× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2000

Re: AS400 user password

  • Subject: Re: AS400 user password
  • From: booth@xxxxxxxxxxxx
  • Date: Tue, 13 Jun 2000 22:02:19 GMT
 
John you are absolutely right excepting in one detail.   Remember the 
message about the proper channel to supply this information from the IBM 
person (I shan't name him)?   His response was accurate, timely and 
proper.  Unfortunately this is a citizen running in the firehouse door 
hollering "Fire, fire!!" and having the chief tell us to please use the 
approved methods for reporting fires.  IBM is re-learning her agility but 
it is a plodding pace at best.

But you are right  -  The AS/400 guys are reacting fast and well.  It is 
fun to watch them begin to shine.
_______________________
Booth Martin
booth@martinvt.com
http://www.MartinVT.com
_______________________




John Earl <johnearl@400security.com>
Sent by: owner-midrange-l@midrange.com
06/13/2000 07:48 AM
Please respond to MIDRANGE-L

 
        To:     MIDRANGE-L@midrange.com
        cc: 
        Subject:        Re: AS400 user password

Dan,

"Bale, Dan" wrote:

> Ed, I'm really not into beating dead horses (though many would say this
> horse ain't dead yet <g>).  I acknowledge that all developers make 
mistakes,
> so I am not one to cast stones.
>
> However, I _am_ concerned with IBM's *seemingly* lack of speedy 
resolutions
> to security exposures that others have said have been brought to IBM's
> attention.  I don't know how long IBM had this information before the 
uproar
> of last week, but only a few days later, you came forward with the PTF
> solutions.

I don't think this is a fair read of the situation.   The first that many 
(*ALL?)
of us heard of this was last Monday, and now we have PTF's this Monday.  I 
think
IBM should be commended for a fast response.  (It should be noted that 
Gary
Guthrie said that he had "mentioned" it to an undisclosed IBMer some time 
in the
past, but I don't beleive that anyone ever opened about an APAR or other 
official
report prior to publication on the MI list last week).  A week's time for 
three
PTF's is not what I would term "IBM's *seemingly* lack of speedy 
resolutions".


>  It appears that many of the elite group of MI experts that
> subscribe to the MI400 list have grown weary of waiting for IBM to even
> acknowledge that they know what they're talking about.  They appear to 
be
> genuinely concerned for the AS/400 community, whereas IBM's security 
team
> *appears* to be in the "security by obscurity" camp.

Gene Gaunt is a talented programmer and writes some great stuff and I 
don't wish
to bash him, but IMHO it was a mistake to post the code the way he did.  I 
would
think that a genuine concern for security would dictate that an Securty 
APAR
would be opened prior to posting this very serious exposure publicly (And 
as a
programmer, wouldn't you rather be told personally about your bugs before 
they
get posted on an internet forum?).  During the time that it took IBM to 
respond,
we were all hanging out there with our passwords available to anyone with
programmer abilities and a subscription to the MI list.

I don't think that IBM is ignoring security or putting their head in the 
sand,
they just got blind-sided on this issue.  What I'd like to see is a 
reporting
infrastructure that will allow word to get to the right people in a timely
fashion, so that IBM (and all of us!) doesn't get blind-sided again.  If 
the
reporting mechanizm for security breaches is lacking, then I want to see 
it
fixed.  Security is important enough to deserve a fast path through the 
support
infrastructure, and a more visible and easier to use reporting mechanizm 
for
security may have got word to the right people at the right time.

jte


--
John Earl                               johnearl@400security.com
The PowerTech Group                     206-575-0711
PowerLock Network Security              www.400security.com
--


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to 
MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: 
david@midrange.com
+---




+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.