The message below is one of a set of messages on a topic relating to the 
security of the zOS operating system.  Based on my knowledge of the 
internals of the operating system, I would say there exists, at minimum, a 
reputation risk if it were known that Tsys had installed software from a 
vendor (in this case alleged to be CA - see the email stream) that uses a 
questionable practice such as the one represented by the set of emails.

The high level is this:

IBM zOS uses a strategy for system security that classifies all "programs" 
as trusted or not-trusted.  The facility for trusting is the APF 
(Authorized Program Facility).  A trusted program can do trusted things.

One of the trusted things a trusted program can do is impart the trusted 
property to non-trusted programs.

This set of emails alleges that the vendor code creates a facility to do 
this.  The facility itself is protected by obscurity only.  The set of 
emails says that a person who can view storage (likely to be any online 
user) can find the facility in memory.  Anyone with knowledge of machine 
code can reverse engineer it.

The email below indicates that a person monitoring "chatter" in places 
where security breaches are a topic of interest has seen mention of this 
topic.

My advice is:

Look at the traffic on the list [email protected].
LISTSERV.UGA.EDU is the website.
Select Browse, Subscribe, Post, Search ...
Find ASSEMBLER-LIST
Create a signon to the list
Search the archives for FLIH in the title
At the moment there are 24 messages.

Have someone knowledgeable in system internals look at memory on Tsys 
mainframes and see if the hook is in place on Tsys machines.

Raise this issue with the vendor to see if they acknowledge the issue and 
ask for a response.

Richard Kuebbing
LPA
TSYS Intl Products & Svcs Dev
Phone: 678-797-8711
Fax: 678-797-8836
email:[email protected]

Efforts and courage are not enough without purpose and direction. - John 
F. Kennedy
Fasten your seat belts, it's going to be a bumpy ride. - Bette Davis (as 
character Margo Channing) _All About Eve_1950
Our greatest danger in life is in permitting the urgent things to crowd 
out the important. - Charles E. Hummel
The probability of error in a change is inversely proportional to the size 
of the change. - B.I Kahn's First Law
The probability of error in a one character change is approximately 100%. 
If the possibility of collateral damage exists, the probability of error can 
appear to exceed 100%. - corollary to B.I Kahn's First Law

IBM Mainframe Assembler List <[email protected]> wrote on 
02/24/2012 02:56:46 PM:

> From: John Gilmore <[email protected]>
> To: [email protected]
> Date: 02/24/2012 02:59 PM
> Subject: Re: Program FLIH
> Sent by: IBM Mainframe Assembler List <[email protected]>

> Edward Jaffe wrote:

> <begin snippet>
> I think John meant PUBLIC--as opposed to known among a small
> minority, including those involved in this discussion.
> </end snippet>

> I did.  I know very well who the culprit is.

> I have also been chided for failing to provide an apposite quotation.
> Here then is one:

> C'est pire qu'un crime, c'est une faute.
>     --Charles-Maurice de Talleyrand-Périgord.

> [It's worse than a crime; it's a mistake.]

> The notion that it would be uneconomic to eliminate this device seems
> to me to miss the point.

> One of my colleagues has already found some internet chatter about it,
> and it is a question of hours before prepackaged exploitations become
> available to every clicker.  Then, since its use is negligent (in the
> sense that secure alternatives to it are readily available, known to
> anyone "learned in the art"), there is a strong likelihood that the
> courts will hold the culprit liable for consequential and perhaps even
> punitive damages.

> John Gilmore, Ashland, MA 01721 - USA

