Re: Anti-virus for i5OS

Joe,

You made a sweeping statement about something that cannot be done on i5/OS
(i.e. copy a file to IFS and have it cause the system to arbitrarily
execute native i5/OS code). I showed you one way to do that. And rather
than correct your statement to something a little more accurate, you claim
your statement is still true because YOU don't happen to run PHP on your
machine? Your statement didn't say it can't happen on my machine, it said
it can't happen on system i.

As far as using the BIND code, you do resolve TCP/IP addresses on your
system i, don't you? If so, you are using the BIND program. It's not
about using your system i as a DNS, it's about resolving IP addresses.

And what about those people that DO use i5/OS as a DNS. Surely you are not
claiming that i5/OS is not secure enough to be a DNS server????

Now why is it, if i5/OS is so inherently secure, you tell you customers to
run these security sensitive applications on those non-secure systems like
UNIX and Windows? Wouldn't it make much more sense to run them on i5/OS?

I do, however agree with you on one thing, nobody would need a security
consultant if they didn't run:
* web servers,
* web applications (e.g. cgi, etc)
* DNS,
* PHP,
* Java,
* web application servers
These programs are obviously not secure enough to run on i5/OS; therefore,
people should run them on Windows and Unix instead...

Joe Pluta wrote:

Patrick Botz wrote:


Try copying a PHP file to IFS and overwrite an existing one. If the PHP
you copy contains a call to native i5/OS commands, then you CAN copy a
file to IFS and use it to execute arbitrary native i5/OS code.


Not on my machine. I don't have PHP installed. And while the DNS issue
is troubling, I don't use my System i for DNS so that's not an issue either.

But I'm not going to argue with you. i5/OS simply is more secure than
any other operating system. It's the one platform that you really don't
need a security consultant to secure.

Joe