If one reads the article, then digs into the underlying research, and
finally the Congressional report on the OPM incidents (all 250 pages of
it), it's quite easy to see that the authors of the research and subsequent
article are implying that legacy=mainframe/COBOL, while the real problem(s)
really had nothing to do with either, at the end of the day. It had
everything to do with "legacy" network security, not following best
security practices, etc. Where the research talks about investments in
modernization, they imply that the problem is "archaic" 30-year-old COBOL
systems, when that really isn't supported by the research at all
(contradictions?). They really mean that when the distributed network
security is modernized with security best practices, advanced intrusion and
malware detection, use of MFA/PIV/etc, there's a reduction in the number of
incidents.

I wrote up a longer response to it, as comments to the FB and LinkedIn
postings, that starts with the OPM report and works its way back up to the
article. Seemingly, Computerworld didn't like some of the original comments
from their posting last week on LinkedIn, and felt the need to repost it
yesterday. That's where my longer comments can be found, vs their original
posting. Can't link directly to it or the FB posting. You'll have to
search for Computerworld's page, then scroll.

At the end of the day, it really has nothing to do with COBOL "security" at
all, but everything to do with network security. The article is just an
example of taking at face value poor research, taking liberties with and
cherry picking bits of a report and quotes from people who probably don't
understand the technology to begin with, and just plain old-fashioned bad
journalism... Fake News!



"Common sense is not so common."
         * Voltaire, Dictionnaire Philosophique (1764)



On Mon, Mar 20, 2017 at 8:51 AM, Elardus Engelbrecht <
[email protected]> wrote:

> Todd Arnold wrote:
>
> >Gee, I've been developing crypto technology for 30+ years that runs in
> those environments - so it's certainly news to me that it can't be done :-)
>
> Amazing! ;-)
>
> No one said those cards are that *fast* !
>
>
> >Looking at the ICSF Application Programmer's Guide, which defines the
> ways most z/OS applications get cryptographic services, I see this:
>
> >  ICSF callable services can be called from application programs written
> in a number of high-level languages as well as assembler. The high-level
> languages are:
> >    - C
> >    - COBOL
> >    - FORTRAN
> >    - PL/I
>
> And REXX + Assembler too. Look in Redbook - 'System z Crypto and TKE
> Update' (SG24-7848-00) for samples.
>
> Note from that bookie: The code supplied has not been subjected to any
> formal IBM test ....
>
> Groete / Greetings
> Elardus Engelbrecht
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
