When I worked for a large computer manufacturing company in 1984, I would go with their corporate audit team to attempt to penetrate their in-house MVS systems. We would, depending on the site manager's wishes, either attempt to access critical data from normal TSO userids, or we would attempt to access the mainframe without any TSO IDs given to us. In the case of working without any TSO IDs we still had physical access to terminals and programmers' offices, so unlocked desks and trash cans were fair game. In 8 audits of sites all over the world, we never failed to gain access to critical data. The ways in which we penetrated the systems led to many of the changes implemented in the way RACF was suggested to be used. We also had lists of hundreds of ways to penetrate the system from unauthorized userids, using "clever" attacks and unprotected control elements or restricted utilities.

Since 1984 the list of areas that can be exploited to gain access to data, both protected and unprotected, has grown proportionally, and though the systems can be secured much more tightly now, any system that is accessible by users who are not inside a secured area, in my humble opinion, can be hacked, if you define hacked as gaining unauthorized access to sensitive data. We sometimes sat down with dumps and disassembled user-written SVCs and exit modules to exploit programming errors. A patient hacker can gain access eventually.

I think the time, knowledge, and effort to do this today are simply not worth the potential penalties when caught after the fact, IMHO. Those who have the knowledge to do the break-ins are usually employed in positions to stop the break-ins. But with zIIPs and IFLs and zAAPs there are just getting to be so many places to keep track of....

