Walden,

Again, excellent points.

What I wonder is 1000 folks in the community would be willing to chip in to
find that 1 hole in 1000...?  I would.

If including all the folks work in businesses that run 400s, it may even be
possible for 1 million folks to chip in to find that 1-in-a-million variety
of hole.

The reason I say they **might** is because if that 1 hacker in a million
gets access to the wrong information, the whole stability of e-business is
shaken...  And as the business world gets more and more into e-business, the
target becomes more and more tempting to hackers.  So I think it'd be safer
to assume that the 1 in a million hack WILL happen, than assume it won't, in
the near future.  As this becomes more frequent, it will apply some hard
brakes to e-business reaching it's potential...

jt



| -----Original Message-----
| From: midrange-l-admin@midrange.com
| [mailto:midrange-l-admin@midrange.com]On Behalf Of Walden H. Leverich
| Sent: Monday, December 17, 2001 1:47 PM
| To: 'midrange-l@midrange.com'
| Subject: RE: Where are all of the /400's going. (was RE: QUSER on ODBC
| requests)
| Importance: High
|
|
| I guess it's a question of when are you secure enough? Note that I said
| changing the serial number was "almost trivial" not "almost
| trivial without
| secofr-level access". If someone has secofr-level access then I
| wouldn't be
| too concerned with the serial number issue. <G> Digital certificates,
| encryption (IPSEC, SSL, PGP, DES, etc.) could all add to the level of
| security, but if it's coded somewhere then it's hackable. It's
| not until you
| add in things like bio-metrics (retina, fingerprint, etc.) that
| you get to a
| degree of unhackability and even then, I don't need you, just your eye or
| finger.
|
| Can white-hat hackers help, maybe. But it would also be up to the owner of
| the code to make changes according to the findings of the
| community and the
| owner would need development dollars to make those changes. Would the
| community be willing to spend development money (in the form of
| maintenance
| fees) to fix a hole that 1 in a million people might find? Probably not. A
| hole that 1 in 10 might find, probably yes. A hole that 1 in 1000 might
| find? Hard to say.
|
| As far as details of the Profile Manager tool go, yes that is vb
| code in the
| example. VB makes a great test platform for COM since it's so damn easy.
| I'll contact you off-list with more details on the tool itself since I'd
| hate to be accused of posting something that might tarnish the dignity of
| this forum! <G>
|
| -Walden
|
| ------------
| Walden H Leverich III
| President
| Tech Software
| (516)627-3800 x11
| WaldenL@TechSoftInc.com
| http://www.TechSoftInc.com
|
|
|
| -----Original Message-----
| From: jt [mailto:jt@ee.net]
| Sent: Monday, December 17, 2001 00:20
| To: midrange-l@midrange.com
| Subject: RE: Where are all of the /400's going. (was RE: QUSER on ODBC
| requests)
|
|
| Walden,
|
| Dag...:-( ! !  (But thanks for info.)
|
| I didn't know, but was afraid of that...
|
| So the question becomes, CAN that be prevented...?!?  Most likely by the
| services of white-hat hackers...?  And a method of rapidly delivering new
| security methods, as weaknesses are (hopefully pro-actively) discovered, a
| la DNS...
|
| jt
|
| | -----Original Message-----
| | From: midrange-l-admin@midrange.com
| | [mailto:midrange-l-admin@midrange.com]On Behalf Of Walden H. Leverich
| | Sent: Monday, December 17, 2001 12:02 AM
| | To: 'midrange-l@midrange.com'
| | Subject: RE: Where are all of the /400's going. (was RE: QUSER on ODBC
| | requests)
| |
| |
| | It's late so I'll wait until tomorrow to elaborate on the tool, but as
| | far as hacking the AS/400 serial number, yes it can and has been done.
| | If you know an address or two it's almost trivial.
| |
| | -Walden
| |
| |
| | ------------
| | Walden H Leverich III
| | President
| | Tech Software
| | (516)627-3800 x11
| | WaldenL@TechSoftInc.com
| | http://www.TechSoftInc.com
| |
| |
| |
| | -----Original Message-----
| | From: jt [mailto:jt@ee.net]
| | Sent: Sunday, December 16, 2001 23:01
| | To: midrange-l@midrange.com
