Re: Initial User Directory ( was: hacking vm/cms (probably old news))

2007-10-09 Thread David Boyes
> A full pack is allocated to each page and spool with Version 5.
> Although that may not be enough for some (most) Linux implementations,
> it's certainly better than the old defaults.  :)

Which got changed by exactly this kind of discussion...


Re: Initial User Directory ( was: hacking vm/cms (probably old news))

2007-10-09 Thread Rich Smrcina
A full pack is allocated to each page and spool with Version 5. 
Although that may not be enough for some (most) Linux implementations, 
it's certainly better than the old defaults.  :)


[EMAIL PROTECTED] wrote:

> And the Starter System (Initial System) has very limited page and spool
> space, too...  And, if they are going to expand on the page and spool
> space, they really should know enough to get onto their own (hopefully
> secure) system.
 


--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service:  360-715-2467
rich.smrcina at vmassist.com
http://www.linkedin.com/in/richsmrcina

Catch the WAVV!  http://www.wavv.org
WAVV 2008 - Chattanooga - April 18-22, 2008


Re: Initial User Directory ( was: hacking vm/cms (probably old news))

2007-10-09 Thread pfa
And the Starter System (Initial System) has very limited page and spool 
space, too...  And, if they are going to expand on the page and spool 
space, they really should know enough to get onto their own (hopefully 
secure) system.
 




"Huegel, Thomas" <[EMAIL PROTECTED]> 
Sent by: The IBM z/VM Operating System 
10/09/2007 01:20 PM
Please respond to
The IBM z/VM Operating System 


To
IBMVM@LISTSERV.UARK.EDU
cc

Subject
Re: Initial User Directory ( was: hacking vm/cms (probably old news))







I'm sorry, but if I have to learn LINUX I think it only fitting that LINUX 
people learn a little VM.. Didn't we all have to learn VM at one time? and 
probably at least one other OS MVS or VSE.. 
Maybe IBM could supply a LINUX only directory using names like ROOT 
instead of MAINT. 
-Original Message- 
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] 
Behalf Of Thomas Kern 
Sent: Tuesday, October 09, 2007 12:09 PM 
To: IBMVM@LISTSERV.UARK.EDU 
Subject: Re: Initial User Directory ( was: hacking vm/cms (probably old 
news)) 

unfortunately lots of new Linux-server VM systems are being run off that 
initial starter system. They deserve the most secure starter system that 
IBM can give them. 
/Tom Kern 
[EMAIL PROTECTED] wrote: 
> 
> Isn't that a bit of an overkill for a starter system?? 
> 
> 
> 
> 
> *Thomas Kern <[EMAIL PROTECTED]>* 
> Sent by: The IBM z/VM Operating System  
> 
> 10/09/2007 10:00 AM 
> Please respond to 
> The IBM z/VM Operating System  
> 
> 
> 
> To 
>   IBMVM@LISTSERV.UARK.EDU 
> cc 
> 
> Subject 
>   Initial User Directory ( was: hacking vm/cms (probably old news)) 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> I would like it to go a step further, like with some linux installations
> that ask for a root password and another userid to be added. I like
> having ALL system related userids be AUTOONLY, LBYONLY, NOLOG or have a
> randomly generated password. All userids that actually need to
> be logged onto must have a LOGONBY record authorizing that initial
> sysprog userid. After that initial setup, it isn't hard to replace the
> passwords for those users that need to be logged on. No one ever really
> needs the password to those accounts if properly LOGONBY authorized.
> That random password could be randomized daily, until you can properly
> divide all accounts into the proper AUTOONLY, LBYONLY, NOLOG or personal
> password categories.
> 
> /Tom Kern 
> /301-903-2211 
> 
> 
> 
> Nick Laflamme wrote: 
>  > Robert Nix wrote: 
>  >> Hi Alan; 
>  >> 
>  >> Given that the starting CP Directory is dynamically created, for the most
>  >> part, today, how hard would it be to allow the installer to select a "root
>  >> password" to be applied to all of the initial accounts?
>  >>
>  >
>  > I'll go one step further: how about a default of all userids except
>  > MAINT, OPERATOR, and CMSUSER (does that still ship on fresh system?)
>  > being LBYONLY, defaulting to MAINT as the user who can do LOGONBY.
>  > Anyone who wants a different LOGONBY user (or additional users) should
>  > know which trivial XEDIT command will change that.
>  > 
>  > Nick 
>  > 
> 

