I see a much bigger issue: knowledge. Once we old timers cash it in, like Walt 
was lucky enough to do, then who will 'carry the torch'? The newer 'kids' 
don't want the responsibility or know-how, just the cash. Sorry, not trying to 
be mean or negative; I am second generation IT....

Hopefully, schools like Steve and others will have an influx to train the 
youngsters.

Sent from my iPad
Scott Ford
Senior Systems Engineer
www.identityforge.com



On Mar 27, 2012, at 3:23 PM, Scott Ford <[email protected]> wrote:

> All,
> 
> I think we all agree that every system has vulnerabilities, whether Windows, 
> Unix, VM, or z/OS;
> the methods make it difficult for hackers to get into the systems, no 
> different than protecting a home from robbers. By using a big dog and a 12 
> gauge... or electronic security system... many of us use 
> firewalls, routers, RACF, ACF2, TSS, pass-phrases, encryption to slow down the 
> intruder.
> 
> Sent from my iPad
> Scott Ford
> Senior Systems Engineer
> www.identityforge.com
> 
> 
> 
> On Mar 27, 2012, at 2:49 PM, David Cole <[email protected]> wrote:
> 
>> I'm sorry Tom. I did not intend my remarks to be personal. I deeply regret 
>> that you feel hurt by them. Please don't let my words deter you from future 
>> contributions. Your thoughts generally are more valuable than most.
>> 
>> I just wanted to emphasize the APF Trojan horse vulnerability. It is real, 
>> it is serious, yet for decades everyone seems to want to pretend that it 
>> does not exist... It mystifies me.
>> 
>>> www.zassure.com is the closest thing I've seen to an MVS anti-virus 
>>> program.  After seeing a demo, I would have bought it, or recommended it to 
>>> a client.  Check it out, you will be surprised, if not shocked.
>> 
>> Thank you for this. I will check it out.
>> 
>>> [Regarding SAF] I do take issue with your last sentence.  SAF and an ESM 
>>> have everything to do with anti-virus protection, provided they are 
>>> configured to correctly protect APF-authorized resources.
>> 
>> Perhaps. However, all an APF authorized program has to do is flip a bit or 
>> two in certain RACF control blocks, and voilà! He's suddenly a supervisory 
>> program and, as such, is given a pass on all RACF calls... Alternatively, a 
>> malicious APF program can simply dynamically front-end certain supervisory 
>> programs, and again voilà! (As I'm sure you know, APF programs can fairly 
>> easily defeat all hardware storage protections.)
>> 
>> Yes, SAF is still called even for APF programs, but an APF program can still 
>> subvert those calls.
>> 
>>> I've never forgotten this [APF libraries]. That's why my APF-authorized 
>>> libraries are severely limited in scope, and audited for any and all 
>>> updates.
>> 
>> Enforcing trust is a technical issue. RACF is very good at that. Deciding 
>> who to trust is a management issue. Even shops that allow only trusted 
>> vendor software into APF authorized libraries are implicitly trusting the 
>> hundreds or even thousands of people involved in the development of that 
>> software.
>> 
>> Again, I go into more detail about this in my prior post: 
>> <https://bama.ua.edu/cgi-bin/wa?A2=ind0608&L=IBM-MAIN&P=R63457&I=-3&X=6EB01556E36E4D9CAC&Y=dbcole%40colesoft.com&d=No+Match%3BMatch%3BMatches>.
>> 
>> Again, please accept my apology, Tom. It was not intended to be personal. 
>> I'm sorry it came out that way.
>> 
>> Dave Cole              REPLY TO: [email protected]
>> ColeSoft Marketing     WEB PAGE: http://www.colesoft.com
>> 736 Fox Hollow Road    VOICE:    540-456-8536
>> Afton, VA 22920        FAX:      540-456-6658
>> 
>> At 3/27/2012 02:21 PM, Pinnacle wrote:
>>> Replies like this are why I seldom post to IBM-Main anymore.  The fact that 
>>> it comes from someone who I respect and consider a friend hurts all the 
