On Sun, Jun 19, 2005 at 07:20:36PM +0200, Gil Peleg ([EMAIL PROTECTED]) wrote:

> On the other hand, anyone who worked at the same shop for a long time knows
> how to "trick" its systems.

Not if the people responsible for security of those systems are doing their jobs properly.

[snip]

> Of course, all of this comes from bad implementation of the security tools
> and not the infrastructure provided by the operating system,

Exactly.

> but still, IMO,
> if mainframes were holding a larger market share, we would be hearing of
> more security breaches on mainframes.

My feeling on that is that I disagree with the above.

> I agree the mainframe has all it takes to be a highly secured platform, but
> I have seen not 1 and not 2 shops that just don't facilitate all the required
> mechanisms to become highly secured. Simply running on mainframe doesn't make
> it harder to breach into your system, it only makes it unlikely. Only
> implementing a strong and correct security policy makes it harder to breach
> into your system.

I think that the architecture of the system (MVS, or whatever it's called this week) makes it much easier for competent administrators to set up a secure system than on any other platform.

As has already been discussed, the biggest security loophole on any system is unsecured unattended logons. Even my PC at home has a short timeout to screensaver requiring a password.

Back in the days of only hardwired 327x terminals, I worked in a shop where the systems programmers were in a very insecure area. (Yes, you needed a badge to get into the building. There were 70,000 valid badges.) I wrote a TSO command called LOCK which required the logon password to unlock. To get people to use it, the JWT timeout was set very short, and LOCK had a subtask which woke up every few minutes to prevent timeouts. The whole scheme worked quite well. Many people in the systems group had "TSO LOCK" on an ISPF PF key -- one keystroke when leaving your work area.

OS/2 had a simple way to bring up the lock screen immediately. (Two clicks, I think, but I'm too lazy to boot up my OS/2 machine and look.) Where is this capability in Windoze?

In another shop where any of tens of thousands of people could wander into my office, I had my PC timeout-to-lock set to about 3 minutes. Used to sit there poking it while talking to someone in the office or on the phone.

Back in the 1970s when I was a student at UCLA, it was common practice when encountering an unattended logged on terminal in the public area to change the user's password and then log it off. I highly recommend this approach.

/Leonard

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
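The LOCK scheme described in the post combines three pieces: a short system-wide idle timeout (JWT) that cancels an abandoned session, a lock that engages after a shorter idle period or on demand and can only be cleared with the logon password, and a periodic subtask that keeps the locked session alive so the system timeout does not cancel it. The following is an added example, not code from the post or from any TSO implementation; it models that state machine in plain Python so the interaction between the two timers can be checked. The class and method names (Session, tick, lock, unlock), the timer values and the PBKDF2 password check are all assumptions chosen for illustration.

```python
"""Model of an idle-session lock with a keep-alive subtask (constructed example)."""
import hashlib
import hmac
import os


class Session:
    """A logged-on session guarded by a LOCK-style screen lock.

    jwt_timeout: system idle timeout; an unlocked, idle session is cancelled
                 once this much time passes without activity.
    lock_idle:   idle time after which the lock engages on its own.
    """

    def __init__(self, password: str, jwt_timeout: float, lock_idle: float):
        self._salt = os.urandom(16)
        self._digest = self._hash(password)  # never store the cleartext password
        self.jwt_timeout = jwt_timeout
        self.lock_idle = lock_idle
        self.locked = False
        self.cancelled = False
        self.last_input = 0.0      # last keyboard input from the user
        self.last_activity = 0.0   # last activity the system sees (input or keep-alive)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def input(self, now: float) -> None:
        """User types something; ignored while locked."""
        if self.cancelled:
            raise RuntimeError("session was cancelled by the system timeout")
        if self.locked:
            return
        self.last_input = now
        self.last_activity = now

    def lock(self, now: float) -> None:
        """Engage the lock immediately (the 'TSO LOCK on a PF key' case)."""
        self.locked = True
        self.last_activity = now

    def tick(self, now: float) -> None:
        """Periodic wake-up of the lock subtask."""
        if self.cancelled:
            return
        if not self.locked and now - self.last_input >= self.lock_idle:
            self.lock(now)
        if self.locked:
            # Keep-alive: the locked session stays alive so JWT does not cancel it.
            self.last_activity = now
        elif now - self.last_activity >= self.jwt_timeout:
            # Unlocked and idle past the system timeout: the system cancels it.
            self.cancelled = True

    def unlock(self, password: str, now: float) -> bool:
        """Clear the lock only with the logon password (constant-time compare)."""
        if not self.locked:
            return True
        if hmac.compare_digest(self._hash(password), self._digest):
            self.locked = False
            self.last_input = now
            self.last_activity = now
            return True
        return False


def run_demo() -> dict:
    """Walk two sessions through 200 seconds of user absence; constructed scenario."""
    # Session with LOCK: lock engages at 60s idle, keep-alive holds off the 120s JWT.
    guarded = Session("correct horse", jwt_timeout=120, lock_idle=60)
    guarded.input(0)
    for t in range(10, 200, 10):
        guarded.tick(t)
    wrong = guarded.unlock("wrong password", 200)
    right = guarded.unlock("correct horse", 200)

    # Session without LOCK (lock never engages): JWT cancels it at 120s idle.
    unguarded = Session("correct horse", jwt_timeout=120, lock_idle=float("inf"))
    unguarded.input(0)
    for t in range(10, 200, 10):
        unguarded.tick(t)

    return {
        "guarded_locked_before_unlock": not wrong,
        "guarded_cancelled": guarded.cancelled,
        "wrong_password_accepted": wrong,
        "right_password_accepted": right,
        "guarded_locked_after_unlock": guarded.locked,
        "unguarded_cancelled": unguarded.cancelled,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The contrast in run_demo is the point of the post's design: with the lock in place the idle session survives the short system timeout but is unusable without the password, while the same session without the lock is simply cancelled, which is the outcome a very short JWT is meant to force.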

