You are correct.

There is security by obscurity at work here, no question:

- If a rogue employee had our listings and link maps he might well be able to 
patch our code to not do its job in certain circumstances, thereby creating a 
security exposure (assuming he had write access to the load library, or to 
"protected" memory).

- Our "key" (licensing, whatever you want to call it) is definitely "protection 
by obscurity." If you knew exactly how it worked, you could defeat it, and run 
our product forever on every mainframe in the world.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Tuesday, June 18, 2013 11:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Auditing vendor source code

On Tue, 18 Jun 2013 16:45:09 -0700, Charles Mills wrote:
>
>... So it would not necessarily be in a great position to steal 
>customer data itself, but if we were malicious, and conspired with a 
>rogue employee, we could perhaps jointly steal valuable data.
>
>..., nor how to defeat our "keys." ...
> 
"'keys'" sounds a lot like "backdoor" or "'magic' SVC".  I.e.
anything which if a customer's rogue employee knew it could be used to 
compromise system security.

Imagine, very hypothetically, that you had no concerns for your IP.  Then not 
letting the entire world see all your source code would amount to "security by 
obscurity".
