I went to Wayne Evan's talk too. I don't think C2 is totally useless - a lot of C2 is based on vulnerabilities found on other systems. Sending "garbage" to UNIX commands or APIs is a common way to cause the system to hiccup & thereby get arbitrary commands executed by the kernel. I would hope the AS/400 is better designed than this, but you never know what someone might try (and succeed at). Likewise, wiping out all temporary storage and memory is a way to prevent clever systems programmers from seeing what they shouldn't (no one on this list knows how to view another user's QTEMP, right?)

While level 50 is definitely way too much for the majority of AS/400 sites, I would still consider it in some circumstances. You may want to look at it if:

- You are using an AS/400 as a firewall, or otherwise directly connecting it to the Internet. There is a high and uncontrollable risk here.
- You are storing information that is really really confidential and has to be protected no matter what, and where it is worth a lot of trouble for someone to try to get this information (credit card numbers, maybe).
- You hired Steve Glanstein as a security consultant.

Remember, you pick your security measures based on your risk/cost trade-offs. In some cases this may mean level 50.

- Vincent LeVeque

PS. Steve, I was just kidding - I know you have the highest degree of integrity. You wouldn't throw me out of COMMON for making a joke, would you? YOU WOULD?

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MAJORDOMO@midrange.com
| and specify 'unsubscribe MIDRANGE-L' in the body of your message.
| Questions should be directed to the list owner/operator: david@midrange.com
+---