On Sat, 2002-09-07 at 17:28, Dave Jones wrote: > claim of "equal vulnerabilities". I'm extremely skeptical that, say, z/OS > is as vulnerable as Windows 2000, or has as many vulnerabilities reported. > Where's the data to substantiate this claim?
I suspect if you put the same number of people at z/OS as anything else they would find lots of holes in it. Nobody bothers hacking a z/OS box - why bother, there aren't many of them and they are not generally run without proper administration. Most attacks we see are exploits building off long fixed holes. There are very few computer systems that are truely secure, where the definition involves mathematical proofs that the theory behind the system is correct and a review of the accuracy of the relevant code by third parties occurred. There is also an unfortunately unsolved research problem which is how to build a system that is both mathematically secure and *usable* by mere mortals. z/OS is secure because nobody cares about it. It only takes one person to care enough. Computer security sucks - all of it. Given the urge and the right people a virus/worm attack that physically destroyed 100,000 PCs would actually not be that hard to carry off right now. Alan
