At 10:40 AM 06/15/2000 -0500, edfishel@us.ibm.com wrote:
I have been silent on this thread up until this point, and now I think
it's time to put this in perspective.
1. The AS/400 is, and continues to be, a highly secure system.
2. This password in the clear situation is (was) a bug that has likely existed since 2-level signon was introduced to the System/38 (Release 8.0), and possibly since the beginning of the System/38 architecture. So, IMHO, it's likely that this problem has existed for either 14 or 22 years.
3. To see a password in the clear, as referenced by this bug, you must have:
   a. Enough authority to run DMPSYSOBJ.
   b. Enough knowledge to find this "needle in the haystack".
4. IBM responded to this problem with lightning speed in my opinion. This problem came up about two weeks ago (I could be wrong about this, I don't keep the old messages.) and PTFs are out. If this were a Micro$oft problem, it clearly would have been fixed within two years (with luck).
5. I think that for the average AS/400 account, that doesn't have people knowledgeable about AS/400 internals and/or MI, this is a "so what" problem. (So that means 99.99% of all accounts that have an AS/400.) I think that it is a relative "nit" problem. Putting in the fix is important, and it should hit the next CUME CD. Telling users to change their passwords because the AS/400 has been compromised is an unfair hit to the system, unless you know that someone in a particular shop knows about the exposure. BTW, do these shops have all users change their own passwords, run with Level 40 turned on and have QPWDEXPITV set to something other than *NONE (at both the system value level and in every user profile)?
Notwithstanding everything else above mentioned, IBM even went back and
fixed this on several unsupported releases. Do you know that
creating a PTF costs a lot of money? A PTF seems like a nothing to
us, but to IBM, it costs many thousands of dollars. It's not just
the cost for the PTF, and the testing. There is translation of
cover letters, and telephone costs for users who dial in to get the
PTF. For users that don't have phone access, IBM will cut and
Airborne CDs, which is extremely costly. (Don't get me started
about downloading over the Internet, because then I would really go into
RANT MODE.) IBM could have better spent the money for the
unsupported releases on AS/400 advertising. (God forbid they might sell
some systems to new users, or prop up the confidence level of the
installed base with some advertising.)
Ladies and gentlemen, put this into perspective. This is a nit, a nothing. Figuratively speaking, this is a tiny zit on the AS/400's unblemished security face. IBM popped it, and the face has healed. For all practical purposes, this episode came and went, and no one noticed.
Let's shut up about this and move on.
Al
I informed you on Monday that IBM had decided to provide fixes for several non-supported releases. Those PTFs are now available. Here is the complete set of PTFs to fix this problem on both supported and non-supported releases. The V3R2 PTF number is SF62947, the V4R1 PTF number is SF62944, the V4R1M4 PTF number is SF62945, the V4R2 PTF number is SF62946, the V4R3 PTF number is SF62894, the V4R4 PTF is SF62895, and the V4R5 PTF is SF62896.

Normally just applying the PTF to the system is not sufficient to immediately fix the problem. The PTF must be activated to remove the exposure. It can be activated by terminating and then restarting all subsystems that perform interactive work. It can also be activated by doing an IPL. Because of other PTFs in the supersede chain, the PTFs for V3R2 and V4R2 are delayed PTFs that will require an IPL to apply the PTF. Therefore, you do not need to follow the above activation instructions for V3R2 and V4R2.

This password exposure has received a great deal of attention and it is likely that several people know how to use it. Therefore, since your passwords may have been compromised, after applying and activating the fix, you may wish to change the passwords on your systems.
Ed Fishel
IBM Rochester
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
+--------------------------------------------------+
| Please do not send private mail to this address. |
| Private mail should go to barsa@ibm.net.         |
+--------------------------------------------------+
Al Barsa, Jr. - Account for Midrange-L
Barsa Consulting, LLC.
400 > 390
Phone: 914-251-1234
Fax: 914-251-9406
http://www.taatool.com