Arpeggio Goes for the ‘Hacker Shutdown’ with 2FA Offering for IBM i

April 22, 2014 Alex Woodie

If you haven’t heard of Arpeggio Software, you’re missing out on cool stuff for your IBM i server. The latest batch of mostly free goodness comes in the forms of ARP-SMS, which provides an IBM i interface for sending messages via the Short Messaging Service. It’s also gearing up ARP-AUTH, which uses that SMS function to implement two-factor authentication on your lovely, lonely server.

Arpeggio unveiled ARP-SMS in late March to enable organizations to effectively “use their IBM i like a smartphone,” the company says. The software integrates with Twilio‘s cloud-based service, and provides an IBM i version of Twilio’s API for receiving SMS messages on the IBM i platform. Arpeggio provides a CL command for sending SMS text messages from the IBM i server to a phone number or a list of phone numbers. Customers must purchase a Twilio subscription to make this work.

There are a variety of uses for ARP-SMS. With a little configuration work, a customer could use the software to automatically send text alerts to smartphones when certain messages hit the QSYSOPR message queue, such as an abnormally ending job or a failed backup.

With a little more work (and money–see below), users can also configure the software to trigger commands on the IBM i server. In this capacity, IBM i commands could be set up to execute automatically in response to text alerts send from the administrator’s smart phone.

Twilio also supports voice messaging, and ARP-SMS provides this capability to convert text messages into voice messages. This could potentially be used as the backbone for using the IBM i server to send out audio communications or marketing material.

ARP-SMS is available in free and not-free editions. The free edition gives users the capability to send SMS messages to one or more recipients. The Standard Paid Edition gives users the capability to receive SMS messages on the IBM i to trigger processes.

Two-Factor Authentication

ARP-SMS is also the basis for Arpeggio’s latest offering, ARP-AUTH. Currently in beta, ARP-AUTH is a two-factor authentication solution designed to provide another layer of security protection when users are signing onto the IBM i server.

When a user attempts to log in to the IBM i server, ARP-AUTH intercepts the request and sends a PIN number (via the Twilio network) to the user’s smartphone. Unless the user correctly enters the PIN number in a certain amount of time, the user will not be granted access.

But that is just the start. Arpeggio has also added a “hacker shutdown” feature that allows a user to initiate emergency security precautions in the event that he receives a PIN on his smartphone when he hasn’t attempted to log onto the server. By simply replying to the SMS PIN message, the user can initiate the hacker shutdown procedures, which include blocking IP addresses, disabling user profiles, and sending alerts to the security officer.

When it’s available, ARP-AUTH will come in a free edition and a Standard Paid Edition. The free edition provides the two-factor authentication feature for a limited number of users, while the Standard Paid Edition supports an unlimited number of users, as well as the hacker shutdown feature.

ARP-AUTH could be a huge hit for Arpeggio, especially in light of the Heartbleed vulnerability in OpenSSL and the revelation that billions of passwords were potentially compromised. The software hasn’t even been released in GA form, and yet it is already the most requested download on the company’s website.

Arpeggio, which was founded several years ago by Rich Brown and others from TrailBlazer Systems fame, has quietly assembled an impressive roster of free and low-cost IBM i utilities that leverage open source tools and inexpensive Web services, such as Twilio and Dropbox, including ARP-DROP, ARP-SFTP, ARP-ZIP, ARP-SAVE, ARP-MAIL, and SIFT-IT. The company primarily makes money by charging for maintenance and technical support. For more information see its website at www.arpeggiosoftware.com.