Great article in ComputerWorld mentioning need for system i personnel


  • Great article in ComputerWorld mentioning need for system i personnel

    In response to a post on http://developers.slashdot.org, Why Software is Hard:

    One program (even worse when it has many threads) that is wanting more memory and more CPU will get the entire User Interface to a halt, even though guaranteeing the required resources for a smooth UI is so cheap.

    OS/400 (now i5/OS) handles hundreds of users and thousands of jobs simultaneously with smooth UI response.

    Instead, operating systems should just expose one type of memory.

    OS/400 has always done this. The entire memory and disk capacity is a single 64-bit address space addressable by RPG or C++ programs with pointers and pointer math.

    ...allows all method calls to transparently run over a network.

    OS/400 has XWindows which was cited by poster as too fine grained. Not sure what the answer is here.

    ...a capability-security model should be used..., which is much simpler to use, verify and much more powerful and fine-grained.

    OS/400 object based security is very fine grained, simple to administer, and would not make the break-in artists of the world very happy were it to be widely used as it should be by those holding critical personal information, such as government agencies, health care companies, and everyone else spilling our personal information via common OS foils.

    rd

  • #2
    In response to another post on http://developers.slashdot.org, Why Software is Hard:

    OS/400 has always done this. The entire memory and disk capacity is a single 64-bit address space addressable by RPG or C++ programs with pointers and pointer math.

    OS/400 does away with files, and instead gives each program a 64-bit address space that persists to disk automatically? Wow!

    Not the does away with files part. OS/400 has:

    - DB2/400 built-in,
    - AIX as part of the address space which I understand could run MySQL and other open source databases along with DB2 if we wanted (Linux and/or AIX partitions also can run concurrently with OS/400 in different address spaces),
    - a native object based file system
    - a Unix style IFS file system
    - Apache / Tomcat
    - POSIX compliant

    but OS/400 was architected as a flat 64-bit address space across all local storage that all users share, with all accesses to the entire space object based, strongly typed, and authority verified. Just as important, it does all this for hundreds to thousands of concurrent users with smooth UI response accessing terabytes of data. But it scales all the way down too. Entry level models are priced competitively with other enterprise equipped servers.

    As security problems worsen, government would be well served to secure their operations on OS/400, now upgraded as i5/OS on the IBM system i.

    rd

    • #3
      In response to another post on http://developers.slashdot.org, Why Software is Hard:

      It does sound nice, I shall try OS/400 at one point if it becomes free software (if only for the persistent space).

      It would be nice, maybe some of the concepts will be tried in open software someday.

      How does the OS/400 security model work? Is it ACL based? If so (it probably is, as that's the mainstream model) it means that the security failures I mentioned above still exist with it.

      The fundamentals of user, group, and role ACLs are there in OS/400. But it does have a very impressive record as far as resisting attacks and viruses, partly due to obscurity, partly due to not having the well known Intel instruction set architecture foils to use (in fact, the hardware is abstracted from the OS by an interface layer), but certainly the object based OS architecture is the real impediment to crackers.

      Files, programs, and other mechanisms such as queues and such aren't just called objects, they are strongly typed objects rather than the universal files with different intended purposes found elsewhere. Access just isn't restricted by ACL, what you can do with access to an object is based on its type. One common example is a program isn't a file that can be modified as a file in a file system. And that applies to every object in OS/400, not just executables.

      Another big difference is what's called adopted authority. Users are only given authority to execute a high level object, such as certain menu options (a menu is an object in OS/400 like everything else) or startup programs. Then it is the programs that actually have the authority to change data, so a user doesn't have authority to access a program or file directly. Just because they can select a menu option that updates data doesn't mean they could change the data in the file if they could get to it.

      Of course root is the big bypass in all the OSes. One thing OS/400 has is a high granularity of roles going toward root, called QSECOFR in OS/400. So there are Programmer and various Operator and Admin roles to be able to access objects across the board as needed for operations. The root QSECOFR is only used by a few people as needed to maintain the system and data.

      In general most any technique to break in to Windows and Unix/Linux doesn't work against OS/400. It would be onerous if the security were there but slowed the system to a crawl, but all this is done with a combination of ACL, typed objects, and adopted authority with fast response for thousands of concurrent users and jobs. So I don't think the security failures you are suggesting in mainstream ACL models are there in OS/400.

      rd

      • #4
        The object based concept is lost on most people unfamiliar with it. As far as security goes, it means an object categorized as a program is not a file, and a file is not a program. There are only two ways to change a program on an AS/400, one is to restore it, and two is to compile it. Even if you were to use QSYS.LIB in the IFS to break in, you could not do anything to a program object. Try it sometime. Use Notepad or Wordpad to try to open a program object in QSYS.LIB... Won't happen.

        A few years ago, I was unfortunate enough to get a virus that worked its way into the IFS. But it was stopped cold at QSYS.LIB. Unix and Windows programmers often refer to programs as program files, for this is what is created with the program. As files, these are subject to being opened and infected with greater ease.

        Dave

        • #5
          There are only two ways to change a program on an AS/400, one is to restore it, and two is to compile it.

          Or UPDPGM. Or UPDSRVPGM. A program or service program may contain several modules. You plug the changed module into an existing program.

          Chris

          • #6
            I would really like government agencies, Federal and all levels, to "get" the OS object based security of i5/OS and the system i. rd

            • #7
              http://www.computerworld.com/action/...intsrc=hm_list

              Want to win in Vegas? Bet on an IT job, not the Super Bowl
              IT workers are in demand on the strip
              Patrick Thibodeau
              February 02, 2007 (Computerworld)

              "Some IT skills in Vegas are system-specific, especially those needed for the IBM System i, which is used at Boyd and other gaming companies. To help meet the need for System i skills, IBM is helping UNLV this fall to get Series i training under an initiative that includes new courses."

              end quote

              Great news on system i and new training needs for it. Hope to see more of this.

              rd

              • #8
                Interestingly enough, level 5 security was originally instituted on the AS/400 for the purpose of meeting government specification. At the time, I believe, it was the only machine to meet all of the specifications. This goes back to the early 90s. As usual, most agencies ignored their own requirements. Dave

                • #9
                  Hey, imagine for a moment that i5/OS security was so vulnerable an architecture that you had to download and apply 1 to a dozen security patches a day...!!! Like the OS we all use (almost exclusively) on our personal computers.

                  Imagine all the jobs it would create as a "cottage" industry to protect your i5 from viruses, trojans, adware, spyware by issuing daily updates to that "protecting" software as well, to keep up with the latest "signatures" of the above...???

                  Why didn't the personal computer OS's security architecture learn from what had already been invented and in use for some time...???
