Thanks Ed and I agree. What I've done too is change the message text for the invalid sign-on attempts (as has been mentioned here and is also in the books).

Chuck

-----Original Message-----
From: midrange-l-admin@midrange.com [mailto:midrange-l-admin@midrange.com] On Behalf Of Ed Fishel
Sent: Tuesday, March 05, 2002 1:54 PM
To: midrange-l@midrange.com
Subject: Re: OS/400 User Account Name Disclosure Vulnerability

Here are some of my opinions on this topic.

1. Is it a security exposure to know the name of other user profiles on the system? No.

If it is a security problem to know the names of all the user profiles on the system, then it must be a problem to know the names of some user profiles, or even one other user profile. In my opinion, those people that want to prevent some users from finding the names of other user profiles on the system are practicing a form of security by obscurity. The system is designed to compete in the business environment, where knowing the name of other users on the system is allowed. Knowing, or guessing, the name of a user profile is not a security problem, but being able to sign on and use that user profile would be a problem. Good security design requires that even though a user knows the name of a user profile, they cannot easily guess the password of the user profile or even know any other information about that user profile.

2. Do other systems allow users to find the same level of information? Yes.

At least all Unix systems I am aware of allow any signed-on user to get a list of all users on the system by using a command such as:

cat /etc/passwd | scroll

Ed Fishel, edfishel@US.IBM.COM

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
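The thread's two practical points are that knowing a profile name must not help an attacker, and that the invalid sign-on message should not confirm whether a profile exists. The following is an added example, not code from either poster or from OS/400: a small Python sign-on handler with a constructed in-memory user store (user names and passwords are made-up sample values) that compares against a dummy hash for unknown names and returns one generic message for both "no such user" and "wrong password", beside the leaky variant that distinguishes the two cases.

```python
import hashlib
import hmac
import os

# Constructed sample user store: name -> (salt, PBKDF2-SHA256 hash).
# Assumption: a real system keeps this in a protected store, not in memory.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash; the cost is the same for every caller."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password: str):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


USERS = {
    "QSECOFR": _make_user("correct horse battery staple"),  # constructed sample
    "CHUCK": _make_user("another-sample-secret"),           # constructed sample
}

# Dummy credentials used when the name is unknown, so the handler still does
# exactly one PBKDF2 computation and response timing does not reveal whether
# the profile exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-accepted", _DUMMY_SALT)

GENERIC_MESSAGE = "User ID or password is incorrect."


def sign_on_leaky(user: str, password: str) -> tuple[bool, str]:
    """The message text to avoid: it tells the caller which profiles exist."""
    record = USERS.get(user.upper())
    if record is None:
        return False, "User profile not found."
    salt, expected = record
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return True, "Sign-on successful."
    return False, "Password incorrect."


def sign_on(user: str, password: str) -> tuple[bool, str]:
    """Return (success, message). The message and the work done are the same
    for an unknown user and for a wrong password, so neither confirms names."""
    name = user.upper()
    salt, expected = USERS.get(name, (_DUMMY_SALT, _DUMMY_HASH))
    presented = _hash_password(password, salt)
    # Constant-time comparison; an unknown name compares against the dummy
    # hash and is rejected regardless of the comparison result.
    matched = hmac.compare_digest(presented, expected)
    if matched and name in USERS:
        return True, "Sign-on successful."
    return False, GENERIC_MESSAGE


if __name__ == "__main__":
    for who, pw in (("CHUCK", "another-sample-secret"), ("CHUCK", "bad"), ("NOBODY", "bad")):
        print(who, sign_on(who, pw), "| leaky:", sign_on_leaky(who, pw))
```

The generic message is the change Chuck describes; the dummy-hash path is the extra step a defender wants so that timing, not just wording, stays the same for known and unknown names.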
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].