Need to know can bite you from behind. Once upon a time--before the interweb--IBM supported an 'app' called InfoMVS. They sent data via tape to subscribed customers on a regular basis. Customer loaded data into VSAM and queried it much like SIS in ServiceLink today. Nothing secret, we thought, so the app was essentially open.
One day a loose-cannon VP went marauding through Info and found a VTAM APAR that he thought spelled the end of the world as we knew it. Instead of coming to us with it (I did say loose cannon), he started freaking out higher management with tales of impending Apocalypse spiced with insinuations that we techies were idiots for not handling the problem earlier. When we finally got wind of what was happening, we pointed out to the Prophet of Doom that the APAR was for a different release of VTAM than the one we were running.

P.S. InfoMVS got locked up in a flash...

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Paul Gilmartin
Sent: Monday, January 29, 2018 11:31 AM
To: [email protected]
Subject: (External):Re: RFE For ISRDDN/DDLIST to further protect system integrity

On Sat, 27 Jan 2018 10:05:29 -0500, Peter Relson wrote:
>...
>If a customer does not have their APF or PARMLIB or LNKLST or LPA
>libraries properly protected, that is a different matter entirely, and
>is one of the reasons why there is a RACF health check related to APF.
>...
>The information itself cannot be "exploited". Customer security gaps
>can be exploited.
>
>Security by obscurity (which is what you'd get to a small extent if
>what was asked for was implemented) is often only a little better than nothing.
>
Yes. But someone mentioned "need to know". If an administrator carelessly leaves sensitive information in a readable file, it invites an exploit. Health check is likely not to notice that. Fetch protection narrows the community of exploiters.

Security is rarely perfect; not all-or-nothing. The closer the better.

The FOSS community takes the view that the more eyes on the code, the sooner a weakness will be recognized, reported, and repaired. The Enterprise community takes the view that the more eyes on code, the more likely a weakness is to be exploited. IBM seems to fall in this category by embargoing integrity defect information long after patches are available. Is that "security by obscurity"?

-- gil
