subject:"Re\: Just how secure are mainframes\? \| Trevor Eddolls"


W dniu 2019-06-02 o 21:48, ITschak Mugzach pisze:

Sory to inform you: there are such SVCs available for download. I think
there is one on the cbttape .


While such code is available for download it is not available for install.
Otherwise we talk about mistakes in configurations => human problem, not 
platform weakness.


BTW: I know very dangerous tool for hacking RACFdb and passwords: 
IEBGENER. You run IEBGENER, put RACFdb in SYSUT1, then transfer SYSUT2 
content directly to some hack site and voila.


--
Radoslaw Skorupka
Lodz, Poland




==

Jeśli nie jesteś adresatem tej wiadomości:

- powiadom nas o tym w mailu zwrotnym (dziękujemy!),
- usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub zapisałeś 
na dysku).
Wiadomość ta może zawierać chronione prawem informacje, które może wykorzystać 
tylko adresat.Przypominamy, że każdy, kto rozpowszechnia (kopiuje, rozprowadza) 
tę wiadomość lub podejmuje podobne działania, narusza prawo i może podlegać 
karze.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st. 
Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237, 
NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na 
01.01.2018 r. wynosi 169.248.488 złotych.

If you are not the addressee of this message:

- let us know by replying to this e-mail (thank you!),
- delete this message permanently (including all the copies which you have 
printed out or saved).
This message may contain legally protected information, which may be used 
exclusively by the addressee.Please be reminded that anyone who disseminates 
(copies, distributes) this message or takes any similar action, violates the 
law and may be penalised.

mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital 
City of Warsaw, 12th Commercial Division of the National Court Register, KRS 
025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN 
169,248,488 as at 1 January 2018.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls


W dniu 2019-06-03 o 05:30, ITschak Mugzach pisze:

I do? You must be joking. The thread is monopolized by one person. You know
who.


No, it's not.
Maybe Bill wrote the most, but other people also contributed 
significantly, including you, Ray, Lenny, me, Shmuel, Clark, Tom and 
others.
And everyone is allowed to write more if he wants. The thread is not 
monopolized.


I observe many emotions here which is not good since emotions go hand in 
hand with merit.

I also observe play on sb's emotions, defy, which is even worse.

--
Radoslaw Skorupka
Lodz, Poland




==

Jeśli nie jesteś adresatem tej wiadomości:

- powiadom nas o tym w mailu zwrotnym (dziękujemy!),
- usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub zapisałeś 
na dysku).
Wiadomość ta może zawierać chronione prawem informacje, które może wykorzystać 
tylko adresat.Przypominamy, że każdy, kto rozpowszechnia (kopiuje, rozprowadza) 
tę wiadomość lub podejmuje podobne działania, narusza prawo i może podlegać 
karze.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st. 
Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237, 
NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na 
01.01.2018 r. wynosi 169.248.488 złotych.

If you are not the addressee of this message:

- let us know by replying to this e-mail (thank you!),
- delete this message permanently (including all the copies which you have 
printed out or saved).
This message may contain legally protected information, which may be used 
exclusively by the addressee.Please be reminded that anyone who disseminates 
(copies, distributes) this message or takes any similar action, violates the 
law and may be penalised.

mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital 
City of Warsaw, 12th Commercial Division of the National Court Register, KRS 
025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN 
169,248,488 as at 1 January 2018.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

2019-06-05 Thread Bill Johnson

Correct

Sent from Yahoo Mail for iPhone

On Wednesday, June 5, 2019, 12:25 PM, R.S.  
wrote:

W dniu 2019-06-04 o 18:52, Clark Morris pisze:
> [Default] On 4 Jun 2019 08:56:03 -0700, in bit.listserv.ibm-main
> 0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >From the you can't make this up department. Mr. Marchant agrees with me.
>> https://www.compuware.com/proving-z13-modern/
>>
> Considering that he is writing for a mainframe systems software vendor
> that provides APF authorized code, he has some interest in
> perpetuating the mainframe.  Also RACF is a separately priced add-on
> item>  Does IBM require that you license RACF or approved third party
> equivalent as a condition of running z/OS?  Is there a mechanism for
> third party vendors that provide software that runs APF authorized to
> be somehow included in the statement of integrity or have recognized
> equivalents?

Clark,
RACF is optional feature only because there are (were) some competitive 
products. IBM is (has to be?) fair allowing the choice.
However security server is NOT OPTIONAL for the system, you HAVE TO HAVE 
ONE OF THEM. Otherwise you won't be able to run many system components.
So, you can choose which security server to use, not if to use it.

-- 
Radoslaw Skorupka
Lodz, Poland

==

Jeśli nie jesteś adresatem tej wiadomości:

- powiadom nas o tym w mailu zwrotnym (dziękujemy!),
- usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub zapisałeś 
na dysku).
Wiadomość ta może zawierać chronione prawem informacje, które może wykorzystać 
tylko adresat.Przypominamy, że każdy, kto rozpowszechnia (kopiuje, rozprowadza) 
tę wiadomość lub podejmuje podobne działania, narusza prawo i może podlegać 
karze.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st. 
Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237, 
NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na 
01.01.2018 r. wynosi 169.248.488 złotych.

If you are not the addressee of this message:

- let us know by replying to this e-mail (thank you!),
- delete this message permanently (including all the copies which you have 
printed out or saved).
This message may contain legally protected information, which may be used 
exclusively by the addressee.Please be reminded that anyone who disseminates 
(copies, distributes) this message or takes any similar action, violates the 
law and may be penalised.

mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital 
City of Warsaw, 12th Commercial Division of the National Court Register, KRS 
025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN 
169,248,488 as at 1 January 2018.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls


W dniu 2019-06-04 o 18:52, Clark Morris pisze:

[Default] On 4 Jun 2019 08:56:03 -0700, in bit.listserv.ibm-main
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>From the you can't make this up department. Mr. Marchant agrees with me.

https://www.compuware.com/proving-z13-modern/


Considering that he is writing for a mainframe systems software vendor
that provides APF authorized code, he has some interest in
perpetuating the mainframe.  Also RACF is a separately priced add-on
item>  Does IBM require that you license RACF or approved third party
equivalent as a condition of running z/OS?  Is there a mechanism for
third party vendors that provide software that runs APF authorized to
be somehow included in the statement of integrity or have recognized
equivalents?


Clark,
RACF is optional feature only because there are (were) some competitive 
products. IBM is (has to be?) fair allowing the choice.
However security server is NOT OPTIONAL for the system, you HAVE TO HAVE 
ONE OF THEM. Otherwise you won't be able to run many system components.

So, you can choose which security server to use, not if to use it.

--
Radoslaw Skorupka
Lodz, Poland




==

Jeśli nie jesteś adresatem tej wiadomości:

- powiadom nas o tym w mailu zwrotnym (dziękujemy!),
- usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub zapisałeś 
na dysku).
Wiadomość ta może zawierać chronione prawem informacje, które może wykorzystać 
tylko adresat.Przypominamy, że każdy, kto rozpowszechnia (kopiuje, rozprowadza) 
tę wiadomość lub podejmuje podobne działania, narusza prawo i może podlegać 
karze.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st. 
Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237, 
NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na 
01.01.2018 r. wynosi 169.248.488 złotych.

If you are not the addressee of this message:

- let us know by replying to this e-mail (thank you!),
- delete this message permanently (including all the copies which you have 
printed out or saved).
This message may contain legally protected information, which may be used 
exclusively by the addressee.Please be reminded that anyone who disseminates 
(copies, distributes) this message or takes any similar action, violates the 
law and may be penalised.

mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital 
City of Warsaw, 12th Commercial Division of the National Court Register, KRS 
025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN 
169,248,488 as at 1 January 2018.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls


Regarding "you have never been hacked during 40 years".
Disclaimer: this is not my case, I only analyze it from logic point of 
view.
Indeed Bill cannot be 100% sure ha had never been hacked. Just because 
maybe he was hacked but the breach was not disclosed. However no one can 
be 100% sure of it. No one on any possible platform, maybe except single 
user computers not connected to any network. Can YOU prove that NOW your 
computer is not hacked? No.
However sometimes we are "pretty sure". I'm pretty sure my mainframe is 
not hacked now. Do you?
Last, but not least: while it would be possible to break in just for fun 
and do nothing, it would be more likely that bad guys break in for 
money. Such breach would be disclosed/know to someone.

And this is the key: Bill can be sure that no KNOW breach had taken place.

BTW: The above is just logic. It is not about "mainframe is secure" or 
"mainframe is insecure".


--
Radoslaw Skorupka
Lodz, Poland






W dniu 2019-06-04 o 16:43, Tom Marchant pisze:

On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:


noise and plenty of it.

PKB.

You have posted more to this thread than anyone else.

You have claimed that security is the main reason people stay on the
mainframe, and posted a few articles that do not say what you claimed
they say.

You have insisted several times that your MVS systems have never been
hacked without providing any evidence or serious reasoning as to how
you could know that. "40 years of experience" is not evidence. It's called
appeal to authority, and it is a logical fallacy.

When your assertions are questioned, your response is to attack those
who question you rather than provide evidence. Another logical fallacy.





==

Jeśli nie jesteś adresatem tej wiadomości:

- powiadom nas o tym w mailu zwrotnym (dziękujemy!),
- usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub zapisałeś 
na dysku).
Wiadomość ta może zawierać chronione prawem informacje, które może wykorzystać 
tylko adresat.Przypominamy, że każdy, kto rozpowszechnia (kopiuje, rozprowadza) 
tę wiadomość lub podejmuje podobne działania, narusza prawo i może podlegać 
karze.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st. 
Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237, 
NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na 
01.01.2018 r. wynosi 169.248.488 złotych.

If you are not the addressee of this message:

- let us know by replying to this e-mail (thank you!),
- delete this message permanently (including all the copies which you have 
printed out or saved).
This message may contain legally protected information, which may be used 
exclusively by the addressee.Please be reminded that anyone who disseminates 
(copies, distributes) this message or takes any similar action, violates the 
law and may be penalised.

mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital 
City of Warsaw, 12th Commercial Division of the National Court Register, KRS 
025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN 
169,248,488 as at 1 January 2018.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls


Multics... MVS  and CA products 30 years ago...
I strongly believe that prehistory is not good argument for discussion 
about contemporary systems.


--
Radoslaw Skorupka
Lodz, Poland






W dniu 2019-06-03 o 20:28, Clark Morris pisze:

[Default] On 3 Jun 2019 09:41:54 -0700, in bit.listserv.ibm-main
sme...@gmu.edu (Seymour J Metz) wrote:


This whole thread has consistently confused several very different issues:

I agree and have questions in each of the areas.

