
  • Subject: Re: Why do software companies always want ALLOBJ
  • From: "Robert E. Burger" <rburger@xxxxxxxx>
  • Date: Wed, 13 Sep 2000 21:07:51 -0500

----- Original Message -----
From: <MacWheel99@aol.com>
To: <MIDRANGE-L@midrange.com>
Sent: Wednesday, September 13, 2000 2:03 PM
Subject: Re: Why do software companies always want ALLOBJ


> From Al Macintyre V4R3 running BPCS 405 CD
>
> I think this sort of thing is far too common & it usually is not obvious that
> a software package is brain dead for host platform security until after the
> buying company has invested considerable in definitely going to that package.

That is exactly what happened to us.  We didn't know ANYTHING about the
AS/400 other than it was required to run the application we "decided" to
buy so that we could comply with a state mandate.

> Some responsibility lies with the buying company ... their RFQ needs to have
> some minimal security demands such that they have the right to get all their
> money back if the package turns out to be one of the brain dead security ones.

That is certainly an excellent suggestion.  We were unable to do much of
anything since our purchase was an eleventh-hour deal at the end of the
biennium when we had been told to buy a system that does "this" or else and
that there would be no money available in the following biennium (which
was a few weeks away at the time)!

> We need a Ralph Nader that will identify which vendor packages are brain dead
> in the computer security department, or some kind of IBM sponsored security
> rating of software.
>
> The right hand of IBM brags to high heaven about the great OS/400 security.
> The left hand of IBM is in marketing bed with software suppliers that demand
> that OS/400 security be totally trashed or they will not work.

Very keen observation!  But, applications can be designed securely on the
AS/400, as a matter of fact, perhaps more securely than any other
environment.  As others have said, many developers are lazy and even more
are unwilling to "redevelop" their applications to properly utilize AS/400
security.

> As to WHY software vendors do this sort of thing or do they UNDERSTAND?
>
> The #1 driving force, in my opinion, for software vendors is market demand.
>
> There is NO market demand at TIME OF SOFTWARE PURCHASE for competent computer
> security.  By deliberately supplying software that is brain dead in areas
> that company purchasing is not smart enough to ask for, the software vendors
> guarantee a life time of extra money allegedly fixing such unnecessary
> problems.

Yep!

> With respect to developers, I went direct to top management to complain about
> abuse of master security officer privileges.  This software is supposed to
> work WITH SECURITY.  If you want the developers to create software that only
> works if the user has security to access everything, let's just remove all
> security from our system right now & let anyone in the world do anything they
> please.  This developer behavior makes security a farce.

I had a problem with my Business Partner in that when the IBM CE set up the
machine (under a SmoothStart consulting agreement), the BP had him set up
their accounts with *ALLOBJ and *SECADM.  I thought I understood what that
meant at the time but was so unsure of myself (I had not had ANY exposure
to or training on the AS/400 at that point).  But, I was so unsure of
myself and so afraid I would screw something up and need them to bail me
out that I left it alone.  18 months later, when we finally got into
production with this application that was "ready for use" when we bought
it, I couldn't convince them that they didn't need those authorities.

However, I recently came up with the excuse that got the job done.  I told
them that our Commissioners had ordered an external security audit of all
of our systems and that there was no way that I wouldn't get gigged on the
audit for an external user having *ALLOBJ or *SECADM authority.  Though
they didn't like it, they caved in and they no longer have unnecessary
special authorities.

> Well the very top management of the developers denied my accusation & wanted
> me to prove it ... within a few days I had the proof that developers were
> using master security to do their testing.  My suspicion was that all the
> developers were using master security to do everything & that they did not
> understand user environments & the very notion of why a computer should have
> security of any kind.

I've had this battle with our vendor many times -- "It works for us!  Yeah,
it works for me too (since I have *ALLOBJ) but it doesn't work for a lowly
user so why don't you log in on an account without special authorities and
you'll see what I mean!!!!!"  ARGH!!!!!!!!!!!!!!!!!!

> At the next meeting I was told that they needed ACCESS to master security to
> help trouble shoot problems ... we are paying a small fortune for the
> developers & do not want to hold them up due to a security problem.  Fine, I
> agreed with that principle but disagreed with the notion that we should be
> providing deliverables that required that kind of access.
>
> The end result of many go arounds was that the developers STARTED doing what
> they SAID they had been doing all along ... only using Master Security for
> trouble shooting & fixing problems ... while I was in a bit of trouble for
> raising a stink about what management considered a non-problem, because
> management did not understand computer security internals ... but I had
> achieved my primary objectives, the developers were no longer providing
> software that required Master Security in the hands of end users to function.

I have never been one to mince words and I am always pissing somebody off.
But, I go to sleep every night knowing that I've done what I think is in
the best interest of my agency.  My boss almost dreads talking to me
because I am one of the few people in the organization that has the guts to
tell him the whole story, even if it is laced with bad news.  But, he knows
that I don't feed him crap either!

> After the developers left, I disabled their sign-on because far too many
> co-workers knew their password, which had been passed around the project team
> ... the developers notion of fixing problems was to sign on as Master
> Security officer & ignore the problem.  My notion was that occasionally
> someone might look at the documentation, and read the error message 2nd level.

Robert E. Burger
Information Systems Coordinator
Tarrant County CSCD
Fort Worth, Texas, USA
=============================
AS/400 9406-620 running OS/400 V4R4
AS/400 9406-170 running OS/400 V4R4
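The audit check Robert describes (which profiles on the box hold *ALLOBJ or *SECADM) in concrete form, as an added example that is not part of the original thread. It assumes the Db2 for i service view QSYS2.USER_INFO and the column names used below; that view exists on current IBM i releases, not on the V4R4 systems in this thread, where DSPUSRPRF OUTPUT(*OUTFILE) yields the equivalent data.

```sql
-- Added example, not from the original thread: list user profiles that hold
-- *ALLOBJ or *SECADM, either directly or inherited from their group profile.
-- Assumes QSYS2.USER_INFO with the columns named here (IBM i service view).
-- Supplemental group profiles are not covered by this query.

-- Profiles that carry the special authority on their own user profile.
SELECT u.authorization_name          AS profile,
       u.status,
       u.previous_signon,
       'direct'                      AS source,
       u.special_authorities
FROM   qsys2.user_info u
WHERE  u.special_authorities LIKE '%*ALLOBJ%'
   OR  u.special_authorities LIKE '%*SECADM%'

UNION ALL

-- Profiles that inherit it because their group profile has it.  This is the
-- case a quick review most often misses: the user's own profile looks clean.
SELECT u.authorization_name,
       u.status,
       u.previous_signon,
       'via group ' || TRIM(g.authorization_name),
       g.special_authorities
FROM   qsys2.user_info u
JOIN   qsys2.user_info g
       ON g.authorization_name = u.group_profile_name
WHERE  g.special_authorities LIKE '%*ALLOBJ%'
   OR  g.special_authorities LIKE '%*SECADM%'

ORDER BY 1, 4;
```

Any vendor or business-partner profile that appears in this list, and any profile whose last sign-on is long past, is exactly what an external auditor would flag; the fix is to remove the special authority from the profile (CHGUSRPRF) or take it out of the group, not to disable the listing.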


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
