Bill

Do you believe:

(o) That there have never been any "magic" or "auth on" SVCs or PC routines?

(o) That there is no such thing as a Sec/Int APAR?

(o) That Karl Schmitz has just been wasting his breath for the last 20 years?

(o) That IBM's Secure Engineering department just sit around eating doughnuts 
and drinking coffee?

(o) User key common storage never existed?

(o) That every ISV developer is as good as the very best IBM Poughkeepsie z/OS 
developer you can find?

(o) That in-house sysprogs who tinker with their own or public domain 
authorized code are as good as the very best IBM Poughkeepsie z/OS developer 
you can find?

(o) That pentest software has never found an exposure at a large mainframe site 
- including financial institutions?

z/OS is an extremely robust and well-engineered operating system, but to claim 
it to be 100% secure in all deployments would be naive.

Rob Scott
Rocket Software


-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Bill Johnson
Sent: Tuesday, June 4, 2019 2:09 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

It’s a little more than coincidence that 3 of the most vociferous posters who 
claim the mainframe is not secure, all sell mainframe security services.


Sent from Yahoo Mail for iPhone


On Tuesday, June 4, 2019, 8:59 AM, ITschak Mugzach <imugz...@gmail.com> wrote:

Lennie,

You are inviting 'he tries to sell his product / services' ...

ITschak

On Tue, Jun 4, 2019 at 3:45 PM Lennie Dymoke-Bradshaw < 
lenni...@rsmpartners.com> wrote:

> Bill,
>
> It is very difficult to prove the negative. Hence, your claim that
> your system has never been hacked is difficult to prove. I think it is
> possible that your system has been "hacked" and your data has been 
> exfiltrated.
> There is no reason for the hacker to call attention to the fact that
> you have been hacked.
>
> However, by maintaining that you have not been hacked, and also
> maintaining that it is very unlikely that you would ever be hacked, I
> fear you are doing your employers a disservice.
>
> Actually, I work through RSM partners as an independent contractor.
> Yes, they sell security services. Yes, I am sometimes called upon to
> deliver such services. Nothing to hide here. Most people have to work for a 
> living.
> I imagine you do too. Just because one works in an industry does not
> mean one's opinion of the industry is invalid; in fact, the opposite
> is frequently true.
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web: www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
> Behalf Of Bill Johnson
> Sent: 04 June 2019 12:37
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor
> Eddolls
>
> How do you demonstrate something that hasn’t happened? LOL I see your
> company sells security services too.
>
>
> On Tuesday, June 4, 2019, 5:59 AM, Lennie Dymoke-Bradshaw <
> lenni...@rsmpartners.com> wrote:
>
> How do you demonstrate that you have never been hacked?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web: www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
> Behalf Of Bill Johnson
> Sent: 04 June 2019 01:04
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Just how secure are mainframes? | Trevor
> Eddolls
>
> 40 years on numerous mainframes at more than a dozen companies and
> we’ve never been hacked and never had any need for penetration testing.
>
>
> On Monday, June 3, 2019, 11:54 AM, Clark Morris <cfmt...@uniserve.com>
> wrote:
>
> [Default] On 2 Jun 2019 19:11:41 -0700, in bit.listserv.ibm-main
> 00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >He’s selling plain and simple. So is Mugzak. Some laboratory bs that he
> >will even show you in application code. Then no doubt analyze your
> >application code for a small (large) fee. Nobody is saying the
> >mainframe is fool proof. But, it is inherently (by design) more secure
> >than any other platform. And, a major reason why almost every bank,
> >insurance company, and major retailers still have them.
> >
> As a retired systems programmer whose only computer related
> investments are Microsoft, IBM and HPE my belief is that if your
> organization's computer system is connected to the Internet (including
> from PC's using
> TN3270 emulation), your organization is subject to attack.  If it does
> not have a group or outside organization such as IBM, Trevor's
> organization or ITschak's organization doing periodic ongoing
> penetration testing, your organization won't know what vulnerabilities
> exist.  Since I don't know enough about the Unisys mainframes to
> comment on how well they can be secured, I can't comment on how secure
> they can be made but I do know it is a major effort to take advantage
> of all the tools on any system in making it secure and keeping it that
> way.  If I knew of any major mainframe user that does not continually
> check their systems for vulnerabilities, I would be tempted to short
> sell their stock because they probably either have been breached or will be 
> in the near future.
>
> Clark Morris
> >
> >On Sunday, June 2, 2019, 9:57 PM, Clark Morris <cfmt...@uniserve.com> wrote:
> >
> >[Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main
> >00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
> >
> >>He’s trying to sell his company’s security services. Something I
> >>thought was not allowed on this list.
> >>
> >Whether or not he is selling something and I don't read his posts
> >that way, he is making some valid points. As a retired MVS (I was
> >back in applications by the time z/OS was available) systems
> >programmer, I am far more skeptical about the invulnerability of
> >z/OS.  It is too easy to have decades old stuff still in a system in
> >part because people don't know why it is there or are unaware of its
> >existence.  How much effort is required for an installation to
> >achieve even 95 percent of the invulnerability that is theoretically 
> >possible and keep that up.
> >How many holes are left in the average shop  because people don't
> >understand the implications of all of both IBM and vendor defaults
> >where I will almost guarantee that there are at some defaults that
> >leave a system open to hacking.  I think that it is difficult to
> >understand all of the implications of an action.  Many shops may be
> >running exits or other systems modifications that have worked for
> >decades and because they work, no one has checked them to see if they
> >have an unintended vulnerability.  I hope that none of my code that
> >is on file 432 of the CBT Tape (Philips light mods) has any
> >vulnerability but the thing that scares me is that I might not be
> >smart enough to find it even if I was looking for it.  Good security
> >isn't cheap. Z/OS may be the most secure starting base but it
> >requires real effort to actually implement it with both good security
> >and good usability. How much vulnerability is there in the test
> >systems?  How much are the systems programmer sandboxes exposed to
> >the outside world?  What uncertainties exist in systems vendor code?
> >Are organizations willing or able to periodically test their systems'
> >vulnerabilities?  Can be secure does not mean is secure?
> >
> >Clark Morris
> >>
> >>
> >>On Sunday, June 2, 2019, 4:04 PM, Seymour J Metz <sme...@gmu.edu> wrote:
> >>
> >>>  * As part of an APF authorized product there is an SVC or PC routine
> >>>    that when called will turn on the JSCBAUTH bit
> >>
> >>Ouch!
> >>
> >>If it's APF authorized then why does it need to do that? And why would
> >>you allow such a vendor in the door?
> >>
> >>Did you have a tool that discovered that the vendor's SVC turned on
> >>JSCBAUTH, or did you have to read the code like the rest of us?
> >
> >---------------------------------------------------------------------
> >- For IBM-MAIN subscribe / signoff / archive access instructions,
> >send email to lists...@listserv.ua.edu with the message: INFO
> >IBM-MAIN
> >


--
ITschak Mugzach
| IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
