System name and all that stuff can be created by someone with sufficient
intent to create a tape that looks legitimate. Think of it like email
spam. The headers and all can look just like the message came from your
bank but it's all been spoofed. When you have block-by-block control of
what gets written to the tape you can make a tape look like it came from
anywhere. This isn't an iSeries limitation; it's a technology limitation.

IMO the best solution is to encrypt. Via either hardware or software. The
backup can then only have come from a system that knows the encryption key.
Which means the tape can't be spoofed unless the "bad guy" has also gotten
hold of your encryption key. BRMS can do the encryption with an add-on, or,
LTO4 and possibly other tape libraries have an optional encryption option.
We're starting to go down the path of letting the LTO4 library handle our
backup encryption.


On Fri, Apr 16, 2010 at 10:49 AM, Antonio Fernandez-Vicenti <afvaiv@xxxxxxxxxxxxxx> wrote:

Thanks to all who answered.
I just had a meeting with customer, and in the light of all your
comments we're going to consider alternatives you suggested.
Nevertheless, we (customer and myself) are quite surprised:
AS/400, iSeries, i5 ... such a powerful beast... Journals of all kinds,
HA programs (MIMIX, etc) and so many good things, ...
and something so "basic" as to identify the System's SYSNAME /
MachineSerialNo when you do a SAVxxx is not kept anywhere!!!
As mentioned, we shall reconsider checksum, hash, php, ... but this
should be "in addition to"...
Anybody can give me a reason why writing SYSNAME/Machine SerialNo. to
the first few tape blocks would be a bad idea?
So many years since S/38 was born, I had never thought tapes were ALL
UNidentified, as per their origin!
TIA

On 14/04/2010 18:05, Antonio Fernandez-Vicenti wrote:
Assume you have several iSeries systems.
Someone has stolen one of your tapes with LIBxxx objects (files, etc).
Restores it to a different system. Modifies some / much of the data,
then does a SAVLIB.

If the case arrives, ... Can you positively, strictly, identify that
tape as being NOT-one-of-ours-for-sure?

e.g., by means of dumping control blocks at the beginning of the tape, or
any other similar ways.
I guess System's SYSNAME or SerialNo. are not kept in the tape's data
control blocks.
And, even if it is, can you strictly prove "it-is-NOT-our-tape"?

TIA




--
Antonio Fernández-Vicenti
afvaiv@xxxxxxxxxxxxxx
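
The point made in this thread, that origin fields and a plain hash can be rewritten by whoever writes the tape while a value that depends on a secret key cannot, shown as an added example that is not part of any message above. It swaps in an HMAC tag for the encryption the reply recommends; the key, system name, serial number and saved data are all constructed values.

```python
import hashlib
import hmac

# Constructed sample values; none come from a real system.
SITE_KEY = b"constructed-demo-key-held-only-on-our-systems"
SAVED_DATA = b"LIBXXX objects as written by SAVLIB (constructed bytes)"


def make_label(sysname: str, serial: str, data: bytes) -> dict:
    """Plain label: origin fields plus an unkeyed SHA-256 of the saved data."""
    return {"sysname": sysname, "serial": serial,
            "sha256": hashlib.sha256(data).hexdigest()}


def label_bytes(label: dict) -> bytes:
    """Length-prefixed encoding so field boundaries cannot be shifted."""
    fields = [label[k].encode() for k in ("sysname", "serial", "sha256")]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def sign_label(label: dict, key: bytes) -> str:
    """Keyed tag over the label; only a holder of the key can produce it."""
    return hmac.new(key, label_bytes(label), hashlib.sha256).hexdigest()


def verify_tape(label: dict, tag: str, data: bytes, key: bytes) -> bool:
    """True only if the data matches the label and the tag was made with key."""
    data_ok = hmac.compare_digest(hashlib.sha256(data).hexdigest(), label["sha256"])
    tag_ok = hmac.compare_digest(sign_label(label, key), tag)
    return data_ok and tag_ok


def demo() -> dict:
    # Our system saves the library and tags the label with the site key.
    label = make_label("PRODSYS1", "10-ABCDE", SAVED_DATA)
    tag = sign_label(label, SITE_KEY)
    # Another system re-saves modified data and copies our SYSNAME and serial.
    forged_data = SAVED_DATA + b" (modified elsewhere)"
    forged = make_label("PRODSYS1", "10-ABCDE", forged_data)
    return {
        "genuine": verify_tape(label, tag, SAVED_DATA, SITE_KEY),
        # The unkeyed hash proves nothing: the writer simply recomputed it.
        "forged_hash_matches": hashlib.sha256(forged_data).hexdigest() == forged["sha256"],
        # Copying our old tag fails, and so does a tag made without our key.
        "forged_with_old_tag": verify_tape(forged, tag, forged_data, SITE_KEY),
        "forged_with_other_key": verify_tape(
            forged, sign_label(forged, b"not-our-key"), forged_data, SITE_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

As the reply notes for encryption, the guarantee holds only while the key stays secret, and an unmodified copy of a genuine tape still verifies because its content really did come from the keyed system.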
