
How to hack AS/400 .. any idea(s) ..?


tho...@inorbit.com

Jun 17, 1998, 3:00:00 AM

Ositim:

Definitely agreed that a public NG is inappropriate.

OTOH, I've always been bothered that IBM posted the (nearly) complete set of
manuals on the Internet, including security manuals. 'Tips and Techniques for
Securing Your AS/400' is essentially a roadmap for hacking.

Tom Liotta

In article <199806161249...@ladder01.news.aol.com>,
osi...@aol.com (OSITim) wrote:
>
> I don't think a public internet news group is the proper forum for discussing
> methods of hacking into an AS/400.
>
> And yes it is possible for a fairly knowledgeable programmer to plant trojan
> horses and collect passwords.
>
> I have noticed that once a programmer is given access to an AS/400 you do
> leave yourself somewhat vulnerable.
>



tho...@inorbit.com

Jun 17, 1998, 3:00:00 AM

Charles:

Don't forget DSPOBJD OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) and various list APIs
along with authority to CRTSRCPF and CRTCLPGM/CRTCMD or STRREXPRC or etc.,
etc.

How about uploading a command set to create a source file, then upload a
member and compile it. Locate a *usrprf that *PUBLIC can use with, say,
*SAVRST special authority. Then... well, that's enough on that line.

Of course, if you're lucky enough to find a _really_ good *usrprf, you
compile your program that uses VTerm APIs and goes into SST to poke around in
memory... haven't tried that one yet. Maybe it isn't allowed via VTerm.

In other words, IMHO a good reason to RVKOBJAUT on just about everything that
isn't required.

Tom Liotta

In article <35867B...@vnet.ibm.com>,
"Charles R. Pence" <crp...@vnet.ibm.com> wrote:
>
> Paul Nicolay wrote:
> >
> > Hi,
> > <<SNIP>>
> > Therefore, logon with a *USER, issue a WRKUSRPRF *ALL and check the
> > profiles you see (shouldn't be any at all, at least not the ones with
> > higher authority).
> >
> > Regards,
> > Paul
>
> And IMO a good reason to RVKOBJAUT on WRKUSRPRF and DSPAUTUSR commands
> for which typically there is no reason for any non-secofr user to
> access. This may be part of the security tool.?.?
>
> Regards, Chuck
> -- Comments provided "as is" with no warranties of any kind whatsoever.

Fred A. Kulack

Jun 17, 1998, 3:00:00 AM

I think I have to disagree. A public newsgroup is the best place to discuss it.
The discussions ARE occurring anyway. Would you prefer they occur on some
backwoods hacker web page or IRC chat that _YOU_ don't have access to?

OSITim wrote in message <199806161249...@ladder01.news.aol.com>...

John Dobson

Jun 17, 1998, 3:00:00 AM

A hearty second on this comment. We can do a lot to protect ourselves, if
we just know how. I've learned a few things following this thread.

Yes, these discussions are occurring in the hacker world. So let's do
everything we can to educate ourselves.

John Dobson

Fred A. Kulack wrote in message <6m8h50$vps$1...@news.rchland.ibm.com>...

Richard Knechtel

Jun 17, 1998, 3:00:00 AM

John Dobson wrote:
>
> A hearty second on this comment. We can do a lot to protect ourselves, if
> we just know how. I've learned a few things following this thread.
>
> Yes, these discussions are occurring in the hacker world. So let's do
> everything we can to educate ourselves.
>
> John Dobson
>
Well, a lot of the "less hacking" of the AS/400's is due to the Hackers
knowing a lot less about how to hack the AS/400. If you openly post
these kinds of things, those who don't use this newsgroup that have
AS/400's are now more open to hacker attacks. (Yes, they may not have
their AS/400 secured correctly, but still you're endangering them.) The
hackers monitor this group. I know I have had a few contact me VIA Email
asking me specifics about how to hack into an AS/400, and have told them
politely that I wouldn't give that kind of information out. This is the
flip side of the issue. I think it would probably be best to take those
kinds of discussions to Email where it's a little less open IMHO. True,
less people would see the discussion, but less people would be open to
attack too.

Just my $.03 worth.

Regards,


--

Richard Knechtel
CENTROBE
(an EDS company)

(Systems Engineer/System Administrator)
(Aspiring AS/400 GURU)
(Aspiring Linux GURU)
(Aspiring Visual Basic Programmer)

The contents of this message express only MY opinion.
This message does not necessarily reflect the policy or views of
my employer, EDS. All responsibility for the statements
made in this posting resides solely and completely with the
ME.
I Ex-Spaminate spammers!
See US Code Title 47, Sec.227(a)(2)(B), Sec.227(b)(1)(C)
and Sec.227(b)(3)(C).

ChangAtNYC

Jun 17, 1998, 3:00:00 AM

Richard,

I don't know whether avoiding the topic in a public forum is the best way to
protect ourselves. IMHO, AS/400 is less hacked than other systems - say Unix -
because (1) like you said, hackers don't know OS/400 as well as they know
other OSes, (2) an OS like Unix allows many more "holes" to explore than OS/400,
and (3) AS/400 had been a standalone type of system until the last couple of
years when it can be used as a web server and linked to the outside world.

Let's face it, if a hacker is determined to hack AS/400, s/he will do so, and I
can guarantee you that they will find the info they need. (Isn't that a common
knowledge (or belief) that hackers are super programmers who are capable of
learning any computer OS far better than you and I can?) And if AS/400 is going to
thrive with the Internet, AS/400 can only be more popular (which is always good
for us), and will therefore attract hackers' attention. (Take NT, when it
first came out, you hardly heard anyone wanted to hack it, but now that it's
popular, it's the new playground for many).

So, what's the solution, don't use AS/400 as a web server, fax server, Notes
server or any other type of communication server so that nobody would be able
to hack (besides an inside job)? I don't think this is where AS/400 is leading
into with all these new V4Rx coming out. So, we may as well educate ourselves
ahead of time to tighten security.

I'm all for discussing the topic here.

David Chang
Parade Publications

> Well, a lot of the "less hacking" of the AS/400's is due to the Hackers
>knowing a lot less about how to hack the AS/400. If you openly post
>these kinds of things, those who don't use this newsgroup that have
>AS/400's are now more open to hacker attacks. (Yes, they may not have
>their AS/400 secured correctly, but still you're endangering them.) The
>hackers monitor this group. I know I have had a few contact me VIA Email
>asking me specifics about how to hack into an AS/400, and have told them
>politely that I wouldn't give that kind of information out. This is the
>flip side of the issue. I think it would probably be best to take those
>kinds of discussions to Email where it's a little less open IMHO. True,
>less people would see the discussion, but less people would be open to
>attack too.
>
>Just my $.03 worth.

OSITim

Jun 18, 1998, 3:00:00 AM

I know of a way that a programmer can write a program to steal passwords on the
AS/400 that no amount of security can prevent. And that can go virtually
undetected, other than to keep the programmer off the system completely.

>Hi Tim,
>
>If the programmer is able to plant a trojan horse and collect passwords, I
>would say that security is already not in place. I once sealed off an
>AS/400 at a school (and believe me, students might be stupid these days,
>but when it comes to hacking the college computer they're all awake). So
>far, none of these "programmers" has succeeded in hacking the system....
>
>Kind regards,
>Paul
>__________________
>OSITim <osi...@aol.com> wrote in article
><199806161249...@ladder01.news.aol.com>...
>> I don't think a public internet news group is the proper forum for discussing
>> methods of hacking into an AS/400.
>>
>> And yes it is possible for a fairly knowledgeable programmer to plant trojan
>> horses and collect passwords.
>>
>> I have noticed that once a programmer is given access to an AS/400 you do
>> leave yourself somewhat vulnerable.
>>
>
>

> The contents of this message express only the sender's opinion.
> This message does not necessarily reflect the policy or views of
> my employer, Merck & Co., Inc. All responsibility for the statements
> made in this Usenet posting resides solely and completely with the
> sender.

John Selph

Jun 18, 1998, 3:00:00 AM

When our 36 turned into an AS/400 V3R05 I was curious, so I dug around some.
Hackers were aware of all the common OS/400 username/password combinations.
From time to time I still check hacker pages for info. Why? Well, you can
either stick your head in the sand and then tell your boss "well I didn't
know about that hack method" or you can do something about it with up front
knowledge. You have to beat these people at their own game. Hackers just
aren't as dumb as we would all like to pretend they are. They won't give up
just because you don't talk about what they're doing.

tho...@inorbit.com wrote in message <6m7got$r0o$1...@nnrp1.dejanews.com>...

Neil Wood

Jun 18, 1998, 3:00:00 AM

OSITim wrote in message <199806180108...@ladder01.news.aol.com>...

>I know of a way that a programmer can write a program to steal passwords on the
>AS/400 that no amount of security can prevent. And that can go virtually
>undetected, other than to keep the programmer off the system completely.
>


Depends on what you mean "on the AS/400". Actually logged in or watching
the network bytes?

If you mean actually logged in, it depends on what special authorities are
granted to programmers doesn't it? If you grant them powerful special
authorities such as *ALLOBJ and/or *SERVICE you have opened a lot of doors.

Doing a communications trace from the 400 requires special authority
(*service), but from another system there may be holes.

Unfortunately a hacker doesn't even have to write a program to steal
passwords. He can call one of your users and pose as someone in I.S. and
garner the password that way. And that, no amount of security can prevent.
Even if you tell your users to never give them out, they will.


Neil Wood
Programmer Analyst
IBM Certified Specialist


Richard Knechtel

Jun 18, 1998, 3:00:00 AM

John Selph wrote:
>
> When our 36 turned into an AS/400 V3R05 I was curious, so I dug around some.
> Hackers were aware of all the common OS/400 username/password combinations.
> From time to time I still check hacker pages for info. Why? Well, you can

Good man! That's what should be done. Browse through the HPAVC pages,
read the text files they put out there (some of it is pure BS written by
childish wannabes). Read all four of the Legion of Doom tech
journals, all 40+ issues of Phrack, also TAP. There are some others, and
check out CUD. There is ALL kinds of information on HP stuff in these.
Don't just worry about if there is only AS/400 information in them, the
telephone stuff, the network stuff still applies. And if your system
connects to Unix, PCs etc., you would want to know some of that stuff
too. And get a subscription to 2600 magazine. A lot of the latest
greatest stuff comes in articles in there.

> either stick your head in the sand and then tell your boss "well I didn't
> know about that hack method" or you can do something about it with up front
> knowledge. You have to beat these people at their own game. Hackers just
> aren't as dumb as we would all like to pretend they are. They won't give up
> just because you don't talk about what they're doing.
>

The best way to secure your system is to try to hack it yourself. If you
can, you know you have a hole. If you can't, that still doesn't mean you don't
have a hole. My thought on it is if you know how to hack a system you're
better prepared to secure it.

Regards,


--

Richard Knechtel
CENTROBE
(an EDS company)

(Systems Engineer/System Administrator)
(Aspiring AS/400 GURU)
(Aspiring Linux GURU)
(Aspiring Visual Basic Programmer)

The contents of this message express only MY opinion.
This message does not necessarily reflect the policy or views of

Fred A. Kulack

Jun 18, 1998, 3:00:00 AM

>Would you be interested in me posting a technique for replacing a trigger on
>one of your PFs that does _NOT_ require using the appropriate commands? No
>auditing and essentially undetectable unless you continuously monitor every
>PF you have by visual inspection. Since you have no protection, why post it
>publicly?
>
>Tom Liotta

I see your point and respect your opinion, but ultimately, I disagree.

Yes, I'd be very interested in seeing that kind of information posted
publicly.

Perhaps if these problems were discussed globally (like Netscape,
Unix, NT, etc. security problems), fixes would be forthcoming
and more young people would get education or excited about
the AS/400 instead of thinking of it (or NOT thinking of it) as
most do.

In my opinion, knowledge and freedom have always made it easier
for evil people to do MORE evil. Fortunately, it has also made it
easier for good people to do MORE good.
I think the good outweighs the bad.

(BTW, this is all my personal opinions and definitely not that of
my employer)

sami...@bix.com

Jun 18, 1998, 3:00:00 AM

This logic appears extensible to all technical discussion of the AS/400.
Why then are we all here?

On Thu, 18 Jun 1998 02:50:11 GMT thomas of Deja News - The Leader in
Internet Discussion wrote this re Re: How to hack AS/400 .. any idea(s) .?:
>Because the AS/400 is a business system, I believe the discussions should take
>place in a business environment.

Scott A. Miller
sami...@bix.com sami...@cyberenet.net
Have a new Java product? Announce it @ www.javalobby.org/javawire

Hussain Akbar

Jun 18, 1998, 3:00:00 AM

I have tried out 4 ways which worked on the system I was administering.

1. On level 30, simply connect using CA and use the CRTUSRPRF API to create
a user with *ALLOBJ. I haven't tried this program under V4 but it worked
under V3.

2. FTP on V3 allowed profiles which had been marked as DISABLED.

3. Simplest trick in the book: Write a CL program to SNDRCVF file QDSIGNON
on someone's terminal when he isn't looking and SNDMSG the results to
yourself.

4. Look into the terminal line memory from SST.

And yes, I agree that a public NG is where this discussion should be. There
are administrators who read this as well as hackers. We need to be aware of
weak points.

Hussain

boo...@ibm.net

Jun 18, 1998, 3:00:00 AM

Tom, I have no doubt of what you say, but it is my understanding that if
you can do that in IBM's plant, someone there will buy you a cup of
coffee.

In <6m9v93$hbj$1...@nnrp1.dejanews.com>, on 06/18/98
at 02:50 AM, tho...@inorbit.com said:


>Would you be interested in me posting a technique for replacing a trigger
>on one of your PFs that does _NOT_ require using the appropriate
>commands? No auditing and essentially undetectable unless you
>continuously monitor every PF you have by visual inspection. Since you
>have no protection, why post it publicly?

>Tom Liotta
--
-----------------------------------------------------------
boo...@ibm.net
Booth Martin
-----------------------------------------------------------


Charles M. Wilt

Jun 18, 1998, 3:00:00 AM

> 1. On level 30, simply connect using CA and use the CRTUSRPRF API to create
> a user with *ALLOBJ. I haven't tried this program under V4 but it worked
> under V3.

Did the user profile you were logged in under have *ALLOBJ? If so, then that
explains why this worked.

>
> 2. FTP on V3 allowed profiles which had been marked as DISABLED.
>

I'm on v3r7 and FTP would NOT allow me to log on with a disabled profile

--
Charles Wilt
Miami Luken, Inc.
Springboro, OH. 45066
e-mail: charle...@worldnet.no.spam.att.net
--remove the .no.spam

Njål Fisketjøn (Njal Fisketjon)

Jun 18, 1998, 3:00:00 AM

On Thu, 18 Jun 1998 23:01:23 +0500, "Hussain Akbar"
<hus...@myself.com> wrote:

>
>3. Simplest trick in the book: Write a CL program to SNDRCVF file QDSIGNON
>on someone's terminal when he isn't looking and SNDMSG the results to
>yourself.
>

Or, even simpler: Use the SDA test option on the QDSIGNON display file
overridden to the device you want.


Njål Fisketjøn, FIGU DATA AS
njal.fi...@figu.no
http://www.robin.no/~nfisketj

news.compuserve.com

Jun 18, 1998, 3:00:00 AM

Actually the method I know about requires no comm traces and no contact with
the user and the programmer needs only to be able to compile a program.

Bob Gilsdorf

Jun 18, 1998, 3:00:00 AM

OSITim wrote:
>
> I don't think a public internet news group is the proper forum for discussing
> methods of hacking into an AS/400.
>
> And yes it is possible for a fairly knowledgeable programmer to plant trojan
> horses and collect passwords.
>
> I have noticed that once a programmer is given access to an AS/400 you do
> leave yourself somewhat vulnerable.

One of the easiest ways to get in is using the QSRV user profile. Many
shops don't change the QSRV password from its default.

QSRV can run STRSST and do comm line traces. Comm line traces on lines
containing remote control units hosting terminals will show the password
in the line trace. You see some interesting passwords that way.

Remember always change all IBM supplied profile passwords!!!
--
R. Gilsdorf
AS/400 System Engineer
Sophisticated Systems Inc.
R...@centuryinter.net
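
A hardening sketch for the defensive points raised so far in the thread: restricting WRKUSRPRF and DSPAUTUSR, finding user profiles that *PUBLIC can use, and changing IBM-supplied profile passwords. It is an added example, not part of any post. It assumes a sign-on with *ALLOBJ and *SECADM, a release that ships the security tools commands ANZDFTPWD and PRTPUBAUT, and that nobody needs to sign on as QSRV.

```cl
/* Added example, not from the thread. Run under a security officer  */
/* profile (*ALLOBJ and *SECADM). Assumes the security tools         */
/* commands ANZDFTPWD and PRTPUBAUT exist on this release.           */
PGM

  /* 1. Report every profile whose password equals its profile      */
  /*    name, which covers IBM-supplied profiles left at their      */
  /*    shipped values. ACTION(*NONE) only prints; nothing changes. */
  ANZDFTPWD  ACTION(*NONE)

  /* 2. Remove the sign-on password from QSRV. Assumption: nobody   */
  /*    signs on as QSRV here. If someone must, set a non-default   */
  /*    password instead of *NONE. Repeat for each profile that     */
  /*    step 1 reports.                                             */
  CHGUSRPRF  USRPRF(QSRV) PASSWORD(*NONE)

  /* 3. Take away *PUBLIC authority to the commands that list       */
  /*    profiles, as suggested in the thread. Profiles with         */
  /*    *ALLOBJ can still run them.                                 */
  RVKOBJAUT  OBJ(QSYS/WRKUSRPRF) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
  RVKOBJAUT  OBJ(QSYS/DSPAUTUSR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)

  /* 4. Print the user profiles whose *PUBLIC authority is not      */
  /*    *EXCLUDE. Any profile on this report can be used by         */
  /*    everyone and should be set to *EXCLUDE.                     */
  PRTPUBAUT  OBJTYPE(*USRPRF)

  /* 5. Print the resulting command authorities so the change       */
  /*    can be reviewed and kept as evidence.                       */
  DSPOBJAUT  OBJ(QSYS/WRKUSRPRF) OBJTYPE(*CMD) OUTPUT(*PRINT)
  DSPOBJAUT  OBJ(QSYS/DSPAUTUSR) OBJTYPE(*CMD) OUTPUT(*PRINT)

ENDPGM
```

Review the spooled reports from steps 1 and 4 before changing anything beyond QSRV.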

tho...@inorbit.com

Jun 19, 1998, 3:00:00 AM

Fred:

I believe that that kind of info is best spread by reporting it to IBM rather
than the world at large, possibly through an organization such as COMMON and
its security project. Definitely a number of voices have larger impact than
just one, but some fixes require fundamental changes and may not be possible
until the "release after next". In the meantime, endangering every AS/400 on
the planet cannot be wise.

Granted, there are a number of issues such as the notorious QCPFMSG problem
that are relatively trivial to fix, for both IBM and individual customers.
Once these reach any kind of public awareness, they should be spread as far
and fast as possible through the AS/400 world. But what about a relatively
simple technique for switching a program from user to system state? To fix it
could require reworking internal structures, retranslating programs (e.g.,
moving from CISC to RISC). Not the kind of thing that gets fixed quickly.

My personal belief in public education has to take a back seat to my
professional responsibility to my employers (unless I go back to independent
status). It takes quite a bit of time to secure networks of AS/400s that've
been running menu-based security from the beginning. Until I feel
comfortable, I sure have no interest in making things worse. And every time a
new VRM comes out, there's a whole new bunch of areas to learn.

If an organization wants the knowledge, there are sources (the manuals, IBM
training, 3rd-party seminars, etc., etc.) Since the knowledge is there,
what's the point in discussing it here? I guess if an exposure is posted to a
newsgroup (or printed in a magazine or...), then it's time to fix it at work.
But if it's only printed in an IBM manual, then it can't be important.

You generally agreed that describing a trigger exposure publicly wouldn't be
good. So, what kinds of things _SHOULD_ be posted publicly? And if they're
already in the security manuals, why post them? I mentioned the QCPFMSG
issue. I think that was one that deserved to be spread around but only
because the knowledge of how to exploit it had already reached into the
public domain, no matter how lightly, and because the fix was possible for
the customer. There are similar ones, many already addressed by IBM in
current releases. So, what else? What would be your criteria for announcing
an exposure publicly?

I'd actually very much like to find a way to discuss such things. So far, the
only choice I've seen that had a good chance was Forum/400. In its first
couple of years, that was a laughable proposition. Maybe by now, however,
it'd be acceptable. Any better choices?

Tom Liotta

In article <6mb6nk$14au$1...@news.rchland.ibm.com>,
"Fred A. Kulack" <kulack@X!us.ibm.com> wrote:
>
> >Would you be interested in me posting a technique for replacing a trigger on
> >one of your PFs that does _NOT_ require using the appropriate commands? No
> >auditing and essentially undetectable unless you continuously monitor every
> >PF you have by visual inspection. Since you have no protection, why post it
> >publicly?
> >
> >Tom Liotta
>
> I see your point and respect your opinion, but ultimately, I disagree.
>
> Yes, I'd be very interested in seeing that kind of information posted
> publicly.
>
> Perhaps if these problems were discussed globally (like Netscape,
> Unix, NT, etc. security problems), fixes would be forthcoming
> and more young people would get education or excited about
> the AS/400 instead of thinking of it (or NOT thinking of it) as
> most do.
>
> In my opinion, knowledge and freedom have always made it easier
> for evil people to do MORE evil. Fortunately, it has also made it
> easier for good people to do MORE good.
> I think the good outweighs the bad.
>
> (BTW, this is all my personal opinions and definitely not that of
> my employer)
>
>

tho...@inorbit.com

Jun 19, 1998, 3:00:00 AM

Booth:

Up until around 1995, IBM would hardly listen to such statements. But to their
credit, they have actively changed much in how they respond. Even so, I doubt
that even they would appreciate it if such a technique would be posted here
first.

Tom Liotta

In article <35895b56$1$obbguz$mr2...@news-s01.ny.us.ibm.net>,
boo...@ibm.net wrote:
>
> Tom, I have no doubt of what you say, but it is my understanding that if
> you can do that in IBM's plant, someone there will buy you a cup of
> coffee.
>
> In <6m9v93$hbj$1...@nnrp1.dejanews.com>, on 06/18/98
> at 02:50 AM, tho...@inorbit.com said:
>
> >Would you be interested in me posting a technique for replacing a trigger
> >on one of your PFs that does _NOT_ require using the appropriate
> >commands? No auditing and essentially undetectable unless you
> >continuously monitor every PF you have by visual inspection. Since you
> >have no protection, why post it publicly?
>
> >Tom Liotta
>
> --
> -----------------------------------------------------------
> boo...@ibm.net
> Booth Martin
> -----------------------------------------------------------
>
>

tho...@inorbit.com

Jun 19, 1998, 3:00:00 AM

Scott:

I think the tenor of discussion in this newsgroup should tend to "I don't
know how to make this work better. Any ideas?" But "How do I hack an AS/400?"
is the opposite; it's "How do I break these?", not "How do I fix them?"

I have no problem seeing the difference.

Tom Liotta

In article <6mbh1u$l...@lotho.delphi.com>,

Neil Wood

Jun 19, 1998, 3:00:00 AM

tho...@inorbit.com wrote in message <6mckob$hgq$1...@nnrp1.dejanews.com>...

>Scott:
>
>I think the tenor of discussion in this newsgroup should tend to "I don't
>know how to make this work better. Any ideas?" But "How do I hack an AS/400?"
>is the opposite; it's "How do I break these?", not "How do I fix them?"
>
>I have no problem seeing the difference.


"How do I hack an AS/400?" = "How do I fix my Security Holes?"

Seems pretty simple to me too. ;)

Richard Knechtel

Jun 19, 1998, 3:00:00 AM

Neil Wood wrote:
>
> tho...@inorbit.com wrote in message <6mckob$hgq$1...@nnrp1.dejanews.com>...
> >Scott:
> >
> >I think the tenor of discussion in this newsgroup should tend to "I don't
> >know how to make this work better. Any ideas?" But "How do I hack an AS/400?"
> >is the opposite; it's "How do I break these?", not "How do I fix them?"
> >
> >I have no problem seeing the difference.
>
> "How do I hack an AS/400?" = "How do I fix my Security Holes?"
>
> Seems pretty simple to me too. ;)
>

Yes, but it also means:

"How do I hack an AS/400?" = "hey, joe qhacker here's how to break into
an AS/400."

And if any AS/400's that aren't secured get broken into because of
posting of ways to break into the AS/400 in this newsgroup, you will
find some pissed off people at this newsgroup. The "How do I hack an
AS/400?" stuff belongs in alt.2600 or alt.hacker newsgroups. IMHO.

If you want to know "How do I fix my Security Holes?", ask this, not how
to hack your AS/400. Personally you should find someone that knows what
they're doing and via private email exchange information. This will less
endanger others' systems.

Just my $.03 worth (inflation you know)

tho...@inorbit.com

Jun 20, 1998, 3:00:00 AM

Neil:

If we accept that equality, then the answer is also simple: Follow the
guidelines in the security manuals.

Tom Liotta

In article <6mdmgt$gbe$1...@chile.it.earthlink.net>,
"Neil Wood" <ne...@neilNOSPAM.org> wrote:
>
> tho...@inorbit.com wrote in message <6mckob$hgq$1...@nnrp1.dejanews.com>...
> >Scott:
> >
> >I think the tenor of discussion in this newsgroup should tend to "I don't
> >know how to make this work better. Any ideas?" But "How do I hack an AS/400?"
> >is the opposite; it's "How do I break these?", not "How do I fix them?"
> >
> >I have no problem seeing the difference.
>
> "How do I hack an AS/400?" = "How do I fix my Security Holes?"
>
> Seems pretty simple to me too. ;)
>
> Neil Wood
> Programmer Analyst
> IBM Certified Specialist
>
>

Tom Harding

Jun 20, 1998, 3:00:00 AM

Njål Fisketjøn (Njal Fisketjon) wrote:

>
> Or, even simpler: Use the SDA test option on the QDSIGNON display file
> overridden to the device you want.

Njål --

That's downright insidious. And hard to protect against, short of
revoking authority to SDA.

Securing device descriptions to certain users might work.

Tom Harding

sami...@bix.com

Jun 22, 1998, 3:00:00 AM

And I think that there is a continuum of technical discussion here that
will suffer if everyone tries to self-censor information that will be
useful to a hacker, or cracker, or whatever they want to be called these
days. There is IMO very little technical data that can't contribute in
some measure to a hacking effort. While I wouldn't be fond of someone who
posted an explicit and detailed "AS/400 Hacking for Beginners" here, I've
not seen any posts of that type. Furthermore, any serious hacker-to-hacker
exchanges are going to take place on other venues than this ng. The value
of an exchange of information about AS/400 security risks in this group is
high, and IMO the risk of disseminating techniques to hackers _that they
couldn't easily find elsewhere_ is low.

On Fri, 19 Jun 1998 03:08:59 GMT thomas of Deja News - The Leader in
Internet Discussion wrote this re Re: How to hack AS/400 .. any idea(s) .?:
>I think the tenor of discussion in this newsgroup should tend to "I don't
>know how to make this work better. Any ideas?" But "How do I hack an AS/400?"
>is the opposite; it's "How do I break these?", not "How do I fix them?"

Richard Lasater

Jun 22, 1998, 3:00:00 AM

The smartest thing we can do to protect our machines from hackers - actually
crackers, is to learn how to exploit security holes before they do. In essence
we have to be the ones cracking our own machines.

Crackers using a manual to learn where system operators might leave a door open
is not the problem - unless the sysop hasn't taken the time to read it. The
real problem will come from real "holes" that are found in applications, i.e. the
Unix SendMail breach that was found a while ago. Luckily, we all have a very
securable system to start with, but waiting on IBM to propagate reports from us
about security holes is dangerous - they just don't move fast enough. If I found
a way to crack our own system I believe I would post the *complete* details here,
right after securing my own systems - so that you can secure yours. (less
information that any AS/400 sysop should know - no need to make it easy for
crackers reading the NG.)

I agree that this action might endanger non-readers of this newsgroup -
but this type of information is one of the main reasons I subscribe to it. Any
"machine room only" sysop that has hooked his machine to the net and isn't using
resources like NGs to keep up is not qualified and will get cracked eventually
anyway.

Perhaps IBM should set up a forum for this information similar to the one that
reports security breach points to ISPs.

Best to all,

R Lasater


On Wed, 17 Jun 1998 10:38:30 -0700, Richard Knechtel <richard....@eds.com>
wrote:

>John Dobson wrote:
>>
>> A hearty second on this comment. We can do a lot to protect ourselves, if
>> we just know how. I've learned a few things following this thread.
>>
>> Yes, these discussions are occurring in the hacker world. So let's do
>> everything we can to educate ourselves.
>>
>> John Dobson
>>
>
> Well, a lot of the "less hacking" of the AS/400's is due to the Hackers
>knowing a lot less about how to hack the AS/400. If you openly post
>these kinds of things, those who don't use this newsgroup that have
>AS/400's are now more open to hacker attacks. (Yes, they may not have
>their AS/400 secured correctly, but still you're endangering them.) The
>hackers monitor this group. I know I have had a few contact me VIA Email
>asking me specifics about how to hack into an AS/400, and have told them
>politely that I wouldn't give that kind of information out. This is the
>flip side of the issue. I think it would probably be best to take those
>kinds of discussions to Email where it's a little less open IMHO. True,
>less people would see the discussion, but less people would be open to

Richard Lasater

Jun 22, 1998, 3:00:00 AM

Oh yea I almost forgot. I will soon begin trying to exploit our new IBM Network
station, which seems to be running (Insert potentially crackable OS name here.
If you have one you know what it is. If you're a cracker, well just guess!) as an
entry point to a system. If I can trick it into sending me anything juicy I'll
let you know. The NS, (like a PC) can be a trusted address to the 400 while also
running cute java snippets in a browser. Hmmm I wonder....

This information should be helpful to sysops without being overly helpful to
amateur crackers. Really good crackers already know, and now you do too - thanks
to the newsgroup.

Rlasater

Bob Cancilla

Jun 23, 1998, 3:00:00 AM

I too agree with this. If we put it out in the public we can protect ourselves.
There is no protection from ignorance. In this business it's what you don't know
that can hurt you.

Bob C.


John Dobson wrote in message ...

Charles R. Pence

Jun 23, 1998, 3:00:00 AM

Richard Lasater wrote:
> <<SNIP>>
> ..., but waiting on IBM to propagate reports from us about security
> holes is dangerous - they just don't move fast enough. If I found a way
> to crack our own system I believe I would post the *complete* details here,
> right after securing my own systems - so that you can secure yours. (less
> information that any AS/400 sysop should know - no need to make it easy for
> crackers reading the NG.)
>
> I agree that this action might endanger non-readers of this newsgroup
> but this type of information is one of the main reasons I subscribe to it.
> <<SNIP>>

Of course <IMO>, not notifying IBM and only posting here, would be like
posting in a neighborhood bulletin, that the prison on the edge of town
has a hole in its fence. And what about when you do not have a solution
or circumvention which enables you to secure the hole you have found?
Just something to think about; I agree with sharing information, but I
prefer that those responsible for effecting a correction are given the
first notification. Besides, there may already be a fix provided, which
you could include in your post to the newsgroup.

Regards, Chuck
-- Comments provided "as is" with no warranties of any kind whatsoever.

Richard Lasater

unread,
Jun 23, 1998, 3:00:00 AM6/23/98
to

To add and clarify, I would also notify IBM or the persons responsible for the
application.

Additionally I have received an article from the June news/400 about hacking the
400. It mentions that CERT (Computer Emergency Response Team) does not disperse
holes in OS/400, only Unix and WinNT. I think we should lobby to get OS/400
added to the list.

The article BTW staged an attack against the 400 with "published methods" (the
400 passed). As I have said before, the problem is not with hacks people know
about - it's the unknown new ones that scare me!

Best

RLasater

On Tue, 23 Jun 1998 09:50:13 -0500, "Charles R. Pence" <crp...@vnet.ibm.com>
wrote:

Obelix

unread,
Jun 23, 1998, 3:00:00 AM6/23/98
to

On 16 Jun 1998 12:49:59 GMT, osi...@aol.com (OSITim) wrote:

>I don't think a public internet news group is the proper forum for discussing
>methods of hacking into an AS/400.

I disagree with this. As long as you show us the way they can come in,
we'll know what to close.

Obelix

Obelix

unread,
Jun 23, 1998, 3:00:00 AM6/23/98
to

On Thu, 18 Jun 1998 18:36:39 -0500, "news.compuserve.com"
<OSI...@compuserve.com.xyz> wrote:

>Actually the method I know about requires no comm traces and no contact with
>the user and the programmer needs only to be able to compile a program.

I know there was this possibility using the 'password validation'
program, however it seems to me that IBM removed this in the latest
version of the OS. Is there any other way?? And how can we prevent this???


Obelix

tho...@inorbit.com

unread,
Jun 24, 1998, 3:00:00 AM6/24/98
to

Scott:

Sigh. You've just described exactly why this NG is a dumb place for such
discussion. Because the Security Reference manual and similar ones are already
owned by every AS/400 site, there's absolutely zero value in posting their
contents here. And even if a site has lost its copies, the manuals are freely
available on the Web.

Therefore, the _ONLY_ possible valuable security items to post here would be
those that are _NOT_ found easily elsewhere; and those are the ones most
likely to have no circumvention or fix available yet. If you want info on
_those_, check the PSP reports, not the NG. When a fix arrives, it'll be in
the form of a PTF. And _NO ONE_ is going to be able to post that here before
the PTF is announced.

Which brings us to: If there is no fix, why post it publicly? To force IBM to
fix it? Just tell them about it and they'll fix it or explain why not.

I mentioned elsewhere that the QCPFMSG issue was an example of what I thought
would be worth posting here. I've yet to see anyone else give examples of
what they believe should be posted -- except of course general statements
that claim _EVERYTHING_ should be posted. I chose that issue because it was
not clearly described in security references at the time and because a
fix/circumvention was easily put in place. I'm willing to go farther and
include items that have been reported to IBM and rejected by them (but
nowadays that's going to be a rare happening).

I also mentioned Forum/400 as a possible forum for discussion; I haven't seen
anyone else disagree nor have I seen any alternatives -- except general
statements that _EVERYTHING_ should be posted here. I named Forum/400 because
it was available directly through your AS/400 and only to AS/400 sites, via a
1-800 number; about all it takes is a service contract. Hosted and monitored
by IBM -- how could this NG be better? In there, you have real chances of
getting dialogs going with IBM.

Okay, sure, somebody poses a question: "How do I secure a program in the IFS?"
or "How can I grant access to _some_ fields in a file but not others?" No
problem; the answers are easy to supply just by referencing the right manuals
and topic numbers. Public posting is a worthwhile service, even the posting of
the basic techniques of implementation. But "How do you break object
encapsulation?" or "How do I view comm traffic _without_ SST and comm traces?"
(Ever wonder how the PEEK programs got their screen images in realtime without
relying on STRCPYSCN?) These are the questions asked by "How do I hack an
AS/400?"

Simply put, the security issues in question _ARE_ ones "_that they couldn't
easily find elsewhere_". And that's where this thread came from. Check the
subject.

Tom Liotta

In article <6mlipv$1...@lotho.delphi.com>,

dbi

unread,
Jun 24, 1998, 3:00:00 AM6/24/98
to

Bad news Thomas, FORUM400 is defunct, it's been replaced with one of
those gunky browser based forums, off the AS400 service home page. You can
fill out a HTML form and they'll email you a password if you have a
service contract.

Regards, Worley

Bill Guenthner

unread,
Jun 24, 1998, 3:00:00 AM6/24/98
to

That's right. God forbid anyone without a service contract learn anything
about the AS/400. They might decide to use one.

dbi @imagine.net (Worley Barry) wrote in message ...

Charles R. Pence

unread,
Jun 24, 1998, 3:00:00 AM6/24/98
to

Worley Barry wrote:
>
> Bad news Thomas, FORUM400 is defunct, it's been replaced with one of
> those gunky browser based forums, off the AS400 service home page. You can
> fill out a HTML form and they'll email you a password if you have a
> service contract.
>
> Regards, Worley

So that was not just an *additional* interface; actually a
replacement.?.?

dbi

unread,
Jun 24, 1998, 3:00:00 AM6/24/98
to

"Charles R. Pence" <crp...@vnet.ibm.com> wrote:

Ah, well, it's not really a replacement, FORUM400 with its 5250
interface deteriorated into a social club for a small group of people and
the new roundtable excludes that kind of posts.

I stayed with it to the bitter end, just to see what happened. I
suspect the new roundtable will fare no better and simply fulfill its
role as a bullet on the benefits of a service contract.

The activity is too low (I know it's new) and the majority of the
questions are not answered. If I read its documentation correctly, IBM
employees are discouraged, if not prohibited from participating. That's
where FORUM400 failed, more IBM employees participate in this news group
than either of these IBM sponsored services.

I'm sure the official line is that Forum400 failed because it's an
old 'green screen' application and everybody will flock to the roundtable
because it's using the latest GUI fads of HTML browsers. But I say the
lack of content was and will be the downfall of both of them.

A wonderful experiment would be to make FORUM400 available through
the internet with TELNET(TN5250) and see which interface is the most
popular. Me, I'll take function keys over mice every time.

Regards, Worley

crashshw

unread,
Jun 24, 1998, 3:00:00 AM6/24/98
to

(OSITim) wrote:
>
>>I don't think a public internet news group is the proper forum for discussing
>>methods of hacking into an AS/400.
>I disagree with this. As long as you show us the way they can come in,
>we'll know what to close.
>
>Obelix

Hmm, this thread is getting pretty hot....maybe we should have a secured
security forum secured by IBM running on a fully advertised secured
firewall AS400 for these issues and another secured AS400 just for some kind
of pass through which actually would act as the secured site. That way
IBM'll see hackers, crackers, and wannabes who want to try, test the security
attempting to pop open the system security; they won't have to advertise
when somebody gets in through the security, just deliver the security fixes
to whoever is a licensed AS400 user through the standard PTF cycle. If
licensed users want to get more knowledge about AS400 security holes, they
would securely logon to the other "secure" system to get to the security
forum and security information...;>)

Perhaps, we should ask IBM to cobble together an AS400 just for this kind of
forum though and limit it to the licensed users (which we all are of course),
hook it into an AS400 VPN with dial up/back security. Then we could use this
environment a little more "securely"?

On the other hand, maybe we should stay with pure SNA....after all,
physically limiting the network design alone should deter all but the most
determined and desperate violators...;>))


tho...@inorbit.com

unread,
Jun 25, 1998, 3:00:00 AM6/25/98
to

Yo, Worley!

How ya' been?

Too bad. Now that you mention it, I recall something about it. But even so,
with a secure connection, it should still beat... hmmm... wait a minute...

Well, so much for that idea. I can't find a reference to it anywhere. Maybe it
no longer exists in any form. Unless someone knows what happened to it...?

Tom Liotta

In article <oLLk1wGQ...@imagine.net>,


Worley...@dbi.e-mail.com wrote:
>
>
> Bad news Thomas, FORUM400 is defunct, it's been replaced with one of
> those gunky browser based forums, off the AS400 service home page. You can
> fill out a HTML form and they'll email you a password if you have a
> service contract.
>
> Regards, Worley
>

tho...@inorbit.com

unread,
Jun 25, 1998, 3:00:00 AM6/25/98
to

Worley:

Ah! "roundtable" was the search word I needed. Thanks.

Too bad the connection is 'in the open'. Kind of reduces the value for serious
discussion.

And the bit about IBMers being discouraged from participating... maybe that's
okay as long as they can still interject comments needed to keep things
accurate or to keep participants informed of developments. Still, given that
a service contract should be in place for customer participants and also
given that _THIS_ NG exists for free, why discourage IBMers at all -- as long
as it doesn't drift over into conflict with Consult Line, etc.? Weird.

Tom Liotta

In article <N+Uk1wGQ...@imagine.net>,


Worley...@dbi.e-mail.com wrote:
>
> "Charles R. Pence" <crp...@vnet.ibm.com> wrote:
>
> >Worley Barry wrote:
> >>
> >> Bad news Thomas, FORUM400 is defunct, it's been replaced with
> >> one of those gunky browser based forums, off the AS400 service home
> >> page. You can fill out a HTML form and they'll email you a password if
> >> you have a service contract.
> >>
> >> Regards, Worley
> >
> >So that was not just an *additional* interface; actually a
> >replacement.?.?
> >
> >Regards, Chuck
> > -- Comments provided "as is" with no warranties of any kind whatsoever.
>
> Ah, well, it's not really a replacement, FORUM400 with its 5250
> interface deteriorated into a social club for a small group of people and
> the new roundtable excludes that kind of posts.
>
> I stayed with it to the bitter end, just to see what happened. I
> suspect the new roundtable will fare no better and simply fulfill its
> role as a bullet on the benefits of a service contract.
>
> The activity is too low (I know it's new) and the majority of the
> questions are not answered. If I read its documentation correctly, IBM
> employees are discouraged, if not prohibited from participating. That's
> where FORUM400 failed, more IBM employees participate in this news group
> than either of these IBM sponsored services.
>
> I'm sure the official line is that Forum400 failed because it's an
> old 'green screen' application and everybody will flock to the roundtable
> because it's using the latest GUI fads of HTML browsers. But I say the
> lack of content was and will be the downfall of both of them.
>
> A wonderful experiment would be to make FORUM400 available through
> the internet with TELNET(TN5250) and see which interface is the most
> popular. Me, I'll take function keys over mice every time.
>

tho...@inorbit.com

unread,
Jun 25, 1998, 3:00:00 AM6/25/98
to

Richard:

CERT will gladly receive information on AS/400s assuming the submissions meet
their guidelines. However, CERT is dedicated to _Internet_ related issues, not
specific platform issues. CERT is probably not the right vehicle.

Also, OS/400 _HAS_ been named in security alerts from other sources. Internet
Security Systems' ISS Security Alert, for example, included OS/400 v3r7 a few
months ago as a vulnerable platform in one case. (But I think I had the fixing
PTF from IBM before the alert was even sent.)

Tom Liotta

In article <358fd8f2....@news.neosoft.com>,


rlas...@neosoft.com (Richard Lasater) wrote:
>
> To add and clarify, I would also notify IBM or the persons responsible for the
> application.
>
> Additionally I have received an article from the June news/400 about hacking the
> 400. It mentions that CERT (Computer Emergency Response Team) does not disperse
> holes in OS/400, only Unix and WinNT. I think we should lobby to get OS/400
> added to the list.
>
> The article BTW staged an attack against the 400 with "published methods" (the
> 400 passed). As I have said before, the problem is not with hacks people know
> about - it's the unknown new ones that scare me!
>
> Best
>
> RLasater
>
> On Tue, 23 Jun 1998 09:50:13 -0500, "Charles R. Pence" <crp...@vnet.ibm.com>
> wrote:
>
> >Richard Lasater wrote:
> >> <<SNIP>>
> >> ..., but waiting on IBM to propagate reports from us about security
> >> holes is dangerous - they just don't move fast enough. If I found a way
> >> to crack our own system I believe I would post the *complete* details here,
> >> right after securing my own systems - so that you can secure yours. (less
> >> information that any AS/400 sysop should know - no need to make it easy for
> >> crackers reading the NG.)
> >>
> >> I agree that this action would might endanger non-readers of this newsgroup
> >> but this type of information is one of the main reasons I subscribe to it.
> >> <<SNIP>>
> >
> >Of course <IMO>, not notifying IBM and only posting here, would be like
> >posting in a neighborhood bulletin, that the prison on the edge of town
> >has a hole in its fence. And what about when you do not have a solution
> >or circumvention which enables you to secure the hole you have found?
> >Just something to think about; I agree with sharing information, but I
> >prefer that those responsible for effecting a correction are given the
> >first notification. Besides, there may already be a fix provided, which
> >you could include in your post to the newsgroup.
> >

> >Regards, Chuck
> > -- Comments provided "as is" with no warranties of any kind whatsoever.
>
>

boo...@ibm.net

unread,
Jun 25, 1998, 3:00:00 AM6/25/98
to

This isn't to be seen as a challenge, but in a meeting today an IBM
speaker again said "The AS/400 has never yet been hacked." Is he being
blind?

In <35a9b3bc...@news.interbusiness.it>, on 06/23/98

at 09:21 PM, nbr...@box.seven.it (Obelix) said:


>>I don't think a public internet news group is the proper forum for discussing
>>methods of hacking into an AS/400.
>I disagree with this. As long as you show us the way they can come in, we'll
>know what to close.

Richard Knechtel

unread,
Jun 26, 1998, 3:00:00 AM6/26/98
to

boo...@ibm.net wrote:
>
> This isn't to be seen as a challenge, but in a meeting today an IBM
> speaker again said "The AS/400 has never yet been hacked." Is he being
> blind?
>

YES!
This type of comment was publicly made at COMMON as well, except it was
more on the lines of "The AS/400 is un-hackable". STUPID remarks. NO
system is totally secure. I don't care if it is AS/400, mainframe, NT,
Unix. The only secure system is one turned off, and welded shut in a 6
foot thick uranium safe. When will some people understand that?

Regards,


--

Richard Knechtel
richard .dot knechtel @at eds .dot com
EDS

Patrick Townsend

unread,
Jun 26, 1998, 3:00:00 AM6/26/98
to

Yes, I wonder what they mean when they say the AS/400 has never been
hacked? Do they think no one has ever guessed a password on the AS/400?
Gee, I've done that. Or do they mean that no one has ever maliciously
damaged an AS/400? I know of more than one instance of this.

I suspect they are taking a *very* narrow definition of the term.
Perhaps they've never encountered an instance of a break-in using
standard tools like Satan, etc.

Curious....

Patrick

--

Patrick Townsend mailto:town...@patownsend.com
Patrick Townsend & Associates, Inc. http://www.patownsend.com

David Abramowitz

unread,
Jun 26, 1998, 3:00:00 AM6/26/98
to

I think the correct expression was "There has never been a virus
reported on an AS/400"

This appears to be the truth.

--
David Abramowitz

tho...@inorbit.com

unread,
Jun 27, 1998, 3:00:00 AM6/27/98
to

BoothM:

The statement is ridiculous. See NEWS/400, March '98, NewsWatch item titled
"IBM Ethical Hacking Team Exposes Customer's Security Holes". As an example,
read the section that begins "In one otherwise secure AS/400 shop that
Vance's team broke into...". I know of a specific AS/400 run by a
knowledgeable school district that was hacked by university students nearby.
_MY_ AS/400 was hacked right in front of my eyes. Twice. And three years
later, I still haven't figured out how he did it the second time even though
I was watching on the system as it happened.

In general, simply ask yourself why IBM offers such a service. For info on the
service, see http://www.ibm.com/security/html/consult.html .

But keep in mind that the speaker was probably trying to say that AS/400
security has never been _broken_ or something like that, which is a more
reasonable statement. When an AS/400 is properly secured, it does not break
easily.

Further, earlier releases were progressively easier. Nowadays, particularly
on RISC machines, it might be getting close to unbreakable -- the ethical
hack sponsored by NEWS/400 last month eased my mind significantly; if Steve
Glanstein couldn't do it, the chances get pretty small.

Tom Liotta

In article <359308f0$3$obbguz$mr2...@news-s01.ny.us.ibm.net>,


boo...@ibm.net wrote:
>
> This isn't to be seen as a challenge, but in a meeting today an IBM
> speaker again said "The AS/400 has never yet been hacked." Is he being
> blind?
>

> In <35a9b3bc...@news.interbusiness.it>, on 06/23/98
> at 09:21 PM, nbr...@box.seven.it (Obelix) said:
>
> >>I don't think a public internet news group is the proper forum for discussing
> >>methods of hacking into an AS/400.
> >I disagree with this. As long as you show us the way they can come in, we'll
> >know what to close.
> --
> -----------------------------------------------------------
> boo...@ibm.net
> Booth Martin
> -----------------------------------------------------------
>
>


Richard Knechtel

unread,
Jun 29, 1998, 3:00:00 AM6/29/98
to

tho...@inorbit.com wrote:
>
>
> Further, earlier releases were progressively easier. Nowadays, particularly
> on RISC machines, it might be getting close to unbreakable -- the ethical
> hack sponsored by NEWS/400 last month eased my mind significantly; if Steve
> Glanstein couldn't do it, the chances get pretty small.
>

Yes, Steve is GOOD. I went to one of his security seminars and you
should have seen how many jaws dropped in the room when he was showing
off some of the ways people could get into your AS/400.

Pedro Manuel Rodrigues

unread,
Jun 29, 1998, 3:00:00 AM6/29/98
to

Actually, if things were published anywhere, IBM would move faster.
Look how they run and jump when someone posts in a public mailing list
a security glitch in their AIX OS (sendmail, nfs, or whatever). Hot
fixes next day. By the way, Forum/400 is dead. My option would be a
mailing list, instead of a web based forum. But that is a personal
view. YET, if there is enough momentum to fire it up, I can set up an
AS/400 security mailing list. Any thoughts/ideas to go with it?


Pedro Rodrigues


tho...@inorbit.com

unread,
Jun 30, 1998, 3:00:00 AM6/30/98
to

Richard:

I had the honor of working with Steve for a year on an AS/400 security issues
project. It changed my career. And consider: There are a couple of other
people out there that _Steve_ is impressed by.

Tom Liotta

In article <3597B0...@eds.com>,

Richard Knechtel

unread,
Jun 30, 1998, 3:00:00 AM6/30/98
to

tho...@inorbit.com wrote:
>
> Richard:
>
> I had the honor of working with Steve for a year on an AS/400 security issues
> project. It changed my career. And consider: There are a couple of other
> people out there that _Steve_ is impressed by.
>

God, I didn't think there were that many people that good. I got to
talk with Steve some after the conference. I would love to have a chance
to work with him some time. He knows the AS/400 pretty well.
--

Richard Knechtel
email(richard dot knechtel at eds dot com)

Christopher An

unread,
Jun 30, 1998, 3:00:00 AM6/30/98
to

Well. Compared to other systems, AS/400 has a well-designed security
procedure. However, I can see just a few companies properly set their
system security. AS/400 has different security levels, but I don't see any
company who set the security level 40 which provides a secure system (but not
un-hackable). Maybe it costs too much money to maintain a system with this
high security level.

Chris

tho...@inorbit.com wrote in message <6n1j39$r0e$1...@nnrp1.dejanews.com>...


>BoothM:
>
>The statement is ridiculous. See NEWS/400, March '98, NewsWatch item titled
>"IBM Ethical Hacking Team Exposes Customer's Security Holes". As an example,
>read the section that begins "In one otherwise secure AS/400 shop that
>Vance's team broke into...". I know of a specific AS/400 run by a
>knowledgeable school district that was hacked by university students nearby.
>_MY_ AS/400 was hacked right in front of my eyes. Twice. And three years
>later, I still haven't figured out how he did it the second time even though
>I was watching on the system as it happened.
>
>In general, simply ask yourself why IBM offers such a service. For info on the
>service, see http://www.ibm.com/security/html/consult.html .
>
>But keep in mind that the speaker was probably trying to say that AS/400
>security has never been _broken_ or something like that, which is a more
>reasonable statement. When an AS/400 is properly secured, it does not break
>easily.
>
>Further, earlier releases were progressively easier. Nowadays, particularly
>on RISC machines, it might be getting close to unbreakable -- the ethical
>hack sponsored by NEWS/400 last month eased my mind significantly; if Steve
>Glanstein couldn't do it, the chances get pretty small.
>
>Tom Liotta
>
>In article <359308f0$3$obbguz$mr2...@news-s01.ny.us.ibm.net>,
> boo...@ibm.net wrote:
>>
>> This isn't to be seen as a challenge, but in a meeting today an IBM
>> speaker again said "The AS/400 has never yet been hacked." Is he being
>> blind?
>>
>> In <35a9b3bc...@news.interbusiness.it>, on 06/23/98
>> at 09:21 PM, nbr...@box.seven.it (Obelix) said:
>>
>> >>I don't think a public internet news group is the proper forum for discussing
>> >>methods of hacking into an AS/400.
>> >I disagree with this. As long as you show us the way they can come in, we'll
>> >know what to close.
>> --
>> -----------------------------------------------------------
>> boo...@ibm.net
>> Booth Martin
>> -----------------------------------------------------------
>>
>>
>
>

boo...@ibm.net

unread,
Jun 30, 1998, 3:00:00 AM6/30/98
to

Security level 40 is not hard to do. Anyone that doesn't do 40 is
inviting trouble. A few software vendors don't write to level 40 but
they shouldn't be rewarded for sloppiness; buy elsewhere.

In <MKcm1.182$qd1.6...@bunson.tor.sfl.net>, on 06/30/98

at 09:27 PM, "Christopher An" <a...@idirect.com> said:

>AS/400 has different security levels, but I don't see any
>company who set the security level 40 which provides a secure system (but
>not un-hackable). Maybe it costs too much money to maintain a system with
>this high security level.

David Abramowitz

unread,
Jul 1, 1998, 3:00:00 AM7/1/98
to

It is not always necessary to set security to level 40.

For instance: What if there are no Comm lines at all? Not even an
ECS line!!

--
David Abramowitz

tho...@inorbit.com

unread,
Jul 2, 1998, 3:00:00 AM7/2/98
to

Chris:

For an average AS/400, the effort is in typing in the following command:

===> chgsysval sysval(qsecurity) value(40)

In practice, however, the system audit values should first be set to detect
programs that are violating OS/400 integrity rules. Monitoring of the audit
journal can then warn you of potential problems before changing the security
level. I.e., you then have necessary info to contact software authors and
request compliant code (or, less likely, to rewrite your own programs to use
documented interfaces).

The cost/effort essentially comes down to checking for problems before making
the change; fortunately, IBM made that easy.

Tom Liotta

In article <MKcm1.182$qd1.6...@bunson.tor.sfl.net>,


"Christopher An" <a...@idirect.com> wrote:
>
> Well. Compared to other systems, AS/400 has a well-designed security
> procedure. However, I can see just a few companies properly set their
> system security. AS/400 has different security levels, but I don't see any
> company who set the security level 40 which provides a secure system (but not
> un-hackable). Maybe it costs too much money to maintain a system with this
> high security level.
>
> Chris
>

[ etc ]
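
The order of operations described in the post above (turn on auditing, review the audit journal, then raise QSECURITY) could look like the following CL. This is an added example, not part of the original post or IBM's documentation; the library AUDLIB, the receiver AUDRCV0001 and the outfile AFENTRIES are hypothetical names, and step 2 assumes the audit journal has not been created yet.

```cl
/* Added example. AUDLIB, AUDRCV0001 and AFENTRIES are hypothetical  */
/* names. Changing the QAUD* values needs *AUDIT special authority;  */
/* changing QSECURITY needs *ALLOBJ and *SECADM.                     */

/* 1. Note the current level and audit settings before changing.     */
DSPSYSVAL SYSVAL(QSECURITY)
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)

/* 2. Create the security audit journal (skip this step if           */
/*    QSYS/QAUDJRN already exists). Keep *PUBLIC out of the receiver.*/
CRTLIB    LIB(AUDLIB) AUT(*EXCLUDE)
CRTJRNRCV JRNRCV(AUDLIB/AUDRCV0001) AUT(*EXCLUDE)
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDRCV0001) AUT(*EXCLUDE)

/* 3. Log program failures and authority failures. CHGSYSVAL         */
/*    replaces the whole list, so repeat any values seen in step 1.  */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*PGMFAIL *AUTFAIL')
CHGSYSVAL SYSVAL(QAUDCTL) VALUE(*AUDLVL)

/* 4. After a representative period (month-end jobs, batch cycles),  */
/*    extract the AF entries and review which programs appear.       */
DSPJRN    JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) ENTTYP(AF) +
          OUTPUT(*OUTFILE) OUTFILE(AUDLIB/AFENTRIES)

/* 5. Only when every AF entry is explained or fixed, raise the      */
/*    level. The new value takes effect at the next IPL.             */
CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')
```

Programs that show up in the AF entries at step 4 are the ones to raise with their vendor or rewrite before the IPL that activates level 40.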

boo...@ibm.net

unread,
Jul 3, 1998, 3:00:00 AM7/3/98
to

Attacks only come down the wires? never from disgruntled employees, or
departing employees? Never from remote locations, even remotely within
the same building?

In <ebvUVYN...@nih2naab.prod2.compuserve.com>, on 07/01/98

at 05:53 AM, David Abramowitz <10544...@CompuServe.COM> said:

>It is not always necessary to set security to level 40.

>For instance: What if there are no Comm lines at all? Not even an ECS
>line!!


--

Ian Stewart

unread,
Jul 23, 1998, 3:00:00 AM7/23/98
to
tho...@inorbit.com wrote:

<snip>

> Would you be interested in me posting a technique for replacing a trigger on
> one of your PFs that does _NOT_ require using the appropriate commands? No
> auditing and essentially undetectable unless you continuously monitor every
> PF you have by visual inspection. Since you have no protection, why post it
> publicly?

Well, I for one would rather know the risk (or opportunity, should such
a technique have any legitimate use).

Ignorance may well be bliss, until you get zapped, at least. Even if
the only defense (in your hypothetical example above) was to mount a
regular monitoring process (which could be automated) it would then be
up to me to decide what my personal exposure was, and whether it was
worth the effort.

And as most of the ways of "hacking" into a machine probably involve a
lack of awareness on the part of systems administrators rather than bugs
in the system, I'd rather be aware of as many of the risks as possible.

Perhaps if you discovered a vast (but extremely obscure) hole against
which there was no defense, you should report it to IBM first and let
them come up with a PTF before publicising it widely. I'd expect people
to exercise a certain amount of judgement on this ... on the whole, I'd
rather be informed.

--
Ian Stewart
i...@incognito.co.nz