1. How secure is z/OS itself?

I recall reading that Multics was more secure than the concurrent MVS
was at the time and wonder if that would have been a better base going
forward.  Does the design of z/OS and the tools for implementation
make it more difficult to create and maintain a secure system?  How
secure are VM and TPF relative to z/OS? Does anyone have a feel for
how secure and securable the Unisys and any other mainframe operating
systems are relative to z/OS?

2. How secure is 3rd party software?

30 years ago people were complain about some of the holes in CA
software.  While much has changed and I assume those holes were
plugged long ago, the question remains as to how we evaluate 3rd party
software that by its nature has to have system hooks and run APF
authorized and / or key zero (system monitors, tape management
systems, etc.)?  Could and should changes to z/OS be made that would
allow some of this software run unauthorized and key 8? How much
vulnerability do we introduce by having such things as monitors,
report management systems, etc?  How much security and vulnerability
is at the application level where it is the application that has to
determine whether access is authorized (online banking anyone)?

3. How secure is the typical shop running z/OS?

Given the need to consider security at not only the operating system
level but also the application level and the number of things that
have to be controlled, I suspect that most organizations are less
secure than they think they are.  The problem starts with keeping the
authorities that people have current as they change roles in an
organization and leave that organization.  Are the test system as
secure as the production systems?  Have all of the people involved
including operators, people doing report distribution, application
developers and maintainers etc. been properly vetted?  How do we
monitor to make sure people haveen't been compromised?  The list goes
on.

Clark Morris

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
.





==

Jeśli nie jesteś adresatem tej wiadomości:

- powiadom nas o tym w mailu zwrotnym (dziękujemy!),
- usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub zapisałeś 
na dysku).
Wiadomość ta może zawierać chronione prawem informacje, które może wykorzystać 
tylko adresat.Przypominamy, że każdy, kto rozpowszechnia (kopiuje, rozprowadza) 
tę wiadomość lub podejmuje podobne działania, narusza prawo i może podlegać 
karze.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st. 
Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237, 
NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na 
01.01.2018 r. wynosi 169.248.488 złotych.

If you are not the addressee of this message:

- let us know by replying to this e-mail (thank you!),
- delete this message permanently (including all the copies which you have 
printed out or saved).
This message may contain legally protected information, which may be used 
exclusively by the addressee.Please be reminded that anyone who disseminates 
(copies, distributes) this message or takes any similar action, violates the 
law and may be penalised.

mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital 
City of Warsaw, 12th Commercial Division of the National Court Register, KRS 
025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN 
169,248,488 as at 1 January 2018.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

W dniu 2019-05-29 o 21:38, Savor, Thomas (Alpharetta) pisze:

In securing Mainframe:

One thing I've noticed over the years is how a Company will "hide" their Mainframe hardware.

The Hardware for me now is in a unmarked Building that looks like a bunker (I'm
told). Pretty bad that the location is in my town, however the address is NOT
circulated. The first installation that I worked at, it was well known where
the data center was. It was no issue to walk into Operations and tour new
equipment or talk to operators. Now, forget it.

The very same rules apply for any other hardware. It's not paltform
specific.
BTW: the address of datacenter is "gray zone". It is neither secret nor
public.
Youd don't publish the address in the press, you won't answer it to
journalist's question.
However a lot of people know this address. All vendors' CE's have to
enter inside. All deliveries have to be delivered. All security folks
know where they work. All of the people are not your people and in fact
you have no legal method to prevent them from disclosing the information.

But, again, it is completely not platform specific.

--
Radoslaw Skorupka
Lodz, Poland

Jeśli nie jesteś adresatem tej wiadomości:

- powiadom nas o tym w mailu zwrotnym (dziękujemy!),
- usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub zapisałeś
na dysku).
Wiadomość ta może zawierać chronione prawem informacje, które może wykorzystać
tylko adresat.Przypominamy, że każdy, kto rozpowszechnia (kopiuje, rozprowadza)
tę wiadomość lub podejmuje podobne działania, narusza prawo i może podlegać
karze.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st.
Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237,
NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na
01.01.2018 r. wynosi 169.248.488 złotych.

If you are not the addressee of this message:

- let us know by replying to this e-mail (thank you!),
- delete this message permanently (including all the copies which you have
printed out or saved).
This message may contain legally protected information, which may be used
exclusively by the addressee.Please be reminded that anyone who disseminates
(copies, distributes) this message or takes any similar action, violates the
law and may be penalised.

mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital
City of Warsaw, 12th Commercial Division of the National Court Register, KRS
025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN
169,248,488 as at 1 January 2018.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

2019-06-04 Thread Tom Marchant

On Tue, 4 Jun 2019 13:52:27 -0300, Clark Morris wrote:

>Is there a mechanism for
>third party vendors that provide software that runs APF authorized to
>be somehow included in the statement of integrity or have recognized
>equivalents?

Other vendors are free to issue their own statements of integrity. 
IBM makes no statements about other vendors commitments to 
system integrity. The IBM statement for z/OS can be found at
https://www.ibm.com/downloads/cas/OWGOKG40 

It is up to customers to evaluate all of their vendors' commitments to 
system integrity. 

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

Agile: doing the wrong thing quickly


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List  on behalf of 
ITschak Mugzach 
Sent: Monday, June 3, 2019 2:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

Have no idea about MultiCS, but can comment on 2 & 3 as I've seen many
installations here and in EU.

   1. The best way is to check the product after it was installed by the
   sysprog. I noticed that some of them skip installation steps. When it comes
   to products that depend on USS, it can be a vendor issue as well. for
   example, many vendors, including IBM, set wrong UMASK. almost all new
   products i examined, usually in a pre-prod assessment, depend on USS.
   2. many organizations has a single source for distributing software,
   usually the system's sandbox. that mean, that you must protect the sandbox
   at last as production clones, because if someone can access your SMP and
   target libraries, a zero day (not zero, but one you haven't applied fix for
   yet) can be exploit in production.
   3. BTW, I am seeing move to agile development, but usually there is no
   security expert between the team members. these people are rare...


Don't buy anything from me!
ITschak

On Mon, Jun 3, 2019 at 9:29 PM Clark Morris  wrote:

> [Default] On 3 Jun 2019 09:41:54 -0700, in bit.listserv.ibm-main
> sme...@gmu.edu (Seymour J Metz) wrote:
>
> >This whole thread has consistently confused several very different issues:
>
> I agree and have questions in each of the areas.
> >
> > 1. How secure is z/OS itself?
>
> I recall reading that Multics was more secure than the concurrent MVS
> was at the time and wonder if that would have been a better base going
> forward.  Does the design of z/OS and the tools for implementation
> make it more difficult to create and maintain a secure system?  How
> secure are VM and TPF relative to z/OS? Does anyone have a feel for
> how secure and securable the Unisys and any other mainframe operating
> systems are relative to z/OS?
> >
> > 2. How secure is 3rd party software?
>
> 30 years ago people were complain about some of the holes in CA
> software.  While much has changed and I assume those holes were
> plugged long ago, the question remains as to how we evaluate 3rd party
> software that by its nature has to have system hooks and run APF
> authorized and / or key zero (system monitors, tape management
> systems, etc.)?  Could and should changes to z/OS be made that would
> allow some of this software run unauthorized and key 8? How much
> vulnerability do we introduce by having such things as monitors,
> report management systems, etc?  How much security and vulnerability
> is at the application level where it is the application that has to
> determine whether access is authorized (online banking anyone)?
> >
> > 3. How secure is the typical shop running z/OS?
>
> Given the need to consider security at not only the operating system
> level but also the application level and the number of things that
> have to be controlled, I suspect that most organizations are less
> secure than they think they are.  The problem starts with keeping the
> authorities that people have current as they change roles in an
> organization and leave that organization.  Are the test system as
> secure as the production systems?  Have all of the people involved
> including operators, people doing report distribution, application
> developers and maintainers etc. been properly vetted?  How do we
> monitor to make sure people haveen't been compromised?  The list goes
> on.
>
> Clark Morris
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>


--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **|  *

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

 Bad link
https://www.computerworld.com/article/2487425/target-breach-happened-because-of-a-basic-network-segmentation-error.html


On Tuesday, June 4, 2019, 12:53:11 PM EDT, Clark Morris 
 wrote:  
 
 [Default] On 4 Jun 2019 08:56:03 -0700, in bit.listserv.ibm-main
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>From the you can’t make this up department. Mr. Marchant agrees with me.
>
>https://www.compuware.com/proving-z13-modern/
>
Considering that he is writing for a mainframe systems software vendor
that provides APF authorized code, he has some interest in
perpetuating the mainframe.  Also RACF is a separately priced add-on
item>  Does IBM require that you license RACF or approved third party
equivalent as a condition of running z/OS?  Is there a mechanism for
third party vendors that provide software that runs APF authorized to
be somehow included in the statement of integrity or have recognized
equivalents?


I suspect that the data that was involved in the famous Target
retailer breach was residing on a mainframe and was gotten by using
credentials that were stolen from a supplier that had valid access to
the data.  I think the initial breach was at the supplier that was
probably not running a mainframe system.

Clark Morris 
>
>Talk of “modernization” of mainframe systems is often code for redesigning 
>mainframe-based applications and implementing them to run on Windows, or less 
>frequently, on Unix or Linux. None of these systems can match the security 
>capabilities of modern mainframe operating systems.
>
>
>Sent from Yahoo Mail for iPhone
>
>
>On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
><000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:
>
>On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:
>
>>noise and plenty of it.
>
>PKB.
>
>You have posted more to this thread than anyone else.
>
>You have claimed that security is the main reason people stay on the 
>mainframe, and posted a few articles that do not say what you claimed 
>they say.
>
>You have insisted several times that your MVS systems have never been 
>hacked without providing any evidence or serious reasoning as to how 
>you could know that. "40 years of experience" is not evidence. It's called 
>appeal to authority, and it is a logical fallacy.
>
>When your assertions are questioned, your response is to attack those 
>who question you rather than provide evidence. Another logical fallacy.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN  

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

How target was hacked.
https://www.computerworld.com/article/2487425/target-breach-happened-because-of-a-basic-network-segmentation-error.html
 


Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 12:52 PM, Clark Morris  wrote:

[Default] On 4 Jun 2019 08:56:03 -0700, in bit.listserv.ibm-main
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>From the you can’t make this up department. Mr. Marchant agrees with me.
>
>https://www.compuware.com/proving-z13-modern/
>
Considering that he is writing for a mainframe systems software vendor
that provides APF authorized code, he has some interest in
perpetuating the mainframe.  Also RACF is a separately priced add-on
item>  Does IBM require that you license RACF or approved third party
equivalent as a condition of running z/OS?  Is there a mechanism for
third party vendors that provide software that runs APF authorized to
be somehow included in the statement of integrity or have recognized
equivalents?


I suspect that the data that was involved in the famous Target
retailer breach was residing on a mainframe and was gotten by using
credentials that were stolen from a supplier that had valid access to
the data.  I think the initial breach was at the supplier that was
probably not running a mainframe system.

