Sir, Forget it.
Kind Regards Jim Thomas 617-233-4130 (mobile) 636-294-1014 (res) j...@thethomasresidence.us (Email) -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of R.S. Sent: Sunday, August 21, 2011 10:17 AM To: IBM-MAIN@bama.ua.edu Subject: Re: Security is fun in the PC world.... W dniu 2011-08-20 03:09, Jim Thomas pisze: > /snip >> MVS (or OS/390 or z/OS or whatever you want to call it) has >> NEVER been hacked or destroyed by an ex employee !!. > > How do you know? > Do you expect any financial company to make an advertisement "Hello! > We're open for hackers!". I suspect that no company want do disclose it. > > /endsnip > > Please tell me of 'one' financial company that has been hacked ... but > remember now .. get rid of the 'non mainframe' environments first !!. > Better yet ... please tell me that you KNOW for a fact that if a financial > company was hacked ... 'nobody' would know ?? .. Do you really believe > that ??. Further, going by your own approach, why then have 'financial' and > other institutions admitted that their wonderful non-mainframe environment > has been 'attacked' or gotten a 'virus' or whatever ??. Why they did it? Because they have to do it, becuase it was disclosed. I'm aware of many 'gotten virus' and other security issues which were never ever disclosed to the public. Why? There is (was) no obligation to do that (not every 'Watergate' became scandal, some of them remain secret). Simple? Oh, I KNOW (read it again: I KNOW) at least one case where ex-employe did compromise security of mainframe system (it was OS/390). I cannot provide any further details, except the following: it was possible because of lacks of proffesionalism of management, organisational, and partially RACF administration. In other words it wasn't fault of the system itself. And it wasn't disclosed. I also know many cases when some contractor(s) did have extraonrdinary access to the mainframe system, including, i.e. ALTER to APF libraries. On production LPARs. Is such system still very secure? > /snip >> In fact, let me re-state that .. the mainframes HAVE NEVER >> been hacked or destroyed by an ex employee !!. > > Well, I know such evidence (maybe it was misuse - it's a matter of > definition of "been hacked"), cannot provide details. > Another, publicly known example: Kevin Mitnick. Obviously he wasn't > ex-employee (is it better?), and he hacked people, not systems. So? > /endsnip > > I admit that I have not the foggiest who Kevin Mitnick is ... but bear > with me and I'll find out ... and I'll also find out the circumstances. > That said ... yes, I have had exposure to misuse and in fact, have known > of circumstances where 'A Current' employee has ... umm shall I say .. > embezzled ... forgive me but .. in this context ... we're speaking of > apples and oranges. > > I will further admit that I have know of people that use to 'purposefully' > code for abends but then too, that was only because they could be called > on the weekends and hence, justify time that they would ask remuneration > for. Well, I would suggest to use google or Wikipedia, or better go to the bookstore and ask for Mitnick's book. They will know who is it and sell you the book. It's worth reading IMHO. > /snip > Some remarks: > 1. "Mainframe system" could mean z/OS or poorly configured Linux. Is the > Linux on mainframe any more secure than Linux on PC? IMHO the difference > is none or very small. > /endsnip > > Sorry ... Linux did not enter the picture till recently but FWIW, Linux is > still a hell of a lot better than WinBlows. I think you missed the point. "mainframe" could mean Linux, and "PC" could mean Linux also! PC <> Windows. So: Is the Linux on z any better than Linux on PC? > /snip > 2. Usually "mainframe systems" are big, very big or huge installations > when compared to PC installations. There is no reason to compare small > PC server in small company to huge financial system. > /endsnip > > My apologies ... I was not comparing but you are very correct ... there > is no comparison. As I've said before .... I like PC's for what they > were engineered for .. to be a 'personal computer' ... they were 'never' > designed, architected or built to be a 'business' computer. Hang on .. > what's this discussion about ?? .. I agree that 'mainframe systems' are > meant for big, very big or huge installations ... e.g. ... any business !!. > > Please tell me again, why we are talking about 'small PCs' for a 'business' > purpose ... unless of course, it's a small mom and pop shop !!. Not every business is big enough to justify ht costs of mainframe. Even a shop needs some computer today. There is no reason to blame small business or medium one. Vast majority of small business use PC or no computers at all. Some of them use non-Windows systems (read: Linux). BTW: In Poland any business need to have Windows. Reason: 'Płatnik' application which is only on Windows and is obligatory. > /snip > 3. Ex-employees hacking, social hacking - that could affect any > platform, the platform resilience play minor role here. Again, usually > the bigger comany the better rules apply. > /endsnip > > Really ... must be why most all if not all Winblows environments are > hacked or virused or whatever the devil you want to call it .. on a daily > basis ... Any proof? > For starters, 'social anything' is NOT traditionally part of > MVS ... perhaps that's why PC's were invented. It seems you have no idea what social hacking is. > My apologies again .. but I beg to differ .. despite all the 'rules', how > many times, pray tell, have you heard of non-winblows environments being > 'attacked by a virus' or 'by a hacker' Yes, of course. It also covers many Linux and Unix installations. I was even a witness of such hacking. Do you need hacked system IP, hacker name, or maybe also his photo ID? Oh, BTW: I used to work as auditor. I saw many security holes in OS/390 and z/OS installations. Simple TSO account on non-PROD system allowed me to do really weird things, including blow-up production system. -- Radoslaw Skorupka Lodz, Poland -- Treść tej wiadomości może zawierać informacje prawnie chronione Banku przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku. This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax +48 (22) 829 00 33, e-mail: i...@brebank.pl Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 0000025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2011 r. kapitał zakładowy BRE Banku SA (w całości wpłacony) wynosi 168.346.696 złotych. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ----- No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1392 / Virus Database: 1520/3848 - Release Date: 08/21/11 ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
