john gilmore wrote:
Gilbert Saint-Flour writes:
What you describe is "security through obscurity". I believe most
people on this list agree that it is
an ineffective way to protect a computer system.
and he may well be right that they do, although how he knows this is not
clear to me.
I would venture a guess that he is judging from empirical data.
Microsoft takes great pains not to divulge Windows code, or even all the
available interfaces, yet doing this does very little to deter
determined miscreants from releasing worms and viruses.
I have myself been writing mainframe assembly language routines since
OS/PCP, and in this now long interval I cannot recall ever having spent
time attempting to circumvent a security provision, but I have
nevertheless discovered a number of places where such circumventions
are possible, sometimes by blundering upon them and sometimes by
observing the black-box behavior of OCO modules for other, wholly
practical reasons.
In the beginning, in my case with 704/709 FAP as with PCP, there was
neither security nor rudimentary system protection; a misbehaved program
could overwrite the system, and ruin files. However, I consider some
circumventions essential, related to the way a facility is operated. For
example, opening a data set sets the access date in the format 1 DSCB;
at my installation(s) we routinely copied and compressed data on
selected volumes as a service to the user. Doing so with normal OS
facilities invalidates meaningful information, whereas bypassing
security by opening an entire volume as a data set avoids perturbing
information. And yes, use of the program was restricted to a few
specific system staffers by our security system.
'Decent obscurity' makes some things unavailable, or at least very much
more difficult of access, to the unlearned; and this is useful.
I agree that RACF and similar facilities are vital to our industry,
since a single breach could impact millions of people. And that
"security through obscurity" serves the useful function of deterring all
but determined individuals from creating problems; the majority tends to
be intellectually lazy, and won't go out of its way to acquire
information not of immediate benefit. How many people do you know who
have used the Internet to find information on explosives (or in some
cases remember their college chemistry)? Our society is lucky in that
most of us with intellectual curiosity are not evil.
Gerhard Postpischil
Bradford, VT