Clark Morris 
>
>Talk of “modernization” of mainframe systems is often code for redesigning 
>mainframe-based applications and implementing them to run on Windows, or less 
>frequently, on Unix or Linux. None of these systems can match the security 
>capabilities of modern mainframe operating systems.
>
>
>Sent from Yahoo Mail for iPhone
>
>
>On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
><000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:
>
>On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:
>
>>noise and plenty of it.
>
>PKB.
>
>You have posted more to this thread than anyone else.
>
>You have claimed that security is the main reason people stay on the 
>mainframe, and posted a few articles that do not say what you claimed 
>they say.
>
>You have insisted several times that your MVS systems have never been 
>hacked without providing any evidence or serious reasoning as to how 
>you could know that. "40 years of experience" is not evidence. It's called 
>appeal to authority, and it is a logical fallacy.
>
>When your assertions are questioned, your response is to attack those 
>who question you rather than provide evidence. Another logical fallacy.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

Well, the vendor could submit z/OS with their software installed for a security 
certification, but as I understand it that's very expensive and time consuming.

As for an ESM, there are a lot of facilities that won't work at all without one.

BTW, just because an application isn't APF authorized and therefore doesn't 
have an integrity vulnerability doesn't mean that it doesn't have a security 
vulnerability. If it has multiple users and allows one user unauthorized access 
to the data of another, ...


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List  on behalf of 
Clark Morris 
Sent: Tuesday, June 4, 2019 12:52 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

[Default] On 4 Jun 2019 08:56:03 -0700, in bit.listserv.ibm-main
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>From the you can’t make this up department. Mr. Marchant agrees with me.
>
>https://secure-web.cisco.com/1-whmwv7ULNYR1Hukwy-H5Q9Q_4xxNp8kYaDWfQ_GoMFseGBxwIbMwKs0Rrl3jVK6OBpw-WYyZ1DTl6RV2xyK9yJCovsG-dNbqIg9MfqXdV2KiPKR3uYau79LHXCF-Nlgif0qWny0y-5PPH78itFajSf0D4z9XPR_j98gYPV7f54LfqOplIiFdoIWHcjisX6FjYJwbr5vx-cQqOuqZ2mLaAMEvPvINJsmmpb8y3aO-5oTSLdgkJ1FTPeky66f4xtwpBr_sAsFYPYJWf-zdA0rKGzFmfub4Uk8u2tQ5hCnKwcwe-nd4194giBemlc5fxp9ZhDMwUeUYBPRVnYX-wEFF2aQ-FiHbP_uDuQbwAs-3kOE1PadBdfq_GC3vPqUVOhSzB4jLwb7bkAAdmDVs7hRAqJYH6HZqI5F1zVEdsss6CNcwwI1PYaI3qkTyxmEqOXjNU6W9fckIIXxrEHy2expkw/https%3A%2F%2Fwww.compuware.com%2Fproving-z13-modern%2F
>
Considering that he is writing for a mainframe systems software vendor
that provides APF authorized code, he has some interest in
perpetuating the mainframe.  Also RACF is a separately priced add-on
item>  Does IBM require that you license RACF or approved third party
equivalent as a condition of running z/OS?  Is there a mechanism for
third party vendors that provide software that runs APF authorized to
be somehow included in the statement of integrity or have recognized
equivalents?


I suspect that the data that was involved in the famous Target
retailer breach was residing on a mainframe and was gotten by using
credentials that were stolen from a supplier that had valid access to
the data.  I think the initial breach was at the supplier that was
probably not running a mainframe system.

Clark Morris
>
>Talk of “modernization” of mainframe systems is often code for redesigning 
>mainframe-based applications and implementing them to run on Windows, or less 
>frequently, on Unix or Linux. None of these systems can match the security 
>capabilities of modern mainframe operating systems.
>
>
>Sent from Yahoo Mail for iPhone
>
>
>On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
><000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:
>
>On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:
>
>>noise and plenty of it.
>
>PKB.
>
>You have posted more to this thread than anyone else.
>
>You have claimed that security is the main reason people stay on the
>mainframe, and posted a few articles that do not say what you claimed
>they say.
>
>You have insisted several times that your MVS systems have never been
>hacked without providing any evidence or serious reasoning as to how
>you could know that. "40 years of experience" is not evidence. It's called
>appeal to authority, and it is a logical fallacy.
>
>When your assertions are questioned, your response is to attack those
>who question you rather than provide evidence. Another logical fallacy.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

Not according to Target or any write ups I’ve read on it.


Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 12:52 PM, Clark Morris  wrote:

[Default] On 4 Jun 2019 08:56:03 -0700, in bit.listserv.ibm-main
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>From the you can’t make this up department. Mr. Marchant agrees with me.
>
>https://www.compuware.com/proving-z13-modern/
>
Considering that he is writing for a mainframe systems software vendor
that provides APF authorized code, he has some interest in
perpetuating the mainframe.  Also RACF is a separately priced add-on
item>  Does IBM require that you license RACF or approved third party
equivalent as a condition of running z/OS?  Is there a mechanism for
third party vendors that provide software that runs APF authorized to
be somehow included in the statement of integrity or have recognized
equivalents?


I suspect that the data that was involved in the famous Target
retailer breach was residing on a mainframe and was gotten by using
credentials that were stolen from a supplier that had valid access to
the data.  I think the initial breach was at the supplier that was
probably not running a mainframe system.

Clark Morris 
>
>Talk of “modernization” of mainframe systems is often code for redesigning 
>mainframe-based applications and implementing them to run on Windows, or less 
>frequently, on Unix or Linux. None of these systems can match the security 
>capabilities of modern mainframe operating systems.
>
>
>Sent from Yahoo Mail for iPhone
>
>
>On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
><000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:
>
>On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:
>
>>noise and plenty of it.
>
>PKB.
>
>You have posted more to this thread than anyone else.
>
>You have claimed that security is the main reason people stay on the 
>mainframe, and posted a few articles that do not say what you claimed 
>they say.
>
>You have insisted several times that your MVS systems have never been 
>hacked without providing any evidence or serious reasoning as to how 
>you could know that. "40 years of experience" is not evidence. It's called 
>appeal to authority, and it is a logical fallacy.
>
>When your assertions are questioned, your response is to attack those 
>who question you rather than provide evidence. Another logical fallacy.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

RACF comes with the OS. You turn it on and pay for it ONLY if you don’t have 
ACF2 or TSS. And RACF has approx 80% market share.


Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 12:52 PM, Clark Morris  wrote:

[Default] On 4 Jun 2019 08:56:03 -0700, in bit.listserv.ibm-main
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>From the you can’t make this up department. Mr. Marchant agrees with me.
>
>https://www.compuware.com/proving-z13-modern/
>
Considering that he is writing for a mainframe systems software vendor
that provides APF authorized code, he has some interest in
perpetuating the mainframe.  Also RACF is a separately priced add-on
item>  Does IBM require that you license RACF or approved third party
equivalent as a condition of running z/OS?  Is there a mechanism for
third party vendors that provide software that runs APF authorized to
be somehow included in the statement of integrity or have recognized
equivalents?


I suspect that the data that was involved in the famous Target
retailer breach was residing on a mainframe and was gotten by using
credentials that were stolen from a supplier that had valid access to
the data.  I think the initial breach was at the supplier that was
probably not running a mainframe system.

Clark Morris 
>
>Talk of “modernization” of mainframe systems is often code for redesigning 
>mainframe-based applications and implementing them to run on Windows, or less 
>frequently, on Unix or Linux. None of these systems can match the security 
>capabilities of modern mainframe operating systems.
>
>
>Sent from Yahoo Mail for iPhone
>
>
>On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
><000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:
>
>On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:
>
>>noise and plenty of it.
>
>PKB.
>
>You have posted more to this thread than anyone else.
>
>You have claimed that security is the main reason people stay on the 
>mainframe, and posted a few articles that do not say what you claimed 
>they say.
>
>You have insisted several times that your MVS systems have never been 
>hacked without providing any evidence or serious reasoning as to how 
>you could know that. "40 years of experience" is not evidence. It's called 
>appeal to authority, and it is a logical fallacy.
>
>When your assertions are questioned, your response is to attack those 
>who question you rather than provide evidence. Another logical fallacy.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

2019-06-04 Thread Clark Morris

[Default] On 4 Jun 2019 08:56:03 -0700, in bit.listserv.ibm-main
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>From the you cant make this up department. Mr. Marchant agrees with me.
>
>https://www.compuware.com/proving-z13-modern/
>
Considering that he is writing for a mainframe systems software vendor
that provides APF authorized code, he has some interest in
perpetuating the mainframe.  Also RACF is a separately priced add-on
item>  Does IBM require that you license RACF or approved third party
equivalent as a condition of running z/OS?  Is there a mechanism for
third party vendors that provide software that runs APF authorized to
be somehow included in the statement of integrity or have recognized
equivalents?


I suspect that the data that was involved in the famous Target
retailer breach was residing on a mainframe and was gotten by using
credentials that were stolen from a supplier that had valid access to
the data.  I think the initial breach was at the supplier that was
probably not running a mainframe system.

Clark Morris 
>
>Talk of modernization of mainframe systems is often code for redesigning 
>mainframe-based applications and implementing them to run on Windows, or less 
>frequently, on Unix or Linux. None of these systems can match the security 
>capabilities of modern mainframe operating systems.
>
>
>Sent from Yahoo Mail for iPhone
>
>
>On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
><000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:
>
>On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:
>
>>noise and plenty of it.
>
>PKB.
>
>You have posted more to this thread than anyone else.
>
>You have claimed that security is the main reason people stay on the 
>mainframe, and posted a few articles that do not say what you claimed 
>they say.
>
>You have insisted several times that your MVS systems have never been 
>hacked without providing any evidence or serious reasoning as to how 
>you could know that. "40 years of experience" is not evidence. It's called 
>appeal to authority, and it is a logical fallacy.
>
>When your assertions are questioned, your response is to attack those 
>who question you rather than provide evidence. Another logical fallacy.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

Sounds like a combination of improper RACF configuration and vulnerabilities in 
various Unix components, both standard (FTP) and IBM (WebSphere). What's really 
disturbing is the total lack of cooperation from LE for nearly two weeks.

This sounds like a case where pen testing might have saved their bacon.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List  on behalf of 
Mike Schwab 
Sent: Monday, June 3, 2019 4:24 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

How was a mainframe breach detected?  A TSOID trying to access a ton
of files they didn't have access too.

