On Mon, 25 Feb 2002, Dr Syd Nicholson wrote:

> Are we not all missing the point here??
>
> In order to use the System Request menu the user has signed on.
> They have a user ID and password. If this is an unauthorised person the
> system is already compromised. The system has already been hacked!!!

Not all vulnerabilities are remote or can be exploited without a valid
login.  A vulnerability is a situation where some user can do something
that that user is not allowed to do.  The fact that a certain
vulnerability cannot be exploited remotely or requires a valid login
to be exploited does not mean that it is not a security breach.

> If the signed-on user is authorised to use the system, they probably
> know the other User IDs anyway.
>
> If your system has been hacked - 5250 sessions are the least of the
> problem - check out FTP and ODBC, these are MUCH more dangerous. If the
> installed applications do not allow sufficient flexibility regarding
> configuring the security of OS/400, consider using exit point security
> programs to close back door access to the system.

That there are many methods to break into systems is not the point.  That
this particular exploit requires a valid login is not the point.  That
some program or service can be tricked into doing something it was not
designed to do is the point.

Whose clever sig is it that says, "there are two types of programs...
those that do what they are supposed and those that don't.  I use the
latter." ?

James Rich
james@eaerich.com




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].