________________________________ From: Binyamin Dissen <bdis...@dissensoftware.com> To: IBM-MAIN@bama.ua.edu Sent: Sat, April 3, 2010 3:28:36 PM Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use
On Sat, 3 Apr 2010 09:48:03 -0700 Ed Gould <ps2...@yahoo.com> wrote: :>We had a *REALLY* good applications programmer that simply bypassed any and all protections we had, RACF, expiration dates, :>password protection, doing cross address space snooping and alterations. In short he was a nightmare. Before going to upper management we decided we had to have proof what he was doing . We decided the only possible way to monitor him was with GTF. He was able to bypass even GTF recording for him, he was that good. He either had an SVC or has/had update access to an APF library with a special program. If the guy was good it would be difficult to catch, but it can be done. A SADUMP would have all the data needed. Sorry he had neither. It took him a month as we kept seeing dumps being taken and logrec entries and all sorts of interesting items. The dumps were of little help (at least the ones I looked at) you could see certain items not being correct but nothing that said "he did it". You could get an inference that he did but inference is not usable in court. The scary part was when he got into cross memory alterations as we were never quite sure what he was aiming for. The ability to alter GTF tracing on the fly was extremely unnerving. We were an early (not ESP) for SAM-e and we had probably our fair share of bugs. We seemed to be using GTF quite a but for the SAMe bugs and we found every once in a while trace entries *GONE* so we had to recreate it again. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html