| | Subject: RE: Where are all of the /400's going. (was RE: QUSER on ODBC
| | requests)
| |
| |
| | Walden,
| |
| | Is that VB?
| |
| | VERY interested in this tool, if you wanna elaborate.
| |
| | ==> But here's the thing:  (I'm NOT contradicting you, but just asking
| | the
| | question.)  Has it ever been done AND/OR IS it theoretically
| | possible: COULD
| | a 400 machine serial number be hacked...?!?  I guess I'm asking
| if there's
| | ANY WAY CONCEIVABLE?  I think this is a key question.
| |
| | jt
| |
| |
| |
| | | -----Original Message-----
| | | From: midrange-l-admin@midrange.com
| | | [mailto:midrange-l-admin@midrange.com]On Behalf Of Walden H.
| | | Leverich
| | | Sent: Sunday, December 16, 2001 4:27 PM
| | | To: 'midrange-l@midrange.com'
| | | Subject: RE: Where are all of the /400's going. (was RE: QUSER on ODBC
| | | requests)
| | | Importance: High
| | |
| | |
| | | I'm not sure if you could keep ahead of the hackers, but I'd guess
| | | not. I forgot about CPU serial number, but my intent is to include
| | | it in the tool too (this isn't theory for me). Since we can safely
| | | say that this tool will be used in the corporate environment I don't
| | | see a problem saying that the PCs involved must allow the retrieval
| | | of the Intel serial number. AFAIK, there is no way to emulate or
| | | override the CPUID machine instruction so this would be very
| | | difficult to hack.
| | |
| | | In a COM environment you'd use to tool something like:
| | |
| | | Dim upm as new ProfileManager
| | | Dim usr as string
| | | Dim pwd as string
| | |
| | | upm.GetProfile("AS400Name", "ServiceName")
| | | Usr = Upm.User
| | | Pwd = Upm.Password
| | | Set upm = nothing
| | |
| | | ServiceName is site-specific and could include things like
| | | "EndOfMonth Accounting FTP" or "VRU Password Download" or whatever
| | | floats your boat.
| | |
| | | -Walden
| | |
| | | ------------
| | | Walden H Leverich III
| | | President
| | | Tech Software
| | | (516)627-3800 x11
| | | WaldenL@TechSoftInc.com
| | | http://www.TechSoftInc.com
| | |
| | |
| | |
| | | -----Original Message-----
| | | From: jt [mailto:jt@ee.net]
| | | Sent: Sunday, December 16, 2001 14:17
| | | To: midrange-l@midrange.com
| | | Subject: RE: Where are all of the /400's going. (was RE: QUSER on
| | | ODBC
| | | requests)
| | |
| | |
| | | Walden,
| | |
| | | Sounds like a keeper, to me...  Thanks...!
| | |
| | | I would add processor serial number to the criteria to validate, at
| | | least amongst 400s and other platforms that support this.  (Intel
| | | could have, but was required by the user community to allow this
| | | feature to be disabled at the user's option.)
| | |
| | |
| | | But I'd like to take this to the next level...  (Again, don't know
| | | the
| | | technology.)  I'd like to know more about the issues surrounding "Can
| | | it be defeated, of course..."...
| | |
| | | I think a part of the answer to this is collaboration amongst
| | | trusted users...  Don't know any specifics, but it would seem that
| | | different methods of security should be rotated, and continually
| | | evolved, to give the hackers a moving target.  Spread the security
| | | methods around, along the
| | lines that
| | | the DNS addresses are spread through the Net (although at a MUCH
| | | quicker rate).
| | |
| | |
| | | My question is whether it's possible (theoretically AND
| | | practically) to keep
| | | the security methods evolving fast enough to **simulate** staying
| | | one step ahead of the hackers...?!?  (You'll always have a small
| | | minority of crooked insiders, so you can only "simulate" staying
| | | ahead of the hackers, AFAIK.)
| | |
| | |
| | | j "outta here for now!" t
| | |
| | |
| | |
| | | | -----Original Message-----
| | | | From: midrange-l-admin@midrange.com
| | | | [mailto:midrange-l-admin@midrange.com]On Behalf Of Walden H.
| | | | Leverich
| | | | Sent: Sunday, December 16, 2001 2:01 PM
| | | | To: 'midrange-l@midrange.com'
| | | | Subject: RE: QUSER on ODBC requests
| | | |
| | | |
| | | | OK, so have the pc program ask the as/400 for a valid userid and
