
  • Subject: Re: More PTFs to fix sign-on password exposure
  • From: Gary Guthrie <GaryGuthrie@xxxxxxxx>
  • Date: Thu, 15 Jun 2000 15:30:27 -0500

Al,

I've added to some of your comments. Read my comments in-line.



> 1.      The AS/400 is, and continues to be, a highly secure system.


Translated: The AS/400 is thought of as, and continues to be, a highly
secure system even in light of the fact that there are several ways to
compromise passwords (some of them blatantly simple).

Of course, those who don't bury their head in the sand know that maybe
now some folks think of the AS/400 as less secure.

 
> 3.      To see a password in the clear, as referenced by this bug, you
> must have:
>         a.      Enough authority to run DMPSYSOBJ.
>         b.      Enough knowledge to find this "needle in the
> haystack".

DMPSYSOBJ as shipped has plenty of authority for groups of users. Al,
when you learn a little more about internals, you might see that there
are other ways to get the information, too.

It doesn't take any knowledge at all. It just takes an e-mail reader.
That's where you found out about it.

 
> 4.      IBM responded to this problem with lightning speed in my
> opinion.  This problem came up about two weeks ago (I could be wrong
> about this, I don't keep the old messages.) and PTFs are out.  If this
> were a Micro$oft problem, it clearly would have been fixed within two
> years (with luck).


You only THINK they responded with lightning speed. It was reported ages
ago and brushed off. Only after it showed up in the list here, did IBM
respond.

 
> 5.      I think that for the average AS/400 account, that doesn't have
> people knowledgeable about AS/400 internals and/or MI, this is a "so
> what" problem.  (So that means 99.99% of all accounts that have an
> AS/400.) I think that it is a relative "nit" problem.

"so what"???
 "nit"???

So you really believe that compromising passwords is acceptable for your
"highly secure" system? I'll repeat it, Al. A KNOWLEDGEABLE PERSON ISN'T
REQUIRED -- ONLY A MODERATELY LITERATE ONE!!! It's been published for
crying out loud! And even if you presume a knowledgeable person is
required and that 99.99% of AS/400 shops don't have one -- what
percentage of those shops do you think might allow a consultant to come
in and do a little work? Gee, hope our consultant doesn't know his
$@@!#$ from a hole in the ground.


> Telling users
> to change their passwords because the AS/400 has been compromised is
> an unfair hit to the system, unless you know that someone in a
> particular shop knows about the exposure.

Unfair hit to the system? Yeah, that'll drain an AS/400 socks.

Unless you KNOW that someone in a particular shop knows about the
exposure? Al, these folks that know about the exposure aren't taking
turns, swapping shifts with the "Eat at Joe's" walking billboard, being
sure to give the "I know how to steal your AS/400 password" billboard
equal time.

If a shop is concerned about security at all, they darn well better make
the presumption that the exposure is known and do EVERYTHING they
possibly can to shut it down. 

> Notwithstanding everything else above mentioned, IBM even went back
> and fixed this on several unsupported releases.  Do you know that
> creating a PTF costs a lot of money?  A PTF seems like a nothing to
> us, but to IBM, it costs many thousands of dollars.  It's not just the
> cost for the PTF, and the testing.  There is translation of cover
> letters, and telephone costs for users who dial in to get the PTF.
> For users that don't have phone access, IBM will cut and Airborne CDs,
> which is extremely costly.  (Don't get me started about downloading
> over the Internet, because then I would really go into RANT MODE.)
> IBM could have better spent the money for the unsupported releases on
> AS/400 advertising. (God forbid they might sell some systems to new
> users, or prop up the confidence level of the installed base with some
> advertising.)

Hmm... This argument seems to indicate that, finally, IBM thinks it's
more important than the "so what", "nit" status you've assigned to it. 
 


> Ladies and gentlemen, put this into perspective.  This is a nit, a
> nothing.  Figuratively speaking, this is a tiny zit on the AS/400's
> unblemished security face.  IBM popped it, and the face has healed.
> For all practical purposes, this episode came and went, and no one
> noticed.

Al, they noticed. Did you not notice them noticing or are you practicing
denial?


> 
> Let's shut up about this and move on.

                                 |¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯|¯\__
We're movin' on, alright, Al.    |   Keep on truckin' baby!   |__|_\____+
                                 |____________________________|__|_|__\||
                                 /***(@)(@)*           *(@)(@)*****(@)**


Gary Guthrie
+---
| This is the MI Programmers Mailing List!
| To submit a new message, send your mail to MI400@midrange.com.
| To subscribe to this list send email to MI400-SUB@midrange.com.
| To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: dr2@cssas400.com
+---