__ 
<< ella for Spam Control >> has removed VSE-List messages and set aside 
VM-List for me 
You can use it too - and it's FREE!  http://www.ellaforspam.com 


Re: Initial User Directory ( was: hacking vm/cms (probably old news))

2007-10-09 Thread Rich Smrcina
ROOT is already in the directory for Open Extensions.  Let's not mess 
with a good thing.


When we're teaching classes invariably there are a good mix of Linux 
people and mainframe (usually z/OS) people.  Actually the last class 
that I taught, the Linux people kept up quite well with the z/VM parts 
and were very intrigued by all that could be done with z/VM.


Huegel, Thomas wrote:
> I'm sorry, but if I have to learn LINUX I think it only fitting that
> LINUX people learn a little VM.. Didn't we all have to learn VM at one
> time? and probably at least one other OS MVS or VSE..
>
> Maybe IBM could supply a LINUX only directory using names like ROOT
> instead of MAINT.




--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service:  360-715-2467
rich.smrcina at vmassist.com
http://www.linkedin.com/in/richsmrcina

Catch the WAVV!  http://www.wavv.org
WAVV 2008 - Chattanooga - April 18-22, 2008


Re: Initial User Directory ( was: hacking vm/cms (probably old news))

2007-10-09 Thread Schuh, Richard
Actually, I would rather have some mechanism that would prevent the starter 
system from being used in production. That has actually been the source of a 
fair number of problems reported on this list. 

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of 
David Boyes
Sent: Tuesday, October 09, 2007 9:23 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Initial User Directory ( was: hacking vm/cms (probably old news))

> Isn't that a bit of an overkill for a starter system?? 
  
Not really. If you start with a fairly buttoned-up system, you know exactly 
what holes you open because you do it deliberately (and it's completely your 
fault if you screw it up). What Tom's described is a pretty tight system, and 
it's not a bad default if you have few or no CMS users. 

The question we're really answering in this discussion:

In this day and age, is there really any reason/excuse to ship a system in a 
state that is known to be insecure? 

I'd argue that the answer now is "no".  

We used to say "start with a simple system, and make it secure". What this 
discussion seems to be proposing is "let's start with a secure system, and open 
things as necessary". Seems like a Good Thing (tm) to me. 


Re: Initial User Directory ( was: hacking vm/cms (probably old news))

2007-10-09 Thread Huegel, Thomas
I'm sorry, but if I have to learn LINUX I think it only fitting that LINUX
people learn a little VM.. Didn't we all have to learn VM at one time? and
probably at least one other OS MVS or VSE.. 
Maybe IBM could supply a LINUX only directory using names like ROOT instead
of MAINT.

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
Behalf Of Thomas Kern
Sent: Tuesday, October 09, 2007 12:09 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Initial User Directory ( was: hacking vm/cms (probably old
news))


unfortunately lots of new Linux-server VM systems are being run off that 
initial starter system. They deserve the most secure starter system that 
IBM can give them.

