I did not make the discovery; and I will therefore respect, for now at least, the discoverer's decision not to make the miscreant's name public.
I believe, however, that this name should be made public. This information should not be confined to the priesthood. Trapdoors are not new, and I suspect that those of us who know how to do so have all made transitory use of similar devices in testing our own code. For an ISV to leave such devices in distributed code, in effect to compromise the integrity of its customers' systems, is very different; it is, at best, despicable. There had been a tacit assumption that notionally respectable ISVs do not do such things. That assumption has been undermined, and even responsible ISVs will now have to spend time and energy reassuring their customers that they are not guilty too. They are all now in the position of a locksmith suspected of burglary.

On 2/24/12, Martin Truebner <[email protected]> wrote:
>>> I'd prefer to not name names. <<
>
> But it is out in the public already-
>
> Here is the story - a certain well-known German (now doing what GSF did
> before) and I were talking in a sauna of a hotel in (I forgot the city)
> about how to hack an MVS system I found with the url ending with
> nyc.org.
>
> That system had barn doors wide open (in CICS) in 2009 for more than
> 6 months and we considered this a good chance to show how
> vulnerable even z/OS is (*).
>
> We both are freelancers and there was not enough funding ;-(
>
> (*) with the right/wrong people on the appropriate side of
> the fence.
>
> --
> Martin
>
> Pi_cap_CPU - all you ever need around MWLC/SCRT/CMT in z/VSE
> more at http://www.picapcpu.de
>

--
John Gilmore, Ashland, MA 01721 - USA
