× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Don, 

Why would you not like to "see that source code posted here to God and the
world."?

This entire mess originated on this list with a description of the hole, how
to use DMPSYSOBJ to exploit it, and an MI program to do the same.  The list
members then went on to help Gene perfect it and to help him get the RPG
version of the program working.  Then it was promptly posted to the
Midrange-L list.

I can't help but think that we (the list) has done a bad thing here.  Look
at the number of folks that have compiled and are running this program at
their shop.  If it were only reported to IBM when it was discovered a long
time ago IBM could & would have fixed it.  Its too easy not to fix. 

I don't know if these messages are approved before being propagated to the
list members but I think they should be when they deal with security issues
and show how to exploit a security flaw complete with working examples.
Messages of that nature should be forwarded to the security folks @ IBM.  

Kurt Goolsbee  

> -----Original Message-----
> From: Don [SMTP:dr2@cssas400.com]
> Sent: Friday, June 09, 2000 12:58 PM
> To:   Dan
> Cc:   MIDRANGE-L@midrange.com; mi400@midrange.com
> Subject:      Re: AS400 user password
> 
> 
> 
> Dan,
> 
> I'm glad you took that point of reason.  I know that there are IBM'ers on
> the MI400 list and I'm frankly not going to commit them to comment.  I
> would not like to see that source code posted here to God and the world.
> I think and HOPE (tellme I'm not ignoring history:) that the proper cages
> are being shaken with sufficient vigor to let the proper folks realize
> that the knowledgeable end user has enough concern for his/her system and
> enough warrant to express concern to a recalcitrant IBM and now has the
> big enough stick to make them sit up and take notice.  
> 
> I've had alot of off list discourse and several phone calls with some of
> the priciples bringing up these points.  And before we open the world to
> another and bigger problem than we had back in CPF 7/7.1 days, I think
> that IBM needs to reply openly and quickly.  Frankly, I'ld be very happy
> to see the problems fixed and for both sides to keep the rest of their
> armaments in storeage vs. the front line.
> 
> If we learned anything from the cold war it was that mutually assured
> distruction is not a winning tactic...but then, neither is recalcitrance.
> 
> We've seen the head of BOTH monsters.  Frankly, I'm not sure I want to
> have the world seeing the rest of them.
> 
> Don in DC
> 
> 
> On 9 Jun 2000, Dan wrote:
> 
> > Just a few days ago, a 17-line RPG-IV program was posted to MI400-L that
> > sniffs user IDs and passwords as they sign on to the system.  I tried
> it, it
> > works.
> 
> > Even though the code was published on MI-400, I will leave it to the
> original
> > author to republish it here.  I agree that security-by-obscurity is not
> > security at all, but don't feel it is my place to throw this hot potato
> any
> > further.
> 
> +---
> | This is the MI Programmers Mailing List!
> | To submit a new message, send your mail to MI400@midrange.com.
> | To subscribe to this list send email to MI400-SUB@midrange.com.
> | To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator:
> dr2@cssas400.com
> +---
+---
| This is the MI Programmers Mailing List!
| To submit a new message, send your mail to MI400@midrange.com.
| To subscribe to this list send email to MI400-SUB@midrange.com.
| To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: dr2@cssas400.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.