(link to Share PDF 'how hackers breached a government (and a bank)' by
Soldier of Fortran below.)

https://secure-web.cisco.com/1diIq2WmycO9mehmrGwTzmCLbt_KnBvFyhZUCpwxPn1IJCNukCY1aIACm935ADVtNgQ9BnGX9-_ZdmbGpOW-TcEPkRJhzeWPGoSbE6hh0eyPTYszGh-l5PACE5jfh3KLIEM92oz5MCfblU9gLwz9KOrNzu4rB-BJiZOp1XgXRTyOp44a8f0Gw62Ko_399a6NHmu18r7MWMYFDYHTNIplgVtjRSyXA5P_actNC5qVVYdcyYw884CcRvKP2nm-uGgtNoh1YrZLN-0JFynfHDxhITKkKkxUu2KHzqoudEoI_Gh2277euHi3tQuHRVTaQDAppTa7sG9znc8p-gzGCtyFV8IdblA9wVXYVA7b-jG_EC8JUULO5R9q_IpGiE44_F95v8pJTpOBXDv-ZXkmlUMNgFV31lPRBO2M94sqX5PlH5svWBkyD-Ai0BeCBaNk5gys7/https%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26cad%3Drja%26uact%3D8%26ved%3D2ahUKEwj9qtK9kc7iAhUN-6wKHaMpAewQFjAAegQIABAC%26url%3Dhttps%253A%252F%252Fshare.confex.com%252Fshare%252F124%252Fwebprogram%252FHandout%252FSession16982%252FHow%252520Hackers%252520Breached%252520a%252520Government%252520%28and%252520a%252520Bank%29.pdf%26usg%3DAOvVaw1lvSNyZEIct1DU7WLqm4hY

On Mon, Jun 3, 2019 at 4:42 PM Seymour J Metz  wrote:
>
> This whole thread has consistently confused several very different issues:
>
>  1. How secure is z/OS itself?
>
>  2. How secure is 3rd party software?
>
>  3. How secure is the typical shop running z/OS?
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List  on behalf of 
> Clark Morris 
> Sent: Sunday, June 2, 2019 9:57 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Just how secure are mainframes? | Trevor Eddolls
>
> [Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main
> 0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >He’s trying to sell his company’s security services. Something I thought was 
> >not allowed on this list.
> >
> Whether or not he is selling something and I don't read his posts that
> way, he is making some valid points. As a retired MVS (I was back in
> applications by the time z/OS was available) systems programmer, I am
> far more skeptical about the invulnerability of z/OS.  It is too easy
> to have decades old stuff still in a system in part because people
> don't know why it is there or are unaware of its existence.  How much
> effort is required for an installation to achieve even 95 percent of
> the invulnerability that is theoretically possible and keep that up.
> How many holes are left in the average shop  because people don't
> understand the implications of all of both IBM and vendor defaults
> where I will almost guarantee that there are at some defaults that
> leave a system open to hacking.  I think that it is difficult to
> understand all of the implications of an action.  Many shops may be
> running exits or other systems modifications that have worked for
> decades and because they work, no one has checked them to see if they
> have an unintended vulnerability.  I hope that none of my code that is
> on file 432 of the CBT Tape (Philips light mods) has any vulnerability
> but the thing that scares me is that I might not be smart enough to
> find it even if I was looking for it.  Good security isn't cheap. Z/OS
> may be the most secure starting base but it requires real effort to
> actually implement it with both good security and good usability. How
> much vulnerability is there in the test systems?  How much are the
> systems programmer sandboxes exposed to the outside world?  What
> uncertainties exist in systems vendor code?  Are organizations willing
> or able to periodically test their systems' vulnerabilities?  Can be
> secure does not mean is secure?
>
> Clark Morris
> >
> >Sent from Yahoo Mail for iPhone
> >
> >
> >On Sunday, June 2, 2019, 4:04 PM, Seymour J Metz  wrote:
> >
> >>  * As part of a APF authorized product there is a SVC or PC routine
> >>that when called will turn on the JSBCAUTH bit
> >
> >Ouch!
> >
> >If it's APF authorized then why does it need to do that? And why would you 
> >allow such a vendor in the door?
> >
&

Re: Just how secure are mainframes? | Trevor Eddolls

Well, it's important to replace all of that COBOL code using a language like C 
that came out this decade. Oh, wait, it didn't. 

But didn't Multics have B1 before MVS did?

Reading the transcript I would have to assume that either the government is in 
the process of upgrading its 360/65 fleet to ES/9000 or that the author is 
inventing hisfacts out of the whole cloth. Tom was too kind.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List  on behalf of 
Bill Johnson <0047540adefe-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, June 4, 2019 11:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

>From the you can’t make this up department. Mr. Marchant agrees with me.

https://secure-web.cisco.com/1yL63m40iBCeQbG1WvmNZsrKa4FxGrXYc1ASKMXpNVzdwtqEkgBeRY3ZdRhqcYpE8x1EGH2oYCOAOaZ2bO_7UCfP3tVCijeenqLOIOeq4mRO5gAjMFyrW655_OndDRRXv6odsUjGx8U63qP3bZTyag1OE4FZs-eJeOB23r82elSblLxXJiu2Fh_IHTw21XRKd28yHEMzSPfBuKtUVSiyFfuGeaGjvjHHoXDdIpUQDoKoNszOoMM3Ar533ngeRAZ6trUZxEHPPYiskU5HZF_GQqM-hEUDOJDMBGXFyLw3zKUGwb_hECp5TXhm7GT2n576H_0c98_THsaujOvUko7S4PpkfbD9ZkQaxNo4pf6l9gFUTkzD-Mx19UmKzIMfs0HAbM4gr_mr1K2Ay7i-N7A-BtF1h8JktxkkDKEIiQ4yaS7ooLyoQlRDwtipt90OA9DNHxHsFGI0ASBqXUhnRS_pB1g/https%3A%2F%2Fwww.compuware.com%2Fproving-z13-modern%2F

Talk of “modernization” of mainframe systems is often code for redesigning 
mainframe-based applications and implementing them to run on Windows, or less 
frequently, on Unix or Linux. None of these systems can match the security 
capabilities of modern mainframe operating systems.

Sent from Yahoo Mail for iPhone

On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
<000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:

On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:

>noise and plenty of it.

PKB.

You have posted more to this thread than anyone else.

You have claimed that security is the main reason people stay on the
mainframe, and posted a few articles that do not say what you claimed
they say.

You have insisted several times that your MVS systems have never been
hacked without providing any evidence or serious reasoning as to how
you could know that. "40 years of experience" is not evidence. It's called
appeal to authority, and it is a logical fallacy.

When your assertions are questioned, your response is to attack those
who question you rather than provide evidence. Another logical fallacy.

--
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

I agree. I’m out.


Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 11:50 AM, Carmen Vitullo  wrote:

where are the forum monitors when you need them, I have nothing positive or 
negative to add the this run out thread, ok - NO ONE is 100% secure, is the 
IBM-MAIN or FACEBOOK - 
lets move this on PLEASE ! 



Carmen Vitullo 

- Original Message -

From: "Bill Johnson" <0047540adefe-dmarc-requ...@listserv.ua.edu> 
To: IBM-MAIN@LISTSERV.UA.EDU 
Sent: Tuesday, June 4, 2019 10:45:31 AM 
Subject: Re: Just how secure are mainframes? | Trevor Eddolls 

You have posted more to this thread than anyone else. 
False 
You have claimed that security is the main reason people stay on the 
mainframe, and posted a few articles that do not say what you claimed 
they say. 
False, they all stated flatly security was a top 3 reason for staying on the 
platform. 
You have insisted several times that your MVS systems have never been 
hacked without providing any evidence or serious reasoning as to how 
you could know that. "40 years of experience" is not evidence. It's called 
appeal to authority, and it is a logical fallacy. 
Proving something that did not happen is simply impossible. YOU prove it did 
since you claim it has. 
When your assertions are questioned, your response is to attack those 
who question you rather than provide evidence. Another logical fallacy. 
I have been attacked numerous times. 

Sent from Yahoo Mail for iPhone 


On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
<000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote: 

On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote: 

>noise and plenty of it. 

PKB. 

You have posted more to this thread than anyone else. 

You have claimed that security is the main reason people stay on the 
mainframe, and posted a few articles that do not say what you claimed 
they say. 

You have insisted several times that your MVS systems have never been 
hacked without providing any evidence or serious reasoning as to how 
you could know that. "40 years of experience" is not evidence. It's called 
appeal to authority, and it is a logical fallacy. 

When your assertions are questioned, your response is to attack those 
who question you rather than provide evidence. Another logical fallacy. 

-- 
Tom Marchant 

-- 
For IBM-MAIN subscribe / signoff / archive access instructions, 
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN 



-- 
For IBM-MAIN subscribe / signoff / archive access instructions, 
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

>From the you can’t make this up department. Mr. Marchant agrees with me.

https://www.compuware.com/proving-z13-modern/

Talk of “modernization” of mainframe systems is often code for redesigning 
mainframe-based applications and implementing them to run on Windows, or less 
frequently, on Unix or Linux. None of these systems can match the security 
capabilities of modern mainframe operating systems.

Sent from Yahoo Mail for iPhone

On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
<000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:

On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:

>noise and plenty of it.

PKB.

You have posted more to this thread than anyone else.

You have claimed that security is the main reason people stay on the 
mainframe, and posted a few articles that do not say what you claimed 
they say.

You have insisted several times that your MVS systems have never been 
hacked without providing any evidence or serious reasoning as to how 
you could know that. "40 years of experience" is not evidence. It's called 
appeal to authority, and it is a logical fallacy.

When your assertions are questioned, your response is to attack those 
who question you rather than provide evidence. Another logical fallacy.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

2019-06-04 Thread Carmen Vitullo

where are the forum monitors when you need them, I have nothing positive or 
negative to add the this run out thread, ok - NO ONE is 100% secure, is the 
IBM-MAIN or FACEBOOK - 
lets move this on PLEASE ! 



Carmen Vitullo 

- Original Message -

From: "Bill Johnson" <0047540adefe-dmarc-requ...@listserv.ua.edu> 
To: IBM-MAIN@LISTSERV.UA.EDU 
Sent: Tuesday, June 4, 2019 10:45:31 AM 
Subject: Re: Just how secure are mainframes? | Trevor Eddolls 

You have posted more to this thread than anyone else. 
False 
You have claimed that security is the main reason people stay on the 
mainframe, and posted a few articles that do not say what you claimed 
they say. 
False, they all stated flatly security was a top 3 reason for staying on the 
platform. 
You have insisted several times that your MVS systems have never been 
hacked without providing any evidence or serious reasoning as to how 
you could know that. "40 years of experience" is not evidence. It's called 
appeal to authority, and it is a logical fallacy. 
Proving something that did not happen is simply impossible. YOU prove it did 
since you claim it has. 
When your assertions are questioned, your response is to attack those 
who question you rather than provide evidence. Another logical fallacy. 
I have been attacked numerous times. 

Sent from Yahoo Mail for iPhone 


On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
<000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote: 

On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote: 

>noise and plenty of it. 

PKB. 

You have posted more to this thread than anyone else. 

You have claimed that security is the main reason people stay on the 
mainframe, and posted a few articles that do not say what you claimed 
they say. 

