Chuck,

Thanks.  Uh.. guess it doesn't need to adopt authority to do damage.

But, as you noted, not likely to be a practical consideration.  (I wouldn't
try LODRUN on a CD I got from some neighborhood kid though...  LOL...!)
What I'm having a hard time seeing is why Brad's coders would think the
vendor of the /drive/, rather than the /vendor of the CD/, would see some
downside if this functionality was provided.  Maybe they just didn't want to
mess with it...

jt

| -----Original Message-----
| From: midrange-l-admin@midrange.com
| [mailto:midrange-l-admin@midrange.com]On Behalf Of Chuck Morehead
| Sent: Saturday, December 08, 2001 12:54 PM
| To: midrange-l@midrange.com
| Subject: Re: CD Burning software?
|
|
| See comments in-line.
| Chuck
|
| ----- Original Message -----
| From: "jt" <jt@ee.net>
| To: <midrange-l@midrange.com>
| Sent: Saturday, December 08, 2001 11:48 AM
| Subject: RE: CD Burning software?
|
|
| > Sorry, Chuck, but I'm still not gettin' it...
| >
| > Does it adopt authority, or something...?  Anyway, my
| understanding of the
| > LODRUN (which is partial) is that it does a restore and a call,
| > essentially...
|
| Correct, and the program that it restores and calls must be owned by QSYS,
| so it has some security risk.  However, IMHO, this is not an exposure that
| is likely to be exploited.  To be exploited the vendor providing
| the CD must
| have either intentionally coded the program to do something bad to your
| system, or made a big mistake in coding that caused damage to your system.
| Either way, that vendor will be out of business quickly.
|
| >If you have a device that allows RSTLIB, I'm not sure how
| > that's a whole lot MORE secure.  (Maybe some...)
| >
| > Besides which, who's responsible for security of access to the LODRUN
| > command?  Each shop, or Brad's coders...?
| >
| > IMV, that's a shop responsibility and you can go WAY too far trying to
| save
| > somebody from themselves.  *May* have cost Brad a sale, in this
| particular
| > case.  So while I may not understand the exposure, I'm not at
| all sure of
| > the wisdom of leaving this functionality out.
|
| I personally agree with you - IMV this is not a potential
| security exposure
| that is worth restricting functionality for.
|
| >
| > Welcome to comments on both issues, of course.
| >
| > jt
| >
|
|
| _______________________________________________
| This is the Midrange Systems Technical Discussion (MIDRANGE-L)
| mailing list
| To post a message email: MIDRANGE-L@midrange.com
| To subscribe, unsubscribe, or change list options,
| visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
| or email: MIDRANGE-L-request@midrange.com
| Before posting, please take a moment to review the archives
| at http://archive.midrange.com/midrange-l.
|



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.