They are not used afterwards and it is a simple matter to erase the content, and I think that is precisely what IBM has done (will do) in the PTF to fix this.

----- Original Message -----
From: William Washington III <w.washington@iols.net>
To: <MIDRANGE-L@midrange.com>
Sent: Saturday, June 10, 2000 2:08 PM
Subject: Re: AS400 user password (fwd)

> Are the buffers used for a legitimate purpose after login? It seems to be a
> simple matter for IBM to flush the buffers once the job has entered the
> subsystem. Does SECLVL(50) help in any way?
>
> ----- Original Message -----
> From: "V. LeVeque" <vleveque@earthlink.net>
> To: <MIDRANGE-L@midrange.com>
> Sent: Saturday, June 10, 2000 12:25 AM
> Subject: Re: AS400 user password (fwd)
>
> > This is exactly the point of all those "petty" requirements of a C2
> > certification - to ensure that object reuse does not result in sensitive
> > information being leaked. You know, why you shouldn't be able to view other
> > users' QTEMP and things of that sort.
> >
> > I hate to say "I told you so", but a lot of this difficult and seemingly
> > impractical security theory really DOES matter for us "just plain business
> > systems folk".
> >
> > Be grateful this is an AS/400 and not Windows NT, or this code would be
> > posted throughout the Internet as we speak. The only thing saving us with
> > this is the relative lack of interest in the AS/400 by the hacking community.
> >
> > At 07:59 PM 6/9/00 -0500, you wrote:
> > >From: William Washington III <w.washington@iols.net>
> > >> I'm sure the infamous 17-line RPG IV program is a call to one
> > >> of the service routines. (But I haven't seen it... I could be wrong!)
> > >
> > >You are in fact wrong. It is much simpler than that. The signon
> > >program reads a screen buffer with your user ID and password
> > >you just typed. The contents of that buffer hang around until
> > >signoff or another signon (when it will contain yet another
> > >password!). A general principle of secure working is to
> > >erase the contents of all buffers and variables as soon as
> > >they are no longer needed. IBM violated that simple principle.
> >
> > +---
> > | This is the Midrange System Mailing List!
> > | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> > | Questions should be directed to the list owner/operator: david@midrange.com
> > +---
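As an added illustration of the principle the thread ends on (erase credential buffers as soon as they are no longer needed), and not code from IBM or from anyone on the list: a constructed C signon record with the password field either left in place, which is the residue the thread describes, or erased through a volatile pointer once the check is done. The record layout, the `credentials_ok` stand-in and the sample values are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not IBM's signon code: the record that holds the
   user ID and password just typed at the signon display (10 chars each). */
#define FIELD_LEN 10
struct signon_record {
    char user[FIELD_LEN];
    char password[FIELD_LEN];
};

/* Zero through a volatile pointer so the compiler cannot drop the stores
   as dead (the field is never read again). Prefer explicit_bzero() or
   memset_s() where the platform provides them. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Stand-in for the real credential check (assumed, not a real API);
   a real system compares a password hash, not a stored plaintext. */
static int credentials_ok(const struct signon_record *r)
{
    return memcmp(r->user, "QUSER     ", FIELD_LEN) == 0 &&
           memcmp(r->password, "SECRET    ", FIELD_LEN) == 0;
}

/* Signon step. With clear_after_use == 0 the password stays in the record
   until the next signon overwrites it, the behaviour the thread describes.
   The user ID is left alone because the job may still need it. */
int signon(struct signon_record *r, int clear_after_use)
{
    int ok = credentials_ok(r);
    if (clear_after_use)
        secure_zero(r->password, FIELD_LEN);
    return ok;
}

/* Runs one constructed signon and reports whether the password survived:
   1 = still in memory (the leak), 0 = erased. */
int password_left_behind(int clear_after_use)
{
    struct signon_record r;
    memcpy(r.user, "QUSER     ", FIELD_LEN);      /* constructed input */
    memcpy(r.password, "SECRET    ", FIELD_LEN);  /* constructed input */
    signon(&r, clear_after_use);
    for (size_t i = 0; i < FIELD_LEN; i++)
        if (r.password[i] != 0)
            return 1;
    return 0;
}
```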
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.