Yes.

On 5/30/2019 11:01 AM, Seymour J Metz wrote:
It is obvious that IBM has vulnerabilities in z/OS.
Water is wet; I've reported one such. But not all vulnerabilities are trap 
doors.

Do you know of a trap door installed by IBM?


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Lou Losee 
<[email protected]>
Sent: Thursday, May 30, 2019 11:42 AM
To: [email protected]
Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls

Just because it has not been brought up and I think it is pertinent to this
discussion.

It is obvious that IBM has vulnerabilities in z/OS.  The existence of the
integrity APARs is proof of that.  There may not be as many as the fixes
released for Windows or Mac, but they do exist.

Lou
--
Artificial Intelligence is no match for Natural Stupidity
   - Unknown


On Thu, May 30, 2019 at 10:33 AM Seymour J Metz <[email protected]> wrote:

I've never seen a trap door installed by IBM. What I've seen was trap
doors installed by data center staff and trap doors in 3rd party software.
In those cases it's not the platform that is insecure but the installation.
Would you blame the lock if someone leaves their key under the doormat?

d) You know how to fix the trap door but management won't let you.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf
of R.S. <[email protected]>
Sent: Thursday, May 30, 2019 7:01 AM
To: [email protected]
Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls

As Shmuel said an application with a trap door is an application
vulnerability.
Indeed, IF you know such a trap door, you know a z/OS vulnerability, which
proves the platform is not immune. Is it as vulnerable as Windows? No,
because it's still not binary, some systems are still more secure than
others.

Last, but not least:  assuming you know such trap door. Or even several
trap doors. What next?
a) you submitted it to IBM and they are trying to fix it.
b) despite a) you know how to fix it by homegrown
code/configuration/procedure and you offer it as a service.
c) the trap door cannot be fixed and then your services are disputable -
you cannot help.

Of course the above *regards only the trap doors you know*, not your
services portfolio.
Besides that you can provide many valuable services regarding security,
but not platform issues, rather people's mistakes, misconfigurations,
erroneous procedures, etc.
It is worth emphasizing: while z/OS is quite secure, it may be quite
complex to configure it properly. And here there is a field for Ray,
ITschak, RSM Partners, me, etc.

--
Radoslaw Skorupka
Lodz, Poland





On 2019-05-29 at 17:11, Ray Overby wrote:
In response to "Mistakes, lack of time, lack of control, lack of
skills. Not a platform weakness." comment: The mainframe platform,
z/OS, and ESM's all rely on integrity to function. A single TRAP DOOR
code vulnerability pierces the veil of integrity and can be used to
compromise the mainframe. Is this a platform weakness? I think so. The
platform relies on all code it runs adhering to certain rules. z/OS
could be changed to better check and enforce those rules.

Would you say that the elimination of User Key Common storage is an
example of a z/OS change to address a mainframe platform weakness? I
think so.

An interesting observation. Thanks.

On 5/29/2019 5:25 AM, R.S. wrote:
That's classical FUD.
Frightening people.
"if an exploit", "if job reads you RACF db", "unintended consequences".
Exactly what hacking scenario can provide the RACF db to the hacker?
Yes, I saw APF libraries with UACC(ALTER), UID(0) as a standard TSO
user attribute, even UPDATE to the RACF db. But it's a problem of people.
Mistakes, lack of time, lack of control, lack of skills. Not a
platform weakness.

It's typical that assurance/lock/gun salesmen tend to talk about
risks, threats and dangers. They create a vision.
My English is poor, but I can observe it for two of the debaters here.
It's visible. I don't like social engineering.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
