> It is obvious that IBM has vulnerabilities in z/OS. Water is wet; I've reported one such. But not all vulnerabilities are trap doors.
Do you know of a trap door installed by IBM? -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List <[email protected]> on behalf of Lou Losee <[email protected]> Sent: Thursday, May 30, 2019 11:42 AM To: [email protected] Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls Just because it has not been brought up and I think it is pertinent to this discussion. It is obvious that IBM has vulnerabilities in z/OS. The existence of the integrity APARs are proof of that. There may not be as many as the fixes released for Windows or Mac, but they do exist. Lou -- Artificial Intelligence is no match for Natural Stupidity - Unknown On Thu, May 30, 2019 at 10:33 AM Seymour J Metz <[email protected]> wrote: > I've never seen a trap door installed by IBM. What I've seen was trap > doors installed by data center staff and trap doors in 3rd party software. > In those cases it's not the platform that is insecure but the installation. > Would you blame the lock if someone leaves their key under the doormat? > > d) You know how to fix the trap door but management won't let you. > > > -- > Shmuel (Seymour J.) Metz > http://mason.gmu.edu/~smetz3 > > ________________________________________ > From: IBM Mainframe Discussion List <[email protected]> on behalf > of R.S. <[email protected]> > Sent: Thursday, May 30, 2019 7:01 AM > To: [email protected] > Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls > > As Shmuel said an application with a trap door is an application > vulnerability. > Ideed, IF you know such trap door, you know z/OS vulnerability, which > proves the platform is not immune. Is it as vulnerable as Windows? No, > because it's still not binary, some systems are still more secure than > others. > > Last, but not least: assuming you know such trap door. Or even several > trap doors. What next? > a) you submitted it to IBM and they are trying to fix it. > b) despite of a) you know how to fix it by homegrown > code/configuration/procedure and you offer it as a service. > c) the trap door cannot be fixed and then your services are disputable - > you cannot help. > > Of course the above *regards only the trap doors you know*, not your > services portfolio. > Besides that you can provide many valuable services regarding security, > but not platform issues, rather people mistakes, misconfigurations, > erroneous procedures, etc. > It is worth to emphasize: while z/OS is quite secure, it may be quite > complex to configure it properly. And here there is a field for Ray, > ITschak, RSM Partners, me, etc. > > -- > Radoslaw Skorupka > Lodz, Poland > > > > > > W dniu 2019-05-29 o 17:11, Ray Overby pisze: > > In response to "Mistakes, lack of time, lack of control, lack of > > skills. Not a platform weakness." comment: The mainframe platform, > > z/OS, and ESM's all rely on integrity to function. A single TRAP DOOR > > code vulnerability pierces the veil of integrity and can be used to > > compromise the mainframe. Is this a platform weakness? I think so. The > > platform relies on all code it runs adhering to certain rules. z/OS > > could be changed to better check and enforce those rules. > > > > Would you say that the elimination of User Key Common storage is an > > example of a z/OS change to address a mainframe platform weakness? I > > think so. > > > > An interesting observation. Thanks. > > > > On 5/29/2019 5:25 AM, R.S. wrote: > >> That's classical FUD. > >> Frightening people. > >> "if an exploit", "if job reads you RACF db", "unintended consequences". > >> What exactly hacking scenario can provide RACF db to the hacker? > >> Yes, I saw APF libraries with UACC(ALTER), UID(0) as standard TSO > >> user attribute, even UPDATE to RACF db. But it's problem of people. > >> Mistakes, lack of time, lack of control, lack of skills. Not a > >> platform weakness. > >> > >> It's typical that assurance/lock/gun salesmen tend to talk about > >> risks, threats and dangers. They create a vision. > >> My English is poor, but I can observe it for two of debaters here. > >> It's visible. I don't like social engineering. > > ====================================================================== > > Jeśli nie jesteś adresatem tej wiadomości: > > - powiadom nas o tym w mailu zwrotnym (dziękujemy!), > - usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub > zapisałeś na dysku). > Wiadomość ta może zawierać chronione prawem informacje, które może > wykorzystać tylko adresat.Przypominamy, że każdy, kto rozpowszechnia > (kopiuje, rozprowadza) tę wiadomość lub podejmuje podobne działania, > narusza prawo i może podlegać karze. > > mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa, > http://secure-web.cisco.com/14ILHCRRunYvlSTtGew3dxkMnoq-EQXunQmxen_zjQXxLP_IX-Ug58lArQAAiDC5ACZe4lMf0-jck0ghav2cqfF_LnMQM_LW30FcxGv_RtgvQgLZhcGgFKSX0F8zBNsaREU7crKD5N9qMEep08A3gQGMJb3xeCyGFXo40ow3C4kklzJKo8ceb3j4dNkhTHXRroJVJvFgw8OmxGSZLh5Cd0s4plzQ0KQOs4Xy6uxx3qpKYcs3SBxUf0fBQo3DcK2kSBE4k3ScihhcNjTJwUDXdyrULocL9bMwXrAVups_q5FzLwrUN5zsycmBegw6QssGwOBAEpAD4PJuMl7bPaecJqL_m4uu_J6gwb2aG9F4h4wvt2z8H95YdG86TQJTbDpHc/http%3A%2F%2Fwww.mBank.pl, > e-mail: [email protected]. Sąd Rejonowy dla m. st. Warszawy XII Wydział > Gospodarczy Krajowego Rejestru Sądowego, KRS 0000025237, NIP: > 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na > 01.01.2018 r. wynosi 169.248.488 złotych. > > If you are not the addressee of this message: > > - let us know by replying to this e-mail (thank you!), > - delete this message permanently (including all the copies which you have > printed out or saved). > This message may contain legally protected information, which may be used > exclusively by the addressee.Please be reminded that anyone who > disseminates (copies, distributes) this message or takes any similar > action, violates the law and may be penalised. > > mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 > Warszawa, > http://secure-web.cisco.com/14ILHCRRunYvlSTtGew3dxkMnoq-EQXunQmxen_zjQXxLP_IX-Ug58lArQAAiDC5ACZe4lMf0-jck0ghav2cqfF_LnMQM_LW30FcxGv_RtgvQgLZhcGgFKSX0F8zBNsaREU7crKD5N9qMEep08A3gQGMJb3xeCyGFXo40ow3C4kklzJKo8ceb3j4dNkhTHXRroJVJvFgw8OmxGSZLh5Cd0s4plzQ0KQOs4Xy6uxx3qpKYcs3SBxUf0fBQo3DcK2kSBE4k3ScihhcNjTJwUDXdyrULocL9bMwXrAVups_q5FzLwrUN5zsycmBegw6QssGwOBAEpAD4PJuMl7bPaecJqL_m4uu_J6gwb2aG9F4h4wvt2z8H95YdG86TQJTbDpHc/http%3A%2F%2Fwww.mBank.pl, > e-mail: [email protected]. District Court for the Capital City of Warsaw, > 12th Commercial Division of the National Court Register, KRS 0000025237, > NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN > 169,248,488 as at 1 January 2018. > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
