× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Yep, and Sony.  :) 


John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787 F: +1-312-601-1782
john.jones@xxxxxxxxxx

-----Original Message-----
From: midrange-l-bounces+john.jones=am.jll.com@xxxxxxxxxxxx
[mailto:midrange-l-bounces+john.jones=am.jll.com@xxxxxxxxxxxx] On Behalf
Of rob@xxxxxxxxx
Sent: Thursday, June 15, 2006 7:34 AM
To: Midrange Systems Technical Discussion
Subject: Re: Installing 3rd Party Software using QSECOFR??

So we should trust an established vendor to not install back doors, etc?

You mean like Microsoft?

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





Keith Carpenter <carpcon@xxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
06/15/2006 12:05 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc

Subject
Re: Installing 3rd Party Software using QSECOFR??






QSCANFSCTL wrote:
After installing vendor software signed on with *ALLOBJ authority you 
should
run a CHKOBJITG to look for IBM objects that fail a signature check. 
There
are several 3rd party vendors that modify QSYS objects using
unsupported
interfaces. A CHKOBJITG will detect that. If something was changed
that 
was
not documented or disclosed then I would question that.

Supposedly patching programs is harder to do on V5R4.  Vendors depending
on things like system state patches may run into trouble.


To answer your question, yes I know of malicious code that ran/runs on
OS/400. And back doors can be installed by QPGMR just as easily as 
QSECOFR.
Since this is an open forum I'm going to leave it at that.

I'll just take your word on this.  I can't image why a vendor would want
to create "malware" or how they could stay in business for very long.
Word would get out and that would be the end of them.


Some types of software, especially security software, is going to 
require
you to run programs at some time or another signed on with *ALLOBJ
authority. Whether that is at install time or any other time its all
the
same. It would be nice if we could just have customers run commands we

need
using standard IBM commands from a command line. But many APIs can't
be 
run
from a command line because they require a complex set of parameters
and
data structures. For example, how you would call an API from a command

line
and pass on open file descriptor? You can't. So that requires you to 
sign on
with *ALLOBJ authority and run a menu option or vendor-supplied
command.

A good argument for the value of an installation program.


Theoretically a back door could be installed at that time just as
easily 
as
during install time.

Yes, just running (executing) an unknown (not verified) program is
risky.  This is why the truly paranoid only run open source software.


In the end you should have a good trusting relationship with your 
software
vendor (or be dealing with an established business partner) when using
*ALLOBJ authority. Perhaps I would be suspicious of downloading 
something
off the Internet from an unknown company. On the other hand, I would
be 
less
suspicous of installing SAP, or JDE, or any other advanced level IBM
business partner product, using *ALLOBJ authority. An established
vendor 
is
not likely to risk their entire business to intentionally install a
back
door on your computer for malicous purposes.

Makes sense to me.

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.