However, minutes after the install, I found an odd spoolfile on the
AS/400, 449 pages of a 5250 hex dump.
Apparently, part of the install on the AS/400 is where it opens a
virtual terminal connection, signs on (using the profile doing the
install), runs STRSST and goes into Display/Alter/Dump. I haven't
interpreted much of it yet, but it's at least accessing one of the
programs it installed.
I have another 400 pages to go through so it'll be a while before I
figure out everything it did. But what bothers me is that I see nothing
in any Tango04 documentation that discusses this. Nor can I come up with
a decent reason why it should be done; everything (reasonable) that
comes to mind seems possible using more conventional methods.
Anybody have any ideas on why it would be done this way? I have a few
ideas, but I'm not happy about any of them.
Thanks.
Tom Liotta
--
Tom Liotta
AS/400 systems programmer
Check this program to see if it is still running in the User
Domain, maybe it is changed to run in System state and that's the
end of your security.
Opinion: Dump it.
hgj
--
IPFLT, Monitor the TCP/IP connects to your AS/400
http://www.xs4all.nl/~hgj/ipflt/
I reviewed the product some time ago, and it isn't all that great.
"Thomas" <tho...@inorbit.com> wrote in message
news:83utji$j6h$1...@nnrp1.deja.com...
> Today I downloaded/installed Tango04's Visual Debugger on one of our
> development AS/400s and my PC. Very impressive install and the pieces of
> code that I could get to work also seemed impressive.
>
> However, minutes after the install, I found an odd spoolfile on the
> AS/400, 449 pages of a 5250 hex dump.
>
> Apparently, part of the install on the AS/400 is where it opens a
> virtual terminal connection, signs on (using the profile doing the
> install), runs STRSST and goes into Display/Alter/Dump. I haven't
> interpreted much of it yet, but it's at least accessing one of the
> programs it installed.
>
----- Original Message -----
From: "Alex Mera Orellana" <am...@tango04.net>
To: <scot...@home.com>
Sent: Tuesday, December 28, 1999 4:54 AM
Subject: Re: Opinions pls: Tango04 install
> We all at Tango/04 are very surprised about all the comments that have
> appeared on this newsgroup related to the installation procedure on VISUAL
> Debugger for Windows. Just to keep you all confident with the security
> issues on the installation procedure, I would like to clarify what it is
> all about:
>
> As all of you should know if you have ever tried any AS/400 product,
> most of them need to be installed on security level 30 or lower. If your
> system is in security level 40 or above, the installation will just not
> work, and you will need to change the security level, power down your
> system, make an IPL and then install the product. We know how tedious this
> could be. What the installation procedure of VISUAL Debugger for Windows
> does is to change the security attributes of some objects at "install
> time". It is very important for you all to note that: this is only changed
> to allow the product to be installed in higher security levels, without
> forcing the IS administrators to change the security level and make an IPL.
>
> Related to the "449 pages of a 5250 hex dump", we force the dump process
> in case that the installation procedure detects any failure, so we have a
> detailed report of what is going on, and we can provide the fastest and
> best technical support to our customers.
>
> The fact is that we are very concerned about security issues. VISUAL
> Debugger for Windows runs even under security level 50, and has a
> bullet-proof user profile-based security management system: only
> authorized users will be allowed to use the product, and even more, the
> capabilities of the product can be limited depending on the user profile
> which is using the product.
>
> Tango/04 has been providing leading edge system tools for years, we are
> an IBM business partner company, awarded several times with the IBM All
> Star Award. So I just would like to point that the best way to answer any
> question you may have is to directly address yourself to Tango04
> (mailto:sup...@tango04.net, or visit our web site http://www.tango04.com).
>
> Best regards,
>
>
>
> Alex Mera Orellana
>
> VISUAL Debugger for Windows Lead Programmer
> Tango/04 Computing Group
> mailto:am...@tango04.net
Security Level 40 and 50 were developed to protect systems from hacks such
as you are using. When you force an install to be done through Security
Officer and then use SST to modify your own program objects to run in the
System Domain, you have defeated any protection that the OS provides us.
Essentially you are asking your users to give you the keys to the system.
Obviously, I do not *BELIEVE* you are doing anything unethical, however, I
do not know your company, and certainly I do not know your programmers. Can
you certify that every line of your code is checked to ensure that none of
your programmers are installing back doors and trojan horses on my system?
Even if you did certify it, how can I know that you actually have reviewed
the code you are installing?
And, NO, most software absolutely does *NOT* require security level 30 or
below. Products that do require it are using "unsupported interfaces" and
are generally poorly behaved and prone to failure as new OS releases are
installed. And since your product finds it necessary to change the domain of
your programs, then it must be assumed that it too is using "unsupported
interfaces" and is poorly behaved and prone to failures as new OS Releases
are installed.
