> Phil, when I first read Alan's assertion my knee-jerk was the same as > yours. Impugn my baby, will he? I thought about responding as you did, > and then slept on it.
Damn timezones. > Those of us in the 'biz' know about IBM's published security policies, > and their unconditional APAR acceptance and all that. Some of us also > remember a time when MVS nee OS/360 was trivially easy to break, and can > attest to the fact that IBM has done much to shore up the big nasty > holes. A friend of mine collected 'exploits', as we would now refer to them. He had 37 OS/360 ones, ranging from the simple SVC 12 (SYNCH) to create an RB and clobber the PSW to something really complex involving an ISAM exit routine. He ticked off IBM's closure of all of them as time went on. > It hasn't been all that long since I caused my last SVC dump. Enough of > these and you have an irritating local DOS attack. Did your > installation code IEALIMIT or sysout-excession exits? If not, it's > trivially easy to fill up the SPOOL or deplete the local page datasets. Even easier. Code a JOB that puts two copies of itself (with randomised JOBNAMEs) into the internal reader. We used to call this RABBITS, and the 'RABBITS time' was a measure of JES2 efficiency - how long until the first SPOOL warning message? > Can you get into 'authorized' state? Maybe, or maybe not. But besides > the over-400 SYS1.LINKLIB modules that are marked authorized, you > probably have lots of non-IBM code that is also marked that way; > Computer Associates requires it for much of their stuff (and I > understand even installs a backdoor SVC). Anyone who agrees to that ... > I think it would be wise to *not* trust IBM, not because they are evil > or incompetent, but because it is impossible to verify their work. And > though we know a skosh more about MVS than Alan Cox, I'm not inclined to > discount his advice out of hand. That's how Enigma was cracked. The Germans had such blind faith in the system that they repe atedly used things like 'HITLER' and 'BERLIN' as their six-character test strings. Trust no one. OTOH - I am one of those who believes that published source code becomes, in time, the most secure and reliable. I saw this in the early days of System/360, as bug after bug in the operating system and (especially) ASP was located and fixed not by IBM but by practitioners. To my mind, a APAR is only a proper APAR if the originator attaches a suggested code change. -- Phil Payne http://www.isham-research.com +44 7785 302 803