/Tom Kern

[EMAIL PROTECTED] wrote:
> 
> Isn't that a bit of an overkill for a starter system??
>  
>  
> 
> 
> *Thomas Kern <[EMAIL PROTECTED]>*
> Sent by: The IBM z/VM Operating System 
> 
> 10/09/2007 10:00 AM
> Please respond to
> The IBM z/VM Operating System 
> 
> 
>   
> To
>   IBMVM@LISTSERV.UARK.EDU
> cc
>       
> Subject
>   Initial User Directory ( was: hacking vm/cms (probably old news))
> 
> 
>   
> 
> 
> 
> 
> 
> 
> I would like it to go a step further, like with some linux installations
> that ask for a root password and another userid to be added. I like
> having ALL system related userids be AUTOONLY, LBYONLY, NOLOG or have a
> randomly generated password. All userids that actually need to
> be logged onto must have a LOGONBY record authorizing that initial
> sysprog userid. After that initial setup, it isn't hard to replace the
> passwords for those users that need to be logged on. No one ever really
> needs the password to those accounts if properly LOGONBY authorized.
> That random password could be randomized daily, until you can properly
> divide all accounts into the proper AUTOONLY, LBYONLY, NOLOG or personal
> password categories.
> 
> /Tom Kern
> /301-903-2211
> 
> 
> 
> Nick Laflamme wrote:
>  > Robert Nix wrote:
>  >> Hi Alan;
>  >>
>  >> Given that the starting CP Directory is dynamically created, for the most
>  >> part, today, how hard would it be to allow the installer to select a "root
>  >> password" to be applied to all of the initial accounts?
>  >>  
>  >
>  > I'll go one step further: how about a default of all userids except
>  > MAINT, OPERATOR, and CMSUSER (does that still ship on fresh system?)
>  > being LBYONLY, defaulting to MAINT as the user who can do LOGONBY.
>  > Anyone who wants a different LOGONBY user (or additional users) should
>  > know which trivial XEDIT command will change that.
>  >
>  > Nick
>  >
> 




Re: Initial User Directory ( was: hacking vm/cms (probably old news))

2007-10-09 Thread Thomas Kern
unfortunately lots of new Linux-server VM systems are being run off that 
initial starter system. They deserve the most secure starter system that 
IBM can give them.


/Tom Kern

[EMAIL PROTECTED] wrote:
>
> Isn't that a bit of an overkill for a starter system??
>
> *Thomas Kern <[EMAIL PROTECTED]>*
> Sent by: The IBM z/VM Operating System
>
> 10/09/2007 10:00 AM
> Please respond to
> The IBM z/VM Operating System
>
> To
>   IBMVM@LISTSERV.UARK.EDU
> cc
>
> Subject
>   Initial User Directory ( was: hacking vm/cms (probably old news))
>
> I would like it to go a step further, like with some linux installations
> that ask for a root password and another userid to be added. I like
> having ALL system related userids be AUTOONLY, LBYONLY, NOLOG or have a
> randomly generated password. All userids that actually need to
> be logged onto must have a LOGONBY record authorizing that initial
> sysprog userid. After that initial setup, it isn't hard to replace the
> passwords for those users that need to be logged on. No one ever really
> needs the password to those accounts if properly LOGONBY authorized.
> That random password could be randomized daily, until you can properly
> divide all accounts into the proper AUTOONLY, LBYONLY, NOLOG or personal
> password categories.
>
> /Tom Kern
> /301-903-2211
>
> Nick Laflamme wrote:
>  > Robert Nix wrote:
>  >> Hi Alan;
>  >>
>  >> Given that the starting CP Directory is dynamically created, for the most
>  >> part, today, how hard would it be to allow the installer to select a "root
>  >> password" to be applied to all of the initial accounts?
>  >>
>  >
>  > I'll go one step further: how about a default of all userids except
>  > MAINT, OPERATOR, and CMSUSER (does that still ship on fresh system?)
>  > being LBYONLY, defaulting to MAINT as the user who can do LOGONBY.
>  > Anyone who wants a different LOGONBY user (or additional users) should
>  > know which trivial XEDIT command will change that.
>  >
>  > Nick
>  >



Re: Initial User Directory ( was: hacking vm/cms (probably old news))

2007-10-09 Thread David Boyes
> Isn't that a bit of an overkill for a starter system?? 
  
Not really. If you start with a fairly buttoned-up system, you know exactly 
what holes you open because you do it deliberately (and it's completely your 
fault if you screw it up). What Tom's described is a pretty tight system, and 
it's not a bad default if you have few or no CMS users. 

The question we're really answering in this discussion:

In this day and age, is there really any reason/excuse to ship a system in a 
state that is known to be insecure? 

I'd argue that the answer now is "no".  

We used to say "start with a simple system, and make it secure". What this 
discussion seems to be proposing is "let's start with a secure system, and open 
things as necessary". Seems like a Good Thing (tm) to me. 


Re: Initial User Directory ( was: hacking vm/cms (probably old news))

2007-10-09 Thread pfa
Isn't that a bit of an overkill for a starter system??
 
