Bill - I am not interested in selling you anything. I will just demo an
exploit of a code vulnerability. That's it.
On 5/28/2019 12:09 PM, Bill Johnson wrote:
lol, oh it’s a demo and you sell something to fix the hole right? But, it has
never been exploited in the real world.
Sent from Yahoo Mail for iPhone
On Tuesday, May 28, 2019, 1:06 PM, Ray Overby <[email protected]> wrote:
Bill - I assure you the silliness is all on your part. ;-)
> Show me a link to your third scenario successfully implemented?

My company does not publicly disclose z/OS code vulnerabilities that it finds in z/OS, ISV and installation code. I would be happy to demo one of the vulnerabilities for you with a Webex. Please email [email protected] and I will set up an exploit demo for you.

> Or is this some sort of “could happen” if the stars aligned and you had a dozen unlikely things happen all at the same time?

Nope. This is the real deal Bill. The demo (and any questions) should take less than 30 minutes of your time.
On 5/28/2019 11:29 AM, Bill Johnson wrote:
Pure silliness now. As this topic always becomes.
I never said or insinuated the platform was immune.
In shops I’ve worked, very few had access to add to the APF list. Security and
Audit often questioned additions. Most additions were software libs from 2-3
vendors whose libraries were also tightly controlled.
Show me a link to your third scenario successfully implemented? Or is this some
sort of “could happen” if the stars aligned and you had a dozen unlikely things
happen all at the same time?
Sent from Yahoo Mail for iPhone
On Tuesday, May 28, 2019, 11:44 AM, Ray Overby <[email protected]> wrote:
This discussion on mainframe vulnerabilities has unfortunately broken
down. I have been talking to mainframe people about vulnerabilities for
the last 12 years. I have talked with people just like Bill Johnson. My
discussions went just like this discussion did. The problem (as I saw
it) was that discussing a “mainframe vulnerability” is too ambiguous.
The discussion needs to be more specific. This led to categorizing
vulnerabilities. When the vulnerabilities were categorized (which also
defined their capabilities BUT does not allow the hacker to generate an
exploit) the discussions evolved to the point that not only did the
mainframe people better understand the vulnerabilities and their
associated risk but also allowed C level, managers, Auditors, Security,
Pen testers, and Risk people to understand and participate in the
vulnerability discussions.
For example, you can classify mainframe vulnerabilities based upon their
source – configuration or code based. Classifying the vulnerability
eliminates ambiguities that are inherent when you don’t classify. It is
these ambiguities that can cause the discussion to break down. For
example, how would the discussion have changed if the vulnerabilities
under discussion were classified as follows:
-Configuration based vulnerabilities
* APF authorized data sets not adequately protected
* SMP/E data sets not adequately protected
* FTP anonymous allowed
* FTP JES option allowed
* Outgoing TCPIP traffic not protected
-Code based vulnerabilities
* Storage alteration
* Trap door
* System Instability
To better focus the discussion perhaps the following questions should be
discussed:
Q for Bill Johnson – Are you saying that the mainframe is immune from
any type of vulnerabilities (Code and Configuration based)?
Q for Bill Johnson - Do you consider a configuration based vulnerability
(APF authorized data set not adequately protected) as a hack if it is
exploited?
Q for Bill Johnson – Do you consider a code based vulnerability (storage
alteration that allows dynamic elevation of ESM or z/OS authorities by
any user of z/OS) as a hack if it is exploited?
On 5/28/2019 9:23 AM, Bill Johnson wrote:
And you sell security services. What do I expect you to say?
Not everything I provided was IBM.
Sent from Yahoo Mail for iPhone
On Tuesday, May 28, 2019, 10:13 AM, ITschak Mugzach <[email protected]> wrote:
These Are IBM docs. What you expect them to say?
ITschak
On Tue, May 28, 2019, 16:54 Tom Marchant <[email protected]> wrote:
On Tue, 28 May 2019 13:32:35 +0000, Bill Johnson wrote:
If you either didn’t read or didn’t comprehend the posts I provided, I
cannot help you.
As I wrote, I read all of the references that you posted.
Yes, I understood them.
You misrepresented what they said.
Now your response is to insult me. That is pathetic.
--
Tom Marchant
Sent from Yahoo Mail for iPhone
On Tuesday, May 28, 2019, 9:17 AM, Tom Marchant <[email protected]> wrote:
On Mon, 27 May 2019 16:05:33 +0000, Bill Johnson wrote:
Mainframes are by design far more secure. For good reason. The exposure is catastrophic potentially. It’s one of the main reasons why banks rely and stay on it and spend tens of millions for it. I’ve already provided numerous links referencing it.

You have provided pitifully little to support your claim that the security of mainframes is the reason banks and others stay with them. I have read all of the references that you posted, and most of them list the POTENTIAL to secure them as ONE of the reasons why people use mainframes for mission-critical data, but not the main reason.
You have over-stated your case.
Add in my criminal justice knowledge along with my computer science
degree and 40 years of experience in IT and security. But don’t let me
dispel your beliefs.
So I shouldn't question you because you are the expert?
I call BS.
--
Tom Marchant
Sent from Yahoo Mail for iPhone
On Monday, May 27, 2019, 11:45 AM, Chad Rikansrud <[email protected]> wrote:
At the risk of re-kicking the already dead horse: Bill, you're
comparing apples and spiders.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN