John, I don't have a single client where one out of eight user profiles has a default password. I also don't have a single client at security level 10 or even 20. There may be a few at 30, but 30 is a perfectly acceptable level.

Other than filling the old JOBD exploit (which is still an issue at security level 40 if you have *USE authority to a job description), the primary thing QSECURITY 40 buys you is system state enforcement. In general, not an issue for people who can't install things on your system. The number of shops at 20 and below is quite small.

And I'll bet that if you get rid of the people in your survey running at security level 20 (who are nearly running without security anyway), that the percentage of default passwords drops as well -- I'm sure the few systems at level 20 skew some of your other numbers. It's not that your numbers are inaccurate, it's just that from what I can see your statistical presentations lack context and your conclusions thus tend towards the alarmist.

I'd really like to see your studies broken down by security level: how many systems with security level 30 have 12% default passwords? From my own personal knowledge of my users, that number is tiny.

We do agree on one thing: unfettered ODBC access is anathema to security. There are FAR more people opening up their machines via ODBC access than those that need to worry about weak passwords. And strong passwords aren't all that and a bag of chips anyway: as you well know, John, strong passwords often lead to the post-it exploit. Until we get those retinal scanners on our workstations (or maybe the implanted biochips), there's really no security at all.

Joe
From: John Earl

> One thing to remember is that the study was authored by someone who sells solutions that address the issues raised. Is it any surprise that their study finds that people with System i's need their software to fix the issue raised?

While it is true that PowerTech sells solutions to _some_ of the problems that were outlined in the study, it would be a mistake to conclude that this study only looks at problems that our software corrects. For example, the study found that 41% of shops are still at QSECURITY level 30 and below. This is significant from a security perspective, but PowerTech doesn't sell a product that will migrate your machine to level 40. The same is true for the 12% of user ID's that carry default passwords, and the 25% of systems that haven't turned on the security audit journal (QAUDJRN). PowerTech doesn't sell software solutions to these problems. You are going to have to fix them with the tools provided in OS/400.
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].