× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  • Subject: RE: AS400 user password
  • From: "Bale, Dan" <DBale@xxxxxxxx>
  • Date: Mon, 12 Jun 2000 12:40:43 -0400

Ed, I'm really not into beating dead horses (though many would say this
horse ain't dead yet <g>).  I acknowledge that all developers make mistakes,
so I am not one to cast stones.

However, I _am_ concerned with IBM's *seemingly* lack of speedy resolutions
to security exposures that others have said have been brought to IBM's
attention.  I don't know how long IBM had this information before the uproar
of last week, but only a few days later, you came forward with the PTF
solutions.  It appears that many of the elite group of MI experts that
subscribe to the MI400 list have grown weary of waiting for IBM to even
acknowledge that they know what they're talking about.  They appear to be
genuinely concerned for the AS/400 community, whereas IBM's security team
*appears* to be in the "security by obscurity" camp.

All of this is based on hearsay, although it appears to be coming from
trusted sources.  I am not asking you to divulge information that would
further put the AS/400 community at risk, but I am asking for IBM (whether
it be you or others higher up) to respond publicly to the accusations that
have been flying around the MIDANGE-L & MI400-L.

- Dan Bale

> -----Original Message-----
> From: edfishel@us.ibm.com [SMTP:edfishel@us.ibm.com]
> Sent: Monday, June 12, 2000 9:33 AM
> To:   MIDRANGE-L@midrange.com
> Subject:      RE: AS400 user password
> 
> >Ed -
> >
> >How does this PTF solve the "password sniffing" problem???
> >
> >Kenneth
> 
> Kenneth,
> 
> Subsystem monitor jobs use a single open for each 250 or so display
> devices. So for example, if the subsystem supports 600 display devices,
> there will be three opens and three input/output buffers. Each buffer is
> used for the sign-on screens for only one set of devices.
> 
> The fix provided by the PTFs is to blank out the password in the buffer
> immediately after it is read into a local variable. The program that does
> this already blanked out its local variables when it was done verifying
> the
> users sign-on password.  Not blanking out the password in the input buffer
> was an oversight. I will not try to offer an excuse for why the developer
> missed this. (I am not that developer.)
> 
> Ed Fishel,
> IBM Rochester
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.