You have insisted several times that your MVS systems have never been 
hacked without providing any evidence or serious reasoning as to how 
you could know that. "40 years of experience" is not evidence. It's called 
appeal to authority, and it is a logical fallacy. 

When your assertions are questioned, your response is to attack those 
who question you rather than provide evidence. Another logical fallacy. 

-- 
Tom Marchant 

-- 
For IBM-MAIN subscribe / signoff / archive access instructions, 
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN 



-- 
For IBM-MAIN subscribe / signoff / archive access instructions, 
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

You have posted more to this thread than anyone else.
False 
You have claimed that security is the main reason people stay on the 
mainframe, and posted a few articles that do not say what you claimed 
they say.
False, they all stated flatly security was a top 3 reason for staying on the 
platform.
You have insisted several times that your MVS systems have never been 
hacked without providing any evidence or serious reasoning as to how 
you could know that. "40 years of experience" is not evidence. It's called 
appeal to authority, and it is a logical fallacy.
Proving something that did not happen is simply impossible. YOU prove it did 
since you claim it has.
When your assertions are questioned, your response is to attack those 
who question you rather than provide evidence. Another logical fallacy.
I have been attacked numerous times.

Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 10:45 AM, Tom Marchant 
<000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:

On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:

>noise and plenty of it.

PKB.

You have posted more to this thread than anyone else.

You have claimed that security is the main reason people stay on the 
mainframe, and posted a few articles that do not say what you claimed 
they say.

You have insisted several times that your MVS systems have never been 
hacked without providing any evidence or serious reasoning as to how 
you could know that. "40 years of experience" is not evidence. It's called 
appeal to authority, and it is a logical fallacy.

When your assertions are questioned, your response is to attack those 
who question you rather than provide evidence. Another logical fallacy.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

2019-06-04 Thread Tom Marchant

On Tue, 4 Jun 2019 00:01:01 +, Bill Johnson wrote:

>noise and plenty of it.

PKB.

You have posted more to this thread than anyone else.

You have claimed that security is the main reason people stay on the 
mainframe, and posted a few articles that do not say what you claimed 
they say.

You have insisted several times that your MVS systems have never been 
hacked without providing any evidence or serious reasoning as to how 
you could know that. "40 years of experience" is not evidence. It's called 
appeal to authority, and it is a logical fallacy.

When your assertions are questioned, your response is to attack those 
who question you rather than provide evidence. Another logical fallacy.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Just how secure are mainframes? | Trevor Eddolls

Why do you people keep saying I said it was 100% secure? I never said that, 
ever. Nothing is 100% secure. I’m well aware of sec/int APARS and well aware of 
the rest.
All I said was the MF is the most secure platform on the planet (by design) and 
security is one of the main reasons banks, insurers, and large retailers stay 
on it. And, I provided 3-4 articles saying exactly that. Plus, I’ve worked at a 
bank and multiple insurers and know that’s the case.

Sent from Yahoo Mail for iPhone

On Tuesday, June 4, 2019, 9:53 AM, Rob Scott  wrote:

Bill

Do you believe :

(o) That there have never been any "magic" or "auth on" SVCs or PC routines?

(o) That there is no such thing as a Sec/Int APAR?

(o) That Karl Schmitz has just been wasting his breath for the last 20 years?

(o) That IBM's Secure Engineering department just sit around eating doughnuts 
and drinking coffee?

(o) User key common storage never existed?

(o) That every ISV developer is as good as the very best IBM Poughkeepsie z/OS 
developer you can find?

(o) That in-house sysprogs who tinker with their own or public domain 
authorized code are as good as the very best IBM Poughkeepsie z/OS developer 
you can find?

(o) That pentest software has never found an exposure at a large mainframe site 
- including financial institutions?

z/OS is a extremely robust and well-engineered operating system, but to claim 
it to be 100% secure in all deployments would be naive.

Rob Scott
Rocket Software

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: Tuesday, June 4, 2019 2:09 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

It’s a little more than coincidence that 3 of the most vociferous posters who 
claim the mainframe is not secure, all sell mainframe security services.

Sent from Yahoo Mail for iPhone

On Tuesday, June 4, 2019, 8:59 AM, ITschak Mugzach  wrote:

Lennie,

You are inviting 'he tries to sell his product / services' ...

ITschak

On Tue, Jun 4, 2019 at 3:45 PM Lennie Dymoke-Bradshaw < 
lenni...@rsmpartners.com> wrote:

> Bill,
>
> It is very difficult to prove the negative. Hence, your claim that
> your system has never been hacked is difficult to prove. I think it is
> possible that your system has been "hacked" and your data has been 
> exfiltrated.
> There is no reason for the hacker to call attention to that fact that
> you have been hacked.
>
> However, by maintaining that you have not been hacked, and also
> maintaining that it is very unlikely that you would ever be hacked, I
> fear you are doing your employers a disservice.
>
> Actually, I work through RSM partners as an independent contractor.
> Yes, they sell security services. Yes, I am sometimes called upon to
> deliver such services. Nothing to hide here. Most people have to work for a 
> living.
> I imagine you do too. Just because one works in an industry does not
> mean one's opinion of the industry is invalid; in fact, the opposite
> is frequently true.
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:
> https://nam01.safelinks.protection.outlook.com/?url=www.rsmpartners.co
> mdata=02%7C01%7CRScott%40ROCKETSOFTWARE.COM%7Cccae2809339a4bc9de9
> 008d6e8ede103%7C79544c1eed224879a082b67a9a672aae%7C0%7C0%7C63695250572
> 5186342sdata=79Mc6duyUK9psstxyH%2FfJq%2BVaSed9R17yT4fGdCK8oE%3D
> mp;reserved=0 ‘Dance like no one is watching. Encrypt like everyone
> is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Bill Johnson
> Sent: 04 June 2019 12:37
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor
> Eddolls
>
> How do you demonstrate something that hasn’t happened? LOL I see your
> company sells security services too.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw <
> lenni...@rsmpartners.com> wrote:
>
> How do you demonstrate that you have never been hacked?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:
> https://nam01.safelinks.protection.outlook.com/?url=www.rsmpartners.co
> mdata=02%7C01%7CRScott%40ROCKETSOFTWARE.COM%7Cccae2809339a4bc9de9
> 008d6e8ede103%7C79544c1eed224879a082b67a9a672aae%7C0%7C0%7C63695250572
> 5186342sdata=79Mc6duyUK9psstxyH%2FfJq%2BVaSed9R17yT4fGdCK8oE%3D
> mp;reserved=0 ‘Dance like no one is watching. Encrypt like everyone
> is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Bill Johnson
> Sent: 04 June 2019 01:04
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor
> Eddolls
>
> 40 years on numerous mainframes at more than a dozen companies an

Re: Just how secure are mainframes? | Trevor Eddolls

2019-06-04 Thread Rob Scott

Bill

Do you believe :

(o) That there have never been any "magic" or "auth on" SVCs or PC routines?

(o) That there is no such thing as a Sec/Int APAR?

(o) That Karl Schmitz has just been wasting his breath for the last 20 years?

(o) That IBM's Secure Engineering department just sit around eating doughnuts 
and drinking coffee?

(o) User key common storage never existed?

(o) That every ISV developer is as good as the very best IBM Poughkeepsie z/OS 
developer you can find?

(o) That in-house sysprogs who tinker with their own or public domain 
authorized code are as good as the very best IBM Poughkeepsie z/OS developer 
you can find?

(o) That pentest software has never found an exposure at a large mainframe site 
- including financial institutions?

z/OS is a extremely robust and well-engineered operating system, but to claim 
it to be 100% secure in all deployments would be naive.

Rob Scott
Rocket Software


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: Tuesday, June 4, 2019 2:09 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

It’s a little more than coincidence that 3 of the most vociferous posters who 
claim the mainframe is not secure, all sell mainframe security services.


Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 8:59 AM, ITschak Mugzach  wrote:

Lennie,

You are inviting 'he tries to sell his product / services' ...

ITschak

On Tue, Jun 4, 2019 at 3:45 PM Lennie Dymoke-Bradshaw < 
lenni...@rsmpartners.com> wrote:

> Bill,
>
> It is very difficult to prove the negative. Hence, your claim that
> your system has never been hacked is difficult to prove. I think it is
> possible that your system has been "hacked" and your data has been 
> exfiltrated.
> There is no reason for the hacker to call attention to that fact that
> you have been hacked.
>
> However, by maintaining that you have not been hacked, and also
> maintaining that it is very unlikely that you would ever be hacked, I
> fear you are doing your employers a disservice.
>
> Actually, I work through RSM partners as an independent contractor.
> Yes, they sell security services. Yes, I am sometimes called upon to
> deliver such services. Nothing to hide here. Most people have to work for a 
> living.
> I imagine you do too. Just because one works in an industry does not
> mean one's opinion of the industry is invalid; in fact, the opposite
> is frequently true.
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:
> https://nam01.safelinks.protection.outlook.com/?url=www.rsmpartners.co
> mdata=02%7C01%7CRScott%40ROCKETSOFTWARE.COM%7Cccae2809339a4bc9de9
> 008d6e8ede103%7C79544c1eed224879a082b67a9a672aae%7C0%7C0%7C63695250572
> 5186342sdata=79Mc6duyUK9psstxyH%2FfJq%2BVaSed9R17yT4fGdCK8oE%3D
> mp;reserved=0 ‘Dance like no one is watching. Encrypt like everyone
> is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Bill Johnson
> Sent: 04 June 2019 12:37
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor
> Eddolls
>
> How do you demonstrate something that hasn’t happened? LOL I see your
> company sells security services too.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw <
> lenni...@rsmpartners.com> wrote:
>
> How do you demonstrate that you have never been hacked?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:
> https://nam01.safelinks.protection.outlook.com/?url=www.rsmpartners.co
> mdata=02%7C01%7CRScott%40ROCKETSOFTWARE.COM%7Cccae2809339a4bc9de9
> 008d6e8ede103%7C79544c1eed224879a082b67a9a672aae%7C0%7C0%7C63695250572
> 5186342sdata=79Mc6duyUK9psstxyH%2FfJq%2BVaSed9R17yT4fGdCK8oE%3D
> mp;reserved=0 ‘Dance like no one is watching. Encrypt like everyone
> is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Bill Johnson
> Sent: 04 June 2019 01:04
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor
> Eddolls
>
> 40 years on numerous mainframes at more than a dozen companies and
> we’ve never been hacked and never had any need for penetration testing.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Monday, June 3, 2019, 11:54 AM, Clark Morris 
> wrote:
>
> [Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main
> 0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >He’s selling plain and simple. So is Mugzak. Some laboratory bs that
> >he
> will even show you in application code. Then no doubt analyze your
> application code for a small (large) fee.

Re: Just how secure are mainframes? | Trevor Eddolls

Just maybe, they are the ones who understand the problems, as they spend time 
focussed on them.

