as you expected, only about 7 or 8 level 20 boxes (I
don't have the raw data in front of me this morning, so I am just
looking at a graph).  That's less than 5% at QSECURITY Level 20 and
below.  Given the number of S/36 environments that are still out there,
I would not consider this to skew the numbers terribly.  I'll understand
if you disagree.

We do agree on one thing: unfettered ODBC access is
anathema to security.
There are FAR more people opening up their machines via
ODBC access than
those that need to worry about weak passwords.

I agree that unfettered network access (ODBC, ftp, RMTCMD, etc.) is a
really, really big problem in this community, and the study does address
that aspect of security.  But we designed the study to take a broad look
at security and explore multiple areas.  After someone does one of these
assessments, the trick is for them to decide which area is, for them,
most critical and/or most easily corrected.  If you have a lot of users
with default passwords, that is something that is pretty easy to
correct, and you could have it completed in a day's time (more if you
are a really bureaucratic organization :) ).  One of the values of the
individual assessment is that it focuses your attention on your largest
security exposure and gives you some direction on what to do first.  For
some folks it will be regulating ODBC, for other people it will be
password strength.  You can't boil the ocean, so you have to break the
problem into manageable pieces.

A couple of miscellaneous points.  First, you can read the study for
your self - it is on our web site ( , and I encourage
you to do so.  We're not saying that the OS/400 has major security
flaws, what we are saying is that most shops are not managing security
well enough to be compliant with the various regulations that are being
set for IT.

Second, you mentioned that none of you clients would show as bad as the
average, and I don't doubt that.  It is, after all an average and we
would expect some customers to come in above the line and some below the
line.  If you (or any Midrange-L member) want to actually measure your
customers against the average, send me a private note and I'll arrange
for an assessment for you.  Who knows, you could skew next year's
numbers in a more positive direction.  That's OK with me, we are not
trying to achieve a particular number, we're just reporting the numbers
we receive.

And Third, relative to the JOBD exploit at QSECURITY level 30 and 40, if
you have a JOBD with a user ID attached (Such as QGPL/QBATCH, which has
QPGMR attached), and you are at QSECURITY level 30, and the user has
*USE authority to just the JOBD, the user could submit a job as user
QPGMR.  At QSECURITY level 40 or 50 the user needs not only *USE
authority to the JOBD, but also *USE authority to the user ID QPGMR in
order to submit a job as QPGMR.  That is a pretty significant difference
between level 30 and higher.

Also at QSECURITY level 30, it is possible to do pointer manipulation
and hijack a pointer that has more authority than what you should have -
effectively giving yourself *ALLOBJ.  It used to be that you had to code
in MI to accomplish this, but now you can use C or RPG to do pointer
manipulation.  All good reasons to abandon QSECURITY level 30.


John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
Celebrating our 10th Anniversary Year!
This email message and any attachments are intended only for the use of
the intended recipients and may contain information that is privileged
and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message, or by telephone, and delete
the message from your email system.

This thread ...


Return to Archive home page | Return to MIDRANGE.COM home page