|
Yes, the marketing person could pound his chest after wasting QE time to research the problem while simultaneously Tech Support was wasting R&D time on the same thing. I'm only half-empty to counter all the half-full people I'm forced to be around. Kurt > -----Original Message----- > From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l- > bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx > Sent: Wednesday, May 18, 2005 8:54 AM > To: Midrange Systems Technical Discussion > Subject: RE: iSeries FTP security > > You're a glass is half empty kind of person aren't you? :-) > I would think that their marketing team would be able to pound their chest > in pride and say they have it fixed, unlike what they've heard about some > of their competition. > > Rob Berendt > -- > Group Dekko Services, LLC > Dept 01.073 > PO Box 2000 > Dock 108 > 6928N 400E > Kendallville, IN 46755 > http://www.dekko.com > > > > > > "Kurt Goolsbee" <kurt.goolsbee@xxxxxxxxxxxxx> > Sent by: midrange-l-bounces@xxxxxxxxxxxx > 05/17/2005 07:15 PM > Please respond to > Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx> > > > To > "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx> > cc > > Subject > RE: iSeries FTP security > > > > > > > What about the software packages that he listed that DO NOT have this > problem - was it a service to them? I'm not sure the product marketing > and > support folks that had their time wasted by customers wanting fixes for a > non-existent problem would agree. > > Kurt > > > -----Original Message----- > > From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l- > > bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx > > Sent: Tuesday, May 17, 2005 4:44 PM > > To: Midrange Systems Technical Discussion > > Subject: RE: iSeries FTP security > > > > Scott, > > > > I think we need to compromise between "any valid, authenticated user" > and > > it's only a security issue if it's a Windows specific issue like a > buffer > > overflow. > > > > I still think, in this case, he provided a service and I appreciate the > > heads up. > > > > Rob Berendt > > -- > > Group Dekko Services, LLC > > Dept 01.073 > > PO Box 2000 > > Dock 108 > > 6928N 400E > > Kendallville, IN 46755 > > http://www.dekko.com > > > > > > > > > > > > "Ingvaldson, Scott" <SIngvaldson@xxxxxxxxxxxx> > > Sent by: midrange-l-bounces@xxxxxxxxxxxx > > 05/17/2005 08:33 AM > > Please respond to > > Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx> > > > > > > To > > <midrange-l@xxxxxxxxxxxx> > > cc > > > > Subject > > RE: iSeries FTP security > > > > > > > > > > > > > > Of course that would be a serious vulnerability. But who among us does > > not already know this and should it really be considered an "exploit?" > > As to the second question, you don't need to write a program to secure > > FTP, you can just turn it off. > > > > The disservice that Mr. Carmel is doing is not in the area of educating > > users on iSeries security, it is in the misposting of these > > "vulnerabilities" in places like Bugtraq and suggesting that these are > > weaknesses inherent in the iSeries. Maybe I'm off base here, but in my > > mind a true exploit reads something like this: "Attackers can exploit a > > buffer overflow in the login to gain root access..." > > > > Certainly we can all pay more attention to security and most likely > > every one of us has multiple back doors and unauthorized access points > > on our systems that could be locked down a little tighter. Should > > something like this really be considered a serious vulnerability: "A > > valid, authenticated user can access and retrieve all of the files that > > he has authority to..." Or is that how it's supposed to work? > > > > Should someone post to Bugtraq the fact that many newer iSeries models > > have a port in the back that accepts a standard ethernet cable and will > > allow any "valid, authenticated user" to download all of "the files that > > he has authority to?" If you unplug your ethernet lines your system > > will be much more secure (and much more useless.) > > > > Regards, > > > > Scott Ingvaldson > > iSeries System Administrator > > GuideOne Insurance Group > > > > > > > > -----Original Message----- > > date: Mon, 16 May 2005 15:38:01 -0600 (MDT) > > from: James Rich <james@xxxxxxxxxxx> > > subject: RE: iSeries FTP security > > > > On Mon, 16 May 2005, Ingvaldson, Scott wrote: > > > > > I'll certainly agree that many, if not most, shops do not pay enough > > > attention to security. What I disagree with is that this particular > > > "exploit" is as serious as is implied, based on the requirement of a > > > valid, authenticated user to perform it. That's like saying that > > > leaving your QSECOFR password set to default and having a direct > > > internet connection is a "serious vulnerability." > > > > Doing so *does* constitute a serious vulnerability. > > > > > Certainly, Rob, a sufficiently knowledgeable and talented user could > > use > > > FTP to go after > > > > > /qsys.lib/mylib.lib/myfile.file/mymbr.mbr/../../payroll.file/payroll.mbr > > > and download the payroll file, but should this user have FTP access to > > > this system at all? Is this really an "exploit" or, to coin a phrase > > > "Working As Designed?" How difficult is it to write an Exit Point > > > Program to restrict all FTP access to authorized FTP users only? > > > > So to adequately secure an iSeries I have to write a program? > > > > Exploits can take advantage of coding flaws, configuration flaws, and > > design flaws. That something is working as designed does not in and of > > itself mean that it not an exploit. Look no further than ActiveX for > > proof of that. > > > > > > -- > > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing > > list > > To post a message email: MIDRANGE-L@xxxxxxxxxxxx > > To subscribe, unsubscribe, or change list options, > > visit: http://lists.midrange.com/mailman/listinfo/midrange-l > > or email: MIDRANGE-L-request@xxxxxxxxxxxx > > Before posting, please take a moment to review the archives > > at http://archive.midrange.com/midrange-l. > > > > > > -- > > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing > > list > > To post a message email: MIDRANGE-L@xxxxxxxxxxxx > > To subscribe, unsubscribe, or change list options, > > visit: http://lists.midrange.com/mailman/listinfo/midrange-l > > or email: MIDRANGE-L-request@xxxxxxxxxxxx > > Before posting, please take a moment to review the archives > > at http://archive.midrange.com/midrange-l. > > -- > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing > list > To post a message email: MIDRANGE-L@xxxxxxxxxxxx > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/mailman/listinfo/midrange-l > or email: MIDRANGE-L-request@xxxxxxxxxxxx > Before posting, please take a moment to review the archives > at http://archive.midrange.com/midrange-l. > > > -- > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing > list > To post a message email: MIDRANGE-L@xxxxxxxxxxxx > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/mailman/listinfo/midrange-l > or email: MIDRANGE-L-request@xxxxxxxxxxxx > Before posting, please take a moment to review the archives > at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.