Chuck,

Thanks. Uh.. guess it doesn't need to adopt authority to do damage. But, as you noted, not likely to be a practical consideration. (I wouldn't try LODRUN on a CD I got from some neighborhood kid though... LOL...!)

What I'm having a hard time seeing is why Brad's coders would think the vendor of the /drive/, rather than the /vendor of the CD/, would see some downside if this functionality was provided. Maybe they just didn't want to mess with it...

jt

| -----Original Message-----
| From: midrange-l-admin@midrange.com
| [mailto:midrange-l-admin@midrange.com]On Behalf Of Chuck Morehead
| Sent: Saturday, December 08, 2001 12:54 PM
| To: midrange-l@midrange.com
| Subject: Re: CD Burning software?
|
| See comments in-line.
| Chuck
|
| ----- Original Message -----
| From: "jt" <jt@ee.net>
| To: <midrange-l@midrange.com>
| Sent: Saturday, December 08, 2001 11:48 AM
| Subject: RE: CD Burning software?
|
| > Sorry, Chuck, but I'm still not gettin' it...
| >
| > Does it adopt authority, or something...? Anyway, my understanding of the
| > LODRUN (which is partial) is that it does a restore and a call,
| > essentially...
|
| Correct, and the program that it restores and calls must be owned by QSYS,
| so it has some security risk. However, IMHO, this is not an exposure that
| is likely to be exploited. To be exploited the vendor providing the CD must
| have either intentionally coded the program to do something bad to your
| system, or made a big mistake in coding that caused damage to your system.
| Either way, that vendor will be out of business quickly.
|
| > If you have a device that allows RSTLIB, I'm not sure how
| > that's a whole lot MORE secure. (Maybe some...)
| >
| > Besides which, who's responsible for security of access to the LODRUN
| > command? Each shop, or Brad's coders...?
| >
| > IMV, that's a shop responsibility and you can go WAY too far trying to save
| > somebody from themselves. *May* have cost Brad a sale, in this particular
| > case. So while I may not understand the exposure, I'm not at all sure of
| > the wisdom of leaving this functionality out.
|
| I personally agree with you - IMV this is not a potential security exposure
| that is worth restricting functionality for.
|
| >
| > Welcome to comments on both issues, of course.
| >
| > jt
| >
|
| _______________________________________________
| This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
| To post a message email: MIDRANGE-L@midrange.com
| To subscribe, unsubscribe, or change list options,
| visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
| or email: MIDRANGE-L-request@midrange.com
| Before posting, please take a moment to review the archives
| at http://archive.midrange.com/midrange-l.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].