

  • Subject: Re: Why do software companies always want ALLOBJ
  • From: MacWheel99@xxxxxxx
  • Date: Wed, 13 Sep 2000 15:03:29 EDT

From Al Macintyre V4R3 running BPCS 405 CD

I think this sort of thing is far too common & it usually is not obvious that 
a software package is brain dead for host platform security until after the 
buying company has invested considerably in definitely going to that package.

Some responsibility lies with the buying company ... their RFQ needs to have 
some minimal security demands such that they have the right to get all their 
money back if the package turns out to be one of the brain dead security ones.

We need a Ralph Nader that will identify which vendor packages are brain dead 
in the computer security department, or some kind of IBM sponsored security 
rating of software. 

The right hand of IBM brags to high heaven about the great OS/400 security.
The left hand of IBM is in marketing bed with software suppliers that demand 
that OS/400 security be totally trashed or they will not work.

As to WHY software vendors do this sort of thing or do they UNDERSTAND?

The #1 driving force, in my opinion, for software vendors is market demand.

There is NO market demand at TIME OF SOFTWARE PURCHASE for competent computer 
security.  By deliberately supplying software that is brain dead in areas 
that company purchasing is not smart enough to ask for, the software vendors 
guarantee a lifetime of extra money allegedly fixing such unnecessary 
problems.

With respect to developers, I went direct to top management to complain about 
abuse of master security officer privileges.  This software is supposed to 
work WITH SECURITY.  If you want the developers to create software that only 
works if the user has security to access everything, let's just remove all 
security from our system right now & let anyone in the world do anything they 
please.  This developer behavior makes security a farce.

Well the very top management of the developers denied my accusation & wanted 
me to prove it ... within a few days I had the proof that developers were 
using master security to do their testing.  My suspicion was that all the 
developers were using master security to do everything & that they did not 
understand user environments & the very notion of why a computer should have 
security of any kind.

At the next meeting I was told that they needed ACCESS to master security to 
help troubleshoot problems ... we are paying a small fortune for the 
developers & do not want to hold them up due to a security problem.  Fine, I 
agreed with that principle but disagreed with the notion that we should be 
providing deliverables that required that kind of access.

The end result of many go-arounds was that the developers STARTED doing what 
they SAID they had been doing all along ... only using Master Security for 
troubleshooting & fixing problems ... while I was in a bit of trouble for 
raising a stink about what management considered a non-problem, because 
management did not understand computer security internals ... but I had 
achieved my primary objectives, the developers were no longer providing 
software that required Master Security in the hands of end users to function.

After the developers left, I disabled their sign-on because far too many 
co-workers knew their password, which had been passed around the project team 
... the developers' notion of fixing problems was to sign on as Master 
Security officer & ignore the problem.  My notion was that occasionally 
someone might look at the documentation, and read the error message 2nd level.

>  From:    mgraziano@badgermeter.com (Graziano, Marie)

>  I am currently working with a software vendor that is asking for the userid
>  for the software to have ALLOBJ.  Now we all know that this is a very very
>  bad move.  However, in order to get the product up and running I had to do
>  it.  What are other companies doing?  And why do the software vendors not
>  understand what ALLOBJ is and does.  IF the user id was not used to sign in,
>  then I would not have a problem, but the software signs in with the userid
>  each day.
>  
>  Marie Graziano

Al Macintyre  ©¿©
MIS Manager Green Screen Programmer & Computer Janitor of BPCS 405 CD Rel-02 
running on AS/400 V4R3 http://www.cen-elec.com Central Industries of 
Indiana--->Quality manufacturer of wire harnesses and electrical 
sub-assemblies
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