 



Thomas Kern <[EMAIL PROTECTED]> 
Sent by: The IBM z/VM Operating System 
10/09/2007 10:00 AM
Please respond to
The IBM z/VM Operating System 


To
IBMVM@LISTSERV.UARK.EDU
cc

Subject
Initial User Directory ( was: hacking vm/cms (probably old news))







I would like it to go a step further, like with some linux installations 
that ask for a root password and another userid to be added. I like 
having ALL system related userids be AUTOONLY, LBYONLY, NOLOG or have a 
randomly generated password. All userids that actually need to
be logged onto must have a LOGONBY record authorizing that initial
sysprog userid. After that initial setup, it isn't hard to replace the
passwords for those users that need to be logged on. No one ever really
needs the password to those accounts if properly LOGONBY authorized. 
That random password could be randomized daily, until you can properly 
divide all accounts into the proper AUTOONLY, LBYONLY, NOLOG or personal 
password categories.

/Tom Kern
/301-903-2211



Nick Laflamme wrote:
> Robert Nix wrote:
>> Hi Alan;
>>
>> Given that the starting CP Directory is dynamically created, for the most
>> part, today, how hard would it be to allow the installer to select a "root
>> password" to be applied to all of the initial accounts?
>> 
> 
> I'll go one step further: how about a default of all userids except 
> MAINT, OPERATOR, and CMSUSER (does that still ship on fresh system?) 
> being LBYONLY, defaulting to MAINT as the user who can do LOGONBY. 
> Anyone who wants a different LOGONBY user (or additional users) should 
> know which trivial XEDIT command will change that.
> 
> Nick
> 



Re: hacking vm/cms (probably old news)

2007-10-09 Thread Thomas Kern
Auditors are the only snag in the works. Our Cyber/Network security 
people feel that if there is an IP address assigned, then the 
scriptkiddies can infiltrate our network and steal all of our secrets, 
or at least store all of their porn.


Being FORCED to work on closing the directory before being able to bring 
up the TCPIP stack would help in dealing with them.


/Tom Kern
/301-903-2211

Huegel, Thomas wrote:
> I agree. Auditors need not even know a second level installation
> machine even exists, other than it is just another virtual machine..
>
> Since I am always installing second level only the password for my
> second level machine needs to be secure. In my opinion this is a single
> user machine.
>
> All of this password manipulation can easily be done before turning the
> directory over to DIRMAINT and before going to production with a user
> written exec.
>
> -Original Message-
> From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
> Behalf Of RPN01
> Sent: Tuesday, October 09, 2007 9:44 AM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Re: hacking vm/cms (probably old news)
>
> As far as I'm concerned, until the system matches the production
> environment, it's mine, and auditors have no business looking at it at all;
> I'll do as I please. They can whine all they want; they don't have an ID on
> the installation system to look at anything with anyway, so how can they say
> it isn't secure?
>
> --
>    .~.Robert P. Nix Mayo Foundation
>    /V\RO-OE-5-55200 First Street SW
>   /( )\   507-284-0844  Rochester, MN 55905
>   ^^-^^   -
> "In theory, theory and practice are the same, but
>  in practice, theory and practice are different."
>
> On 10/9/07 9:25 AM, "David Boyes" <[EMAIL PROTECTED]> wrote:
>
> >
> > Easier, but you have no evidence that you actually did so if some
> > auditor yahoo comes and whines about it. You also can then ensure that
> > whatever new passwords assigned actually meet your password policies,
> > etc, etc, blah, blah.
> >




Re: hacking vm/cms (probably old news)

2007-10-09 Thread Huegel, Thomas
I agree. Auditors need not even know a second level installation machine
even exists, other than it is just another virtual machine..

Since I am always installing second level only the password for my second
level machine needs to be secure. In my opinion this is a single user
machine.

All of this password manipulation can easily be done before turning the
directory over to DIRMAINT and before going to production with a user
written exec.



-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
Behalf Of RPN01
Sent: Tuesday, October 09, 2007 9:44 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: hacking vm/cms (probably old news)


As far as I'm concerned, until the system matches the production
environment, it's mine, and auditors have no business looking at it at all;
I'll do as I please. They can whine all they want; they don't have an ID on
the installation system to look at anything with anyway, so how can they say
it isn't secure?

