  • Subject: Re: AS400 user password (fwd)
  • From: "William Washington III" <w.washington@xxxxxxxx>
  • Date: Sat, 10 Jun 2000 14:08:20 -0500

Are the buffers used for a legitimate purpose after login?  It seems to be a
simple matter for IBM to flush the buffers once the job has entered the
subsystem.  Does SECLVL(50) help in any way?

----- Original Message -----
From: "V. LeVeque" <vleveque@earthlink.net>
To: <MIDRANGE-L@midrange.com>
Sent: Saturday, June 10, 2000 12:25 AM
Subject: Re: AS400 user password (fwd)


> This is exactly the point of all those "petty" requirements of a C2
> certification - to ensure that object reuse does not result in sensitive
> information being leaked.  You know, why you shouldn't be able to view
> other users' QTEMP and things of that sort.
>
> I hate to say "I told you so", but a lot of this difficult and seemingly
> impractical security theory really DOES matter for us "just plain business
> systems folk"
>
> Be grateful this is an AS/400 and not Windows NT, or this code would be
> posted throughout the Internet as we speak.  The only thing saving us with
> this is the relative lack of interest in the AS/400 by the hacking
> community.
>
>
> At 07:59 PM 6/9/00 -0500, you wrote:
> >From: William Washington III <w.washington@iols.net>
> >> I'm sure the infamous 17-line RPG IV program is a call to one
> >> of the service routines.  (But I haven't seen it... I could be wrong!)
> >
> >
> >You are in fact wrong. It is much simpler than that. The signon
> >program reads a screen buffer with your user ID and password
> >you just typed. The contents of that buffer hang around until
> >signoff or another signon (when it will contain yet another
> >password !). A general principle of secure working is to
> >erase the contents of all buffers and variables as soon as
> >they are no longer needed. IBM violated that simple principle.
> >
> >

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
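
Added example, not part of the original message and not IBM's code: a C sketch of the principle quoted in the thread (erase a buffer as soon as it is no longer needed). The `screen_buf` layout, function names and credentials are constructed for illustration; the wipe writes through a volatile pointer because a plain memset() on a buffer that is never read again may be optimized away.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 10 /* constructed width, not an IBM screen layout */

/* Hypothetical per-job buffer that the sign-on screen is read into. */
struct screen_buf { char user[FIELD_LEN + 1]; char password[FIELD_LEN + 1]; };

/* Simulate the operator typing into the sign-on screen. */
void type_credentials(struct screen_buf *b, const char *u, const char *p) {
    memset(b, 0, sizeof *b);
    snprintf(b->user, sizeof b->user, "%s", u);
    snprintf(b->password, sizeof b->password, "%s", p);
}

/* Stand-in check against constructed values (assumption for the demo). */
static int check_credentials(const struct screen_buf *b) {
    return strcmp(b->user, "DEMOUSER") == 0 && strcmp(b->password, "S3CRET") == 0;
}

/* Volatile stores cannot be discarded as dead writes by the optimizer. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Behaviour described in the thread: the buffer is left as typed. */
int signon_leaky(struct screen_buf *b) { return check_credentials(b); }

/* Hardened form: the password field is erased on success and on failure. */
int signon_wiping(struct screen_buf *b) {
    int ok = check_credentials(b);
    secure_wipe(b->password, sizeof b->password);
    return ok;
}

/* Count the non-zero bytes still sitting in the password field. */
size_t residue(const struct screen_buf *b) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof b->password; i++) n += (b->password[i] != 0);
    return n;
}

int main(void) {
    struct screen_buf b;
    type_credentials(&b, "DEMOUSER", "S3CRET");
    signon_leaky(&b);
    printf("leaky:  %zu password bytes left in buffer\n", residue(&b));
    type_credentials(&b, "DEMOUSER", "S3CRET");
    signon_wiping(&b);
    printf("wiping: %zu password bytes left in buffer\n", residue(&b));
    return 0;
}
```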
