Pure silliness now. As this topic always becomes. I never said or insinuated the platform was immune. In shops I’ve worked, very few had access to add to the APF list. Security and Audit often questioned additions. Most additions were software libs from 2-3 vendors whose libraries were also tightly controlled. Show me a link to your third scenario successfully implemented? Or is this some sort of “could happen” if the stars aligned and you had a dozen unlikely things happen all at the same time?
Sent from Yahoo Mail for iPhone On Tuesday, May 28, 2019, 11:44 AM, Ray Overby <[email protected]> wrote: This discussion on mainframe vulnerabilities has unfortunately broken down. I have been talking to mainframe people about vulnerabilities for the last 12 years. I have talked with people just like Bill Johnson. My discussions went just like this discussion did. The problem (as I saw it) was that discussing a “mainframe vulnerability” is too ambiguous. The discussion needs to be more specific. This led to categorizing vulnerabilities. When the vulnerabilities were categorized (which also defined their capabilities BUT does not allow the hacker to generate an exploit) the discussions evolved to the point that not only did the mainframe people better understand the vulnerabilities and their associated risk but also allowed C level, managers, Auditors, Security, Pen testers, and Risk people to understand and participate in the vulnerability discussions. For example, you can classify mainframe vulnerabilities based upon their source – configuration or code based. Classifying the vulnerability eliminates ambiguities that are inherent when you don’t classify. It is these ambiguities that can cause the discussion to break down. For example, how would the discussion have changed if the vulnerabilities under discussion were classified as follows: -Configuration based vulnerabilities * APF authorized data sets not adequately protected * SMP/E data sets not adequately protected * FTP anonymous allowed * FTP JES option allowed * Outgoing TCPIP traffic not protected -Code based vulnerabilities * Storage alteration * Trap door * System Instability To better focus the discussion perhaps the following questions should be discussed: Q for Bill Johnson – Are you saying that the mainframe is immune from any type of vulnerabilities (Code and Configuration based)? Q for Bill Johnson - Do you consider a configuration based vulnerability (APF authorized data set not adequately protected) as a hack if it is exploited? Q for Bill Johnson – Do you consider a code based vulnerability (storage alteration that allows dynamic elevation of ESM or z/OS authorities by any user of z/OS) as a hack if it is exploited? On 5/28/2019 9:23 AM, Bill Johnson wrote: > And you sell security services. What do I expect you to say? > Not everything I provided was IBM. > > > Sent from Yahoo Mail for iPhone > > > On Tuesday, May 28, 2019, 10:13 AM, ITschak Mugzach <[email protected]> > wrote: > > These Are IBM docs. What you expect them to say? > > ITschak > > בתאריך יום ג׳, 28 במאי 2019, 16:54, מאת Tom Marchant < > [email protected]>: > >> On Tue, 28 May 2019 13:32:35 +0000, Bill Johnson wrote: >> >>> If you either didn’t read or didn’t comprehend the posts I provided, I >> cannot help you. >> >> As I wrote, I read all of the references that you posted. >> Yes, I understood them. >> You misrepresented what they said. >> Now your response is to insult me. That is pathetic. >> >> -- >> Tom Marchant >> >>> Sent from Yahoo Mail for iPhone >>> >>> >>> On Tuesday, May 28, 2019, 9:17 AM, Tom Marchant < >> [email protected]> wrote: >>> On Mon, 27 May 2019 16:05:33 +0000, Bill Johnson wrote: >>> >>>> Mainframes are by design far more secure. For good reason. The exposure >>>> is catastrophic potentially. It’s one of the main reasons why banks rely >> and >>>> stay on it and spend tens of millions for it. I’ve already provided >> numerous >>>> links referencing it. >>> You have provided pitifully little to support your claim that the >> security of >>> mainframes is the reason banks and others stay with them. I have read >>> all of the references that you posted, and most of them list the >> POTENTIAL >>> to secure them as ONE of the reasons why people use mainframes for >>> mission-critical data, but not the main reason. >>> >>> You have over-stated your case. >>> >>>> Add in my criminal justice knowledge along with my computer science >>>> degree and 40 years of experience in IT and security. But don’t let me >>>> dispel your beliefs. >>> So I shoulodn't question you because you are the expert? >>> I call BS. >>> >>> -- >>> Tom Marchant >>> >>>> Sent from Yahoo Mail for iPhone >>>> >>>> >>>> On Monday, May 27, 2019, 11:45 AM, Chad Rikansrud < >> [email protected]> wrote: >>>> At the risk of re-kicking the already dead horse: Bill, you're >> comparing apples and spiders. >>> ---------------------------------------------------------------------- >>> For IBM-MAIN subscribe / signoff / archive access instructions, >>> send email to [email protected] with the message: INFO IBM-MAIN >>> >>> >>> >>> ---------------------------------------------------------------------- >>> For IBM-MAIN subscribe / signoff / archive access instructions, >>> send email to [email protected] with the message: INFO IBM-MAIN >> ---------------------------------------------------------------------- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to [email protected] with the message: INFO IBM-MAIN >> > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
