After reading through this thread I suspect that your and Patrick's
positions are closer than you may realize.
Windows is not secure, i5/OS is not secure, none of the *nixes are
secure, and z/OS is not secure. No vendor can send you a "secure"
operating system (because they don't know how you are going to use it)
and they certainly can't guarantee that no matter how you tweak it, the
OS will stay secure.
I've said it before, but I really mean it this time :) Secure is a verb.
It's something you do, not somewhere you reside.
I'm not interested in taking your $1000 bet because I guess that you
have stacked the odds in your favor by securing your machine very well
(and to Patrick's point, you probably did that for very little cost and
time). You took proactive steps to secure your machine, and I would
probably be out the $1000 if I took the bet. I am quite sure that I
could find a Windows admin who had secured his system such that it would
take an equal pounding and still not be compromised.
As our State of the System i Security Study has demonstrated for the
last 4 years, there are an awful lot of systems out there ("the
majority" again) that are not well managed from a security point of
view. A story I have been telling a lot lately came from the Omni
Conference last year. I sat at a lunch table with a seasoned System i
manager, and when I told him I was there to speak on Security he got a
puzzled look on his face and said "Why? I thought the AS/400 was
already secure?" As if. It's a pretty good bet that his system is wide
Ultimately security is more about people than it is about technology. I
really like the base package that OS/400 provides when it comes to
security, but it isn't secure enough right out of the box to put on a
public network (is this where I plug my Hardening i5/OS session at your
November 13th conference? :). Therefore the people responsible for the
machine have to exercise due care in protecting it (as I suspect you
have already done). Anyone who thinks the OS will magically protect
their machine (and many people do) could find their System i
compromised faster than you can say Windows IIS.
But that's JMHO.
John Earl, VP and Chief Technology Officer