---------------------------<snip>---------------------------
On the one hand, people say security by obscurity is no security. On the
other hand, it is easier to find some hole when you know details
about the system.
--------------------------<unsnip>---------------------------
Most of us here on the list could probably develop a fairly accurate
picture of the configuration just from the information that's in
storage, so "security by obscurity" is a fairly nebulous concept at
best.
Agreed. However, sometimes the hacker is not as knowledgeable as you.
Sometimes he does not have direct access to the system, but rather "kindly
asks" someone to do something.
--------------------------------<unsnip>-----------------------------
Then I must have been in a fairly secure shop. Requests of that nature
had to have supervisory approval, after a discussion of any and all
security implications.
-------------------------------<snip>--------------------------------
On the other hand, knowing about the configuration does NOT
automatically confer the ability to interfere with it. Any shop
that's even moderately secure will have APF-authorized libraries
secured from unauthorized updates, preventing the hacker from
implanting his goodies.
Knowing what datasets are authorized doesn't allow me to update them
with my code. QED ??
Agreed again. However - for example - knowing the IP address of some
host allows me to perform some DoS attacks, or - even better - to attack
a DNS server (it can be our favorite Windows machine <g>) just to
replace our host with some fake one. Knowing some powerful user name
does not mean you can log on; however, you can deny logon for this person.
----------------------------<unsnip>----------------------------------
True, but a DoS attack can come from virtually anywhere and any site
that maintains a WEB page is open to that sort of mischief. I can't
speak for an attack on a DNS, be it a Windoze machine or **UX machine.
----------------------------<snip>----------------------------------
Last but not least: if you know many details you can try "social
engineering" - call operators and talk to them about a specific job in
some MVS image. You could "teach" them that you're a new staff member. The next
call can be a request to do something, i.e. change the ftp address for some
report being sent...
---------------------------<unsnip>------------------------------
In my shop at least, those types of requests had to be made by people
that were known, trusted and listed in the operations "call book".
Anyone else wanting a change via operator intervention had to go through
the "trusted" staff members.
------------------------------<snip>------------------------------
Of course, if you are sure you are 100% secure (I mean both: system and
human procedures) and you don't have any security flaws, then you can even
publish your configuration in a newspaper. Personally, I won't dare. <g>
-----------------------------<unsnip>----------------------------
Me neither; that would be akin to performing indecent and unnatural acts
in a public place. Not my bag. <BIG G> Nor is professional suicide!
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html