On 2 April 2013 16:21, John Gilmore <[email protected]> wrote:

> This piece will repay your attention. It is the first open-literature
> discussion of the market for 'exploits' and who is selling what to
> whom for how much that I have seen.

There have been discussions in less well informed and well written publications than The Economist over the last year or so. Notably Forbes and ZDnet both published articles last March:

http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
http://www.zdnet.com/blog/security/us-government-pays-250000-for-ios-exploit/11044

> There is no discussion of z/OS exploits, but I do not find this reassuring.
> Our turn will certainly come.

Vulnerabilities in the z/OS core certainly appear from time to time, but we generally learn of them only from the obscure nature of IBM's fixes. I discovered one a couple of years ago, and demonstrated it to myself, but did not write code for a usable exploit. About the time I was going to send it to IBM, the fix appeared.

But the nature of z/OS vulnerabilities and any putative market for their exploits is rather different from those on most other platforms. The general public does not have the sort of insider access to z/OS that the lowliest COBOL programmer or operations clerk has, and that is required to even bump into IBM's statement of system integrity. Guarding against insiders is worthy and necessary, but it's hard to imagine much of a market for exploits that they can use, fun as it may be to dream them up.

Exploits against web servers and other public z/OS interfaces are much more generic and - despite the dreaded C string buffer overflows - probably less likely to be successful because of the layering of privileges within z/OS and its components. One can imagine a complex Stuxnet-like exploit that targets z/OS, and is spread by USB keys or system programmers' bad browsing habits, but then really the exploit target is not z/OS but the intermediate systems and their users.

Tony H.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
