On 15 Oct 2010 21:58:31 -0700, in bit.listserv.ibm-main you wrote:

>Actually a lot of the old user and system modification code that is still
>around was not where we normally exploited things.  Mostly it was the newer
>systems that were shipped with a lot of theoretically unused products, code
>and other appendages that had for the most part never been installed or was
>quickly uninstalled in the "old" days.  Installed (and for the most part
>unused) access and always authorized technology programs in LPA and Linklist
>were always our go-to method.

I know that I had a hard time figuring out what was on the system and
whether we really needed it in the 1980s when I was doing Virtual Storage
Constraint Relief, and that was with a lot fewer products.  As Brian
says elsewhere in this message, there is a lot of dead code (IBM
products not activated, etc.) that may well be on our systems.
WebSphere and other web-related systems have a whole new host of
vulnerabilities.  We have gone from hundreds or thousands of allowed
users to possibly millions (large banks, various governments, large
retailers, etc.) of users who can sign in and access something on our
systems.  Think about your credit card provider, for example.

How vulnerable are the applications?  Would compromising WebSphere
give benefit to those who want to make money?  Are we vulnerable to
such things as SQL injection and buffer overruns in some of the newer
packages?

Clark Morris

>
>I think that it may be that the newer systems programmers were not as
>concerned about the stuff that was there because I don't think they ever
>really took the time to think about what was out there and what impact it
>had/has and what exposures it can cause.  
>
>A lot of people seem to feel that the technical people of the current age
>cannot compare to what came before, but that's not really a fair assumption.
>If you think about it, z/OS is much more complex than what came before.  We
>used to know what everything did because there was not really that much
>involved.  Sure it was millions of lines of code, but compare that to now.
>
>Having met a large number of the old and new systems programmers, I can
>honestly say that there are many that were very bright, and there still are
>many new ones that are just as bright.  I can remember being at sites where
>personnel were in charge of subsets of the code (modules IEF to IJK for
>instance).  You just can't do that any more today, and thankfully no one has
>to.  If you were to talk about the requirements of establishing and running
>a sysplex with some of the old people, you would completely blow their
>minds, just as if you were to try to explain to the systems people today how
>important the lights on the front of the 370 were to fixing a system problem
>and getting things going again.
>
>The problems are not the personnel, it's the sloppy code and the excess code
>that is shipped with every installed base.  There are many ways into the
>system with or without RACF.  
>
>Luckily we with the keys are trustable.
>
>Brian
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
>Search the archives at http://bama.ua.edu/archives/ibm-main.html
