I've never seen a trap door installed by IBM. What I've seen was trap doors installed by data center staff and trap doors in 3rd party software. In those cases it's not the platform that is insecure but the installation. Would you blame the lock if someone leaves their key under the doormat?
d) You know how to fix the trap door but management won't let you. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List <[email protected]> on behalf of R.S. <[email protected]> Sent: Thursday, May 30, 2019 7:01 AM To: [email protected] Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls As Shmuel said an application with a trap door is an application vulnerability. Ideed, IF you know such trap door, you know z/OS vulnerability, which proves the platform is not immune. Is it as vulnerable as Windows? No, because it's still not binary, some systems are still more secure than others. Last, but not least: assuming you know such trap door. Or even several trap doors. What next? a) you submitted it to IBM and they are trying to fix it. b) despite of a) you know how to fix it by homegrown code/configuration/procedure and you offer it as a service. c) the trap door cannot be fixed and then your services are disputable - you cannot help. Of course the above *regards only the trap doors you know*, not your services portfolio. Besides that you can provide many valuable services regarding security, but not platform issues, rather people mistakes, misconfigurations, erroneous procedures, etc. It is worth to emphasize: while z/OS is quite secure, it may be quite complex to configure it properly. And here there is a field for Ray, ITschak, RSM Partners, me, etc. -- Radoslaw Skorupka Lodz, Poland W dniu 2019-05-29 o 17:11, Ray Overby pisze: > In response to "Mistakes, lack of time, lack of control, lack of > skills. Not a platform weakness." comment: The mainframe platform, > z/OS, and ESM's all rely on integrity to function. A single TRAP DOOR > code vulnerability pierces the veil of integrity and can be used to > compromise the mainframe. Is this a platform weakness? I think so. The > platform relies on all code it runs adhering to certain rules. z/OS > could be changed to better check and enforce those rules. > > Would you say that the elimination of User Key Common storage is an > example of a z/OS change to address a mainframe platform weakness? I > think so. > > An interesting observation. Thanks. > > On 5/29/2019 5:25 AM, R.S. wrote: >> That's classical FUD. >> Frightening people. >> "if an exploit", "if job reads you RACF db", "unintended consequences". >> What exactly hacking scenario can provide RACF db to the hacker? >> Yes, I saw APF libraries with UACC(ALTER), UID(0) as standard TSO >> user attribute, even UPDATE to RACF db. But it's problem of people. >> Mistakes, lack of time, lack of control, lack of skills. Not a >> platform weakness. >> >> It's typical that assurance/lock/gun salesmen tend to talk about >> risks, threats and dangers. They create a vision. >> My English is poor, but I can observe it for two of debaters here. >> It's visible. I don't like social engineering. ====================================================================== Jeśli nie jesteś adresatem tej wiadomości: - powiadom nas o tym w mailu zwrotnym (dziękujemy!), - usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub zapisałeś na dysku). Wiadomość ta może zawierać chronione prawem informacje, które może wykorzystać tylko adresat.Przypominamy, że każdy, kto rozpowszechnia (kopiuje, rozprowadza) tę wiadomość lub podejmuje podobne działania, narusza prawo i może podlegać karze. mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa,http://secure-web.cisco.com/14ILHCRRunYvlSTtGew3dxkMnoq-EQXunQmxen_zjQXxLP_IX-Ug58lArQAAiDC5ACZe4lMf0-jck0ghav2cqfF_LnMQM_LW30FcxGv_RtgvQgLZhcGgFKSX0F8zBNsaREU7crKD5N9qMEep08A3gQGMJb3xeCyGFXo40ow3C4kklzJKo8ceb3j4dNkhTHXRroJVJvFgw8OmxGSZLh5Cd0s4plzQ0KQOs4Xy6uxx3qpKYcs3SBxUf0fBQo3DcK2kSBE4k3ScihhcNjTJwUDXdyrULocL9bMwXrAVups_q5FzLwrUN5zsycmBegw6QssGwOBAEpAD4PJuMl7bPaecJqL_m4uu_J6gwb2aG9F4h4wvt2z8H95YdG86TQJTbDpHc/http%3A%2F%2Fwww.mBank.pl, e-mail: [email protected]. Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 0000025237, NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na 01.01.2018 r. wynosi 169.248.488 złotych. If you are not the addressee of this message: - let us know by replying to this e-mail (thank you!), - delete this message permanently (including all the copies which you have printed out or saved). This message may contain legally protected information, which may be used exclusively by the addressee.Please be reminded that anyone who disseminates (copies, distributes) this message or takes any similar action, violates the law and may be penalised. mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 Warszawa,http://secure-web.cisco.com/14ILHCRRunYvlSTtGew3dxkMnoq-EQXunQmxen_zjQXxLP_IX-Ug58lArQAAiDC5ACZe4lMf0-jck0ghav2cqfF_LnMQM_LW30FcxGv_RtgvQgLZhcGgFKSX0F8zBNsaREU7crKD5N9qMEep08A3gQGMJb3xeCyGFXo40ow3C4kklzJKo8ceb3j4dNkhTHXRroJVJvFgw8OmxGSZLh5Cd0s4plzQ0KQOs4Xy6uxx3qpKYcs3SBxUf0fBQo3DcK2kSBE4k3ScihhcNjTJwUDXdyrULocL9bMwXrAVups_q5FzLwrUN5zsycmBegw6QssGwOBAEpAD4PJuMl7bPaecJqL_m4uu_J6gwb2aG9F4h4wvt2z8H95YdG86TQJTbDpHc/http%3A%2F%2Fwww.mBank.pl, e-mail: [email protected]. District Court for the Capital City of Warsaw, 12th Commercial Division of the National Court Register, KRS 0000025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN 169,248,488 as at 1 January 2018. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