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd  
Web:  www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: 04 June 2019 14:09
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls

It’s a little more than coincidence that 3 of the most vociferous posters who 
claim the mainframe is not secure, all sell mainframe security services.


Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 8:59 AM, ITschak Mugzach  wrote:

Lennie,

You are inviting 'he tries to sell his product / services' ...

ITschak

On Tue, Jun 4, 2019 at 3:45 PM Lennie Dymoke-Bradshaw < 
lenni...@rsmpartners.com> wrote:

> Bill,
>
> It is very difficult to prove the negative. Hence, your claim that 
> your system has never been hacked is difficult to prove. I think it is 
> possible that your system has been "hacked" and your data has been 
> exfiltrated.
> There is no reason for the hacker to call attention to that fact that 
> you have been hacked.
>
> However, by maintaining that you have not been hacked, and also 
> maintaining that it is very unlikely that you would ever be hacked, I 
> fear you are doing your employers a disservice.
>
> Actually, I work through RSM partners as an independent contractor. 
> Yes, they sell security services. Yes, I am sometimes called upon to 
> deliver such services. Nothing to hide here. Most people have to work for a 
> living.
> I imagine you do too. Just because one works in an industry does not 
> mean one's opinion of the industry is invalid; in fact, the opposite 
> is frequently true.
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:              www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of Bill Johnson
> Sent: 04 June 2019 12:37
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor 
> Eddolls
>
> How do you demonstrate something that hasn’t happened? LOL I see your 
> company sells security services too.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw < 
> lenni...@rsmpartners.com> wrote:
>
> How do you demonstrate that you have never been hacked?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:              www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of Bill Johnson
> Sent: 04 June 2019 01:04
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor 
> Eddolls
>
> 40 years on numerous mainframes at more than a dozen companies and 
> we’ve never been hacked and never had any need for penetration testing.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Monday, June 3, 2019, 11:54 AM, Clark Morris 
> wrote:
>
> [Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main 
> 0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >He’s selling plain and simple. So is Mugzak. Some laboratory bs that 
> >he
> will even show you in application code. Then no doubt analyze your 
> application code for a small (large) fee. Nobody is saying the 
> mainframe is fool proof. But, it is inherently (by design) more secure 
> than any other platform. And, a major reason why almost every bank, 
> insurance company, and major retailers still have them.
> >Sent from Yahoo Mail for iPhone
> >
> As a retired systems programmer whose only computer related 
> investments are Microsoft, IBM and HPE my belief is that if your 
> organization's computer system is connected to the Internet (including 
> from PC's using
> TN3270 emulation), your organization is subject to attack.  If it does 
> not have a group or outside organization such as IBM, Trevor's 
> organization or ITschak's organization doing periodic ongoing 
> penetration testing, your organization won't know what vulnerabilities 
> exist.  Since I don't know enough about the Unisys mainframes to 
> comment on how well they can be secured, I can't comment on how secure 
> they can be made but I do know it is a major effort to take advantage 
> of all the tools on any system in making it secure and keeping it that 
> way.  If I knew of any major mainframe user that does not continually 
> check their systems for vulnerabilities, I would be tempted to short 
> sell their stock because they probably either have been breached or will be 
> in the near future.
>
> Clark Morris
> >
> >On Sunday, June 2, 2019, 9:57 PM, Clark Morris 
> wrote:
> >
> >[Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main 
>

Re: Just how secure are mainframes? | Trevor Eddolls

It’s a little more than coincidence that 3 of the most vociferous posters who 
claim the mainframe is not secure, all sell mainframe security services.


Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 8:59 AM, ITschak Mugzach  wrote:

Lennie,

You are inviting 'he tries to sell his product / services' ...

ITschak

On Tue, Jun 4, 2019 at 3:45 PM Lennie Dymoke-Bradshaw <
lenni...@rsmpartners.com> wrote:

> Bill,
>
> It is very difficult to prove the negative. Hence, your claim that your
> system has never been hacked is difficult to prove. I think it is possible
> that your system has been "hacked" and your data has been exfiltrated.
> There is no reason for the hacker to call attention to that fact that you
> have been hacked.
>
> However, by maintaining that you have not been hacked, and also
> maintaining that it is very unlikely that you would ever be hacked, I fear
> you are doing your employers a disservice.
>
> Actually, I work through RSM partners as an independent contractor. Yes,
> they sell security services. Yes, I am sometimes called upon to deliver
> such services. Nothing to hide here. Most people have to work for a living.
> I imagine you do too. Just because one works in an industry does not mean
> one's opinion of the industry is invalid; in fact, the opposite is
> frequently true.
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:              www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Bill Johnson
> Sent: 04 June 2019 12:37
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls
>
> How do you demonstrate something that hasn’t happened? LOL I see your
> company sells security services too.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw <
> lenni...@rsmpartners.com> wrote:
>
> How do you demonstrate that you have never been hacked?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:              www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Bill Johnson
> Sent: 04 June 2019 01:04
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls
>
> 40 years on numerous mainframes at more than a dozen companies and we’ve
> never been hacked and never had any need for penetration testing.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Monday, June 3, 2019, 11:54 AM, Clark Morris 
> wrote:
>
> [Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main
> 0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >He’s selling plain and simple. So is Mugzak. Some laboratory bs that he
> will even show you in application code. Then no doubt analyze your
> application code for a small (large) fee. Nobody is saying the mainframe is
> fool proof. But, it is inherently (by design) more secure than any other
> platform. And, a major reason why almost every bank, insurance company, and
> major retailers still have them.
> >Sent from Yahoo Mail for iPhone
> >
> As a retired systems programmer whose only computer related investments
> are Microsoft, IBM and HPE my belief is that if your organization's
> computer system is connected to the Internet (including from PC's using
> TN3270 emulation), your organization is subject to attack.  If it does not
> have a group or outside organization such as IBM, Trevor's organization or
> ITschak's organization doing periodic ongoing penetration testing, your
> organization won't know what vulnerabilities exist.  Since I don't know
> enough about the Unisys mainframes to comment on how well they can be
> secured, I can't comment on how secure they can be made but I do know it is
> a major effort to take advantage of all the tools on any system in making
> it secure and keeping it that way.  If I knew of any major mainframe user
> that does not continually check their systems for vulnerabilities, I would
> be tempted to short sell their stock because they probably either have been
> breached or will be in the near future.
>
> Clark Morris
> >
> >On Sunday, June 2, 2019, 9:57 PM, Clark Morris 
> wrote:
> >
> >[Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main
> >0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
> >
> >>He’s trying to sell his company’s security services. Something I thought
> was not allowed on this list.
> >>
> >Whether or not he is selling something and I don't read his posts that
> >way, he is making some valid points. As a retired MVS (I was back in
> >applications by the time z/OS was available) systems programmer, I am
> >far more skeptical about the invulnerability of z/OS.  It is too easy
> >to have decades old stuff still in a system in part because people
>

Re: Just how secure are mainframes? | Trevor Eddolls

Bill,

So you have not seen these things. Others have. Please accept their word for 
this.

If you were as rich as Warren Buffet then you could afford to employ others to 
work out if you need a haircut. Maybe you could teach yourself those skills. 
Your logic takes us down a path of only taking advice from those who have no 
experience. Your choice.

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd  
Web:  www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: 04 June 2019 13:52
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls

In 40 years, I’ve never seen any company I’ve worked for have their mainframe 
hacked or compromised. Including a bank and multiple insurance companies. Plus, 
I was in positions to know.
I have seen numerous hacks and compromises of non mainframe platforms at those 
companies.

As Warren Buffett says: Never ask your barber if you need a haircut.

Sent from Yahoo Mail for iPhone

On Tuesday, June 4, 2019, 8:44 AM, Lennie Dymoke-Bradshaw 
 wrote:

Bill,

It is very difficult to prove the negative. Hence, your claim that your system 
has never been hacked is difficult to prove. I think it is possible that your 
system has been "hacked" and your data has been exfiltrated. There is no reason 
for the hacker to call attention to that fact that you have been hacked. 

However, by maintaining that you have not been hacked, and also maintaining 
that it is very unlikely that you would ever be hacked, I fear you are doing 
your employers a disservice.

Actually, I work through RSM partners as an independent contractor. Yes, they 
sell security services. Yes, I am sometimes called upon to deliver such 
services. Nothing to hide here. Most people have to work for a living. I 
imagine you do too. Just because one works in an industry does not mean one's 
opinion of the industry is invalid; in fact, the opposite is frequently true.

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
Web:  www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: 04 June 2019 12:37
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls

How do you demonstrate something that hasn’t happened? LOL I see your company 
sells security services too.

Sent from Yahoo Mail for iPhone

On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw 
 wrote:

How do you demonstrate that you have never been hacked?

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
Web:  www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: 04 June 2019 01:04
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls

40 years on numerous mainframes at more than a dozen companies and we’ve never 
been hacked and never had any need for penetration testing.

Sent from Yahoo Mail for iPhone

On Monday, June 3, 2019, 11:54 AM, Clark Morris  wrote:

[Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main 
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>He’s selling plain and simple. So is Mugzak. Some laboratory bs that he will 
>even show you in application code. Then no doubt analyze your application code 
>for a small (large) fee. Nobody is saying the mainframe is fool proof. But, it 
>is inherently (by design) more secure than any other platform. And, a major 
>reason why almost every bank, insurance company, and major retailers still 
>have them.
>Sent from Yahoo Mail for iPhone
>
As a retired systems programmer whose only computer related investments are 
Microsoft, IBM and HPE my belief is that if your organization's computer system 
is connected to the Internet (including from PC's using TN3270 emulation), your 
organization is subject to attack.  If it does not have a group or outside 
organization such as IBM, Trevor's organization or ITschak's organization doing 
periodic ongoing penetration testing, your organization won't know what 
vulnerabilities exist.  Since I don't know enough about the Unisys mainframes 
to comment on how well they can be secured, I can't comment on how secure they 
can be made but I do know it is a major effort to take advantage of all the 
tools on any system in making it secure and keeping it that way.  If I knew of 
any major mainframe user that does not continually check their systems for 
vulnerabilities, I would be tempted to short sell their stock because they 
probably either have been breached or will be in the near future.

Clark Morris  
>
>On Sunday, June 2, 2019, 9:57 PM, Clark Morris  wrote:
>
>[Default] On

Re: Just how secure are mainframes? | Trevor Eddolls

2019-06-04 Thread ITschak Mugzach

Lennie,

You are inviting 'he tries to sell his product / services' ...

