There is a lot of security out there, if you're permitted to use it. TCPIP did not make the mainframe less safe, other things using TCPIP did, especially when we moved most authentication off the mainframe.
"Let the servers do anything they want!" "Ahhhh, no." The pen tester found stupid pointless stuff, and left. The one time they were successful, they found a list of privileged accounts off mainframe, and guessed at the four obvious per 90 day passwords based on a partial password of one of those ids, where the signon was not secure. Things are only as secure as the weakest link.

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Seymour J Metz
Sent: Wednesday, May 08, 2019 2:57 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: mainframe hacking "success stories"?

It's similar to an authorized program in that there are complex rules for its use. You can associate access rules with controlled programs, but you need to dot all the Is and cross all the Ts. An example might be giving a specific user to a payroll file only if he is running a specific program.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Bob Bridges <robhbrid...@gmail.com>
Sent: Tuesday, May 7, 2019 5:46 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: mainframe hacking "success stories"?

Yeah, about that: What ~is~ a "controlled program"? I noticed that qualification, but my background is apps development and I'm woefully ignorant in spots.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
/* Expecting the world to treat you fairly because you are a good person is a little like expecting the bull not to attack you because you are a vegetarian. -Dennis Wholey */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Seymour J Metz
Sent: Tuesday, May 7, 2019 17:05

The quoted text refers to controlled programs, which are not what users normally run.
________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Bob Bridges <robhbrid...@gmail.com>
Sent: Tuesday, May 7, 2019 5:02 PM

Well, more correctly, an installation ~can~ control users' ability to create dumps. Here's a bit from the RACF manual:

"Your installation can control the dumping (with SYSUDUMP, SYSABEND, and SYSMDUMP statements) of address spaces that contain controlled programs by defining a profile to protect a resource called IEAABD.DMPAUTH in the FACILITY general resource class. / To control the dumping (with SYSABEND, SYSMDUMP, and SYSUDUMP statements) of address spaces that have tasks running in a task control block (TCB) key of less than 8, a profile protecting a resource called IEAABD.DMPAKEY must be defined in the FACILITY general resource class."

From the way this is worded, I gather that if you don't define that rule in RACF then dumps aren't restricted. ACF2 and Top Secret may have the restriction turned on by default, I'm not sure. My current three clients seem all to have this feature turned on, that is, they're controlling access to dumps.

-----Original Message-----
From: Seymour J Metz
Sent: Tuesday, May 7, 2019 16:29

"MVS users nowadays need special authority to create a program dump"?

-----Original Message-----
From: Bob Bridges <robhbrid...@gmail.com>
Sent: Tuesday, May 7, 2019 3:33 PM

And thus what I said last night: MVS has been around longer, so it's had more opportunity to find and plug holes. Give it another two decades and we may find that even Windows is much more secure. Not perfect, of course, even then. Iron sharpens iron, so the Good Guys and the Bad Guys continue to get smarter together. In 1978 and '79 I worked for a university that had a DECsystem-10. I learned a ~ton~ back then about...well, I didn't think of it as hacking, but I could start a program, then <Ctrl-C> it and inspect the machine code at my leisure.
I made substantial progress toward figuring out Colossal Cave's "magic mode" before I left there for another job. It's primarily by remembering those days that I came to understand why MVS users nowadays need special authority to create a program dump.

-----Original Message-----
From: Seymour J Metz
Sent: Tuesday, May 7, 2019 13:21

While the old mainframes were too expensive for individual users, that changed by the 1960s and moreso by the 1970s. Remember the Honeywell Kitchen Computer? The DEC PDP-5 and PDP-8? As for mainframe security I don't believe that such operating systems as IBSYS/IBJOB cleared storage between jobs.

-----Original Message-----
From: Jesse 1 Robinson <jesse1.robin...@sce.com>
Sent: Tuesday, May 7, 2019 1:12 PM

When I explain mainframe security to the unwashed but curious, I cite history above all. The mainframe emerged from the primordial bit bucket soup at a time and in a form that utterly precluded individual users from possessing their own computers. The notion of one-computer-one-user was monstrously unthinkable. Mainframe was of necessity a shared environment in which utter strangers were obligated to breathe the same digital air and excrete into the same pools. Preventing cross contamination was the first commandment. This overriding concern guided and often dictated decades of evolution. There was never a moment in the mainframe's lineage where security or integrity could be architecturally compromised for *any* other goal. Contrast that with any sort of Pee-Cee, where Pee stood originally for 'be sure to close the dorm room door when you toddle down the hall for a cold one'. Likewise for the U of xNIX. Each machine had one devoted owner whose needs were paramount. Unfortunately the computer could not discern its master by nose, a simple trick any dog could perform instinctively. Then the throwable machines, by virtue of price and availability, were ushered on to the big-boy stage, and shareability was suddenly de rigueur.
So began still-developing Rube Goldberg mechanisms to keep multiple users out of each other's shorts. After decades of flailing around, the only 'security tool' trusted by weenie-ware folks with something important to protect is server isolation. Let's be clear. The major reason for the mind-boggling proliferation of midrange servers is not the need for more MIPS and gigabytes. It's the fundamental distrust common to all non-mainframe users that anyone else allowed onto MY hardware is a potential mugger. One app, one server. You got a problem with that? The boss will buy you your own server.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN