David, I am 40+ years developer in assembler. I believe I wrote and used SVCs before you. If you read my previous emails you would see that modernisation is a must. However, you haven't given any sample of breach caused by standard mvs code, while I gave two.
*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: [email protected] **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* On Sun, Jan 30, 2022 at 3:58 AM David Crayford <[email protected]> wrote: > On 29/1/22 11:53 pm, Itschak Mugzach wrote: > > It seems you haven't read the link you sent... This article says exactly > > what I claim. It was a UUS (aka UNIX) vulnerability that helped them get > > UID 0. This is how it started. > > You've changed direction now from open source to z/OS UNIX. Are you > aware of what a "magic SVC" is? There have been many such "magic SVC's" > shipped by vendors over the years > which could easily be exploited to grant an unauthorizd user access to > RACF SPECIAL without running in z/OS UNIX. You say you have a scanner. > Does it scan the SVC table? > > I'm confused by what your agenda is. Should be get rid of anything > modern, including z/OS UNIX which dates back to the 90s? Should we get > rid of TCP/IP and bunker down in caves like > a bunch of troglodytes punching out code using 1950s/60s programming > languages on terminal attached 3270 green screens using TSO? > > > > ITschak > > > > *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere > > Platform* *|* *Information Security Continuous Monitoring for Z/OS, > zLinux > > and IBM I **| * > > > > *|* *Email**: [email protected] **|* *Mob**: +972 522 986404 > **|* > > *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* > > > > > > > > > > > > On Sat, Jan 29, 2022 at 5:49 PM Raphaël Jacquot <[email protected]> > wrote: > > > >> Le 29/01/2022 à 16:12, Itschak Mugzach a écrit : > >>> David, > >>> > >>> Prove your claim reg. "Enterprise software". Give at least one sample. > My > >>> claim is already proved. Nordea bank was penetrated from USS, LOG4J is > an > >>> open source. > >>> > >>> ITschak > >> here is an article about the Nordea hack. > >> > >> https://badcyber.com/a-history-of-a-hacking/ > >> > >> now go read it, in particular the details about RACF not being good > >> enough and stop blaming opensource for the failings > >> > >> ---------------------------------------------------------------------- > >> For IBM-MAIN subscribe / signoff / archive access instructions, > >> send email to [email protected] with the message: INFO IBM-MAIN > >> > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to [email protected] with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
