× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  • Subject: Re: INCREDIBLE - what am I missing here... ??? !!!
  • From: John Earl <johnearl@xxxxxxxxxxxxxxx>
  • Date: Thu, 28 Sep 2000 08:56:42 -0700
  • Organization: The PowerTech Group


Alistair Rooney wrote:

> Yes well, Linux, OK. Pffffftwahahaha! What colour is the sky in your world.
> Any properly setup 400 is virtually unhackable. The only way you could
> possibly get in cold (by cold I mean without getting the sysadmin drunk in a
> bar and getting a password out of him) is a) If security has not been setup
> properly (QSRV still active) or b)The old PC Support exploit which has now
> been closed.

There are a number of ways to get in "cold".  For starters, DDM allows access as
QUSER without a password (unless you've modified your communication subsystem to
prevent that).


> But don't believe me. Forrester group says it's the most secure machine.

I don't know what Forrester said, but I would argue with the word "secure".
Substitute "securable" (as in _you_ have to actually do something), and I'm ok
with that statement.

> Gartner says it's the most reliable. The As/400 goes way beyond DoD Orange
> Book security.

I don't know what you mean by this, could you explain?   C2 is a process that
involves continuous auditing as much (or even more so) than configuration
settings.


> Yes, you can tighten Linux up to an impressive degree, but I
> would make an educated guess here and say that 90% of Linux machines are not
> set up with impressive security. 90% of AS/400's are.

Your experience is obviously completely different than mine.  My experience is
that well over 90% of AS/400's are so loose as to be a hazard to the company 
that
owns them.  Vendors send applications where the Owner Profile=Group Profile, too
many users have *ALLOBJ, every user is allowed to assume every other users
identity, etc. etc. etc. I don't know what you call impressive security, but if
you're refering to the typical box where QSECURITY level is 30, and menu 
security
protects objects that users have ownership rights to and *PUBLIC has *CHANGE
rights to, you're sorely mistaken.


> At least with Linux
> you can *find* the password file, any ideas on where it is on the 400?

Yup.  Lot's of other folks know too.

Alistair, be humble about security.  Everytime you convince yourself you've got
it right, some overly clever 13 year-old will come along and put you back in 
your
place.  The AS/400 can be an extremely secure box, but due (I think) to the
insular nature of the AS/400 community I don't think that many systems have
actually attained the high level of security that you attach to it.  If the
reason AS/400's haven't been hacked is because few in the hacking community are
AS/400 aware, then it is only a matter of time.

There is still much for us to do.

IMHO,

jte


--
John Earl                    johnearl@400security.com
The PowerTech Group      --> new number --> 253-872-7788
PowerLock Network Security   www.400security.com
--


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.