MVS and VM source was always > 90% available. A secure system can't be cracked even when you do have the source -- see above. Mind you, a dumb sysmod could leave the system wide open. I cracked one IBM datacenter's MVT pre-RACF "security" in about 20 minutes with a SYSABEND dump -- without source code.
----- Original Message -----
From: "Nick Gimbrone" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 31, 2002 5:03 PM
Subject: Re: Messages Manual

> > Oh, come on Nick. How are you going to prevent any operations staff
> > with the inclination either downloading the source code to Linux in
> > their own time on their own equipment?
> I never spoke about prohibit, the question is one of what an auditor does. They
> are advisors. It is reasonable for them to advise of the risk that was being
> outlined here (that the "way" to find out what a msg means is to look at the
> source, when the original posting did not even say "open source"). That source
> might not be available, or it might be a risk of feasibility/practicality (come
> on folks, just how many computer operators do you know that can read C source
> and make heads or tails of it?).
>
> These are not things to just "get used to", they represent real risks to real
> businesses. Sure a PROGRAMMER can read the source, and perhaps figure out what
> is going on (though all the problems stated on this list about simple
> configurations clearly indicates that even we find that to be difficult ;-)...
> but really, expecting an OPERATOR to do so... and then expecting the AUDITORs to
> not care about the business risks this represents (and no, it is not security...
> audit & control is much more than just security).
>
> All I have said is that there is a cost to this approach,
> and that it is unreasonable for "auditors to get used to it",
> and that we can actually start to do something to fix it...
>
> Get over it.
>
> Peace. -njg
