On 4/2/18, 9:15 AM, "IBM Mainframe Discussion List on behalf of Alan Altmark" <IBM-MAIN@LISTSERV.UA.EDU on behalf of alan_altm...@us.ibm.com> wrote: > The most secure delivery of service to z/OS is directly via SMP/E. Corrupted > data or MITM interference is automatically detected by the TLS connection. > You know the data is coming from IBM and you know it hasn't been tampered > with.
I'm not a security guy either, but I do know a fair amount about the transport infrastructure used in the Internet core and what gets connected to what and how. Carrier-level surveillance devices such as the ones manufactured by Palantir Systems are capable of transparently reconstructing signatures and defeating TLS at near-wire speed if given a sufficiently large input sample, and doing it at 100Gbit/sec or more if you can afford the pipe and hardware. These devices are mind-meltingly expensive -- deliberately impossibly out of the budget for anyone less than state-level actors -- but don't think there isn't a market for just such devices on the world stage. There's a lot of potentially uppity peasants out there, and a lot of state-level actors with the interest, ability and access to generate BGP updates and route all the traffic for a suspect area to a compromised device that generates the samples those kind of carrier-level surveillance appliances need. Ma Bell's core network and the parts owned by Cable & Wireless used to be fairly reliably secure -- not so much any more with SS7 and IP policy routing tools available to the moderately wicked. TLS and digitally signed content are a compromise. With enough resources, they are not unbreakable -- probably better than most, but not perfect. If you're dealing with sensitive stuff, an untrusted component anywhere in the path renders the whole path untrusted, and introducing that untrusted component is not hard in the telco world which underlies the IP world, and it's even easier in the IP world. TL;DR - I think there are customers who are willing to pay for a heavily assured path for media delivery -- it will cost a lot more, undoubtedly, and I would expect it to, but it needs to exist. I can think of at least 7 or 8 state-level actors who would be concerned with it (and actively trying to subvert it), and probably willing to put up the cash so that their rivals don’t have an advantage. For all us lesser mortals, Internet delivery probably will suffice, but I'd expect some major resistance along the way and some stiff liability insurance requirements in future contracts. Microsoft has already started to find that out; the next year or so will be very interesting. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
