Re: Preparing for a High-profile Termination

Sometimes it doesn't show up with either the keyword (USRPRF or such) or the profile.

Some years ago I wrote a simple automated procedure to FTP "stuff" on one system to another one automatically. My profile and password were hard-coded in the INPUT file.


Needless to say I didn't like my password being "out in the open" even though I secured the PF-Src file with *Public *Exclude and allowed only my boss and me to have access to it.

So I later re-wrote it to use a datafile where the profile and password were scrambled (crude encryption) and a program read the file, unscrambled it and built the FTP script. And the script was whacked upon completion. There is no obvious trace of my profile and password anywhere in the string today that one could find by scanning source or database files. And the process runs flawlessly every night.


* Jerry C. Adams
*IBM System i Programmer/Analyst
B&W Wholesale Distributors, Inc.* *
voice
615.995.7024
fax
615.995.1201
email
jerry@xxxxxxxxxxxxxxx <mailto:jerry@xxxxxxxxxxxxxxx>



rob@xxxxxxxxx wrote:

Scanning source could be a problem. A clever person would do something like
usrprf = x'..' +x'...' +x'...';
and probably not name the variable USRPRF. And if it was a command string not build it so that 'USRPRF' was scannable either.

It's probably not a bad idea to scan (helps to avoid that egg on your face if they actually did leave it plain text and you didn't notice it but an auditor did), but do not assume you're then in the clear.

Rob Berendt