• Subject: Re: INCREDIBLE - what am I missing here... ??? !!!
  • From: John Earl <johnearl@xxxxxxxxxxxxxxx>
  • Date: Thu, 28 Sep 2000 08:56:42 -0700
  • Organization: The PowerTech Group


Alistair Rooney wrote:

> Yes well, Linux, OK. Pffffftwahahaha! What colour is the sky in your world?
> Any properly set up 400 is virtually unhackable. The only way you could
> possibly get in cold (by cold I mean without getting the sysadmin drunk in a
> bar and getting a password out of him) is a) If security has not been set up
> properly (QSRV still active) or b) The old PC Support exploit which has now
> been closed.

There are a number of ways to get in "cold".  For starters, DDM allows access as
QUSER without a password (unless you've modified your communication subsystem to
prevent that).


> But don't believe me. Forrester group says it's the most secure machine.

I don't know what Forrester said, but I would argue with the word "secure".
Substitute "securable" (as in _you_ have to actually do something), and I'm ok
with that statement.

> Gartner says it's the most reliable. The AS/400 goes way beyond DoD Orange
> Book security.

I don't know what you mean by this, could you explain?   C2 is a process that
involves continuous auditing as much (or even more so) than configuration
settings.


> Yes, you can tighten Linux up to an impressive degree, but I
> would make an educated guess here and say that 90% of Linux machines are not
> set up with impressive security. 90% of AS/400's are.

Your experience is obviously completely different than mine.  My experience is
that well over 90% of AS/400's are so loose as to be a hazard to the company that
owns them.  Vendors send applications where the Owner Profile=Group Profile, too
many users have *ALLOBJ, every user is allowed to assume every other user's
identity, etc. etc. etc. I don't know what you call impressive security, but if
you're referring to the typical box where QSECURITY level is 30, and menu security
protects objects that users have ownership rights to and *PUBLIC has *CHANGE
rights to, you're sorely mistaken.


> At least with Linux
> you can *find* the password file, any ideas on where it is on the 400?

Yup.  Lots of other folks know too.

Alistair, be humble about security.  Every time you convince yourself you've got
it right, some overly clever 13 year-old will come along and put you back in your
place.  The AS/400 can be an extremely secure box, but due (I think) to the
insular nature of the AS/400 community I don't think that many systems have
actually attained the high level of security that you attach to it.  If the
reason AS/400's haven't been hacked is because few in the hacking community are
AS/400 aware, then it is only a matter of time.

There is still much for us to do.

IMHO,

jte


--
John Earl                    johnearl@400security.com
The PowerTech Group      --> new number --> 253-872-7788
PowerLock Network Security   www.400security.com
--


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
