Re: RACF Database protection

2013-08-18 Thread Louis Losee
Let's be specific here.

On Aug 17, 2013, at 12:30 PM, Skip Robinson jo.skip.robin...@sce.com wrote:

 This exposure has been known--and discussed publicly--for several years. 
 It is NOT true that 'passwords are not stored'. If they weren't 'stored' 
 at all, then how could RACF validate the password you supply? They are in 
 fact stored in encrypted form. The encryption method itself is not a state 
 secret. It can be simulated.

The passwords are NOT stored.  The encrypted user id is stored.
 
 
 The brute force method alluded to here starts with a copy of a RACF data 
 base. Then generated character strings are fed into an encryption program 
 until the encrypted form of some random string matches what's found in the 
 data base for a given userid. Voila. The password has been hacked. 
 

It is not possible to hack RACF passwords unless the user ids that access the 
system protected by RACF are known.  It is typically a difficult task to get a 
list of user ids without read access to the RACF database.

Even if you manage to come up with a list of user ids, it does you no good 
unless you have read access to the RACF database.  Even if two users have 
identical passwords they would be different in the database so cracking a 
password once does not allow simple checks to see if other users are using the 
same password.
  
 Once upon a time, it would have taken so long to perform this string match 
 that passwords would likely have changed in the meantime. Nowadays 
 computers all the way down to smart phones have gotten faster while the 
 encryption algorithms have remained the same. There is to my knowledge no 
 canonical defense for this hacking method. Best you can do is to prevent 
 the data base from being copied in the first place. 
 
 As for what to do with the 'culprit', did he abscond with data or commit 
 some other mischief? Or did he reveal his activity to management as a 
 wake-up call? The news today is replete with tales of 'ethical hackers'. 
 Should we lock them up or bestow medals? Motivation is everything. 
 
 .
 .
 JO.Skip Robinson
 Southern California Edison Company
 Electric Dragon Team Paddler 
 SHARE MVS Program Co-Manager
 626-302-7535 Office
 323-715-0595 Mobile
 jo.skip.robin...@sce.com
 
 
 
 From:   mmjuma mmj...@yahoo.com
 To: IBM-MAIN@LISTSERV.UA.EDU, 
 Date:   08/17/2013 01:04 AM
 Subject:   RACF Database protection
 Sent by:   IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU
 
 
 
 Hi list
 
 Someone in our section was able to download the RACF database file 
 SYS1.RACF.PRIM via FTP to a PC, then he used some tool. He was able to get 
 the uid and password of some users. He now had access to the files on the 
 mainframe. I want to understand what happened, and how to protect against 
 such an issue.
 
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


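The thread's conclusion is that the only real defense is to keep the database from being copied in the first place. As an added illustration that is not part of any message above, the following RACF commands (CLIST-style listing; the comments are explanatory) show a weak data set profile beside a hardened one. It assumes the database is named SYS1.RACF.PRIM as in the original post, that SETROPTS GENERIC(DATASET) is active, and that a hypothetical group RACFADM holds the administrators who maintain the database.

```clist
/* Step 1: see who can currently read the database. A profile with   */
/* UACC(READ), or a broad access list, is what lets an ordinary user */
/* copy the data set, including through the z/OS FTP server, which   */
/* performs the same SAF data set check as ISPF or a batch job.      */
LISTDSD DATASET('SYS1.RACF.PRIM') ALL

/* Step 2: cover the primary and backup databases with one generic   */
/* profile. UACC(NONE) denies everyone not on the access list;       */
/* AUDIT(ALL(READ)) writes an SMF type 80 record for every access    */
/* attempt at READ or above, successful or not, so a download shows  */
/* up in the audit trail; NOTIFY sends a message on a failed attempt. */
ADDSD 'SYS1.RACF.*' UACC(NONE) AUDIT(ALL(READ)) NOTIFY(RACFADM)

/* Step 3: grant only the administrators who run maintenance         */
/* utilities against the database, at the lowest access that works.  */
PERMIT 'SYS1.RACF.*' CLASS(DATASET) ID(RACFADM) ACCESS(UPDATE)

/* Step 4: make the new generic profile effective and verify it.     */
SETROPTS GENERIC(DATASET) REFRESH
LISTDSD DATASET('SYS1.RACF.*') ALL
```

Users with the OPERATIONS attribute still get access regardless of the profile, so review who holds it (and SPECIAL, which can change the profile) as part of the same check.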

Re: The z/OS V2.1 Migration PDF available

2013-08-09 Thread Louis Losee
Each page of the manual is formatted into two columns (like a newspaper).  When 
you finish reading the first column (on the left half of the page) you then 
have to scroll up to see the start of the column on the right half of the page 
to continue reading.

Most IBM manuals (with the notable exception of the Principles of Operation 
manual) are formatted such that the text runs from the left margin to the right 
margin allowing you to just scroll down to read it.  When you get to the bottom 
of the page you just continue to scroll to the next page.

Hope that helps.

Lou
On Aug 9, 2013, at 7:28 PM, Marna WALLE mwa...@us.ibm.com wrote:

 I'm sorry...I am really dense.  I'm not following what dual columns are.
 Are you referring to the template table that is used after the Description, 
 and before the Steps to Take?   Is it something else that just now appears in 
 the z/OS V2R1 Migration book, or has it been there all along?
 
 I wouldn't like to keep paging up and down online either, so I'd like to see 
 if there is something to be done about it.
 
 -Marna WALLE
 z/OS System Installation
 



Re: The z/OS V2.1 Migration PDF available

2013-08-08 Thread Louis Losee
The migration-specific format is nice; however, for online reading the dual 
columns cause the reader to constantly page up and down to read each page.


On Aug 8, 2013, at 4:51 PM, Marna WALLE mwa...@us.ibm.com wrote:

 Hi All,
 Since you mentioned the z/OS V2.1 Migration book being available, I thought I 
 would bring something to your attention.  It's different.
 
 We've tried a new format for the book, which I'm hoping will make it easier 
 to read.  We've divided up the chapters into which migration path you are on 
 (R12- V2.1,  or  R13- V2.1).  You read only the chapters that apply to you.
 
 Here's the layout:
 Chapter 1:  Introduction   for all users
 Chapter 2:  General migration actionsfor all users
 Chapter 3:  Migration from z/OS R13 for R13 - V2.1 users
 Chapter 4:  Migration from z/OS R12 for R12 - V2.1 users 
 
 R13 - V2R1:  Read Chapters 1, 2, and 3.  Skip Chapter 4.
 R12 - V2R1:  Read Chapters 1, 2, and 4.  Skip Chapter 3.
 
 Any feedback on this format is welcome!  
 -Marna WALLE
 z/OS System Installation
 
