On 7 Jun 2010 16:31:17 -0700, in bit.listserv.ibm-main you wrote:

>-----------------------------<snip>----------------------------
>
>>>>Well I hate to look like a solicitor, but, if there is anyone out there,
>>>>particularly in the Houston area, with a multiprise (actually, any mainframe
>>>>for that matter, I mean it depends, but if you have ANYTHING talk to me)
>>>>that is just going to waste that'll be trashed anyway, it would be going to
>>>>a good home.
>>>>      
>>>>
>>>I have been asking for older equipment for the collection for several
>>>years, and I do not think anyone really takes offense. There have been
>>>some extremely generous people on this list - and I would once again
>>>like to give a public THANK YOU to them. Saving an old machine, a pile
>>>of docs, or some reels of tape can go a long way, and in just about
>>>every way is better than the stuff going to the scrapper.
>>>
>>>Someday IBM may have some sort of non-commercial license for their
>>>mainframe software - perhaps something like Syntegra/Control Data or
>>>HP/Digital has. Save the software first, then worry about the legal
>>>issues. Once the software is gone, it is GONE.
>>>    
>>>
>>
>>In one sense, we need to be careful about what we ask for.  Do we want
>>z/OS to be easily available to those who want to find vulnerabilities
>>and crack the system?  For security purposes are we better off with
>>some kind of regulated hobbyist access to z/OS running under z/VM at
>>data centers?  
>>  
>>
>------------------------------------<unsnip>----------------------------------
>Clark, I think your concerns are valid, but unwarranted.
>
>Even with a "disassembler", the complexity of the instruction set and the 
>complexity of z/OS code and interfaces would require a VERY sharp 
>Assembler programmer to be able to do serious "hacks" into z/OS. It's 
>taken 46 years to develop the current level and, like they say, "Rome 
>wasn't built in a day." Given the constant evolution of both hardware 
>and software, I'm not sure any of US could keep up with it effectively 
>enough to crack into it consistently, and we're all experienced 
>professionals, some more so than others. And even a disassembler won't 
>decode things like SVC parameter lists, PC parms, etc. or even what a 
>particular PC is intended to accomplish.

If I were looking for vulnerabilities, I wouldn't even go for the
source.  I would just set up the system as a server and see what I
could get away with.  The vulnerability can be in CICS, WebSphere or
any other portal open to the outside world.  My second line of attack
would be the CBT and JES mods to see if any of them have
vulnerabilities I could exploit.  Having my own system would enable me
to see what flags are raised by various attempts.  I don't think
enough like an intruder to make it worthwhile either as a white hat
consultant or a black hat thief, but intimate code knowledge may not be
the only way to break the system.  The ability to test exploits based
on APARs might be interesting.
>
>A regulated hobbyist with access to z/OS running under z/VM could crack 
>into that system just as easily as a "home user". Then what? Also, by 
>putting it under z/VM, you could be giving him access to two systems to 
>crack: z/OS AND z/VM.

Here I would assume a hardened and monitored VM NOT controlled by the
z/OS hobbyist user.  There also might be some vetting of the person
before access is allowed.
>
>We are now all holding, or have held, positions of grave responsibility 
>in our various organizations, be they private industry or government; 
>along with that comes trust and our ability to prove that the trust is 
>not misplaced. The ultimate bottom line: sooner or later the honesty of 
>the user, or system programmer, has to be proven and that's probably the 
>hardest part of dealing with this whole set of interrelated issues.
>
>Rick
>
Clark

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html