Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking
And I'll raise you a Bryce Lynch

-Original Message-
Robert A. Rosenberg

At 18:39 -0500 on 12/01/2010, Don Leahy wrote about Re: OT: In regard to password cracking Who is Abbie Sciuto :

So could Chloe O'Brien.

It took me an IMDB lookup to find that she was a 24 hacker. I'll take your Chloe O'Brien and respond with Warehouse 13's Claudia Donovan (who hacked W13's servers and bypassed all their security plus locating W13's location and existence in the first place).

On Wed, Dec 1, 2010 at 17:37, Robert A. Rosenberg hal9...@panix.com wrote:

At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In regard to password cracking Who is Abbie Sciuto :

Of course, it could be cracked by somebody like Abbie Sciuto (and maybe the NSA or FBI) in just a few minutes <grin>.

Tim McGee also could do it. He is the major hacker on the NCIS team and often he and Annie collaborate on computer forensic matters. Abbie is usually the one to do Brute Force work like the password cracking however.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking
At 18:39 -0500 on 12/01/2010, Don Leahy wrote about Re: OT: In regard to password cracking Who is Abbie Sciuto :

So could Chloe O'Brien.

It took me an IMDB lookup to find that she was a 24 hacker. I'll take your Chloe O'Brien and respond with Warehouse 13's Claudia Donovan (who hacked W13's servers and bypassed all their security plus locating W13's location and existence in the first place).

On Wed, Dec 1, 2010 at 17:37, Robert A. Rosenberg hal9...@panix.com wrote:

At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In regard to password cracking Who is Abbie Sciuto :

Of course, it could be cracked by somebody like Abbie Sciuto (and maybe the NSA or FBI) in just a few minutes <grin>.

Tim McGee also could do it. He is the major hacker on the NCIS team and often he and Annie collaborate on computer forensic matters. Abbie is usually the one to do Brute Force work like the password cracking however.
Re: A New Threat for password hacking
In mm5af61vbrcsh8q2936g0d195sbvh16...@4ax.com, on 11/30/2010 at 11:26 AM, Clark Morris cfmpub...@ns.sympatico.ca said:

Security is not that high a priority in many organizations where the mantra is get the job done whatever it takes.

ITYM get part of the job done even if it sabotages another part of the job.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking
On 30 Nov 2010 07:42:00 -0800, in bit.listserv.ibm-main you wrote:

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
Sent: Tuesday, November 30, 2010 9:27 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking

On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:

<snip>

If you have a product that insists on special characters in passwords, this can be a major pain given the variability of code points for many of the characters. Also how many passwords do you have to remember?

Clark Morris

Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work benefits web site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those are the ones I use most of the time. I have a USB flash drive which is ext4 formatted and uses a GPT partition table which contains an encrypted file which contains my other passwords (i.e. just confuses Windows users). And I have a backup of that encrypted file at home in a couple of places. Hope I never forget __that__ password! Not that I am likely to do so. And it is, for all intents and purposes, unguessable by anyone. No, I won't say more on that or why I would say it. Of course, it could be cracked by somebody like Abbie Sciuto (and maybe the NSA or FBI) in just a few minutes <grin>.

Who is Abbie Sciuto?

Clark Morris
Re: EXTERNAL: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking
Clark is obviously not an NCIS fan. Google Abby Sciuto (spelling corrected)

Dennis Roach
GHG Corporation
Lockheed Martin Mission Services
Facilities Design and Operations Contract
Strategic Technical Engineering
NASA/JSC
Address: 2100 Space Park Drive LM-15-4BH Houston, Texas 77058
Mail: P.O. Box 58487 Mail Code H4C Houston, Texas 77258-8487
Phone: Voice: (281)336-5027 Cell: (713)591-1059 Fax:(281)336-5410
E-Mail: dennis.ro...@lmco.com

All opinions expressed by me are mine and may not agree with my employer or any person, company, or thing, living or dead, on or near this or any other planet, moon, asteroid, or other spatial object, natural or manufactured, since the beginning of time.

From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
Sent: Wednesday, December 01, 2010 10:22 AM

From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
Sent: Tuesday, November 30, 2010 9:27 AM

Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work benefits web site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those are the ones I use most of the time. I have a USB flash drive which is ext4 formatted and uses a GPT partition table which contains an encrypted file which contains my other passwords (i.e. just confuses Windows users). And I have a backup of that encrypted file at home in a couple of places. Hope I never forget __that__ password! Not that I am likely to do so. And it is, for all intents and purposes, unguessable by anyone. No, I won't say more on that or why I would say it. Of course, it could be cracked by somebody like Abbie Sciuto (and maybe the NSA or FBI) in just a few minutes <grin>.

Who is Abbie Sciuto?

Clark Morris
Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking
Abigail Abby Sciuto is a fictional character from the NCIS television series by CBS Television, and is portrayed by Pauley Perrette.

From: Clark Morris cfmpub...@ns.sympatico.ca
Sent by: IBM Mainframe Discussion List ibm-m...@bama.ua.edu
Date: 12/01/2010 11:22 AM
Please respond to: IBM Mainframe Discussion List ibm-m...@bama.ua.edu
To: IBM-MAIN@bama.ua.edu
cc:
Subject: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

On 30 Nov 2010 07:42:00 -0800, in bit.listserv.ibm-main you wrote:

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
Sent: Tuesday, November 30, 2010 9:27 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking

On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:

<snip>

If you have a product that insists on special characters in passwords, this can be a major pain given the variability of code points for many of the characters. Also how many passwords do you have to remember?

Clark Morris

Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work benefits web site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those are the ones I use most of the time. I have a USB flash drive which is ext4 formatted and uses a GPT partition table which contains an encrypted file which contains my other passwords (i.e. just confuses Windows users). And I have a backup of that encrypted file at home in a couple of places. Hope I never forget __that__ password! Not that I am likely to do so. And it is, for all intents and purposes, unguessable by anyone. No, I won't say more on that or why I would say it. Of course, it could be cracked by somebody like Abbie Sciuto (and maybe the NSA or FBI) in just a few minutes <grin>.

Who is Abbie Sciuto?

Clark Morris
Re: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
Sent: Wednesday, December 01, 2010 10:22 AM
To: IBM-MAIN@bama.ua.edu
Subject: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

On 30 Nov 2010 07:42:00 -0800, in bit.listserv.ibm-main you wrote:

<snip>

Who is Abbie Sciuto?

Clark Morris

Who is Abbie Sciuto???!!!? A character on my favorite U.S. TV series - NCIS. She is a forensic scientist. And a bit of a goth, but in a fun way. Google will give you more.

--
John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM
Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking
At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In regard to password cracking Who is Abbie Sciuto :

Of course, it could be cracked by somebody like Abbie Sciuto (and maybe the NSA or FBI) in just a few minutes <grin>.

Tim McGee also could do it. He is the major hacker on the NCIS team and often he and Annie collaborate on computer forensic matters. Abbie is usually the one to do Brute Force work like the password cracking however.
Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking
So could Chloe O'Brien.

On Wed, Dec 1, 2010 at 17:37, Robert A. Rosenberg hal9...@panix.com wrote:

At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In regard to password cracking Who is Abbie Sciuto :

Of course, it could be cracked by somebody like Abbie Sciuto (and maybe the NSA or FBI) in just a few minutes <grin>.

Tim McGee also could do it. He is the major hacker on the NCIS team and often he and Annie collaborate on computer forensic matters. Abbie is usually the one to do Brute Force work like the password cracking however.
Re: A New Threat for password hacking
In a6b9336cdb62bb46b9f8708e686a7ea005d5e05...@nrhmms8p02.uicnrh.dom, on 11/29/2010 at 09:57 AM, McKown, John john.mck...@healthmarkets.com said:

Each to his own. I prefer the human touch on password resets. But I'm an old paranoid <grin>. In my arrogance, somebody who cannot remember their RACF password likely can't remember their own name, either. A passphrase may be more difficult. But 8 stupid characters, max?

One of the curses of the computer industry is people who believe that their foo[1] is the only one, and aren't concerned about what happens when bar has to use both your foo and baz's foo. Eight characters isn't very much to remember if you only have one password. By the time you have half a dozen, it becomes an issue.

[1] E.g., dongle, password

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: A New Threat for password hacking
On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:

I would tend to agree with ' they violate our standards and are sharing ids'. Security is not priority one in some other countries. (At least not OUR security).

Security is not that high a priority in many organizations where the mantra is get the job done whatever it takes. If the security department is too restrictive and viewed as being a major roadblock, the other departments will get creative. If you have a product that insists on special characters in passwords, this can be a major pain given the variability of code points for many of the characters. Also how many passwords do you have to remember?

Clark Morris

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of McKown, John
Sent: Monday, November 29, 2010 10:58 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking

Each to his own. I prefer the human touch on password resets. But I'm an old paranoid <grin>. In my arrogance, somebody who cannot remember their RACF password likely can't remember their own name, either. A passphrase may be more difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. And after a vacation. But we've had literally 8 or 10 password reset requests in a row from some of our off-shore users. Personally, I think they violate our standards and are sharing ids. But I can't prove it.

John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Paul Gilmartin
Sent: Monday, November 29, 2010 9:44 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking

On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:

What gets me on this is that, in the recent past, some people at work were wanting an automatic resume of any RACF id which got too many password violations after some interval - like 10 minutes. So try n times, wait m minutes, rinse and repeat. Luckily this was killed.

The proposal isn't totally unreasonable in that it multiplies the time required for a brute force attack by a few orders of magnitude. I knew a product which imposed an escalating lockout time before retry for each unsuccessful attempt.

-- gil
Re: A New Threat for password hacking
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
Sent: Tuesday, November 30, 2010 9:27 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking

On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:

I would tend to agree with ' they violate our standards and are sharing ids'. Security is not priority one in some other countries. (At least not OUR security).

Security is not that high a priority in many organizations where the mantra is get the job done whatever it takes. If the security department is too restrictive and viewed as being a major roadblock, the other departments will get creative. If you have a product that insists on special characters in passwords, this can be a major pain given the variability of code points for many of the characters. Also how many passwords do you have to remember?

Clark Morris

Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work benefits web site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those are the ones I use most of the time. I have a USB flash drive which is ext4 formatted and uses a GPT partition table which contains an encrypted file which contains my other passwords (i.e. just confuses Windows users). And I have a backup of that encrypted file at home in a couple of places. Hope I never forget __that__ password! Not that I am likely to do so. And it is, for all intents and purposes, unguessable by anyone. No, I won't say more on that or why I would say it. Of course, it could be cracked by somebody like Abbie Sciuto (and maybe the NSA or FBI) in just a few minutes <grin>.

--
John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com
Re: A New Threat for password hacking
--- On Mon, 11/29/10, McKown, John john.mck...@healthmarkets.com wrote:

From: McKown, John john.mck...@healthmarkets.com
Subject: Re: A New Threat for password hacking
To: IBM-MAIN@bama.ua.edu
Date: Monday, November 29, 2010, 9:57 AM

Each to his own. I prefer the human touch on password resets. But I'm an old paranoid <grin>. In my arrogance, somebody who cannot remember their RACF password likely can't remember their own name, either. A passphrase may be more difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. And after a vacation. But we've had literally 8 or 10 password reset requests in a row from some of our off-shore users. Personally, I think they violate our standards and are sharing ids. But I can't prove it.

John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com

John: A couple of sites I use on the internet now use phrase checking. What I have found is that they are inconsistent in checking the response which makes it really confusing. Example: Birth City: Some sites insist on capital letters eg New York while some sites do not care if one types: new york. I do not know if it is on purpose that it matters or what. I certainly hope IBM does not care.

Ed
Re: A New Threat for password hacking
It's kind of difficult to use a brute force attack when RACF revokes the ID after a site specified number of attempts. Assuming the site doesn't allow 1 or 2 character passwords (you don't do you), even if the site were to allow 100 attempts, it's statistically a REALLY long shot to guess the password. I would imagine that most sites have 3 or 4 as the number of attempts, making the probability for success of a brute force attack too remote to consider as they wouldn't even get out of the single character attempts.

Brian
Re: A New Threat for password hacking
On Mon, 29 Nov 2010 04:39:54 -0600 Brian Westerman brian_wester...@syzygyinc.com wrote:

:It's kind of difficult to use a brute force attack when RACF revokes the ID
:after a site specified number of attempts. Assuming the site doesn't allow
:1 or 2 character passwords (you don't do you), even if the site were to
:allow 100 attempts, it's statistically a REALLY long shot to guess the
:password. I would imagine that most sites have 3 or 4 as the number of
:attempts, making the probability for success of a brute force attack too
:remote to consider as they wouldn't even get out of the single character
:attempts.

If you have the offload, you can make as many attempts as you wish.

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com
Director, Dissen Software, Bar Grill - Israel

Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies.
Re: A New Threat for password hacking
John,

I believe RACF only uses single DES, not Triple DES.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

2011 RACF Training
Intro Basic Admin - WebEx - JAN 24-28
Securing z/OS Unix - WebEx - FEB 8-10
Audit for Results - Boston - APR 12-14
Intro Basic Admin - Boston - MAY 10-12
Visit our website for registration details

-Original Message-
Date: Sun, 28 Nov 2010 19:37:37 -0600
From: John McKown joa...@swbell.net
Subject: Re: A New Threat for password hacking

RACF password encryption is explained here: http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza290/3.3.1

It uses Triple DES where the password is a key to encrypt the userid, which encrypted value is then stored in the DB. So two different users with the same password would have two different encrypted values. It also states it is a one way encryption. There is no way to back out. To crack a password would require having the unencrypted RACF id, the encrypted stored value, and the exact algorithm. Now, I'm not a cryptographer, but I don't think you can use that information to recreate a valid password easily. So you're more likely to try a brute force dictionary attack. Again, using an NSA quality supercomputer, I have no idea how long this would take. I think I'd just play the lotto and win sooner. But that is my ignorance speaking.

On Sun, 2010-11-28 at 19:15 -0600, Paul Gilmartin wrote:

On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:

Easy to say do not share your RACF db; harder in reality. Most sites believe they are safe because their RACF db is security protected and the dasd is not shared. And then completely forget that backups (to physical or virtual tape) contain the exact same information. And quite often the DSN used for the backup tapes is some type of dasd-manager HLQ, since it was most likely a full-volume backup that happened to contain the RACF db. And even if the HLQ for the full-volume backups is read-protected; it is still far easier to hack a tape dataset. Often, tape libraries (physical and virtual) are shared with less-secure test machines and quite often even with non z/OS systems. Granted, you will need the physical layout of the RACF db; but not the entire layout. Just enough to identify where the passphrases are maintained.

Aren't the passwords encrypted? But how strong is the encryption? It would be peculiarly pointless to store fewer bits of the encrypted password than are used in the encrypting key.

-- gil

--
John McKown
Maranatha!
Re: A New Threat for password hacking
On Mon, 2010-11-29 at 04:39 -0600, Brian Westerman wrote:

It's kind of difficult to use a brute force attack when RACF revokes the ID after a site specified number of attempts. Assuming the site doesn't allow 1 or 2 character passwords (you don't do you), even if the site were to allow 100 attempts, it's statistically a REALLY long shot to guess the password. I would imagine that most sites have 3 or 4 as the number of attempts, making the probability for success of a brute force attack too remote to consider as they wouldn't even get out of the single character attempts.

Brian

I was thinking more of an off-line attack by having captured some sort of dump of the database.

What gets me on this is that, in the recent past, some people at work were wanting an automatic resume of any RACF id which got too many password violations after some interval - like 10 minutes. So try n times, wait m minutes, rinse and repeat. Luckily this was killed. They also want a Web like interface so that a person could reset their own password via their browser. Luckily, we were able to kill most of this stuff with HIPAA requirements. And the dangling of multi-million dollar penalties should this be used to crack our system.

--
John McKown
Maranatha!
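Added example (not part of any message in this thread): a small Python model of the lockout policies discussed above, namely revocation after n failures, automatic resume after m minutes, and an escalating retry delay, set against an offline search of a captured database copy. The 39-symbol alphabet, the 6 to 8 character length range, the doubling delay and both guess rates are assumptions chosen for illustration; the 3 and 100 attempt counts, the 10-minute resume and the 8-character maximum come from the thread.

```python
"""Model of online lockout policies versus an offline search (added example)."""

# Assumptions, not from the thread: 39 symbols (A-Z, 0-9, #, @, $),
# passwords of 6 to 8 characters, chosen uniformly at random.
ALPHABET = 39
MIN_LEN, MAX_LEN = 6, 8
YEAR_S = 365 * 24 * 3600


def keyspace(alphabet=ALPHABET, lo=MIN_LEN, hi=MAX_LEN):
    """Number of candidate passwords across all allowed lengths."""
    return sum(alphabet ** n for n in range(lo, hi + 1))


def guesses_permanent_revoke(attempts):
    """ID is revoked after `attempts` failures and needs a manual resume,
    so the guess budget does not grow with time."""
    return attempts


def guesses_auto_resume(attempts, wait_s, window_s):
    """'Try n times, wait m minutes, rinse and repeat': one burst of
    `attempts` guesses at t=0 and another every `wait_s` seconds."""
    bursts = int(window_s // wait_s) + 1
    return attempts * bursts


def guesses_escalating(base_s, factor, window_s):
    """Retry delay starts at `base_s` and is multiplied by `factor`
    after every failed attempt (assumed escalation rule)."""
    t, delay, count = 0.0, base_s, 0
    while t <= window_s:
        count += 1      # one guess made at time t
        t += delay      # locked out until the delay expires
        delay *= factor
    return count


def hit_probability(guesses, space):
    """Chance that a uniformly random password is among the guesses."""
    return min(1.0, guesses / space)


def slowdown_factor(unthrottled_per_s, attempts, wait_s):
    """How much auto-resume slows guessing versus no lockout at all."""
    return unthrottled_per_s * wait_s / attempts


def offline_exhaust_seconds(space, rate_per_s):
    """Time to try every candidate against a captured copy, where no
    revoke counter applies."""
    return space / rate_per_s


def compare(window_s=YEAR_S):
    """Guess budget and hit probability per policy over `window_s`."""
    space = keyspace()
    budgets = {
        "revoke after 3, manual resume": guesses_permanent_revoke(3),
        "revoke after 100, manual resume": guesses_permanent_revoke(100),
        "3 tries, auto-resume after 10 min": guesses_auto_resume(3, 600, window_s),
        "escalating delay, 1 s doubling": guesses_escalating(1.0, 2.0, window_s),
    }
    return {k: (g, hit_probability(g, space)) for k, g in budgets.items()}


if __name__ == "__main__":
    for name, (g, p) in compare().items():
        print(f"{name:36s} {g:>8d} guesses/year  P(hit) = {p:.2e}")
    # Assumed rates: 10 online guesses/s unthrottled, 1e9 offline guesses/s.
    print("auto-resume slowdown vs 10/s:", slowdown_factor(10, 3, 600))
    hours = offline_exhaust_seconds(keyspace(), 1e9) / 3600
    print(f"offline exhaustion at 1e9/s: {hours:.1f} hours")
```

Under these assumptions every online policy leaves a negligible hit probability for a random password, while the offline case is bounded only by the key space and the guess rate, which is why the backup copies of the database matter more than the revoke threshold.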
Re: A New Threat for password hacking
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Binyamin Dissen

On Mon, 29 Nov 2010 04:39:54 -0600 Brian Westerman brian_wester...@syzygyinc.com wrote:

:It's kind of difficult to use a brute force attack when RACF revokes the ID
:after a site specified number of attempts. Assuming the site doesn't allow
:1 or 2 character passwords (you don't do you), even if the site were to
:allow 100 attempts, it's statistically a REALLY long shot to guess the
:password. I would imagine that most sites have 3 or 4 as the number of
:attempts, making the probability for success of a brute force attack too
:remote to consider as they wouldn't even get out of the single character
:attempts.

If you have the offload, you can make as many attempts as you wish.

But the offload (did you mean unload, as produced by IRRDBU00?) doesn't contain the password. If you meant backup, then your point is valid.

-jc-
Re: A New Threat for password hacking
Could well be. I vaguely remember something about Triple DES somewhere. But my mind is a bit loose right now on meds. John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Robert S. Hansel (RSH) Sent: Monday, November 29, 2010 5:25 AM To: IBM-MAIN@bama.ua.edu Subject: Re: A New Threat for password hacking John, I believe RACF only uses single DES, not Triple DES. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.rshconsulting.com - 2011 RACF Training Intro Basic Admin - WebEx - JAN 24-28 Securing z/OS Unix - WebEx - FEB 8-10 Audit for Results - Boston - APR 12-14 Intro Basic Admin - Boston - MAY 10-12 Visit our website for registration details - -Original Message- Date:Sun, 28 Nov 2010 19:37:37 -0600 From:John McKown joa...@swbell.net Subject: Re: A New Threat for password hacking RACF password encryption is explained here: http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ich za290/3.3.1 It uses Triple DES where the password is a key to encrypt the userid, which encrypted value is then stored in the DB. So two different users with the same password would have two different encrypted values. It also states it is a one way encryption. 
There is no way to back out. To crack a password would require having the unencrypted RACF id, the encrypted stored value, and the exact algorithm. Now, I'm not a cryptographer, but I don't think you can use that information to recreate a valid password easily. So you're more likely to try a brute force dictionary attack. Again, using an NSA quality supercomputer, I have no idea how long this would take. I think I'd just play the lotto and win sooner. But that is my ignorance speaking. On Sun, 2010-11-28 at 19:15 -0600, Paul Gilmartin wrote: On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote: Easy to say do not share your RACF db; harder in reality. Most sites believe they are safe because their RACF db is security protected and the dasd is not shared. And then completely forget that backups (to physical or virtual tape) contain the exact same information. And quite often the DSN used for the backup tapes is some type of dasd-manager HLQ, since it was most likely a full-volume backup that happen'ed to contain the RACF db. And even if the HLQ for the full-volume backups is read-protected; it is still far easier to hack a tape dataset. Often, tape libraries (physical and virtual) are shared with less-secure test machines and quite often even with non z/OS systems. Granted, you will need the physical layout of the RACF db; but not the entire layout. Just enough to identify where the passphrases are maintained. Aren't the passwords encrypted? But how strong is the encryption? It would be peculiarly pointless to store fewer bits of the encrypted password than are used in the encrypting key. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- John McKown Maranatha! 
Re: A New Threat for password hacking
Correct. I meant FDR or DFDSS or even IRRUTnnn unload. Not IRRDBU00. John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Chase, John Sent: Monday, November 29, 2010 6:54 AM To: IBM-MAIN@bama.ua.edu Subject: Re: A New Threat for password hacking -Original Message- From: IBM Mainframe Discussion List On Behalf Of Binyamin Dissen On Mon, 29 Nov 2010 04:39:54 -0600 Brian Westerman brian_wester...@syzygyinc.com wrote: :It's kind of difficult to use a brute force attack when RACF revokes the ID :after a site specified number of attempts. Assuming the site doesn't allow :1 or 2 character passwords (you don't do you), even if the site were to :allow 100 attempts, it's statistically a REALLY long shot to guess the :password. I would imagine that most sites have 3 or 4 as the number of :attempts, making the probability for success of a brute force attack too :remote to consider as they wouldn't even get out of the single character :attempts. If you have the offload, you can make as many attempts as you wish. But the offload (did you mean unload, as produced by IRRDBU00?) doesn't contain the password. If you meant backup, then your point is valid.
-jc-
Re: A New Threat for password hacking
On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote: What gets me on this is that, in the recent past, some people at work were wanting an automatic resume of any RACF id which got too many password violations after some interval - like 10 minutes. So try n times, wait m minutes, rinse and repeat. Luckily this was killed. The proposal isn't totally unreasonable in that it multiplies the time required for a brute force attack by a few orders of magnitude. I knew a product which imposed an escalating lockout time before retry for each unsuccessful attempt. -- gil
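The three lockout behaviours debated in this exchange (revoke until an administrator resumes the ID, automatic resume after a fixed wait, and an escalating lockout) can be compared by counting how many online guesses each one permits against a single ID. This is an added example, not code from any poster: the 3 attempts and 10-minute wait come from the thread, while the one-guess-per-second rate, the doubling factor and the one-day window are assumptions.

```python
# Added illustration; policy parameters other than "3 attempts" and
# "10 minutes" are assumptions, not values from the thread.
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 60 * 60  # seconds


@dataclass(frozen=True)
class Policy:
    name: str
    attempts_before_lock: int           # failed tries allowed before the ID locks
    base_lock_seconds: Optional[float]  # None: revoked until an administrator resumes it
    escalation: float = 1.0             # factor applied to each successive lock period

    def __post_init__(self):
        if self.attempts_before_lock < 1:
            raise ValueError("attempts_before_lock must be at least 1")
        if self.base_lock_seconds is not None and self.base_lock_seconds < 0:
            raise ValueError("base_lock_seconds cannot be negative")


def guesses_within(policy, window_seconds, seconds_per_guess=1.0):
    """Count the logon guesses one ID can receive inside the time window."""
    elapsed, guesses = 0.0, 0
    lock = policy.base_lock_seconds
    while True:
        for _ in range(policy.attempts_before_lock):
            if elapsed + seconds_per_guess > window_seconds:
                return guesses
            elapsed += seconds_per_guess
            guesses += 1
        if lock is None:
            return guesses          # ID stays revoked: no further guesses
        elapsed += lock             # wait out the lock period
        lock *= policy.escalation   # the next lock may be longer


def slowdown(policy, window_seconds, seconds_per_guess=1.0):
    """Factor by which the policy cuts guesses versus no lockout at all."""
    unthrottled = int(window_seconds // seconds_per_guess)
    allowed = guesses_within(policy, window_seconds, seconds_per_guess)
    return float("inf") if allowed == 0 else unthrottled / allowed


POLICIES = [
    Policy("revoke, manual resume", 3, None),
    Policy("auto-resume after 10 min", 3, 600.0),
    Policy("escalating lockout (doubles)", 3, 600.0, 2.0),
]


def report(window_seconds=DAY):
    """Map policy name to (guesses allowed, slowdown factor) for the window."""
    return {p.name: (guesses_within(p, window_seconds),
                     slowdown(p, window_seconds)) for p in POLICIES}


if __name__ == "__main__":
    for name, (allowed, factor) in report().items():
        print(f"{name:30s} {allowed:5d} guesses/day  {factor:8.0f}x fewer than unthrottled")
```

These limits apply only to guesses made through the logon path; a copy of the database taken from a backup is not subject to them, which is the point raised elsewhere in the thread.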
Re: A New Threat for password hacking
Each to his own. I prefer the human touch on password resets. But I'm an old paranoid grin. In my arrogance, somebody who cannot remember their RACF password likely can't remember their own name, either. A passphrase may be more difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. And after a vacation. But we've had literally 8 or 10 password reset requests in a row from some of our off-shore users. Personally, I think they violate our standards and are sharing ids. But I can't prove it. John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Paul Gilmartin Sent: Monday, November 29, 2010 9:44 AM To: IBM-MAIN@bama.ua.edu Subject: Re: A New Threat for password hacking On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote: What gets me on this is that, in the recent past, some people at work were wanting an automatic resume of any RACF id which got too many password violations after some interval - like 10 minutes. So try n times, wait m minutes, rinse and repeat. Luckily this was killed. The proposal isn't totally unreasonable in that it multiplies the time required for a brute force attack by a few orders of magnitude.
I knew a product which imposed an escalating lockout time before retry for each unsuccessful attempt. -- gil
Re: A New Threat for password hacking
I would tend to agree with 'they violate our standards and are sharing ids'. Security is not priority one in some other countries. (At least not OUR security). -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of McKown, John Sent: Monday, November 29, 2010 10:58 AM To: IBM-MAIN@bama.ua.edu Subject: Re: A New Threat for password hacking Each to his own. I prefer the human touch on password resets. But I'm an old paranoid grin. In my arrogance, somebody who cannot remember their RACF password likely can't remember their own name, either. A passphrase may be more difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. And after a vacation. But we've had literally 8 or 10 password reset requests in a row from some of our off-shore users. Personally, I think they violate our standards and are sharing ids. But I can't prove it. John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Paul Gilmartin Sent: Monday, November 29, 2010 9:44 AM To: IBM-MAIN@bama.ua.edu Subject: Re: A New Threat for password hacking On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote: What gets me on this is that, in the recent past, some people at work were wanting an automatic resume of any RACF id which got too many password violations after some interval - like 10 minutes. So try n times, wait m minutes, rinse and repeat. Luckily this was killed. The proposal isn't totally unreasonable in that it multiplies the time required for a brute force attack by a few orders of magnitude. I knew a product which imposed an escalating lockout time before retry for each unsuccessful attempt. -- gil
Re: A New Threat for password hacking
On 2010-11-29 16:43, Paul Gilmartin wrote: On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote: What gets me on this is that, in the recent past, some people at work were wanting an automatic resume of any RACF id which got too many password violations after some interval - like 10 minutes. So try n times, wait m minutes, rinse and repeat. Luckily this was killed. The proposal isn't totally unreasonable in that it multiplies the time required for a brute force attack by a few orders of magnitude. I knew a product which imposed an escalating lockout time before retry for each unsuccessful attempt. The proposal is *very* reasonable. Such functionality could be very convenient and it's NOT a security breach. Note: YOU CAN SWITCH IT OFF! A choice is good. For those who do not accept such a solution the functionality would be disabled. For others that means saved FTE's. IMHO it's better (safer) than self service password reset. Would I switch it on? I wouldn't decide, IT'S NOT MY DOG. ;-) My dog is to abide by (observe) the rules. -- Radoslaw Skorupka Lodz, Poland
Re: A New Threat for password hacking
IMHO it's better (safer) than self service password reset. A full service reset could be costly. I was once a customer of a service provider that charged us for each reset. Each year we paid them twice as much as the cost of a self-service solution. And, we're not talking about one of the cheap ones. We're talking about a redundant server with connections to windows, z, *nix, including LINUX, active directory, and things we didn't have. They can be very secure. We had 3-question challenge response, full profiling of users -- the works. - Ted MacNEIL eamacn...@yahoo.ca
Re: A New Threat for password hacking
Easy to say do not share your RACF db; harder in reality. Most sites believe they are safe because their RACF db is security protected and the dasd is not shared. And then completely forget that backups (to physical or virtual tape) contain the exact same information. And quite often the DSN used for the backup tapes is some type of dasd-manager HLQ, since it was most likely a full-volume backup that happened to contain the RACF db. And even if the HLQ for the full-volume backups is read-protected; it is still far easier to hack a tape dataset. Often, tape libraries (physical and virtual) are shared with less-secure test machines and quite often even with non z/OS systems. Granted, you will need the physical layout of the RACF db; but not the entire layout. Just enough to identify where the passphrases are maintained. The number of sites that forget about tape security is scary. And unprotected tape (both physical and virtual) allows anyone in the organization to read a backup of almost any file in the data center. Russell Witt my own 2-cents worth -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] on Behalf Of R.S. Sent: Sunday, November 28, 2010 1:52 AM To: IBM-MAIN@bama.ua.edu Subject: Re: A New Threat for password hacking Ed Gould wrote: http://preview.tinyurl.com/2djttta Hacker Cracks Secure Hashing Algorithm Using Amazon Cloud. Using EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned. Fortunately mainframe has no GPU vbg more seriously: 1. Passwords in RACF db are stored using DES, not SHA (actually the password is the key used to encrypt the userid). 2. It's widely known that SHA1 is not strong enough. 3. The best idea is not to share RACF db with potential hackers. No db means nothing to crack; neither the algorithm nor the CPU power available for cracking matters. -- Radoslaw Skorupka Lodz, Poland
Re: A New Threat for password hacking
On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote: Easy to say do not share your RACF db; harder in reality. Most sites believe they are safe because their RACF db is security protected and the dasd is not shared. And then completely forget that backups (to physical or virtual tape) contain the exact same information. And quite often the DSN used for the backup tapes is some type of dasd-manager HLQ, since it was most likely a full-volume backup that happened to contain the RACF db. And even if the HLQ for the full-volume backups is read-protected; it is still far easier to hack a tape dataset. Often, tape libraries (physical and virtual) are shared with less-secure test machines and quite often even with non z/OS systems. Granted, you will need the physical layout of the RACF db; but not the entire layout. Just enough to identify where the passphrases are maintained. Aren't the passwords encrypted? But how strong is the encryption? It would be peculiarly pointless to store fewer bits of the encrypted password than are used in the encrypting key. -- gil
Re: A New Threat for password hacking
RACF password encryption is explained here: http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza290/3.3.1 It uses Triple DES where the password is a key to encrypt the userid, which encrypted value is then stored in the DB. So two different users with the same password would have two different encrypted values. It also states it is a one way encryption. There is no way to back out. To crack a password would require having the unencrypted RACF id, the encrypted stored value, and the exact algorithm. Now, I'm not a cryptographer, but I don't think you can use that information to recreate a valid password easily. So you're more likely to try a brute force dictionary attack. Again, using an NSA quality supercomputer, I have no idea how long this would take. I think I'd just play the lotto and win sooner. But that is my ignorance speaking. On Sun, 2010-11-28 at 19:15 -0600, Paul Gilmartin wrote: On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote: Easy to say do not share your RACF db; harder in reality. Most sites believe they are safe because their RACF db is security protected and the dasd is not shared. And then completely forget that backups (to physical or virtual tape) contain the exact same information. And quite often the DSN used for the backup tapes is some type of dasd-manager HLQ, since it was most likely a full-volume backup that happened to contain the RACF db. And even if the HLQ for the full-volume backups is read-protected; it is still far easier to hack a tape dataset. Often, tape libraries (physical and virtual) are shared with less-secure test machines and quite often even with non z/OS systems. Granted, you will need the physical layout of the RACF db; but not the entire layout. Just enough to identify where the passphrases are maintained. Aren't the passwords encrypted? But how strong is the encryption? It would be peculiarly pointless to store fewer bits of the encrypted password than are used in the encrypting key.
-- gil -- John McKown Maranatha!
A New Threat for password hacking
http://preview.tinyurl.com/2djttta Hacker Cracks Secure Hashing Algorithm Using Amazon Cloud. Using EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned.
Re: A New Threat for password hacking
Ed Gould wrote: http://preview.tinyurl.com/2djttta Hacker Cracks Secure Hashing Algorithm Using Amazon Cloud. Using EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned. Fortunately mainframe has no GPU vbg more seriously: 1. Passwords in RACF db are stored using DES, not SHA (actually the password is the key used to encrypt the userid). 2. It's widely known that SHA1 is not strong enough. 3. The best idea is not to share RACF db with potential hackers. No db means nothing to crack; neither the algorithm nor the CPU power available for cracking matters. -- Radoslaw Skorupka Lodz, Poland