:>: -----Original Message----- :>: From: IBM Mainframe Assembler List [mailto:ASSEMBLER- :>: l...@listserv.uga.edu] On Behalf Of Tony Harminc :>: Sent: Friday, February 24, 2012 2:56 PM :>: To: ASSEMBLER-LIST@LISTSERV.UGA.EDU :>: Subject: Re: Program FLIH
snip :>: It seems to me that, apart from the eagle eyed Keven Hall, the parties :>: who must know that this code is installed at many sites are its :>: provider, and, by virtue of the unequalled number of dumps it receives :>: from its customers, IBM. That IBM has not to my knowledge issued any :>: public warning about it suggests to me that that while it may be :>: "evil" in a design sense, this code may well not do anything bad in a :>: practical one. IBM would surely not stand by if a widely deployed :>: product provided a convenient method of breaking IBM's own statement :>: of system integrity, so I conclude that it most likely does not. IBM's statement of integrity (SOI) specifically excludes an installation's updates (which to me includes installing other vendors' products) which are intended to run authorized (supervisor state, key 8, or APF) as documented at http://www-03.ibm.com/systems/z/os/zos/features/racf/zos_integrity_statement .html. Since FLIH obviously runs in supervisor state and since this update to FLIH is installed by the customer, IBM is off the hook and there is no SOI violation. This doesn't change the problem but it does shift the onus from IBM to the vendor.
