Hal
>> Since you were asking in public, I assumed the reply would be in public.
You could, after all, have asked in private.
> Um, I said I don't discuss off list conversations and gave one reason.
Um, perhaps you didn't notice that I pointed out you asked in public and that
at the very least I would have expected a public post to take us all of
tenterhooks and mention that the question had been addressed in private.
> Please don't infer anything further.
Pleas or no pleas, I intend to infer the following as you might well have
expected:
1. That you responded to my post reviving a topic - for which thanks - which
very much needs an answer and referred to a private conversation ("off list
conversations") indicates that there has indeed been a private conversation.
2. Whether your question was answered or not in that private conversation is
irrelevant. What has not happened is that the famous 20+ ways in which SNA
can be compromised have not seen the light of day. Thus we can conclude
that they cannot stand up to examination.
3. These famous "20+ ways" are only quietly rumoured as a way of promoting
an - until demonstrated otherwise - unnecessary product incurring an
unnecessary expense on top of what is already paid for the SNA products.
Caveat emptor.
Chris Mason
On Tue, 11 Aug 2009 11:52:50 -0500, Hal Merritt
<[email protected]> wrote:
>Um, I said I don't discuss off list conversations and gave one reason. Please
don't infer anything further.
>
>I added that I respect the opinions, but did not say whether or not I agree
with those opinions.
>
>I'm also trying to say that I, personally, cannot add much value to this
>topic.
I'm well out of my league here.
>
>-----Original Message-----
>From: IBM Mainframe Discussion List [mailto:[email protected]] On
Behalf Of Chris Mason
>Sent: Tuesday, August 11, 2009 11:12 AM
>To: [email protected]
>Subject: Re: VTAM security issue
>
>Hal
>
>> As a matter of courtesy I very rarely discuss off list conversations.
>
>Does this mean Jim Marshall passed on the information you requested in
>private? Since you were asking in public, I assumed the reply would be in
>public. You could, after all, have asked in private.
>
>If you did receive the untested claims of "compromise" in private I'm glad you
>at least mentioned your "courtesy" rule.
>
>Now I can request in public and expect to be answered in public. Otherwise
>we must take it as evidence that the claims of "compromise" do nor survive
>the light of day - and, assuming we have exploited all the functions available
>with VTAM and associated products "at no extra cost", those actually
>affected - and I am not really one - can sleep soundly.
>
>From what I can glean from your general comments, you appear to be
>supporting my charge that FUD was being insinuated and groundless FUD at
>that.
>
>Chris Mason
>
>On Tue, 11 Aug 2009 10:50:47 -0500, Hal Merritt
><[email protected]> wrote:
>
>>As a matter of courtesy I very rarely discuss off list conversations.
>>
>>I'm not going to do that now, but I am going to offer an observation: levels
>of 'security' and what, exactly, that means is often in the eye of the
beholder.
>>
>>VTAM et al seems to become aware of and often seeks to interconnect with
>other networks/hosts automatically. To some, any form of intercommunication
>whatsoever is a security issue. I seem to recall one auditor nearly wetting his
>pants because he could access a logon screen of an application on a remote
>host.
>>
>>Whether or not this interaction would be considered a 'compromise' would
be,
>in my opinion, a matter of opinion. I wonder how I can reasonably demand
>credentials without first providing a way to give them to me. On the other
>hand, simply gaining access to a network is the first step in many kinds of
>attack vectors.
>>
>>I respect the opinions of both sides.
>>
>>
>>-----Original Message-----
>>From: IBM Mainframe Discussion List [mailto:[email protected]] On
>Behalf Of Chris Mason
>>Sent: Sunday, August 09, 2009 10:08 AM
>>To: [email protected]
>>Subject: Re: VTAM security issue
>>
>>JM > Right now I understand there are 20+ ways which VTAM/SNA systems
>>have been compromised.
>>
>>HM > Please give us some details on the compromised VTAM/SNA systems.
>>
>>Hal Merritt - and perhaps many others including myself - are still waiting for
>>Jim Marshall's reply.
>>
>>..snip
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
