Re: Fw: Rewarding challenge AS/400...

["Phil Hall" <hallp@xxxxxxxx>]

Larry,

> > This doesn't stop a brute force attack.
>
>   Unless QMAXSIGN is set to *NOMAX, I disagree.  Once the QMAXSIGN
> value is reached, there is no way to do any more compares to the
> encrypted version.

Yes, that's true. But someone serious enough to really pose a threat to
AS/400 security would not be trying a brute force method of attack on a
remote AS/400 they've just discoverd on the net. Remember, most of the
security flaws, back doors, holes, etc are found by people who have a
machine (in most cases an Unix machine, more recently Windows/NT) of their
own to play with and work on finding the weaknesses without the worry of
being caught in the early stages of probing. Also ported code causes/carries
issues across platforms (remember 'sendmail' ? and more recently some of the
denial of service attacks caused by the source to the low level TCP/IP code
being readily available - the denial attacks also effect the AS/400, because
of the code port from AIX)

I'd be wary of putting the newly ported Netscape Web Server on a AS/400, not
because of the quality of the port, but because it's a daily target on other
platforms.

>   If you are refering to the QPWDRQDDGT and all it's friends and
> neighbors these are enforced before the password is encrypted I
> beieve.  Changes to those values have no affect on passwords already
> on the system (and therefore already encrypted)
>

I hope I answered this in a previous mail...

--phil

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---