On Sun, 20 Feb 2022 14:10:06 -0500, Phil Smith III  wrote:
>
>    ...  there
>is a theology in security that you err on the side of less detail about a
>security failure, to prevent attackers from gaining information that might
>help them in their quest. This is why, for example, it's considered better
>to say "Login failed" than "No such userid".
>
Has z/OS embraced that "theology" recently?  I argued for it in these pages
many years ago and received a rousing chorus of "That would just make it
harder to analyze logon failures!"  I regarded it as "NIH" when I had argued
based on my familiarity with non-IBM systems.

"We simply disable the ID after N failures."

"But that's an exposure to DoS attacks."
    ...
A clash of cultures.

I once dealt with a port that was disabled after too many failures simply by
connecting to a different port.  The design may have worked for hardwired
terminals in secured areas.  I reported my circumvention to admins.  They
recognized the locking as an ineffective nuisance and turned it off.

-- 
gil
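An added illustration of the two design points argued over above (not code from either message, and not anything z/OS or RACF does): the "No such userid" / "Bad password" style beside a uniform "Login failed" that still records the real reason in a server-side audit log for the admins who need to analyze failures, and a time-bounded failure throttle in place of "disable the ID after N failures". The user store, the `FailureThrottle` class, the `login_verbose` / `login_uniform` names and the injectable clock are all constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample user store (userid -> (salt, PBKDF2 hash)); not real credentials.
def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash(b"correct horse", _SALT))}
# Dummy credential so an unknown userid still pays for one hash comparison,
# keeping the response time similar to the known-userid path.
_DUMMY = (_SALT, _hash(b"placeholder-not-a-password", _SALT))

AUDIT_LOG = []  # server-side detail for admins; the client never sees it


def login_verbose(user: str, password: bytes) -> tuple[bool, str]:
    """The design the thread objects to: distinct messages tell the caller
    whether the userid exists."""
    if user not in USERS:
        return False, "No such userid"
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Bad password"
    return True, "OK"


class FailureThrottle:
    """Counts failures per userid inside a sliding window and imposes a
    *temporary* lockout, instead of disabling the id after N failures outright.
    A bounded lockout limits how long a third party can keep a user out."""

    def __init__(self, limit: int = 5, window: float = 300.0,
                 lockout: float = 60.0, clock=time.monotonic):
        self.limit, self.window, self.lockout, self.clock = limit, window, lockout, clock
        self._failures: dict[str, list[float]] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._locked_until.get(user, 0.0)

    def record_failure(self, user: str) -> None:
        now = self.clock()
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.limit:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = []

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def login_uniform(user: str, password: bytes,
                  throttle: FailureThrottle) -> tuple[bool, str]:
    """Hardened form: one message for every failure; the reason goes to the audit log."""
    salt, stored = USERS.get(user, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if user not in USERS:
        AUDIT_LOG.append(f"user={user!r} reason=unknown-userid")
        return False, "Login failed"
    if throttle.is_locked(user):
        AUDIT_LOG.append(f"user={user!r} reason=temporarily-locked")
        return False, "Login failed"  # not "Account locked": that would confirm the id
    if not password_ok:
        throttle.record_failure(user)
        AUDIT_LOG.append(f"user={user!r} reason=bad-password")
        return False, "Login failed"
    throttle.record_success(user)
    AUDIT_LOG.append(f"user={user!r} reason=success")
    return True, "OK"


if __name__ == "__main__":
    thr = FailureThrottle(limit=3)
    print(login_verbose("nobody", b"x"))          # (False, 'No such userid')
    print(login_uniform("nobody", b"x", thr))     # (False, 'Login failed')
    print(login_uniform("alice", b"x", thr))      # (False, 'Login failed')
    print(AUDIT_LOG)                              # the detail lives here instead
```

The point of keeping the detail in `AUDIT_LOG` rather than in the reply is that it answers the "harder to analyze logon failures" objection: the operator still sees unknown-userid versus bad-password, only the unauthenticated caller does not.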

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN