> it's hard to imagine much of a market for exploits that they can use, fun as it may be to dream them up.
The huge Bank of America account data theft in 2011 involved a prison gang arranging for payments to BofA employees in return for stealing account numbers that were then used for identity theft, or more specifically, to loot the accounts. Given that scenario, it is not hard to imagine some group paying for a z/OS, possibly DB2, exploit that could be passed to an inside accomplice.

http://www.bankinfosecurity.com/id-theft-scam-run-from-prison-a-5327/op-1

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Tony Harminc
Sent: Tuesday, April 02, 2013 3:00 PM
To: [email protected]
Subject: Re: "The digital arms trade", article in the Economist, 2013 March 30

...

Vulnerabilities in the z/OS core certainly appear from time to time, but we generally learn of them only from the obscure nature of IBM's fixes. I discovered one a couple of years ago, and demonstrated to myself, but did not write code for a usable exploit. About the time I was going to send it to IBM, the fix appeared.

But the nature of z/OS vulnerabilities and any putative market for their exploits is rather different from those on most other platforms. The general public does not have the sort of insider access to z/OS that the lowliest COBOL programmer or operations clerk has, and that is required to even bump into IBM's statement of system integrity. Guarding against insiders is worthy and necessary, but it's hard to imagine much of a market for exploits that they can use, fun as it may be to dream them up.
