On 2 Apr 2013 14:59:52 -0700, in bit.listserv.ibm-main you wrote:

>On 2 April 2013 16:21, John Gilmore <[email protected]> wrote:
>> This piece will repay your attention.  It is the first open-literature
>> discussion of the market for 'exploits' and who is selling what to
>> whom for how much that I have seen.
>
>There have been discussions in less well informed and well written
>publications than The Economist over the last year or so. Notably
>Forbes and ZDnet both published articles last March:
>
>http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
>
>http://www.zdnet.com/blog/security/us-government-pays-250000-for-ios-exploit/11044
>
>> There is no discussion of z/OS exploits, but I do not find this reassuring.
>> Our turn will certainly come.
>
>Vulnerabilities in the z/OS core certainly appear from time to time,
>but we generally learn of them only from the obscure nature of IBM's
>fixes. I discovered one a couple of years ago, and demonstrated to
>myself, but did not write code for a usable exploit. About the time I
>was going to send it to IBM, the fix appeared. But the nature of z/OS
>vulnerabilities and any putative market for their exploits is rather
>different from those on most other platforms. The general public does
>not have the sort of insider access to z/OS that the lowliest COBOL
>programmer or operations clerk has, and that is required to even bump
>into IBM's statement of system integrity. Guarding against insiders is
>worthy and necessary, but it's hard to imagine much of a market for
>exploits that they can use, fun as it may be to dream them up.
>
>Exploits against web servers and other public z/OS interfaces are much
>more generic and - despite the dreaded C string buffer overflows -
>probably less likely to be successful because of the layering of
>privileges within z/OS and its components. One can imagine a complex
>Stuxnet-like exploit that targets z/OS, and is spread by USB keys or
>system programmers' bad browsing habits, but then really the exploit
>target is not z/OS but the intermediate systems and their users.

It may be harder to attack actual system code on z/OS but if the
exploit is targeted to Apache and vulnerabilities there, a shop
running Apache on z/OS may be vulnerable.  If the application is
written in a manner that will allow SQL injection, fun may occur
regardless of platform.  The basic question is what can someone do by
taking advantage of the application they are connected to.

Clark Morris
>
>Tony H.
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [email protected] with the message: INFO IBM-MAIN