|
Gary, It would seem to me that "keeping a lid" on a hole is a dubious way of dealing with a real issue. That's security by obscurity. Why did you not urge IBM to fix it a long, long time ago rather to allow the hole to exist. The assumption that "the bad guys" would not come across it is not a valid security policy. Leif ----- Original Message ----- From: Gary Guthrie <GaryGuthrie@home.com> To: <MI400@midrange.com> Sent: Friday, June 09, 2000 1:31 PM Subject: Re: setsppfp bug > Dan, > > I've kept a lid on this hole for a long, long time. It appears that it > is now becoming common knowledge. You have almost everything you need to > take care of the problem except perhaps a little work management > knowledge. I'll send you details on plugging this hole (unfortunately, > there are other holes). > > Gary Guthrie > > > > "Bale, Dan" wrote: > > > > Since the startup program can be secured, would this be a good interim step > > until (if?) IBM fixes this bug? Would you be willing to publish this > > "eraser"? > > > > - Dan Bale > > > > > -----Original Message----- > > > From: Leif Svalgaard [SMTP:leif@leif.org] > > > Sent: Friday, June 09, 2000 1:13 PM > > > To: MI400@midrange.com > > > Subject: Re: setsppfp bug > > > > > > From: Bale, Dan <DBale@lear.com> > > > > > > > Well, this has been a fascinating, eye-opening, experience. I have > > > > retrieved several user IDs and passwords now. So now we have a real, > > > live, > > > > working sniffer at level 30 & below. > > > > > > > > Don already asked the general question (and didn't get a direct answer), > > > so, > > > > what are the practical steps a shop can take *NOW* to prevent someone > > > from > > > > using the setsppfp API? Can we slap *exclude authority on the object? > > > > Oops, I see there's no object by that name. Is there a way to sniff the > > > > sniffer? In other words, is there a way to tell if someone else is > > > using > > > > the setsppfp procedure? > > > > > > I think that Steve Glanstein's suggestion about having a startup program > > > that erases the information in the buffer is one way to go. Both Steve and > > > I have written such a program. The hole is that IBM does not erase it, > > > but just lets it sit. > > +--- > > | This is the MI Programmers Mailing List! > > | To submit a new message, send your mail to MI400@midrange.com. > > | To subscribe to this list send email to MI400-SUB@midrange.com. > > | To unsubscribe from this list send email to MI400-UNSUB@midrange.com. > > | Questions should be directed to the list owner/operator: dr2@cssas400.com > > +--- > +--- > | This is the MI Programmers Mailing List! > | To submit a new message, send your mail to MI400@midrange.com. > | To subscribe to this list send email to MI400-SUB@midrange.com. > | To unsubscribe from this list send email to MI400-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: dr2@cssas400.com > +--- > +--- | This is the MI Programmers Mailing List! | To submit a new message, send your mail to MI400@midrange.com. | To subscribe to this list send email to MI400-SUB@midrange.com. | To unsubscribe from this list send email to MI400-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: dr2@cssas400.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