| | | | password. The 400 could validate that the request was valid
| | | | (remote ip, MAC, time,
| | | | etc.) and return a user and password. A 5 second counter would
| | | then start
| | | | and when it expires the password for that user would be
| | | changed. Can it be
| | | | defeated, of course, but you'd have to set your ip, mac address
| | | | and ask for the password at the specific date and time that's much
| | | | more
| | | secure than a
| | | | user called 'transfer' with a password of 'transfer'.
| | | |
| | | | -Walden
| | | |
| | | |
| | | | ------------
| | | | Walden H Leverich III
| | | | President
| | | | Tech Software
| | | | (516)627-3800 x11
| | | | WaldenL@TechSoftInc.com
| | | | http://www.TechSoftInc.com
| | | |
| | | |
| | | |
| | | | -----Original Message-----
| | | | From: jt [mailto:jt@ee.net]
| | | | Sent: Friday, December 14, 2001 14:19
| | | | To: midrange-l@midrange.com
| | | | Subject: RE: QUSER on ODBC requests
| | | |
| | | |
| | | | Rob,
| | | |
| | | | I'd sure like to see an acceptable solution to this one, myself...
| | | |
| | | | Hardcode passwords in code..: no good at all...!  But have
| | | | password keyed in on every batch FTP and Domino app use...:  AIN'T
| | | | GONNA HAPPEN...!
| | | |
| | |
| | | <huge snip of prior messages>
| | |
| | | _______________________________________________
| | | This is the Midrange Systems Technical Discussion (MIDRANGE-L)
| | | mailing list To post a message email: MIDRANGE-L@midrange.com To
| | | subscribe, unsubscribe, or change list options,
| | | visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
| | | or email: MIDRANGE-L-request@midrange.com
| | | Before posting, please take a moment to review the archives
| | | at http://archive.midrange.com/midrange-l.
| | | _______________________________________________
| | | This is the Midrange Systems Technical Discussion (MIDRANGE-L)
| | | mailing list
| | | To post a message email: MIDRANGE-L@midrange.com
| | | To subscribe, unsubscribe, or change list options,
| | | visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
| | | or email: MIDRANGE-L-request@midrange.com
| | | Before posting, please take a moment to review the archives
| | | at http://archive.midrange.com/midrange-l.
| | |
| |
| | _______________________________________________
| | This is the Midrange Systems Technical Discussion (MIDRANGE-L)
| | mailing list
| | To post a message email: MIDRANGE-L@midrange.com
| | To subscribe, unsubscribe, or change list options,
| | visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
| | or email: MIDRANGE-L-request@midrange.com
| | Before posting, please take a moment to review the archives
| | at http://archive.midrange.com/midrange-l.
| | _______________________________________________
| | This is the Midrange Systems Technical Discussion (MIDRANGE-L)
| | mailing list
| | To post a message email: MIDRANGE-L@midrange.com
| | To subscribe, unsubscribe, or change list options,
| | visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
| | or email: MIDRANGE-L-request@midrange.com
| | Before posting, please take a moment to review the archives
| | at http://archive.midrange.com/midrange-l.
| |
|
| _______________________________________________
| This is the Midrange Systems Technical Discussion (MIDRANGE-L)
| mailing list
| To post a message email: MIDRANGE-L@midrange.com
| To subscribe, unsubscribe, or change list options,
| visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
| or email: MIDRANGE-L-request@midrange.com
| Before posting, please take a moment to review the archives
| at http://archive.midrange.com/midrange-l.
| _______________________________________________
| This is the Midrange Systems Technical Discussion (MIDRANGE-L)
| mailing list
| To post a message email: MIDRANGE-L@midrange.com
| To subscribe, unsubscribe, or change list options,
| visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
| or email: MIDRANGE-L-request@midrange.com
| Before posting, please take a moment to review the archives
| at http://archive.midrange.com/midrange-l.
|



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.