>>> more.  Bottom line is that I work for a living, and I often don't have time 
>>> to respond in gory detail to everything posted.  My primary objective here 
>>> was to stress that the z/OS architecture is inherently hardened against 
>>> viruses.  The fact that I did not go into explicit protections for 
>>> APF-authorized programs appears to have been my fatal flaw, according to 
>>> Mr. Cole.  Regardless of what comes back, this will be my last post on the 
>>> subject.  My comments below.
>>> 
>>> Regards,
>>> Tom Conley
>>> 
>>> On 3/27/2012 1:06 PM, David Cole wrote:
>>>> At 3/27/2012 11:19 AM, Pinnacle wrote:
>>>>> There is a mainframe product that protects against malicious software. 
>>>>> It's called SAF, and it interfaces with ESMs like RACF, or ACF2, or 
>>>>> TopSecret.
>>>> 
>>>> "SAF" is not a product. It stands for "System Access Facility" and it is 
>>>> nothing more than an interface within z/OS into which a security system 
>>>> (such as ACF2, TopSecret and any ryo security system) can plug to 
>>>> receive and respond to security calls. It really has nothing to do with 
>>>> anti-virus protection.
>>> 
>>> SAF is not a product, you're right.  Please forgive my use of the term 
>>> "product", I should have said "feature".  I do take issue with your last 
>>> sentence.  SAF and an ESM have everything to do with anti-virus protection, 
>>> provided they are configured to correctly protect APF-authorized resources.
>>> 
>>>>> It [z/OS] is the only operating system out there with built-in anti-virus 
>>>>> protection. On top of that, the hardware itself actively protects against 
>>>>> damage through storage keys, protected memory, etc.
>>>>> You have to explain to the auditors that anti-virus software is not 
>>>>> needed on z/OS, because it's intrinsic to the operating system and the 
>>>>> hardware.
>>>> 
>>>> I think you seriously misunderstand what a virus is...
>>>> 
>>>> Yes, z/OS has exceptional security (and integrity and reliability) 
>>>> features for protecting against non-authorized programs. But I must 
>>>> emphasize... -->NON<--authorized programs!
>>>> 
>>>> When it comes to AUTHORIZED programs, z/OS's integrity (which is what you 
>>>> are talking about with "storage keys" and such) is very good, but of 
>>>> course not bulletproof. Worse though, when it comes to SECURITY, there are 
>>>> some real problems! Because with the proper knowledge, it is TRIVIALLY 
>>>> EASY FOR AN AUTHORIZED PROGRAM TO SUBVERT SECURITY COMPLETELY!
>>>> 
>>>> This is what mainframers constantly forget regarding security. For 
>>>> authorized programs there is no security. All that is necessary for a 
>>>> malicious program to do is to Trojan-horse its way (with the AC(1) 
>>>> attribute) into an authorized library, and you're done for!
>>> 
>>> I've never forgotten this.  That's why my APF-authorized libraries are 
>>> severely limited in scope, and audited for any and all updates.
>>> 
>>>> 
>>>> As far as I know there is no serious anti-virus program for mainframes. I 
>>>> believe strongly that there needs to be one, but I don't know of one. And 
>>>> at this stage of the mainframe culture, I would be seriously suspicious of 
>>>> the efficacy of any program that claimed to be anti-virus. I don't think 
>>>> that a serious mainframe anti-virus program can exist unless and until IBM 
>>>> itself makes a commitment to support an effort to make the mainframe 
>>>> anti-virus proof.
>>>> 
>>> 
>>> www.zassure.com is the closest thing I've seen to an MVS anti-virus 
>>> program.  After seeing a demo, I would have bought it, or recommended it to 
>>> a client.  Check it out, you will be surprised, if not shocked.
>>> 
>>> ----------------------------------------------------------------------
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to [email protected] with the message: INFO IBM-MAIN