ITschak

On Tue, Jun 4, 2019 at 3:45 PM Lennie Dymoke-Bradshaw <
lenni...@rsmpartners.com> wrote:

> Bill,
>
> It is very difficult to prove the negative. Hence, your claim that your
> system has never been hacked is difficult to prove. I think it is possible
> that your system has been "hacked" and your data has been exfiltrated.
> There is no reason for the hacker to call attention to that fact that you
> have been hacked.
>
> However, by maintaining that you have not been hacked, and also
> maintaining that it is very unlikely that you would ever be hacked, I fear
> you are doing your employers a disservice.
>
> Actually, I work through RSM partners as an independent contractor. Yes,
> they sell security services. Yes, I am sometimes called upon to deliver
> such services. Nothing to hide here. Most people have to work for a living.
> I imagine you do too. Just because one works in an industry does not mean
> one's opinion of the industry is invalid; in fact, the opposite is
> frequently true.
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:  www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Bill Johnson
> Sent: 04 June 2019 12:37
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls
>
> How do you demonstrate something that hasn’t happened? LOL I see your
> company sells security services too.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw <
> lenni...@rsmpartners.com> wrote:
>
> How do you demonstrate that you have never been hacked?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:  www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Bill Johnson
> Sent: 04 June 2019 01:04
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls
>
> 40 years on numerous mainframes at more than a dozen companies and we’ve
> never been hacked and never had any need for penetration testing.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Monday, June 3, 2019, 11:54 AM, Clark Morris 
> wrote:
>
> [Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main
> 0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >He’s selling plain and simple. So is Mugzak. Some laboratory bs that he
> will even show you in application code. Then no doubt analyze your
> application code for a small (large) fee. Nobody is saying the mainframe is
> fool proof. But, it is inherently (by design) more secure than any other
> platform. And, a major reason why almost every bank, insurance company, and
> major retailers still have them.
> >Sent from Yahoo Mail for iPhone
> >
> As a retired systems programmer whose only computer related investments
> are Microsoft, IBM and HPE my belief is that if your organization's
> computer system is connected to the Internet (including from PC's using
> TN3270 emulation), your organization is subject to attack.  If it does not
> have a group or outside organization such as IBM, Trevor's organization or
> ITschak's organization doing periodic ongoing penetration testing, your
> organization won't know what vulnerabilities exist.  Since I don't know
> enough about the Unisys mainframes to comment on how well they can be
> secured, I can't comment on how secure they can be made but I do know it is
> a major effort to take advantage of all the tools on any system in making
> it secure and keeping it that way.  If I knew of any major mainframe user
> that does not continually check their systems for vulnerabilities, I would
> be tempted to short sell their stock because they probably either have been
> breached or will be in the near future.
>
> Clark Morris
> >
> >On Sunday, June 2, 2019, 9:57 PM, Clark Morris 
> wrote:
> >
> >[Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main
> >0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
> >
> >>He’s trying to sell his company’s security services. Something I thought
> was not allowed on this list.
> >>
> >Whether or not he is selling something and I don't read his posts that
> >way, he is making some valid points. As a retired MVS (I was back in
> >applications by the time z/OS was available) systems programmer, I am
> >far more skeptical about the invulnerability of z/OS.  It is too easy
> >to have decades old stuff still in a system in part because people
> >don't know why it is there or are unaware of its existence.  How much
> >effort is required for an installation to achieve even 95 percent of
> >the invulnerability that is theoretically possible and keep that up.
> >How many holes are left in the

Re: Just how secure are mainframes? | Trevor Eddolls

In 40 years, I’ve never seen any company I’ve worked for have their mainframe 
hacked or compromised. Including a bank and multiple insurance companies. Plus, 
I was in positions to know.
I have seen numerous hacks and compromises of non mainframe platforms at those 
companies.

As Warren Buffett says: Never ask your barber if you need a haircut.

Sent from Yahoo Mail for iPhone

On Tuesday, June 4, 2019, 8:44 AM, Lennie Dymoke-Bradshaw 
 wrote:

Bill,

It is very difficult to prove the negative. Hence, your claim that your system 
has never been hacked is difficult to prove. I think it is possible that your 
system has been "hacked" and your data has been exfiltrated. There is no reason 
for the hacker to call attention to that fact that you have been hacked. 

However, by maintaining that you have not been hacked, and also maintaining 
that it is very unlikely that you would ever be hacked, I fear you are doing 
your employers a disservice.

Actually, I work through RSM partners as an independent contractor. Yes, they 
sell security services. Yes, I am sometimes called upon to deliver such 
services. Nothing to hide here. Most people have to work for a living. I 
imagine you do too. Just because one works in an industry does not mean one's 
opinion of the industry is invalid; in fact, the opposite is frequently true.

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd  
Web:  www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: 04 June 2019 12:37
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls

How do you demonstrate something that hasn’t happened? LOL I see your company 
sells security services too.

Sent from Yahoo Mail for iPhone

On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw 
 wrote:

How do you demonstrate that you have never been hacked?

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd  
Web:  www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: 04 June 2019 01:04
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls

40 years on numerous mainframes at more than a dozen companies and we’ve never 
been hacked and never had any need for penetration testing.

Sent from Yahoo Mail for iPhone

On Monday, June 3, 2019, 11:54 AM, Clark Morris  wrote:

[Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main 
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>He’s selling plain and simple. So is Mugzak. Some laboratory bs that he will 
>even show you in application code. Then no doubt analyze your application code 
>for a small (large) fee. Nobody is saying the mainframe is fool proof. But, it 
>is inherently (by design) more secure than any other platform. And, a major 
>reason why almost every bank, insurance company, and major retailers still 
>have them.
>Sent from Yahoo Mail for iPhone
>
As a retired systems programmer whose only computer related investments are 
Microsoft, IBM and HPE my belief is that if your organization's computer system 
is connected to the Internet (including from PC's using TN3270 emulation), your 
organization is subject to attack.  If it does not have a group or outside 
organization such as IBM, Trevor's organization or ITschak's organization doing 
periodic ongoing penetration testing, your organization won't know what 
vulnerabilities exist.  Since I don't know enough about the Unisys mainframes 
to comment on how well they can be secured, I can't comment on how secure they 
can be made but I do know it is a major effort to take advantage of all the 
tools on any system in making it secure and keeping it that way.  If I knew of 
any major mainframe user that does not continually check their systems for 
vulnerabilities, I would be tempted to short sell their stock because they 
probably either have been breached or will be in the near future.

Clark Morris  
>
>On Sunday, June 2, 2019, 9:57 PM, Clark Morris  wrote:
>
>[Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main 
>0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
>>He’s trying to sell his company’s security services. Something I thought was 
>>not allowed on this list.
>>
>Whether or not he is selling something and I don't read his posts that 
>way, he is making some valid points. As a retired MVS (I was back in 
>applications by the time z/OS was available) systems programmer, I am 
>far more skeptical about the invulnerability of z/OS.  It is too easy 
>to have decades old stuff still in a system in part because people 
>don't know why it is there or are unaware of its existence.  How much 
>effort is required for an installation to achieve even 95

Re: Just how secure are mainframes? | Trevor Eddolls

Bill,

It is very difficult to prove the negative. Hence, your claim that your system 
has never been hacked is difficult to prove. I think it is possible that your 
system has been "hacked" and your data has been exfiltrated. There is no reason 
for the hacker to call attention to that fact that you have been hacked. 

However, by maintaining that you have not been hacked, and also maintaining 
that it is very unlikely that you would ever be hacked, I fear you are doing 
your employers a disservice.

Actually, I work through RSM partners as an independent contractor. Yes, they 
sell security services. Yes, I am sometimes called upon to deliver such 
services. Nothing to hide here. Most people have to work for a living. I 
imagine you do too. Just because one works in an industry does not mean one's 
opinion of the industry is invalid; in fact, the opposite is frequently true.

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd  
Web:  www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: 04 June 2019 12:37
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls

How do you demonstrate something that hasn’t happened? LOL I see your company 
sells security services too.

Sent from Yahoo Mail for iPhone

On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw 
 wrote:

How do you demonstrate that you have never been hacked?

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd  
Web:  www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: 04 June 2019 01:04
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls

40 years on numerous mainframes at more than a dozen companies and we’ve never 
been hacked and never had any need for penetration testing.

Sent from Yahoo Mail for iPhone

On Monday, June 3, 2019, 11:54 AM, Clark Morris  wrote:

[Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main 
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>He’s selling plain and simple. So is Mugzak. Some laboratory bs that he will 
>even show you in application code. Then no doubt analyze your application code 
>for a small (large) fee. Nobody is saying the mainframe is fool proof. But, it 
>is inherently (by design) more secure than any other platform. And, a major 
>reason why almost every bank, insurance company, and major retailers still 
>have them.
>Sent from Yahoo Mail for iPhone
>
As a retired systems programmer whose only computer related investments are 
Microsoft, IBM and HPE my belief is that if your organization's computer system 
is connected to the Internet (including from PC's using TN3270 emulation), your 
organization is subject to attack.  If it does not have a group or outside 
organization such as IBM, Trevor's organization or ITschak's organization doing 
periodic ongoing penetration testing, your organization won't know what 
vulnerabilities exist.  Since I don't know enough about the Unisys mainframes 
to comment on how well they can be secured, I can't comment on how secure they 
can be made but I do know it is a major effort to take advantage of all the 
tools on any system in making it secure and keeping it that way.  If I knew of 
any major mainframe user that does not continually check their systems for 
vulnerabilities, I would be tempted to short sell their stock because they 
probably either have been breached or will be in the near future.

Clark Morris  
>
>On Sunday, June 2, 2019, 9:57 PM, Clark Morris  wrote:
>
>[Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main 
>0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
>>He’s trying to sell his company’s security services. Something I thought was 
>>not allowed on this list.
>>
>Whether or not he is selling something and I don't read his posts that 
>way, he is making some valid points. As a retired MVS (I was back in 
>applications by the time z/OS was available) systems programmer, I am 
>far more skeptical about the invulnerability of z/OS.  It is too easy 
>to have decades old stuff still in a system in part because people 
>don't know why it is there or are unaware of its existence.  How much 
>effort is required for an installation to achieve even 95 percent of 
>the invulnerability that is theoretically possible and keep that up.
>How many holes are left in the average shop  because people don't 
>understand the implications of all of both IBM and vendor defaults 
>where I will almost guarantee that there are at some defaults that 
>leave a system open to hacking.  I think that it is difficult to 
>understand all of the implications of an action.  Many shops may be 
>running exits or other

Re: Just how secure are mainframes? | Trevor Eddolls

Quite different. The sell the security as part of the OS. They don’t then bash 
the security (their own product) and try to sell you additional products.
IBM actually tells you how great mainframe security is and use it as a selling 
point to industries where security is paramount.


Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 7:46 AM, Lou Losee  wrote:

So does IBM

Lou

On Tue, Jun 4, 2019 at 6:38 AM Bill Johnson <
0047540adefe-dmarc-requ...@listserv.ua.edu> wrote:

> How do you demonstrate something that hasn’t happened? LOL
> I see your company sells security services too.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw <
> lenni...@rsmpartners.com> wrote:
>
> How do you demonstrate that you have never been hacked?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:              www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Bill Johnson
> Sent: 04 June 2019 01:04
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls
>
> 40 years on numerous mainframes at more than a dozen companies and we’ve
> never been hacked and never had any need for penetration testing.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Monday, June 3, 2019, 11:54 AM, Clark Morris 
> wrote:
>
> [Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main
> 0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >He’s selling plain and simple. So is Mugzak. Some laboratory bs that he
> will even show you in application code. Then no doubt analyze your
> application code for a small (large) fee. Nobody is saying the mainframe is
> fool proof. But, it is inherently (by design) more secure than any other
> platform. And, a major reason why almost every bank, insurance company, and
> major retailers still have them.
> >Sent from Yahoo Mail for iPhone
> >
> As a retired systems programmer whose only computer related investments
> are Microsoft, IBM and HPE my belief is that if your organization's
> computer system is connected to the Internet (including from PC's using
> TN3270 emulation), your organization is subject to attack.  If it does not
> have a group or outside organization such as IBM, Trevor's organization or
> ITschak's organization doing periodic ongoing penetration testing, your
> organization won't know what vulnerabilities exist.  Since I don't know
> enough about the Unisys mainframes to comment on how well they can be
> secured, I can't comment on how secure they can be made but I do know it is
> a major effort to take advantage of all the tools on any system in making
> it secure and keeping it that way.  If I knew of any major mainframe user
> that does not continually check their systems for vulnerabilities, I would
> be tempted to short sell their stock because they probably either have been
> breached or will be in the near future.
>
> Clark Morris
> >
> >On Sunday, June 2, 2019, 9:57 PM, Clark Morris 
> wrote:
> >
> >[Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main
> >0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
> >
> >>He’s trying to sell his company’s security services. Something I thought
> was not allowed on this list.
> >>
> >Whether or not he is selling something and I don't read his posts that
> >way, he is making some valid points. As a retired MVS (I was back in
> >applications by the time z/OS was available) systems programmer, I am
> >far more skeptical about the invulnerability of z/OS.  It is too easy
> >to have decades old stuff still in a system in part because people
> >don't know why it is there or are unaware of its existence.  How much
> >effort is required for an installation to achieve even 95 percent of
> >the invulnerability that is theoretically possible and keep that up.
> >How many holes are left in the average shop  because people don't
> >understand the implications of all of both IBM and vendor defaults
> >where I will almost guarantee that there are at some defaults that
> >leave a system open to hacking.  I think that it is difficult to
> >understand all of the implications of an action.  Many shops may be
> >running exits or other systems modifications that have worked for
> >decades and because they work, no one has checked them to see if they
> >have an unintended vulnerability.  I hope that none of my code that is
> >on file 432 of the CBT Tape (Philips light mods) has any vulnerability
> >but the thing that scares me is that I might not be smart enough to
> >find it even if I was looking for it.  Good security isn't cheap. Z/OS
> >may be the most secure starting base but it requires real effort to
> >actually implement it with both good security and good usability. How
> >much vulnerability is there in the test systems?  How much are the
> >systems programmer

Re: Just how secure are mainframes? | Trevor Eddolls

2019-06-04 Thread Lou Losee

So does IBM

Lou

On Tue, Jun 4, 2019 at 6:38 AM Bill Johnson <
0047540adefe-dmarc-requ...@listserv.ua.edu> wrote:

> How do you demonstrate something that hasn’t happened? LOL
> I see your company sells security services too.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw <
> lenni...@rsmpartners.com> wrote:
>
> How do you demonstrate that you have never been hacked?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:  www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Bill Johnson
> Sent: 04 June 2019 01:04
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls
>
> 40 years on numerous mainframes at more than a dozen companies and we’ve
> never been hacked and never had any need for penetration testing.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Monday, June 3, 2019, 11:54 AM, Clark Morris 
> wrote:
>
> [Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main
> 0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >He’s selling plain and simple. So is Mugzak. Some laboratory bs that he
> will even show you in application code. Then no doubt analyze your
> application code for a small (large) fee. Nobody is saying the mainframe is
> fool proof. But, it is inherently (by design) more secure than any other
> platform. And, a major reason why almost every bank, insurance company, and
> major retailers still have them.
> >Sent from Yahoo Mail for iPhone
> >
> As a retired systems programmer whose only computer related investments
> are Microsoft, IBM and HPE my belief is that if your organization's
> computer system is connected to the Internet (including from PC's using
> TN3270 emulation), your organization is subject to attack.  If it does not
> have a group or outside organization such as IBM, Trevor's organization or
> ITschak's organization doing periodic ongoing penetration testing, your
> organization won't know what vulnerabilities exist.  Since I don't know
> enough about the Unisys mainframes to comment on how well they can be
> secured, I can't comment on how secure they can be made but I do know it is
> a major effort to take advantage of all the tools on any system in making
> it secure and keeping it that way.  If I knew of any major mainframe user
> that does not continually check their systems for vulnerabilities, I would
> be tempted to short sell their stock because they probably either have been
> breached or will be in the near future.
>
> Clark Morris
> >
> >On Sunday, June 2, 2019, 9:57 PM, Clark Morris 
> wrote:
> >
> >[Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main
> >0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
> >
> >>He’s trying to sell his company’s security services. Something I thought
> was not allowed on this list.
> >>
> >Whether or not he is selling something and I don't read his posts that
> >way, he is making some valid points. As a retired MVS (I was back in
> >applications by the time z/OS was available) systems programmer, I am
> >far more skeptical about the invulnerability of z/OS.  It is too easy
> >to have decades old stuff still in a system in part because people
> >don't know why it is there or are unaware of its existence.  How much
> >effort is required for an installation to achieve even 95 percent of
> >the invulnerability that is theoretically possible and keep that up.
> >How many holes are left in the average shop  because people don't
> >understand the implications of all of both IBM and vendor defaults
> >where I will almost guarantee that there are at some defaults that
> >leave a system open to hacking.  I think that it is difficult to
> >understand all of the implications of an action.  Many shops may be
> >running exits or other systems modifications that have worked for
> >decades and because they work, no one has checked them to see if they
> >have an unintended vulnerability.  I hope that none of my code that is
> >on file 432 of the CBT Tape (Philips light mods) has any vulnerability
> >but the thing that scares me is that I might not be smart enough to
> >find it even if I was looking for it.  Good security isn't cheap. Z/OS
> >may be the most secure starting base but it requires real effort to
> >actually implement it with both good security and good usability. How
> >much vulnerability is there in the test systems?  How much are the
> >systems programmer sandboxes exposed to the outside world?  What
> >uncertainties exist in systems vendor code?  Are organizations willing
> >or able to periodically test their systems' vulnerabilities?  Can be
> >secure does not mean is secure?
> >
> >Clark Morris
> >>
> >>Sent from Yahoo Mail for iPhone
> >>
> >>
> >>On Sunday, June 2, 2019, 4:04 PM, Seymour J Metz  wrote:
> >>
> >>>  * As

Re: Just how secure are mainframes? | Trevor Eddolls

How do you demonstrate something that hasn’t happened? LOL 
I see your company sells security services too.


Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw 
 wrote:

How do you demonstrate that you have never been hacked?

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd  
Web:  www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Bill Johnson
Sent: 04 June 2019 01:04
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls

40 years on numerous mainframes at more than a dozen companies and we’ve never 
been hacked and never had any need for penetration testing.


Sent from Yahoo Mail for iPhone


On Monday, June 3, 2019, 11:54 AM, Clark Morris  wrote:

[Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main 
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>He’s selling plain and simple. So is Mugzak. Some laboratory bs that he will 
>even show you in application code. Then no doubt analyze your application code 
>for a small (large) fee. Nobody is saying the mainframe is fool proof. But, it 
>is inherently (by design) more secure than any other platform. And, a major 
>reason why almost every bank, insurance company, and major retailers still 
>have them.
>Sent from Yahoo Mail for iPhone
>
As a retired systems programmer whose only computer related investments are 
Microsoft, IBM and HPE my belief is that if your organization's computer system 
is connected to the Internet (including from PC's using TN3270 emulation), your 
organization is subject to attack.  If it does not have a group or outside 
organization such as IBM, Trevor's organization or ITschak's organization doing 
periodic ongoing penetration testing, your organization won't know what 
vulnerabilities exist.  Since I don't know enough about the Unisys mainframes 
to comment on how well they can be secured, I can't comment on how secure they 
can be made but I do know it is a major effort to take advantage of all the 
tools on any system in making it secure and keeping it that way.  If I knew of 
any major mainframe user that does not continually check their systems for 
vulnerabilities, I would be tempted to short sell their stock because they 
probably either have been breached or will be in the near future.

Clark Morris  
>
>On Sunday, June 2, 2019, 9:57 PM, Clark Morris  wrote:
>
>[Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main 
>0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
>>He’s trying to sell his company’s security services. Something I thought was 
>>not allowed on this list.
>>
>Whether or not he is selling something and I don't read his posts that 
>way, he is making some valid points. As a retired MVS (I was back in 
>applications by the time z/OS was available) systems programmer, I am 
>far more skeptical about the invulnerability of z/OS.  It is too easy 
>to have decades old stuff still in a system in part because people 
>don't know why it is there or are unaware of its existence.  How much 
>effort is required for an installation to achieve even 95 percent of 
>the invulnerability that is theoretically possible and keep that up.
>How many holes are left in the average shop  because people don't 
>understand the implications of all of both IBM and vendor defaults 
>where I will almost guarantee that there are at some defaults that 
>leave a system open to hacking.  I think that it is difficult to 
>understand all of the implications of an action.  Many shops may be 
>running exits or other systems modifications that have worked for 
>decades and because they work, no one has checked them to see if they 
>have an unintended vulnerability.  I hope that none of my code that is 
>on file 432 of the CBT Tape (Philips light mods) has any vulnerability 
>but the thing that scares me is that I might not be smart enough to 
>find it even if I was looking for it.  Good security isn't cheap. Z/OS 
>may be the most secure starting base but it requires real effort to 
>actually implement it with both good security and good usability. How 
>much vulnerability is there in the test systems?  How much are the 
>systems programmer sandboxes exposed to the outside world?  What 
>uncertainties exist in systems vendor code?  Are organizations willing 
>or able to periodically test their systems' vulnerabilities?  Can be 
>secure does not mean is secure?
>
>Clark Morris
>>
>>Sent from Yahoo Mail for iPhone
>>
>>
>>On Sunday, June 2, 2019, 4:04 PM, Seymour J Metz  wrote:
>>
>>>  * As part of a APF authorized product there is a SVC or PC routine
>>>    that when called will turn on the JSBCAUTH bit
>>
>>Ouch!
>>
>>If it's APF authorized then why does it need to do that? And why would you 
>>allow such a vendor in the door?
>>
>>Did you have a tool that discovered

Re: Just how secure are mainframes? | Trevor Eddolls