Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
On Mon, 9 Sep 2013 21:23:35 -0400 Arthur T. ibmm...@intergate.com wrote:

:On 9 Sep 2013 17:21:22 -0700, in bit.listserv.ibm-main (Message-ID:p8ps29dehr76q9k41pgud8dot2kjf3v...@4ax.com) cfmpub...@ns.sympatico.ca (Clark Morris) wrote:

:On 9 Sep 2013 07:41:42 -0700, in bit.listserv.ibm-main you wrote:

:I once enquired into the question

:Sysprogs, even disgruntled ones, have not usually been problematic in mainframe shops; and it is well that this is the case. Anyone who makes much use of locks needs locksmiths too.

:This brings up the very interesting question of whether a senior mainframe systems programmer would be able to take as much information from his/her installation as Edward Snowden seemingly has from the NSA. If so, is it in the nature of the job or was someone lax within the NSA organization?

:If you have write access to an APF library, you can read from and write to any dataset. If people were suspicious of you, your accesses could be found out after the fact. If you're very good or very sneaky, even post-access auditing won't find out what you've done.

:No, I won't explain how. I'll leave it as an exercise for the student, who will likely get caught, fired, and maybe indicted.

Don't pretend that it is super sekrit. Any SYSPROG that writes code (other than a SMP jockey) knows how to do it.

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
On 10 Sep 2013 00:08:02 -0700, in bit.listserv.ibm-main (Message-ID:r7ht291houi25hhl5lu4j2s78horr9r...@4ax.com) bdis...@dissensoftware.com (Binyamin Dissen) wrote:

> Don't pretend that it is super sekrit. Any SYSPROG that writes code (other than a SMP jockey) knows how to do it.

No, it's not super sekrit. But I've worked with real systems programmers (not just SMP jockeys) who would have a hard time figuring it out. It's not because they're stupid or ignorant, but just because their experiences didn't lead them along the same paths as mine.

I believe you owe an apology to Clark Morris, who started this thread.

--
I cannot receive mail at the address this was sent from. To reply directly, send to ar23hur at pobox dot com
Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
On Tue, 10 Sep 2013 04:01:24 -0400 Arthur T. ibmm...@intergate.com wrote:

:On 10 Sep 2013 00:08:02 -0700, in bit.listserv.ibm-main (Message-ID:r7ht291houi25hhl5lu4j2s78horr9r...@4ax.com) bdis...@dissensoftware.com (Binyamin Dissen) wrote:

:Don't pretend that it is super sekrit. Any SYSPROG that writes code (other than a SMP jockey) knows how to do it.

:No, it's not super sekrit. But I've worked with real systems programmers (not just SMP jockeys) who would have a hard time figuring it out. It's not because they're stupid or ignorant, but just because their experiences didn't lead them along the same paths as mine.

I find that difficult to understand. What true SYSPROG has not read about system exits?

:I believe you owe an apology to Clark Morris, who started this thread.

No offense intended.

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies.
Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
From: Jon Perryman jperr...@pacbell.net
To: IBM-MAIN@LISTSERV.UA.EDU
Sent: Monday, September 9, 2013 11:37:07 PM
Subject: Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?

> I heard that the NSA proposed solution for the Snowden problem is to require 2 people to access sensitive information. I wonder if the logon screens will require dual userids.

Will both enter keys have to be at least 10 feet apart and pressed within 1/2 second of each other? This is how two different trustable people launch an ICBM. At least in the movies.

Two quotes on how much can be stolen:

“A man who has never gone to school may steal from a freight car, but if he has a university education he may steal the whole railroad.” [Theodore Roosevelt]

“You can get much further with a kind word and a gun than you can with a kind word alone.” [Al Capone]

Bill Fairchild
Franklin, TN
Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
Arthur is correct. Back at my JCP days, that is one reason they broke the SYSPROG job into 3 different jobs. You had the assembler programmers who wrote the exits and any assembler user-mods or in-house applications; the SMP jockeys that applied IBM maintenance and also tested the assembler exits from the programmers and put together the production libraries; and finally the Operations sysprogs that actually moved the libraries given them by the SMP jockeys into production. No one person was authorized to do it all; and technically there were checks at each step to make sure that nothing special was moved forward.

Of course, it would still have been possible for the assembler programmer to move an exit into production that granted him special authority; but since that programmer didn't even have a good usable ID on the other systems it would not have done him a lot of good. It would require at least 2 people to do something outside the norm.

Russell

On 09/09/13, Arthur T. ibmm...@intergate.com wrote:

> On 9 Sep 2013 17:21:22 -0700, in bit.listserv.ibm-main (Message-ID:p8ps29dehr76q9k41pgud8dot2kjf3v...@4ax.com) cfmpub...@ns.sympatico.ca (Clark Morris) wrote:

> On 9 Sep 2013 07:41:42 -0700, in bit.listserv.ibm-main you wrote:

> I once enquired into the question

> <snip>

> Sysprogs, even disgruntled ones, have not usually been problematic in mainframe shops; and it is well that this is the case. Anyone who makes much use of locks needs locksmiths too.

> This brings up the very interesting question of whether a senior mainframe systems programmer would be able to take as much information from his/her installation as Edward Snowden seemingly has from the NSA. If so, is it in the nature of the job or was someone lax within the NSA organization?

> If you have write access to an APF library, you can read from and write to any dataset. If people were suspicious of you, your accesses could be found out after the fact. If you're very good or very sneaky, even post-access auditing won't find out what you've done.

> No, I won't explain how. I'll leave it as an exercise for the student, who will likely get caught, fired, and maybe indicted.
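As an added example (not code from the thread or from any of its posters), here is a small Python audit that turns two points made above into checks a defender can run over an access inventory: Arthur's point that write access to an APF-authorized library amounts to control of the whole system, so such a grant should be reported as system-level privilege no matter how narrow the user's other permissions look, and Russell's three-role split, which only works while no single userid holds more than one of the three roles. The dataset names, userids, role names and the shape of the access table are constructed for illustration; they are not the output of any real security product's commands.

```python
"""Privilege audit: APF write access and separation-of-duties (added example).

All data below is constructed sample input. The dataset names, userids and
role names are invented; the format of the access table is a hypothetical
simplification, not the output of RACF, ACF2 or Top Secret.
"""

# Constructed sample: APF-authorized libraries on this (hypothetical) system.
APF_LIST = {"SYS1.LINKLIB", "SYS1.LPALIB", "USER.APF.LOAD"}

# Constructed sample: direct dataset access grants, userid -> {dataset: level}.
ACCESS = {
    "SYSPRG1": {"SYS1.LINKLIB": "READ", "USER.APF.LOAD": "UPDATE"},
    "SMPJOCK": {"SYS1.LINKLIB": "UPDATE", "SYS1.LPALIB": "ALTER"},
    "OPSPRG1": {"PROD.LOADLIB": "UPDATE"},
    "APPDEV1": {"APP.PAYROLL.DATA": "READ"},
}

# Constructed sample: who holds which role in Russell's three-way split.
ROLES = {
    "SYSPRG1": {"exit-author"},
    "SMPJOCK": {"smp-maintainer"},
    "OPSPRG1": {"ops-promoter"},
    "APPDEV1": {"exit-author", "ops-promoter"},  # one ID holding two roles
}

# Access levels that let a user alter members of a load library.
WRITE_LEVELS = {"UPDATE", "CONTROL", "ALTER"}

# Role pairs that, held by one person, defeat the purpose of the split.
TOXIC_PAIRS = [
    ("exit-author", "ops-promoter"),    # can push own exit into production
    ("exit-author", "smp-maintainer"),  # can skip the independent test step
    ("smp-maintainer", "ops-promoter"),  # can build and promote unreviewed
]


def apf_write_grants(userid, access=ACCESS, apf_list=APF_LIST):
    """Return the APF-authorized datasets this user is allowed to modify."""
    return sorted(
        ds for ds, level in access.get(userid, {}).items()
        if ds in apf_list and level in WRITE_LEVELS
    )


def effective_privilege(userid, access=ACCESS, apf_list=APF_LIST):
    """'SYSTEM' if the user can modify any APF library, otherwise 'DIRECT'.

    Write access to an APF library is treated as system-wide privilege because
    code placed there can run authorized and bypass normal dataset protection.
    """
    return "SYSTEM" if apf_write_grants(userid, access, apf_list) else "DIRECT"


def sod_violations(roles=ROLES, toxic_pairs=TOXIC_PAIRS):
    """Return {userid: [(role_a, role_b), ...]} for IDs holding a toxic pair."""
    violations = {}
    for userid, held in roles.items():
        hits = [pair for pair in toxic_pairs if set(pair) <= held]
        if hits:
            violations[userid] = hits
    return violations


def audit_report(access=ACCESS, apf_list=APF_LIST, roles=ROLES):
    """Combine both checks into a sorted list of findings."""
    findings = []
    for userid in sorted(access):
        grants = apf_write_grants(userid, access, apf_list)
        if grants:
            findings.append(
                f"{userid}: SYSTEM-level privilege (write to APF library "
                f"{', '.join(grants)})"
            )
    for userid, pairs in sorted(sod_violations(roles).items()):
        for role_a, role_b in pairs:
            findings.append(
                f"{userid}: separation-of-duties violation ({role_a} + {role_b})"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_report():
        print(finding)
```

In the constructed data, OPSPRG1 can update PROD.LOADLIB but that library is not APF-authorized, so it stays at direct privilege, while SYSPRG1's single UPDATE grant on USER.APF.LOAD is enough to be reported as system-level; APPDEV1 has no APF grant at all but holds both the author and promoter roles, which is the combination Russell's split was meant to prevent.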
Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
On 2013-09-10 14:09, Russell Witt wrote:

> Arthur is correct. Back at my JCP days, that is one reason they broke the SYSPROG job into 3 different jobs. You had the assembler programmers who wrote the exits and any assembler user-mods or in-house applications; the SMP jockeys that applied IBM maintenance and also tested the assembler exits from the programmers and put together the production libraries; and finally the Operations sysprogs that actually moved the libraries given them by the SMP jockeys into production. No one person was authorized to do it all; and technically there were checks at each step to make sure that nothing special was moved forward.

> Of course, it would still have been possible for the assembler programmer to move an exit into production that granted him special authority; but since that programmer didn't even have a good usable ID on the other systems it would not have done him a lot of good. It would require at least 2 people to do something outside the norm.

In the modern world they call it separation of duties. Of course it is as old as SPECIAL and AUDITOR, not to mention SPECIAL's access to the resources.

--
Radoslaw Skorupka
Lodz, Poland

--
This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive.

BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax +48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl
District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, register of entrepreneurs no. KRS 025237, NIP: 526-021-50-88. As at 01.01.2013 the share capital of BRE Bank SA (fully paid up) amounts to 168,555,904 zlotys.
Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
The two-persons-required scheme has its uses. Final authority must, however, be lodged somewhere; and these schemes almost always come with overrides.

The parcel of land on the East River in Manhattan on which the UN built its Headquarters was donated by John D. Rockefeller, Jr.; and a picture of the check he used to pay for it appeared in the New York Times. It bears two signature lines, both labeled 'attorney' as in 'power of attorney', but only one signature, that of John D. Rockefeller, Jr., himself.

Principals often exempt themselves from the restrictions they impose upon their hirelings, on the sound principle that they are and should be free to steal from themselves.

New locks on the barn door, installed ostentatiously after the discovery that the horses are missing, need to be understood for what they are: They are gestural, not substantive.

John Gilmore, Ashland, MA 01721 - USA
Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
In 522f0d76.2020...@bremultibank.com.pl, on 09/10/2013 at 02:15 PM, R.S. r.skoru...@bremultibank.com.pl said:

> Of course it is as old as SPECIAL and AUDITOR,

Every generation believes that it invented sex.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Atid/2 http://patriot.net/~shmuel
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
In 17868922.1560312.1378814955966.JavaMail.root@vznit170182, on 09/10/2013 at 07:09 AM, Russell Witt res09...@verizon.net said:

> Of course, it would still have been possible for the assembler programmer to move an exit into production that granted him special authority;

I've been in jobs where I was not permitted to remove such code. Security requires management buyin.

As for trust, even if your sysprogs are honest they can make mistakes. IMHO we'd all be better off if code and design reviews were more common.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Atid/2 http://patriot.net/~shmuel
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
On 9 Sep 2013 07:41:42 -0700, in bit.listserv.ibm-main you wrote:

> I once enquired into the question

> Do licensed locksmiths burgle? The answer, as a practical matter, turns out to be no. Selection presumably plays a part. Convicted burglars may well find it hard to obtain a locksmith's license. There is something else at work too. As George Orwell mentioned in his novel Burmese Days, colonial administrators were not expected to be fearful; and so in general they were not.

> Sysprogs, even disgruntled ones, have not usually been problematic in mainframe shops; and it is well that this is the case. Anyone who makes much use of locks needs locksmiths too.

This brings up the very interesting question of whether a senior mainframe systems programmer would be able to take as much information from his/her installation as Edward Snowden seemingly has from the NSA. If so, is it in the nature of the job or was someone lax within the NSA organization?

Clark Morris
Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
On 9 Sep 2013 17:21:22 -0700, in bit.listserv.ibm-main (Message-ID:p8ps29dehr76q9k41pgud8dot2kjf3v...@4ax.com) cfmpub...@ns.sympatico.ca (Clark Morris) wrote:

> On 9 Sep 2013 07:41:42 -0700, in bit.listserv.ibm-main you wrote:

> I once enquired into the question

> <snip>

> Sysprogs, even disgruntled ones, have not usually been problematic in mainframe shops; and it is well that this is the case. Anyone who makes much use of locks needs locksmiths too.

> This brings up the very interesting question of whether a senior mainframe systems programmer would be able to take as much information from his/her installation as Edward Snowden seemingly has from the NSA. If so, is it in the nature of the job or was someone lax within the NSA organization?

If you have write access to an APF library, you can read from and write to any dataset. If people were suspicious of you, your accesses could be found out after the fact. If you're very good or very sneaky, even post-access auditing won't find out what you've done.

No, I won't explain how. I'll leave it as an exercise for the student, who will likely get caught, fired, and maybe indicted.

--
I cannot receive mail at the address this was sent from. To reply directly, send to ar23hur at pobox dot com
Re: How much can sysprogs steal was Re: OT: Obscurity Is Not Security... Or Is It?
I heard that the NSA proposed solution for the Snowden problem is to require 2 people to access sensitive information. I wonder if the logon screens will require dual userids.

Jon Perryman.

From: Clark Morris cfmpub...@ns.sympatico.ca

> Sysprogs, even disgruntled ones, have not usually been problematic in mainframe shops; and it is well that this is the case. Anyone who makes much use of locks needs locksmiths too.

> This brings up the very interesting question of whether a senior mainframe systems programmer would be able to take as much information from his/her installation as Edward Snowden seemingly has from the NSA. If so, is it in the nature of the job or was someone lax within the NSA organization?