On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:

>Easy to say "do not share your RACF db"; harder in reality. Most sites
>believe they are safe because their RACF db is security protected and the
>dasd is not shared. And then completely forget that backups (to physical or
>virtual tape) contain the exact same information. And quite often the DSN
>used for the backup tapes is some type of dasd-manager HLQ, since it was
>most likely a full-volume backup that happened to contain the RACF db. And
>even if the HLQ for the full-volume backups is read-protected; it is still
>far easier to hack a tape dataset. Often, tape libraries (physical and
>virtual) are shared with less-secure test machines and quite often even with
>non z/OS systems. Granted, you will need the physical layout of the RACF db;
>but not the entire layout. Just enough to identify where the passphrases are
>maintained.
>
Aren't the passwords encrypted? But how strong is the encryption?
It would be peculiarly pointless to store fewer bits of the encrypted
password than are used in the encrypting key.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

