It’s a little more than coincidence that 3 of the most vociferous posters who claim the mainframe is not secure, all sell mainframe security services.
Sent from Yahoo Mail for iPhone

On Tuesday, June 4, 2019, 8:59 AM, ITschak Mugzach <imugz...@gmail.com> wrote:

Lennie,

You are inviting 'he tries to sell his product / services' ...

ITschak

On Tue, Jun 4, 2019 at 3:45 PM Lennie Dymoke-Bradshaw <lenni...@rsmpartners.com> wrote:

> Bill,
>
> It is very difficult to prove the negative. Hence, your claim that your system has never been hacked is difficult to prove. I think it is possible that your system has been "hacked" and your data has been exfiltrated. There is no reason for the hacker to call attention to the fact that you have been hacked.
>
> However, by maintaining that you have not been hacked, and also maintaining that it is very unlikely that you would ever be hacked, I fear you are doing your employers a disservice.
>
> Actually, I work through RSM partners as an independent contractor. Yes, they sell security services. Yes, I am sometimes called upon to deliver such services. Nothing to hide here. Most people have to work for a living. I imagine you do too. Just because one works in an industry does not mean one's opinion of the industry is invalid; in fact, the opposite is frequently true.
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web: www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Bill Johnson
> Sent: 04 June 2019 12:37
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls
>
> How do you demonstrate something that hasn’t happened? LOL I see your company sells security services too.
>
> Sent from Yahoo Mail for iPhone
>
> On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw <lenni...@rsmpartners.com> wrote:
>
> How do you demonstrate that you have never been hacked?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web: www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Bill Johnson
> Sent: 04 June 2019 01:04
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor Eddolls
>
> 40 years on numerous mainframes at more than a dozen companies and we’ve never been hacked and never had any need for penetration testing.
>
> Sent from Yahoo Mail for iPhone
>
> On Monday, June 3, 2019, 11:54 AM, Clark Morris <cfmt...@uniserve.com> wrote:
>
> [Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main 00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >He’s selling plain and simple. So is Mugzak. Some laboratory bs that he will even show you in application code. Then no doubt analyze your application code for a small (large) fee. Nobody is saying the mainframe is fool proof. But, it is inherently (by design) more secure than any other platform. And, a major reason why almost every bank, insurance company, and major retailers still have them.
> >Sent from Yahoo Mail for iPhone
> >
> As a retired systems programmer whose only computer related investments are Microsoft, IBM and HPE my belief is that if your organization's computer system is connected to the Internet (including from PC's using TN3270 emulation), your organization is subject to attack. If it does not have a group or outside organization such as IBM, Trevor's organization or ITschak's organization doing periodic ongoing penetration testing, your organization won't know what vulnerabilities exist.
> Since I don't know enough about the Unisys mainframes to comment on how well they can be secured, I can't comment on how secure they can be made but I do know it is a major effort to take advantage of all the tools on any system in making it secure and keeping it that way. If I knew of any major mainframe user that does not continually check their systems for vulnerabilities, I would be tempted to short sell their stock because they probably either have been breached or will be in the near future.
>
> Clark Morris
> >
> >On Sunday, June 2, 2019, 9:57 PM, Clark Morris <cfmt...@uniserve.com> wrote:
> >
> >[Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main 00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
> >
> >>He’s trying to sell his company’s security services. Something I thought was not allowed on this list.
> >>
> >Whether or not he is selling something and I don't read his posts that way, he is making some valid points. As a retired MVS (I was back in applications by the time z/OS was available) systems programmer, I am far more skeptical about the invulnerability of z/OS. It is too easy to have decades old stuff still in a system in part because people don't know why it is there or are unaware of its existence. How much effort is required for an installation to achieve even 95 percent of the invulnerability that is theoretically possible and keep that up. How many holes are left in the average shop because people don't understand the implications of all of both IBM and vendor defaults where I will almost guarantee that there are at some defaults that leave a system open to hacking. I think that it is difficult to understand all of the implications of an action. Many shops may be running exits or other systems modifications that have worked for decades and because they work, no one has checked them to see if they have an unintended vulnerability.
> >I hope that none of my code that is on file 432 of the CBT Tape (Philips light mods) has any vulnerability but the thing that scares me is that I might not be smart enough to find it even if I was looking for it. Good security isn't cheap. Z/OS may be the most secure starting base but it requires real effort to actually implement it with both good security and good usability. How much vulnerability is there in the test systems? How much are the systems programmer sandboxes exposed to the outside world? What uncertainties exist in systems vendor code? Are organizations willing or able to periodically test their systems' vulnerabilities? Can be secure does not mean is secure?
> >
> >Clark Morris
> >>
> >>Sent from Yahoo Mail for iPhone
> >>
> >>On Sunday, June 2, 2019, 4:04 PM, Seymour J Metz <sme...@gmu.edu> wrote:
> >>
> >>> * As part of an APF authorized product there is a SVC or PC routine that when called will turn on the JSCBAUTH bit
> >>
> >>Ouch!
> >>
> >>If it's APF authorized then why does it need to do that? And why would you allow such a vendor in the door?
> >>
> >>Did you have a tool that discovered that the vendor's SVC turned on JSCBAUTH, or did you have to read the code like the rest of us?
> >
> >----------------------------------------------------------------------
> >For IBM-MAIN subscribe / signoff / archive access instructions, send
> >email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
ITschak Mugzach | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |