• Subject: Re: AS400 user password (fwd)
  • From: "Leif Svalgaard" <leif@xxxxxxxx>
  • Date: Sat, 10 Jun 2000 14:41:45 -0500

They are not used afterwards and it is a simple matter to erase the content,
and I think that is precisely what IBM has done (will do) in the PTF to fix
this.

----- Original Message -----
From: William Washington III <w.washington@iols.net>
To: <MIDRANGE-L@midrange.com>
Sent: Saturday, June 10, 2000 2:08 PM
Subject: Re: AS400 user password (fwd)


> Are the buffers used for a legitimate purpose after login?  It seems to be a
> simple matter for IBM to flush the buffers once the job has entered the
> subsystem.  Does SECLVL(50) help in any way?
>
> ----- Original Message -----
> From: "V. LeVeque" <vleveque@earthlink.net>
> To: <MIDRANGE-L@midrange.com>
> Sent: Saturday, June 10, 2000 12:25 AM
> Subject: Re: AS400 user password (fwd)
>
>
> > This is exactly the point of all those "petty" requirements of a C2
> > certification - to ensure that object reuse does not result in sensitive
> > information being leaked.  You know, why you shouldn't be able to view other
> > users' QTEMP and things of that sort.
> >
> > I hate to say "I told you so", but a lot of this difficult and seemingly
> > impractical security theory really DOES matter for us "just plain business
> > systems folk".
> >
> > Be grateful this is an AS/400 and not Windows NT, or this code would be
> > posted throughout the Internet as we speak.  The only thing saving us with
> > this is the relative lack of interest in the AS/400 by the hacking
> > community.
> >
> >
> > At 07:59 PM 6/9/00 -0500, you wrote:
> > >From: William Washington III <w.washington@iols.net>
> > >> I'm sure the infamous 17-line RPG IV program is a call to one
> > >> of the service routines.  (But I haven't seen it... I could be wrong!)
> > >
> > >
> > >You are in fact wrong. It is much simpler than that. The signon
> > >program reads a screen buffer with the user ID and password
> > >you just typed. The contents of that buffer hang around until
> > >signoff or another signon (when it will contain yet another
> > >password!). A general principle of secure working is to
> > >erase the contents of all buffers and variables as soon as
> > >they are no longer needed. IBM violated that simple principle.
> > >
> > >

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
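The buffer-hygiene principle the thread argues about, shown as an added C example that is not code from the list, from IBM, or from the AS/400 signon program: a stand-in signon buffer is authenticated and then either left in place (the behaviour the thread describes) or wiped right after use (the fix the thread asks IBM for). The struct layout, the 16-byte field sizes, the plaintext compare and the sample credentials are all constructed assumptions for illustration; a real signon routine compares against a stored hash, and the true screen-buffer layout is not described on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRED_LEN 16

/* Constructed stand-in for the screen input buffer: user ID + password
 * fields as typed at the signon display. Layout is an assumption. */
typedef struct {
    char user[CRED_LEN];
    char password[CRED_LEN];
} signon_buffer;

/* Compiler-resistant wipe. Writing through a volatile pointer cannot be
 * dropped as a dead store, which is what an optimizer does to a plain
 * memset() whose target is never read again. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Simplified credential check (assumption: plaintext, constant-time compare
 * over the whole field; a real system verifies against a stored hash). */
static int check_password(const signon_buffer *buf, const char *expected) {
    size_t len = strlen(expected);
    if (len > CRED_LEN) len = CRED_LEN;
    unsigned char diff = 0;
    for (size_t i = 0; i < CRED_LEN; i++) {
        unsigned char e = i < len ? (unsigned char)expected[i] : 0;
        diff |= (unsigned char)buf->password[i] ^ e;
    }
    return diff == 0;
}

/* The pattern the thread describes: the buffer is read, the password is
 * checked, and the typed password stays in memory until it is overwritten
 * by the next signon. Returns 1 on success, 0 on failure. */
int signon_leaky(signon_buffer *buf, const char *expected) {
    return check_password(buf, expected);
}

/* The fix the thread asks for: wipe the password field the moment it has
 * served its purpose, whether or not the check succeeded. */
int signon_wiped(signon_buffer *buf, const char *expected) {
    int ok = check_password(buf, expected);
    secure_wipe(buf->password, sizeof buf->password);
    return ok;
}

/* Probe standing in for a later program that reads the buffer: counts the
 * non-zero bytes still sitting in the password field. */
size_t residue_bytes(const signon_buffer *buf) {
    size_t n = 0;
    for (size_t i = 0; i < CRED_LEN; i++)
        if (buf->password[i] != 0) n++;
    return n;
}

/* Fills the buffer from constructed sample input (not real credentials). */
void fill_signon(signon_buffer *buf, const char *user, const char *pw) {
    memset(buf, 0, sizeof *buf);
    strncpy(buf->user, user, CRED_LEN - 1);
    strncpy(buf->password, pw, CRED_LEN - 1);
}

int main(void) {
    signon_buffer b;

    fill_signon(&b, "QUSER", "s3cret");            /* constructed sample */
    signon_leaky(&b, "s3cret");
    printf("after leaky signon: %zu password bytes still in buffer\n",
           residue_bytes(&b));

    fill_signon(&b, "QUSER", "s3cret");
    signon_wiped(&b, "s3cret");
    printf("after wiped signon: %zu password bytes still in buffer\n",
           residue_bytes(&b));
    return 0;
}
```

The volatile write loop is the point that most "just erase it" fixes miss: a `memset(buf->password, 0, ...)` immediately before the buffer goes out of scope is a store nobody reads, so an optimizing compiler is entitled to delete it and the secret survives exactly as if the wipe had never been written. Wiping on the failure path matters as much as on success, since a mistyped password is usually one character away from the real one.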