Your whole email missed the entire point. While you expound the security
features in your product to keep unauthorized users out, which no one
doubts, you forgot that it is *YOUR* software's misuse of security that has
me concerned.
I don't trust your software, it asks for *TOO MUCH* for what it does.
> I just got this private email from someone at Tango/04 defending
> their program's installation
Me too :-) Here's my reply:
Quoting Alex Mera Orellana <am...@tango04.net>:
> As all of you should know if you have ever tried any AS/400 product,
> most of them need to be installed on security level 30 or lower. If
> your system is in security level 40 or above, the installation will
> just not work.
Installing 'normal' end-user applications is very well possible
with level 40 security. I agree with you that when you install
developer tools like your product then security level 30 could be a
problem.
If you can generate a 'secret 5250 session' where you start SST to
change things you can also create a 'manual actions after install'
document.
- Explain what the security changes are.
- Explain why your product needs them.
- Create manual instructions on how to apply those security changes.
Or if it's a lot, create a post-install program and deliver it
with the source.
Your real problem is not the fact there are some security adjustments
needed after the install, your problem is that you did try to do this
hidden.
> Related to the "449 pages of a 5250 hex dump", we force the dump
> process in case that the installation procedure detects any failure.
So the only reason there is a log is the fact that there was a failure
in the installation procedure? If everything went ok then he would
never know you did start SST to change security settings?
(ok, it's also in the QAUDJRN journal).
Greetings, Herbert
As all of you should know if you have ever tried any AS/400 product,
most of them need to be installed on security level 30 or lower. If your
system is in security level 40 or above, the installation will just not
work, and you will need to change the security level, power down your
system, make an IPL and then install the product. We know how tedious this
could be. What the installation procedure of VISUAL Debugger for Windows
does is to change the security attributes of some objects at "install time".
It is very important for you all to note that: this is only changed to allow
the product to be installed in higher security levels, without forcing the
IS administrators to change the security level and make an IPL.
Related to the "449 pages of a 5250 hex dump", we force the dump process
in case that the installation procedure detects any failure, so we have a
detailed report of what is going on, and we can provide the fastest and best
technical support to our customers.
The fact is that we are very concerned about security issues. VISUAL
Debugger for Windows runs even under security level 50, and has a
bullet-proof user profile-based security management system: only authorized
users will be allowed to use the product, and even more, the capabilities of
the product can be limited depending on the user profile which is using the
product.
Tango/04 has been providing leading edge system tools for years, we are
an IBM business partner company, awarded several times with the IBM All Star
Award. So I just would like to point that the best way to answer any
question you may have is to directly address yourself to Tango04
(mailto:sup...@tango04.net, or visit our web site http://www.tango04.com).
Best regards,
Alex Mera Orellana
VISUAL Debugger for Windows Lead Programmer
Tango/04 Computing Group
mailto:am...@tango40.net
Tim wrote in message ...
Well said. I'd start this off with something like "In other words...",
but you hit the exact words. You covered the situation as it should have
been in a public newsgroup.
>Your whole email missed the entire point. While you expound the security
>features in your product to keep unauthorized users out, which no one
>doubts, you forgot that it is *YOUR* software's misuse of security that has
>me concerned.
>
>I don't trust your software, it asks for *TOO MUCH* for what it does.
I feel the same way.
We just got a copy of IBM's Via Voice for NT. It can only be USED by someone
with Administrator authority. So, to deploy this product, we have to give all
our users Administrator access to the PCs. As if!
What do people think security is for?
On Tue, 28 Dec 1999 11:49:42 +0100, "Alex Mera Orellana"
<am...@ibm.net> wrote:
> As all of you should know if you have ever tried any AS/400 product,
>most of them need to be installed on security level 30 or lower . If your
>system is in security level 40 or above, the installation will just not
>work, and you will need to change the security level, power down your
>system, make an IPL and then install the product.
This is the exception rather than the rule. I know of very few
AS/400 products that won't run at QSECURITY level 40 and above.
And I only know of one product (yours would be the second) that
manipulates object domain in order to bypass the level 40 security
features.
I don't think that it is necessarily bad to manipulate object
domains, but to do so without first informing the customer and
providing the customer with a choice as to whether to proceed is
not, in my opinion, the right thing to do.
All most customers ask for is notification. At the end of the
day, they are the ones that are responsible for their own
systems... If you make a mistake, they are the ones who pull the
all-nighter putting things back together. If you're manipulating
objects, you should tell the customer up front.
IMHO
jte
--
John Earl - john...@400security.com * 206-575-0711
The PowerTech Group - Seattle - 206-575-0711
PowerLock - AS/400 Security - www.400security.com
400School - AS/400 Education - www.400school.com
--