Don't you hate it when reality interferes with theory?  :-)
I hear you.

Rob Berendt
-- 
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





"Kurt Goolsbee" <kurt.goolsbee@xxxxxxxxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
05/18/2005 09:51 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
"'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
cc

Subject
RE: iSeries FTP security






Yes, the marketing person could pound his chest after wasting QE time to
research the problem while simultaneously Tech Support was wasting R&D time
on the same thing.

I'm only half-empty to counter all the half-full people I'm forced to be
around.

Kurt

> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-
> bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
> Sent: Wednesday, May 18, 2005 8:54 AM
> To: Midrange Systems Technical Discussion
> Subject: RE: iSeries FTP security
> 
> You're a glass is half empty kind of person aren't you?  :-)
> I would think that their marketing team would be able to pound their chest
> in pride and say they have it fixed, unlike what they've heard about some
> of their competition.
> 
> Rob Berendt
> --
> Group Dekko Services, LLC
> Dept 01.073
> PO Box 2000
> Dock 108
> 6928N 400E
> Kendallville, IN 46755
> http://www.dekko.com
> 
> 
> 
> 
> 
> "Kurt Goolsbee" <kurt.goolsbee@xxxxxxxxxxxxx>
> Sent by: midrange-l-bounces@xxxxxxxxxxxx
> 05/17/2005 07:15 PM
> Please respond to
> Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
> 
> 
> To
> "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
> cc
> 
> Subject
> RE: iSeries FTP security
> 
> 
> 
> 
> 
> 
> What about the software packages that he listed that DO NOT have this
> problem - was it a service to them?  I'm not sure the product marketing and
> support folks that had their time wasted by customers wanting fixes for a
> non-existent problem would agree.
> 
> Kurt
> 
> > -----Original Message-----
> > From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-
> > bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
> > Sent: Tuesday, May 17, 2005 4:44 PM
> > To: Midrange Systems Technical Discussion
> > Subject: RE: iSeries FTP security
> >
> > Scott,
> >
> > I think we need to compromise between "any valid, authenticated user" and
> > it's only a security issue if it's a Windows specific issue like a buffer
> > overflow.
> >
> > I still think, in this case, he provided a service and I appreciate the
> > heads up.
> >
> > Rob Berendt
> > --
> > Group Dekko Services, LLC
> > Dept 01.073
> > PO Box 2000
> > Dock 108
> > 6928N 400E
> > Kendallville, IN 46755
> > http://www.dekko.com
> >
> >
> >
> >
> >
> > "Ingvaldson, Scott" <SIngvaldson@xxxxxxxxxxxx>
> > Sent by: midrange-l-bounces@xxxxxxxxxxxx
> > 05/17/2005 08:33 AM
> > Please respond to
> > Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
> >
> >
> > To
> > <midrange-l@xxxxxxxxxxxx>
> > cc
> >
> > Subject
> > RE: iSeries FTP security
> >
> >
> >
> >
> >
> >
> > Of course that would be a serious vulnerability.  But who among us does
> > not already know this and should it really be considered an "exploit?"
> > As to the second question, you don't need to write a program to secure
> > FTP, you can just turn it off.
> >
> > The disservice that Mr. Carmel is doing is not in the area of educating
> > users on iSeries security, it is in the misposting of these
> > "vulnerabilities" in places like Bugtraq and suggesting that these are
> > weaknesses inherent in the iSeries.  Maybe I'm off base here, but in my
> > mind a true exploit reads something like this: "Attackers can exploit a
> > buffer overflow in the login to gain root access..."
> >
> > Certainly we can all pay more attention to security and most likely
> > every one of us has multiple back doors and unauthorized access points
> > on our systems that could be locked down a little tighter.  Should
> > something like this really be considered a serious vulnerability: "A
> > valid, authenticated user can access and retrieve all of the files that
> > he has authority to..."  Or is that how it's supposed to work?
> >
> > Should someone post to Bugtraq the fact that many newer iSeries models
> > have a port in the back that accepts a standard ethernet cable and will
> > allow any "valid, authenticated user" to download all of "the files that
> > he has authority to?"  If you unplug your ethernet lines your system
> > will be much more secure (and much more useless.)
> >
> > Regards,
> >
> > Scott Ingvaldson
> > iSeries System Administrator
> > GuideOne Insurance Group
> >
> >
> >
> > -----Original Message-----
> > date: Mon, 16 May 2005 15:38:01 -0600 (MDT)
> > from: James Rich <james@xxxxxxxxxxx>
> > subject: RE: iSeries FTP security
> >
> > On Mon, 16 May 2005, Ingvaldson, Scott wrote:
> >
> > > I'll certainly agree that many, if not most, shops do not pay enough
> > > attention to security.  What I disagree with is that this particular
> > > "exploit" is as serious as is implied, based on the requirement of a
> > > valid, authenticated user to perform it.  That's like saying that
> > > leaving your QSECOFR password set to default and having a direct
> > > internet connection is a "serious vulnerability."
> >
> > Doing so *does* constitute a serious vulnerability.
> >
> > > Certainly, Rob, a sufficiently knowledgeable and talented user could use
> > > FTP to go after
> > >
> > > /qsys.lib/mylib.lib/myfile.file/mymbr.mbr/../../payroll.file/payroll.mbr
> > > and download the payroll file, but should this user have FTP access to
> > > this system at all?  Is this really an "exploit" or, to coin a phrase
> > > "Working As Designed?"  How difficult is it to write an Exit Point
> > > Program to restrict all FTP access to authorized FTP users only?
> >
> > So to adequately secure an iSeries I have to write a program?
> >
> > Exploits can take advantage of coding flaws, configuration flaws, and
> > design flaws.  That something is working as designed does not in and of
> > itself mean that it is not an exploit.  Look no further than ActiveX for
> > proof of that.
> >
> >
> > --
> > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
> > list
> > To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> > To subscribe, unsubscribe, or change list options,
> > visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> > or email: MIDRANGE-L-request@xxxxxxxxxxxx
> > Before posting, please take a moment to review the archives
> > at http://archive.midrange.com/midrange-l.
> >
> >
> 
> 
> 

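An added example, not from the thread and not IBM's exit point interface, of the decision an FTP exit program would have to make for the path Scott quotes. It models the check in Python: comparing the raw request text against an allow-list passes the `..` path, while resolving the path before checking does not. The user profile name, the allow-list and the use of `posixpath` for resolution are assumptions for illustration.

```python
import posixpath
from typing import Optional

# Constructed policy (assumption, not from the thread): each FTP user may
# retrieve only the listed objects, written as /QSYS.LIB/<lib>.LIB/<obj>.<type>.
# Names are upper case because QSYS.LIB object names are case-insensitive.
ALLOWED_OBJECTS = {
    "CLERK1": {"/QSYS.LIB/MYLIB.LIB/MYFILE.FILE"},
}


def normalize_ifs_path(raw_path: str) -> str:
    """Collapse '.' and '..' segments and fold case so two spellings of the
    same object compare equal. posixpath.normpath clamps any attempt to
    climb above '/' at the root."""
    if not raw_path.startswith("/"):
        raw_path = "/" + raw_path
    return posixpath.normpath(raw_path).upper()


def object_of(normalized: str) -> Optional[str]:
    """Return the '/QSYS.LIB/<lib>.LIB/<obj>.<type>' prefix of a resolved
    path, or None when the path is not a QSYS.LIB object at all."""
    parts = normalized.strip("/").split("/")
    if len(parts) < 3 or parts[0] != "QSYS.LIB" or not parts[1].endswith(".LIB"):
        return None
    return "/" + "/".join(parts[:3])


def prefix_check_allowed(user: str, raw_path: str) -> bool:
    """Weak form: a string-prefix test on the request as typed. The quoted
    path starts with an allowed object, so the '..' climb is never seen."""
    allowed = ALLOWED_OBJECTS.get(user.upper(), set())
    return any(raw_path.upper().startswith(obj) for obj in allowed)


def resolved_check_allowed(user: str, raw_path: str) -> bool:
    """Hardened form: decide on the object the path actually resolves to,
    so '..' cannot move the request to another file or another library."""
    obj = object_of(normalize_ifs_path(raw_path))
    return obj is not None and obj in ALLOWED_OBJECTS.get(user.upper(), set())


if __name__ == "__main__":
    quoted = "/qsys.lib/mylib.lib/myfile.file/mymbr.mbr/../../payroll.file/payroll.mbr"
    print("prefix check  :", prefix_check_allowed("clerk1", quoted))   # True  (bypassed)
    print("resolved check:", resolved_check_allowed("clerk1", quoted)) # False (denied)
```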