https://en.wikipedia.org/wiki/Draconian
https://en.wikipedia.org/wiki/Draco_(lawgiver)

Draco, law scribe who replaced informal oral laws with harsh written laws and a court system, 650-600 BC, Athens, Greece.

On Wed, Sep 13, 2017 at 12:28 PM, Jesse 1 Robinson <[email protected]> wrote:
> There was a lot of discussion at SHARE this summer about the impact of the
> new EU regulation that imposes Draconian penalties on a company that fails to
> report data breaches *very* quickly. (Who was Dracon anyway, and why such a
> hard *ss?) The EU rule stipulates that if breached data is encrypted, then
> there is no obligation to report and no penalty. The difference in cost to a
> large company ought to pay for several z14s.
>
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-543-6132 Office ⇐=== NEW
> [email protected]
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Steve Smith
> Sent: Wednesday, September 13, 2017 6:15 AM
> To: [email protected]
> Subject: (External):Re: Would encryption have prevented known major breaches?
>
> The bottom line is this: stolen encrypted data is much harder to use, or it
> takes time and effort to crack it. But no encryption seals all the attack
> vectors, many of which would bypass encryption.
>
> E.g. z/OS Data Set Encryption is so transparent, many users won't even know
> the data *is* encrypted. (In my experiments with it, it's actually more
> difficult to get a glimpse at the encrypted data than to see it in the
> clear.) So a bad guy who breaches the system in a way that impersonates an
> authorized user won't be bothered by the encryption at all.
>
> Crypto-wizards know exactly how hard it is to crack particular forms of
> encryption. It's nothing to IBM's shame if someone builds a powerful enough
> machine to do it; or, far less likely, a mathematical genius finds a better
> algorithm. Now, if their implementation has some fatal back-door that gets
> exploited, then they'd deserve much more than embarrassment.
>
> sas
>
> On Wed, Sep 13, 2017 at 8:54 AM, Elardus Engelbrecht
> <[email protected]> wrote:
>> Peter Relson wrote:
>>
>>> Isn't the answer really: no, it would not have prevented the breach but it
>>> would have prevented the breach from having the undesirable effects (e.g.,
>>> exposing sensitive data)?
>>
>> Actually in my humble opinion, there are TWO answers - Yes and No.
>>
>> It depends on how the breach took place in the first place.
>>
>> If breachers are insiders themselves, you're basically out of luck and
>> goodbye to your [sensitive and unencrypted] data.
>>
>> If breachers can install nefarious software on your z/OS users' workstations,
>> they can misuse those workstations to steal [and perhaps decrypt] whatever
>> they want.
>>
>> If you are leaving a hole somewhere where (non-SSL) applications, FTP and
>> TELNET for example, are open to the outside world, then you deserve to be
>> punished.
>>
>> ... etc ...
>>
>>
>>> If breached data is encrypted, I believe that there is not a regulatory
>>> requirement to report the breach.
>>
>> I don't know about rules and regulations, but I believe ALL breaches should
>> be reported somehow. Of course, red faces will follow despite the encrypted
>> data.
>>
>> Perhaps if someone can really decrypt it, then big blue has a red face...
>>
>> Groete / Greetings
>> Elardus Engelbrecht
>
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

--
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?
