And I actually got to play with NOS ... many years after the fact ... never thought I'd see that! What the cray-cyber.org guys are doing is remarkable.
Best, Sean On Wed, Sep 16, 2015 at 3:22 PM, Sean Caron <sca...@umich.edu> wrote: > Cyber systems didn't get much love from the H/P kids back in the day :O > > http://phrack.org/issues/18/5.html > > That said; NOS is one of the few mainframe systems ever really discussed > in Phrack... MVS/TSO and VM/CMS you also see occasionally, but beyond that, > it seems like most of the G-files were focused on midrange systems ... > UNIX, VMS, MPE, PRIMOS, TOPS and the like. Very little discussion of many > of the mainframe vendors ... > > There are a few Youtube videos where I guess people have done > presentations at Defcon or something recently, about mainframe security ... > kind of neat to watch ... of course, the z/OS they show has got all kinds > of POSIX stuff grafted onto it and ... it's fairly indistinguishable from > something older that I would recognize... like MVS 3.8J :O > > Best, > > Sean > > > On Wed, Sep 16, 2015 at 2:29 PM, Paul Koning <paulkon...@comcast.net> > wrote: > >> >> > On Sep 16, 2015, at 2:10 PM, Chuck Guzis <ccl...@sydex.com> wrote: >> > >> > This brings up something that's always baffled me. >> > >> > Why does a user's (or worse, the entire system's) files have to be >> immediately accessible to any application wanting to take a look. >> > >> > Take a legacy example, SCOPE or NOS on a CDC mainframe. ... >> >> Just remember that those older systems may well have had any number of >> security issues of their own. They did benefit a lot from "security by >> obscurity" as well as the fact that they weren't connected to the Internet. >> >> I never had any incentive to look for holes in CDC operating systems, but >> I still remember a simple hole I found in OS/360, about a month after I >> first wrote a program for that OS. It allowed anyone to run supervisor >> mode code with a couple dozen lines of assembler source code. I found it on >> OS/PCP 19.6, but I noticed in graduate school that it still worked on the >> university's 370 running OS/MVS 21.7. >> >> (The magic? Use the OS service to give a symbolic name to a location in >> your code, with a well chosen name, then give that name as the name of the >> "start I/O appendage" in an EXCP style I/O request.) >> >> paul >> >> >