Some shops require vetting of external software, even if run from personal libraries. They are not just being anal retentive; a user can cause damage even if he can't edit APF libraries. Security is aout more than preserving the integrity of the OS.
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 עַם יִשְׂרָאֵל חַי נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר ________________________________________ From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Radoslaw Skorupka <00000471ebeac275-dmarc-requ...@listserv.ua.edu> Sent: Sunday, January 26, 2025 7:16 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: CBTView ISPF Dialog - quick survey/question External Message: Use Caution W dniu 23.01.2025 o 21:52, Paul Gilmartin pisze: > On Thu, 23 Jan 2025 21:08:48 +0100, Radoslaw Skorupka wrote: >> >>> If the concern is malware infiltration, curl, HTTPS, and IND$FILE >>> from a desktop waystation are all suspect. >> Not mentioning the reasons or rationales, the FTP traffic in/out company >> is forbidden. >> > Is there a whitelist allowing either mainframe or desktop access to > cbttape.org? > > Is there a pathway by which (suitably privileged) individuals can > install cbttape content, possibly program objects, on the mainframe? > > Is curl available on the mainframe? Otherwise this discussion is > academic. Unless the cbttape repository can be mirrored on a > desktop. My observations, based on several shops experience: 1. Cybersecurity dept usually do not touch mainframe. Because they don't know it and don't understand. Not to mention many of them create "Franz Kafka - The Trial" world - you are accused, but you don't know of what. There are bans and prohibitions, but there is no explanation or rationale. 2. Assuming the above you can install anything you uploaded from your workstation. And the workstation (and user) usually is allowed to download from cbttape, etc. The reason is obvious: it is https, not ftp. Note, you can install *anything*. Including APF libraries, SVC, exits, etc. Of course you have to be a sysprog or other person authorized to change APF, etc. Formal acceptation process does not exist, however informal discussions between colleagues usually take a place. 3. Of course the are notable exceptions, where no freeware or RYO tool can be installed, except simple scripts which do not require any special authorizations. 4. Sometimes anything from outside is forbidden by default. However, theoretically you could type your own script. So, printing some useful script at home and typing/copying it by hand would be acceptable. 5. Fun fact: I tried to download some of Mark Zelden's utilities. It turned out the webpage is prohibited with category "porn" and my attempt was recorded, etc. :-) -- Radoslaw Skorupka Lodz, Poland ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
