On Fri, 6 Mar 2009 08:05:30 -0500, Jousma, David <david.jou...@53.com> wrote:
>Should I be scared of this? Externalizing the password rules in REXX?
>Seems to make it too easy to "collect" passwords.

System REXX execs run APF-authorized, and the libraries containing them must be protected the same way as any other APF-authorized library.

If someone could update that REXX exec to collect passwords, he could also update an assembler exit to collect them, too. True, it requires a little more knowledge to create a program in assembler language that would collect a password and open a data set to record it, but that knowledge is widespread enough that it's really the same concern whether you deal with REXX or assembler exits.

So, no, you should not be scared of it.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html