Are the buffers used for a legitimate purpose after login? It seems to be a simple matter for IBM to flush the buffers once the job has entered the subsystem. Does SECLVL(50) help in any way?

----- Original Message -----
From: "V. LeVeque" <vleveque@earthlink.net>
To: <MIDRANGE-L@midrange.com>
Sent: Saturday, June 10, 2000 12:25 AM
Subject: Re: AS400 user password (fwd)

> This is exactly the point of all those "petty" requirements of a C2
> certification - to ensure that object reuse does not result in sensitive
> information being leaked. You know, why you shouldn't be able to view other
> users' QTEMP and things of that sort.
>
> I hate to say "I told you so", but a lot of this difficult and seemingly
> impractical security theory really DOES matter for us "just plain business
> systems folk"
>
> Be grateful this is an AS/400 and not Windows NT, or this code would be
> posted throughout the Internet as we speak. The only thing saving us with
> this is the relative lack of interest in the AS/400 by the hacking community.
>
>
> At 07:59 PM 6/9/00 -0500, you wrote:
> >From: William Washington III <w.washington@iols.net>
> >> I'm sure the infamous 17-line RPG IV program is a call to one
> >> of the service routines. (But I haven't seen it... I could be wrong!)
> >
> >
> >You are in fact wrong. It is much simpler than that. The signon
> >program reads a screen buffer with your user ID and password
> >you just typed. The contents of that buffer hang around until
> >signoff or another signon (when it will contain yet another
> >password!). A general principle of secure working is to
> >erase the contents of all buffers and variables as soon as
> >they are no longer needed. IBM violated that simple principle.
> >
> >
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
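The principle stated in the quoted message (erase buffers as soon as they are no longer needed), shown as an added C example that is not from the thread and not IBM's code. The `signon_buf` layout, the field width and the credentials are constructed assumptions, not the AS/400's actual signon buffer.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_LEN 10  /* assumed field width, for illustration only */

/* Hypothetical stand-in for the screen buffer a signon program reads. */
struct signon_buf { char user[FIELD_LEN + 1]; char password[FIELD_LEN + 1]; };

/* Volatile stores cannot be discarded as dead writes, unlike a plain memset(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Copy the typed fields in, then run a constructed credential check;
 * a real system would call its own password verifier here. */
static int fill_and_check(struct signon_buf *b, const char *u, const char *pw) {
    memset(b, 0, sizeof *b);
    strncpy(b->user, u, FIELD_LEN);
    strncpy(b->password, pw, FIELD_LEN);
    return !strcmp(b->user, "DEMOUSER") && !strcmp(b->password, "demo-pw");
}

/* Leaky form: the password stays in the buffer after the check. */
int signon_leaky(struct signon_buf *b, const char *u, const char *pw) {
    return fill_and_check(b, u, pw);
}

/* Hardened form: the buffer is cleared whether or not the check passed. */
int signon_wiped(struct signon_buf *b, const char *u, const char *pw) {
    int ok = fill_and_check(b, u, pw);
    secure_wipe(b, sizeof *b);
    return ok;
}

/* Non-zero bytes still readable by whoever is handed the buffer next. */
size_t residue(const struct signon_buf *b) {
    const unsigned char *p = (const unsigned char *)b;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *b; i++) n += (p[i] != 0);
    return n;
}

int main(void) {
    struct signon_buf b;
    int ok = signon_leaky(&b, "DEMOUSER", "demo-pw");
    printf("leaky: ok=%d residue=%zu\n", ok, residue(&b));
    ok = signon_wiped(&b, "DEMOUSER", "demo-pw");
    printf("wiped: ok=%d residue=%zu\n", ok, residue(&b));
    return 0;
}
```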
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.