On 2017-12-23, at 10:09:47, Walt Farrell wrote:

> On Fri, 22 Dec 2017 21:26:07 +0000, Jon Perryman wrote:
>
>> Charles broke the cardinal rule in security (never say never). Viruses
>> rely on dynalloc. This vulnerability was used against Target where they
>> were recently fined $18 million and lost millions in revenues for their
>> data breach.
>
> Can you point to reports that talk about how the Target breach occurred? I
> have not seen any descriptions of it publicly that could allow one to draw
> the conclusions you've made.
>
> (I'm assuming, by the way, that you don't literally mean that z/OS, and
> dynalloc, were involved. If you do mean that, the reports should also
> specifically describe the system that was breached, the OS, etc.)

Sometimes IBM, for example, delays issuing such reports not only until
patches are available for all supported OS versions, but longer lest
customers be dilatory applying such patches, and longer yet to protect
customers running OS versions out-of-support. In particular:

> On Wed, 14 Apr 2010 09:46:01 -0500, Walt Farrell wrote:
>> ...
>> "regardless of any data set protections you may have in place."
>
> In the original discussion, it was speculated that IBM obviously did not
> understand that one should protect the data sets rather than trying to
> protect the program or functions. And that therefore anyone who did have
> proper data set protections is safe.
>
> In most cases that is true. In this case it is not (that's why there is an
> exposure, and that's why we had the System Integrity APAR IO11698 and its
> PTF(s)).
>
> Some of you are trying to guess what the exposure is, or speculating about
> what it may be. We will not participate in such speculation or confirm
> anything about it.
>
> What is important is that you understand that you are at risk if you do not
> carefully control who can run those SMP/E functions, and that your users who
> can run those functions must be very trusted users. And that's why we have
> the new APAR IO12263.

I'll note that years later the reference manuals came to describe the
exposure with reasonable clarity.

-- gil
