


Rob-

You almost sound like an IBM salesman:

"We know that there is a vulnerability in the OS for which there exists a current PTF, but you'll have to buy our service and spend thousands of dollars before we'll tell you what it is..."

Steve

----- Original Message -----
From: <rob@xxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Thursday, January 27, 2005 1:34 PM
Subject: RE: IBM's benevolent hacking



A "level of service" of a particular TCP/IP service is determined by a
standards body.  Thus if there is a higher one than is currently supported
by OS/400 then it is my belief that someone out there is actually using
it.

Now, IBM does have a PTF that is supposed "to fix some vulnerability
problems" with the service in question.  Would it raise the level of
service to that currently offered on other platforms?  No.  Is this good
enough, meaning, does it lock down the holes?  That I am still trying to
determine.  Did I have this PTF on before their last foray?  Yes.  What
ptf was it?  Sorry, but that points out what service we're talking about.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





"Joe Pluta" <joepluta@xxxxxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
01/27/2005 02:11 PM
Please respond to: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Subject: RE: IBM's benevolent hacking






Let me get this straight. You contracted with IBM for a security assessment, and they gave you a document in which there was at least one issue that was a TCP/IP security problem.

This is where I get confused.  I don't know what a "TCP/IP level of
service" is, but from your post, it seems there is a fix that involves
some sort of patch to TCP/IP that is not available and will never be
made available on OS/400.

In summary, IBM has informed you of a security risk in the OS/400
implementation of TCP/IP that IBM has said will not be fixed.  Is that
correct?  If so, I'm sure I can find someone who has an opinion on that
matter.

A couple of other questions may help.  Is this problem fixed in pSeries
or xSeries boxes?  Is it fixed by other OS vendors?  Is this problem
something inherent in the RFC793 specification?  Has there been some
additional RFC written that addresses this deficiency?

Joe

From: rob@xxxxxxxxx

Some are OS/400 TCP/IP specific. I've opened PMR's and was told the newer
level of service is not offered under OS/400. There was no plan on going
to that level of service. So I don't know if I should throw chairs, open
DCR's or both.

-- This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.







This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
