Thanks Ed and I agree.

What I've done too is change the message text for the invalid sign on
attempts (as has been mentioned here and is also in the books).

Chuck

-----Original Message-----
From: midrange-l-admin@midrange.com
[mailto:midrange-l-admin@midrange.com] On Behalf Of Ed Fishel
Sent: Tuesday, March 05, 2002 1:54 PM
To: midrange-l@midrange.com
Subject: Re: OS/400 User Account Name Disclosure Vulnerability



Here are some of my opinions on this topic.

1. Is it a security exposure to know the name of other user profiles on the
system?

No. If it is a security problem to know the names of all the user profiles
on the system then it must be a problem to know the names of some user
profiles, or even one other user profile. In my opinion, those people that
want to prevent some users from finding the names of other user profiles on
the system are practicing a form of security by obscurity. The system is
designed to compete in the business environment where knowing the name of
other users on the system is allowed.

Knowing, or guessing, the name of a user profile is not a security problem,
but being able to sign on and use that user profile would be a problem.
Good security design requires that even though a user knows the name of a
user profile, they cannot easily guess the password of the user profile or
even know any other information about that user profile.

2. Do other systems allow users to find the same level of information?

Yes. At least all Unix systems I am aware of allow any signed-on user to
get a list of all users on the system by using a command such as: cat
/etc/passwd | scroll

Ed Fishel,
edfishel@US.IBM.COM

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
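The thread makes two practical points: any signed-on Unix user can read the account list out of /etc/passwd, and the real control is the sign-on routine, which Chuck hardened by changing the invalid sign-on message so it no longer says whether the user name or the password was wrong. The example below is added here to illustrate both; it is not code from the original posts, from IBM or from midrange.com. The /etc/passwd excerpt, the user names and passwords, the PBKDF2 credential store and the three-failure lockout are all invented for the demonstration.

```python
"""Added example: user-name enumeration from passwd-format text, and a leaky
versus a uniform sign-on check.  Everything here (sample accounts, passwords,
hashing scheme, lockout threshold) is constructed for illustration."""
import hashlib
import hmac
import os

# Constructed /etc/passwd excerpt: name:pw:uid:gid:gecos:home:shell per line.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""


def list_users(passwd_text: str) -> list[str]:
    """Return every account name in passwd-format text, i.e. what any
    signed-on user learns from `cat /etc/passwd`."""
    return [line.split(":", 1)[0]
            for line in passwd_text.splitlines()
            if line and not line.startswith("#")]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; one hypothetical choice of password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SignOn:
    """Toy credential store with a per-user invalid sign-on counter."""
    MAX_FAILURES = 3
    UNIFORM_MSG = "Sign-on failed. User name or password is not correct."

    def __init__(self, users: dict[str, str]):
        self._salts = {u: os.urandom(16) for u in users}
        self._hashes = {u: hash_password(p, self._salts[u]) for u, p in users.items()}
        self._failures = {u: 0 for u in users}
        # Dummy salt and hash so an unknown user name costs the same work
        # as a known one (no timing difference to enumerate by).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("dummy", self._dummy_salt)

    def leaky_sign_on(self, user: str, password: str) -> tuple[bool, str]:
        """The message text tells the caller which half was wrong, so a
        known user name is confirmed without ever guessing a password."""
        if user not in self._hashes:
            return False, f"User profile {user} does not exist."
        if not hmac.compare_digest(hash_password(password, self._salts[user]),
                                   self._hashes[user]):
            return False, f"Password for {user} is not correct."
        return True, "Signed on."

    def uniform_sign_on(self, user: str, password: str) -> tuple[bool, str]:
        """Same message for unknown user, wrong password and locked profile;
        the password hash is always computed; repeated failures lock the
        profile, so knowing the name does not make guessing cheap."""
        known = user in self._hashes
        salt = self._salts[user] if known else self._dummy_salt
        expected = self._hashes[user] if known else self._dummy_hash
        match = hmac.compare_digest(hash_password(password, salt), expected)
        if not known:
            return False, self.UNIFORM_MSG
        if self._failures[user] >= self.MAX_FAILURES:
            return False, self.UNIFORM_MSG  # disabled, but the text does not say so
        if not match:
            self._failures[user] += 1
            return False, self.UNIFORM_MSG
        self._failures[user] = 0
        return True, "Signed on."


if __name__ == "__main__":
    print("accounts visible to any user:", list_users(SAMPLE_PASSWD))
    store = SignOn({"alice": "s3cret-example"})
    print("leaky  :", store.leaky_sign_on("carol", "x")[1], "|", store.leaky_sign_on("alice", "x")[1])
    print("uniform:", store.uniform_sign_on("carol", "x")[1], "|", store.uniform_sign_on("alice", "x")[1])
```

Run stand-alone, the script prints the enumerated account list and then the two pairs of failure messages: the leaky pair differs between an unknown and a known user name, the uniform pair does not. The lockout is deliberately silent as well; telling the caller "profile disabled" would again confirm that the name exists.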



