I watched the flick and agree with a lot of what he said. He obviously has no scruples about disclosing any and all information, but isn't that how Open Source software protects itself? And if someone opens their TN3270 port to the public internet, whose fault is that really?

One thing he said right off was that SPECIAL effectively has full system access. I hope auditors understand that. Years ago I had the cleanup job of removing OPERATIONS auth from as many users as possible, and I told the auditors they needed to look at SPECIAL users too. They argued that SPECIAL was out-of-scope for the project :)

I had to laugh a bit when he made fun of names like ISPF and RACF, just like we make fun of grep and awk. But he's correct in putting down mainframe people (me included) who haven't fully learned some of the basics like netstat and nslookup.

However, I'm not sure he understands as much as he thinks he does. For example, I saw my name while browsing his tumblr page - he made fun of an ibm-main post where Skip mentioned we had quickly applied IBM security PTFs, but it would take some time to roll out to production. I'm not sure he understands change control and the related risk assessment.

What I REALLY DON'T LIKE is that he seems focused on providing automated hacking solutions. That goes well past a simple lack of scruples.

Tony Harminc wrote:
His (incredibly annoying if you're an old non-hip guy like me) tumblr
page is chock full of GIFs of logon screens with their publicly
reachable IP addresses. So anyone could just TN3270 to any of those.
Even if they support TLS, that protects the data in transit, but it's
unlikely that authentication by the TN3270 client is required. I have
no idea how he got the addresses, and presumably some have been
"fixed" by now, but doubtless not all.
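The point above about auditors needing to look at SPECIAL (and OPERATIONS) users is easy to check mechanically. The following is an added example, not code from the post or from anyone quoted in it: it parses LISTUSER-style output and lists which userids hold system-wide RACF attributes. The sample output is constructed for illustration; the line layout assumed is the `USER=` header line followed by an indented `ATTRIBUTES=` line.

```python
import re

# Constructed sample of RACF LISTUSER output (not taken from any real system).
SAMPLE_LISTUSER = """\
USER=IBMUSER  NAME=IBM DEFAULT USER     OWNER=IBMUSER   CREATED=85.123
 DEFAULT-GROUP=SYS1     PASSDATE=00.000 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
USER=OPER01   NAME=NIGHT OPERATOR       OWNER=SYS1      CREATED=19.045
 DEFAULT-GROUP=OPS      PASSDATE=23.001 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=OPERATIONS
USER=AUDIT01  NAME=INTERNAL AUDIT       OWNER=SYS1      CREATED=20.100
 DEFAULT-GROUP=AUDIT    PASSDATE=23.050 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=AUDITOR
USER=DEV42    NAME=APP DEVELOPER        OWNER=DEVGRP    CREATED=21.200
 DEFAULT-GROUP=DEVGRP   PASSDATE=23.060 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
"""

# System-wide attributes an auditor should enumerate; SPECIAL is the one
# that effectively grants full control over the RACF database.
PRIVILEGED = ("SPECIAL", "OPERATIONS", "AUDITOR")


def parse_listuser(text):
    """Return {userid: set(attributes)} from LISTUSER-style output."""
    users = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"USER=(\S+)", line)
        if header:
            current = header.group(1)
            users[current] = set()
            continue
        attrs = re.match(r"\s*ATTRIBUTES=(.*)", line)
        if attrs and current is not None:
            # "NONE" means no system-wide attributes; drop it from the set.
            users[current].update(a for a in attrs.group(1).split() if a != "NONE")
    return users


def privileged_users(users):
    """Map each system-wide attribute to the sorted userids holding it."""
    return {p: sorted(u for u, a in users.items() if p in a) for p in PRIVILEGED}


if __name__ == "__main__":
    for attr, ids in privileged_users(parse_listuser(SAMPLE_LISTUSER)).items():
        print(f"{attr:<11} {', '.join(ids) or '(none)'}")
```

On a real system the input would be the saved output of LISTUSER for each userid (or the user records from an IRRDBU00 unload); the value is in reviewing every name on the SPECIAL line, not just the OPERATIONS one.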

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
