

  • Subject: RE: No single case of hacking...
  • From: "Joe Pluta" <joepluta@xxxxxxxxxxxxxxxxx>
  • Date: Thu, 7 Jun 2001 11:59:11 -0500
  • Importance: Normal

The original post was to successfully hack an AS/400 "from the outside".  My
AS/400 is accessible from the Internet, which is definitely "the outside",
yet cannot be hacked.  That seems to me to fall squarely into the category
as stated and is indeed what most people mean when they talk about security,
at least Internet security.

As to access, there are other ways to access an AS/400 than by direct
Telnet.  VPN access, SSH access, web-based 5250 emulation are just a few off
the top of my head.

As to whether Apache has holes or not, I haven't done the research yet.
That's why I don't run Apache yet.  If you run Apache (or any webserver)
without knowing the risks, you are, to put it politely, a danger to your
company.  Just as you are if you open up ODBC access to a machine that
doesn't have object-level security.  Or enable FTP without exit programs.
Or any of a number of other stupid things.

CAN there be holes in security?  Yes.  That's a rather obvious statement.
If you give me physical access to your machine you pretty much have zero
security.  Duh.  The point is NOT whether you can set your machine up in
some lame way as to make it vulnerable.

My point is that you can have a machine on the Internet yet still have
security, and I am backing up my words with proof.  My machine is absolute
proof that you can have a secure web server.  If someone can hack it, great,
but until then, I have done something nobody else in this discussion has
done: put action behind my words.

Anybody can talk.  I've acted.

Joe


> -----Original Message-----
> From: owner-mi400@midrange.com [mailto:owner-mi400@midrange.com]On
> Behalf Of Leif Svalgaard
> Sent: Thursday, June 07, 2001 10:38 AM
> To: MI400@midrange.com
> Subject: Re: No single case of hacking...
>
>
>
> ----- Original Message -----
> From: Joe Pluta <joepluta@PlutaBrothers.com>
> To: <MI400@midrange.com>
> Sent: Thursday, June 07, 2001 10:12 AM
> Subject: RE: No single case of hacking...
>
>
> > Leif, while I agree my machine doesn't prove much about AS/400 security, it
> > does prove a lot about Internet security. <grin>
> >
> > My machine is not "locked down too tight".
>
> ===> I said: "for this", i.e. the experiment.
>
> > On the other hand, if I were to give you the appropriate passwords, etc.,
> > you could also access my machine through 5250 - I just don't make that sort
> > of information public.  Which is the way it's supposed to be.
>
> ===> assume that I knew the passwords, I still cannot telnet to your box,
> so what do you mean by "you could also access my machine" ?
>
>
> >
> > On the third hand, if this were a Microsoft IIS server, you could break
> > through one of the many known security holes and get into my server and thus
> > my system, even with just port 80 access.  In this regard, the IBM HTTP
> > server is a much more secure web server than IIS.
> >
>
> agree that IIS is junk, but as the AS/400 slides more and more into Unix land
> maybe some of the holes will appear. How about running Apache on the box?
> No holes in Apache?
>
>
> +---
> | This is the MI Programmers Mailing List!
> | To submit a new message, send your mail to MI400@midrange.com.
> | To subscribe to this list send email to MI400-SUB@midrange.com.
> | To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: dr2@cssas400.com
> +---
>



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].