On Wednesday 06 February 2002 09:46, LK-FM Tech Assistances wrote: > Their argument is that the servers are AS/400 and they claim that the > platform does not have any security holes or vulnerabilities that a > potential hacker could exploit. So they feel they don't need a firewall. > Although I am aware of 2 vulnerabilities on the Domino AS/400 (They are > using DOMINO too) I don't have adequate knowledge and can not site > incidents on hacking the AS/400.
I'm not sure if you can convince ignorant people, esp. if they're management. :-) The fact that OS/400 is unbreakable (which, by default - is NOT true, because there is no such thing as 100% safe operating system) doesn't mean the OS can protect everything running on top of it from hacking in. Domino is really good piece of software, but out of the box it is prone to DoS attacks, spam relaying and unauthorised access to some databases. Once you fix that it is pretty secure, yet still it doesn't mean there are no more holes in it. There's one story you can tell them. You can find reference on Slashdot at http://slashdot.org/articles/99/08/04/205226.shtml This was about one Linux PPC box that people put on the Internet to give to anyone who hack into it. After several weeks of high load and unsuccesful attempts, one guy managed to own the machine. But not using Linux kernel security holes, but exploiting vulnerability in just one, single, small third party CGI script! That story suits those people. You can tell them real life story that proves that, while OS might be bulletproof (as much as an OS can be bulletproof), there are many other things that can compromise a server. They will tell you then that they can strip out everything not needed, but you can ask them if they really want a machine that has just 10% of it's abilities, and isn't buying a firewall much cheaper than hiring real experts to work on such "highly-secured" machine, not to mention added security on the whole network. ;-) And you can ask them as well - to tell you what are all the things that have to be removed from the machine to make it "secure".. >;-) -- Radoslav Dejanovic Senior Associate to Mayor's Office City of Zagreb, Croatia
