Rick Fochtman wrote:
---------------------------<snip>---------------------------
On the one hand, people say security by obscurity is no security. On the
other hand, it is easier to find some hole when you know details about
the system.
--------------------------<unsnip>---------------------------
Most of us here on the list could probably develop a fairly accurate
picture of the configuration just from the information that's in
storage, so "security by obscurity" is a fairly nebulous concept at
best.

Agreed. However, sometimes the hacker is not as knowledgeable as you.
Sometimes he does not have direct access to the system, but rather "kindly
asks" someone to do something.

On the other hand, knowing about the configuration does NOT
automatically confer the ability to interfere with it. Any shop that's
even moderately secure will have APF-authorized libraries secured from
unauthorized updates, preventing the hacker from implanting his goodies.
Knowing what datasets are authorized doesn't allow me to update them
with my code. QED ??

Agreed again. However, for example, knowing the IP address of some
host allows me to perform some DoS attacks, or, even better, to attack
the DNS server (it can be our favorite Windows machine <g>) just to replace
our host with some fake one. Knowing some powerful user name does not
mean you can logon; however, you can deny logon for this person.

Last but not least: if you know many details you can try "social
engineering" - call operators and talk to them about a specific job in
some MVS image. You could "teach" them that you're a new staff member. The next
call can be a request to do something, i.e. change the ftp address for some
report being sent...

Of course, if you are sure you are 100% secure (I mean both: system and
human procedures) and you don't have any security flaws, then you can
even publish your configuration in a newspaper. Personally, I won't dare. <g>

Regards
--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html