On-Line Meeting Etiquette

By Rich Loeber

I occasionally like to take this space to write about something other than IBM i security concerns and this is just such a time.  With the shelter-at-home orders in place for several weeks now, I have been having lots of meetings on-line using video conferencing tools.  My tool of choice has been Zoom, but I’m sure this can apply to any such service.

This blog entry is the result of observations of behavior during on-line meetings from people who are mostly new to the genre.  I hope that these “etiquette” tips are helpful for my readers as they get used to new ways of meeting and socializing on-line.

Lighting

Keep in mind that this is not only an audio conference call, but a video (i.e., visual) conference call.  As such, your lighting is important.  A major benefit of video meetings is that you can better “read” others in the meeting because you can see them.  If the lighting for your image in the meeting is such that your face is in shadow, then the benefits are lost.  I have poor lighting in my office with a big window on one side and glaring fluorescent lights in the ceiling.  After some experimentation, I bought a bright LED desk lamp which I now use while turning the overhead lights off.  It produces a much better image.

One thing I’ve noticed that frequently happens is that someone sets up their camera (or laptop) so that there is a window behind them.  This invariably leaves their face in shadow.  I was in a meeting of local relief organizations recently where one participant, who had a lot to say, was just a shadow on the screen for the entire meeting.  It was very frustrating.

Eating

I know you’re working from home and it is convenient to try and multi-task by having your lunch during the meeting, but I point out again that this is a visual medium.  If you were at an in-person meeting in a conference room, would you want to be the only participant having lunch while all the others sat there and watched you eat?  I doubt it.  The same is true of your virtual meeting.  For me, I think this even extends to chewing gum during the meeting.  During another meeting last month, someone actually spent part of the meeting in the kitchen cooking themselves lunch which they then proceeded to eat on camera.

Sound

Another good practice is to keep your microphone on mute when you are not talking or being called on to talk.  My office is located on a state highway.  I get big trucks rumbling by and the occasional emergency vehicle screaming past, so I stay on mute as much as possible.  If you’re working from home, it is not uncommon for a barking dog, a ringing telephone or any one of a myriad of audible interruptions to intrude and detract from the meeting.

Attention

During the meeting, stay engaged.  If you are trying to process email or do other things during the meeting, it will show in your level of attention and participation.  Another behavior that I’ve observed is someone who spends an entire meeting propping up their head with their arm.  During that meeting, I wrote them off as bored to death and not interested in what was going on.  That may not have been true, but do you want to send that message to the others in attendance?

Rehearse

I have also been in several meetings where one or more participants had no idea what they were doing and how to control their conference session.  If you’re a host, take the time before any meetings to understand the tool that you will be using.  I can commend Zoom for the plethora of aids that they have available, including on-line orientation sessions for hosts and even meeting guests.  My solution is to have a dry run with a friend.  Take the time to understand how to turn your mic off and on.  Learn how to share content and then un-share it.  Learn the various display modes that you can use.  Get comfortable with the tool.  I was in yet another meeting recently when someone in the meeting accidentally shared their screen and then no amount of coaching them during the meeting could get the shared screen turned off.

If you have questions or comments, feel free to contact me directly by email: rich at kisco.com.

IBM i Security Concerns While You’re Working From Home

By Rich Loeber

During this time of Covid-19 crisis, most of our customers are reporting in that they are working from home and will probably be doing so for several months.  We are working independently here too where I find myself the only one in the office.

With so many people working with remote access, what are the security risks to your IBM i as a result?  If you aren’t mindful of security during this crisis, you could expose your system unnecessarily and create issues for you that will last a lot longer than the current crisis.

Here are a few that come to my mind right away:

Telnet

If your users/programmers/system administrators are using 5250 terminal sessions to access your system, make certain that they are all using SSL for the connection.  Last month, I posted an update to a prior blog post on this topic: http://www.kisco.com/ibm-i-security-tips/?p=312.  If your terminal sessions are not using SSL, then your user profiles and passwords are traveling over the Internet as plain text.  Given that programmers and administrators tend to have super user profile privileges, this could be catastrophic.  In my opinion, this should be your number one concern.

Browser Based Applications

When you are in the office and working on browser based applications hosted on your IBM i system, you might consider yourself to be safe if you are running the application using an HTTP address.  While that may be true, when you run that same browser based application from home using HTTP, the data that transfers back and forth to your desktop environment will be sent in plain text.  Since most applications require a sign-on process, your user profile and password are again exposed while in transit.

The solution is to update your HTTP application to use HTTPS protocols.  By making this change, the browser data streams will be encrypted, adding the necessary security that you will need.  Several years ago, I posted a tip here on how to make that change.

File Transfer Protocol (FTP)

While working in the office and hiding behind a firewall, bringing up a quick FTP session on your desktop to transfer IBM i information to/from your personal computer is a quick and easy way to get things done.  Doing that same thing while working remotely can, like telnet and the browser applications, expose your user profile and password as open text.

The solution is to change your access to use SFTP (Secure File Transfer Protocol).  The good news is that IBM i supports SFTP.  I found this article at an IBM website on how to set this up for your use.
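
Server-side settings that enforce what the Telnet and FTP sections above ask of each user, shown as an added example rather than configuration from the original post. It assumes a server certificate is already assigned to the Telnet server in Digital Certificate Manager and that the IBM i OpenSSH option is installed.

```cl
/* Telnet: accept only SSL sessions, so a 5250 client that is still  */
/* configured for plain text can no longer connect and send a        */
/* password in the clear.                                            */
CHGTELNA ALWSSL(*ONLY)

/* Restart the Telnet server so the new attribute is picked up.      */
ENDTCPSVR SERVER(*TELNET)
STRTCPSVR SERVER(*TELNET)

/* FTP: stop the plain-text server and keep it from starting again   */
/* with TCP/IP.                                                      */
ENDTCPSVR SERVER(*FTP)
CHGFTPA AUTOSTART(*NO)

/* SFTP is served by the SSH daemon.                                 */
STRTCPSVR SERVER(*SSHD)

/* Check the listeners: telnet-ssl (992) and ssh (22) should be      */
/* present, telnet (23) and ftp-control (21) should not.             */
NETSTAT OPTION(*CNN)
```

Make the change from the system console or another session that does not depend on plain-text Telnet, and confirm an SSL 5250 session connects before relying on it.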

This quick tip just scratches the surface of these issues.  These were the issues that came to mind as being highest on a list of concerns.  I would love to hear from any of my readers who have more ideas on areas where we should have serious concerns.

If you have questions about details of this tip, feel free to contact me directly by email: rich at kisco.com.

More About Controlling Access to Spool Files

By Rich Loeber

In my last tip, I talked about controlling access to spool files through implementation of IBM i OS object authority at the output queue level.  In this tip, I’ll be taking a look at three additional parameters that are associated with IBM i output queues that can extend the level of control you have over sensitive reports on your system.

The three parameters in question are:

  • Display any file (DSPDTA)
  • Operator controlled (OPRCTL)
  • Authority to check (AUTCHK)

These three work to give you more control over access to spool files beyond what is available through object level controls on the output queue.

One thing to keep in mind is the proliferation of user profiles with special authority of *SPLCTL.  This is the equivalent of the evil *ALLOBJ authority, but as applied to spool files.  You should restrict granting of *SPLCTL to only those user profiles where it is absolutely required.  As you read on in this tip, remember that if a user profile has *SPLCTL authority, then they can cut through these restrictions as they will not apply (with one exception as noted).

“Display any file” (DSPDTA) is intended to protect the contents of a spool file by setting authority requirements.  There are three values available, *YES, *NO and *OWNER.  Each of these provides progressively increased levels of authority requirements to view, copy or send spool files in the output queue. *YES allows anyone with READ authority to work with files in the output queue. *NO restricts that to the owner, those with *CHANGE authority and those with *SPLCTL special authority. *OWNER further limits this to just the owner profile and any profile with *SPLCTL authority.

“Operator controlled” (OPRCTL) controls whether or not a user with *SPLCTL special authority is allowed open access to this output queue.  The default value on the Create Output Queue (CRTOUTQ) command in the IBM i OS is *YES which is why most output queues are open season for users with *SPLCTL authority.  Changing this value to *NO will force normal object authority rules to control access to the output queue.  If you have an output queue with sensitive information stored and you are concerned about *SPLCTL users gaining access, this is the key parameter value that can save the day for you.

“Authority to check” (AUTCHK) controls how users with *CHANGE authority to the output queue will be given access to change, delete or copy spool files in the queue.  When this is set to *OWNER, only the owner profile of the spool file can change or delete spool files.  Using the value of *DTAAUT changes this control so that it looks at object level controls for the output queue.

Using these parameters intelligently can give you much added control over how users access (or don’t access) spool files on your system.  Using them in combination can be a little confusing, but if you look in your IBM i OS Security Reference manual under the Work Management section on Securing Spool Files, you will find a full page chart for this set of parameters and how they can be used in combination to achieve your specific objectives.
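
The three parameters applied to one sensitive output queue, as an added example that is not part of the original tip. The library, queue and profile names (PAYLIB, PAYROLL, PAYCLERK) are placeholders.

```cl
/* Review the current DSPDTA, OPRCTL and AUTCHK values first.        */
WRKOUTQD OUTQ(PAYLIB/PAYROLL)

/* Tighten the queue using the values described above:               */
/*   DSPDTA(*OWNER)  most restrictive setting for viewing data       */
/*   OPRCTL(*NO)     no open access; object authority rules apply    */
/*   AUTCHK(*OWNER)  only the spool file owner changes or deletes    */
CHGOUTQ OUTQ(PAYLIB/PAYROLL) DSPDTA(*OWNER) OPRCTL(*NO) AUTCHK(*OWNER)

/* With OPRCTL(*NO), object authority on the queue decides who gets  */
/* in, so shut out *PUBLIC and grant access by name.                 */
GRTOBJAUT OBJ(PAYLIB/PAYROLL) OBJTYPE(*OUTQ) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(PAYLIB/PAYROLL) OBJTYPE(*OUTQ) USER(PAYCLERK) AUT(*USE)

/* Dump basic profile information to a work file, then review the    */
/* special authorities recorded there for profiles holding *SPLCTL.  */
DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
          OUTFILE(QTEMP/USRPRFS)
```

Run WRKOUTQD again afterwards to confirm the new values.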

If you have any specific questions about this topic, you can reach me at rich at kisco.com.  I’ll try to answer your questions.  All email messages will be answered.