Done that many times during security assessments at customers' sites. For example, look at your SYS1.UADS dataset and compare it to RACF. You probably will find users that are defined in your UADS dataset, but not in RACF. More than that, IBM ships the UADS dataset with a few users that are probably not defined in your RACF... There are many other ways we use, but this is not the proper place to discuss them ;-)
ITschak

On Thu, Oct 14, 2010 at 7:14 AM, Ron Hawkins <[email protected]> wrote:

> Ed,
>
> Your dates may be a little out. The site where I was an Operator turned on
> RACF in 1983. I remember because we were able to browse SYS1.UADS and get
> everyone's passwords after the conversion.
>
> Ron
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Ed Gould
> > Sent: Wednesday, October 13, 2010 9:17 PM
> > To: [email protected]
> > Subject: Re: [IBM-MAIN] Mainframe hacking?
> >
> > --- On Wed, 10/13/10, Ricc Harding <[email protected]> wrote:
> >
> > From: Ricc Harding <[email protected]>
> > Subject: Re: Mainframe hacking?
> > To: [email protected]
> > Date: Wednesday, October 13, 2010, 3:56 PM
> >
> > When I worked for a large computer manufacturing company in 1984, I would go
> >
> > ---------------SNIP-----------------------------
> >
> > Were the shops using any security product, i.e. RACF/ACF2/Top Secret? I
> > suspect at that point in time they probably did not. I certainly did not
> > know of any installations that were using them, except perhaps 1 and I
> > think that one got the ACF/2 free (UIC). Also I think at that time from my
> > rather poor memory was that even with a security package the systems were
> > just not locked as they should have been. Somewhere in the late 80's (if
> > memory serves me) companies really got serious about security.
> >
> > Of course if people posted the passwords with stickem notes then all bets
> > are off on any security package. My vague recollection is that the first
> > few years of RACF were pretty bad (for security). I just remember hearing
> > people saying RACF can't do this or that and ***** could. My impression of
> > these complaints were at best poor as even the product that claimed to be
> > able to do the requested item was at best iffy and was very prone to PTF
> > retrofits and zaps on top of IBM modules.
> >
> > I am not so much as defending RACF (or any of the other products) as
> > saying IBM had not put in SAF entirely everywhere it needed to go. I guess
> > I would make this statement as far as any security product. If IBM doesn't
> > make the insertion of the SAF call, trying to insert any vendor's codes is
> > doomed to failure.
> >
> > Ed
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: GET IBM-MAIN INFO
> > Search the archives at http://bama.ua.edu/archives/ibm-main.html