-- 
   .~.Robert P. Nix Mayo Foundation
   /V\RO-OE-5-55200 First Street SW
  /( )\   507-284-0844  Rochester, MN 55905
  ^^-^^   - 
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."




On 10/9/07 9:25 AM, "David Boyes" <[EMAIL PROTECTED]> wrote:


> 
> Easier, but you have no evidence that you actually did so if some
> auditor yahoo comes and whines about it. You also can then ensure that
> whatever new passwords assigned actually meet your password policies,
> etc, etc, blah, blah.
> 




Re: hacking vm/cms (probably old news)

2007-10-09 Thread David Boyes
> As far as I'm concerned, until the system matches the production
> environment, it's mine, and auditors have no business looking at it at all;
> I'll do as I please. They can whine all they want; they don't have an ID on
> the installation system to look at anything with anyway, so how can they say
> it isn't secure?

Maybe for your auditors. In other places, some pigs are more equal than
others. 8-(


Re: hacking vm/cms (probably old news)

2007-10-09 Thread Kris Buelens
Furthermore, the AUTOLOG permissions given to MAINT and OPERATOR are useless
as a CLASS A user can XAUTOLOG anyone, that is, without an AUTOLOG record in
the CP directory.

2007/10/9, David Boyes <[EMAIL PROTECTED]>:
>
> > I'll go one step further: how about a default of all userids except
> > MAINT, OPERATOR, and CMSUSER (does that still ship on fresh system?)
> > being LBYONLY, defaulting to MAINT as the user who can do LOGONBY.
>
> With all the service machine ids having AUTOLOG lines for AUTOLOG1,
> OPERATOR and MAINT.
>
> Personally, I'd NOLOG CMSUSER. I can't think of the last time I've
> actually used it.
>
> > Anyone who wants a different LOGONBY user (or additional users) should
> > know which trivial XEDIT command will change that.
>
> Or should have a directory manager.
>
> Requirement?
>
> -- db
>



-- 
Kris Buelens,
IBM Belgium, VM customer support


Re: hacking vm/cms (probably old news)

2007-10-09 Thread RPN01
As far as I'm concerned, until the system matches the production
environment, it's mine, and auditors have no business looking at it at all;
I'll do as I please. They can whine all they want; they don't have an ID on
the installation system to look at anything with anyway, so how can they say
it isn't secure?

-- 
   .~.Robert P. Nix Mayo Foundation
   /V\RO-OE-5-55200 First Street SW
  /( )\   507-284-0844  Rochester, MN 55905
  ^^-^^   - 
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."




On 10/9/07 9:25 AM, "David Boyes" <[EMAIL PROTECTED]> wrote:


> 
> Easier, but you have no evidence that you actually did so if some
> auditor yahoo comes and whines about it. You also can then ensure that
> whatever new passwords assigned actually meet your password policies,
> etc, etc, blah, blah.
> 


Re: hacking vm/cms (probably old news)

2007-10-09 Thread Thomas Kern
The auditor problem is why I would like ALL userid setups to be done 
automatically  by the install process before being inserted into a 
default DIRMAINT server before I as the installer ever get to edit the 
master directory. And all of the default settings should be as closed 
down as possible, OPERATOR/MAINT in LBYONLY mode, other servers in 
AUTOONLY, placeholders in NOLOG and only the real interactive userids 
that I added through a programmed dialog with the passwords that I 
assigned.


I wish password syntax validation could be added but that sort of means 
more code in DIRMAINT or having RACF as the automatic ESM.


/Tom Kern
/301-903-2211

David Boyes wrote:

>> Actually, it's much easier, at least in my opinion, to do the massive edits
>> to the directory before handing off the first version to DirMaint or some
>> other directory manager. Why do in 100 or more dirm commands what you could
>> do in three or four xedit commands.
>
> Easier, but you have no evidence that you actually did so if some
> auditor yahoo comes and whines about it. You also can then ensure that
> whatever new passwords assigned actually meet your password policies,
> etc, etc, blah, blah.
>
> I'm not disagreeing that doing it before the load into DIRM is a lot
> easier, just been dealing with too many whiny auditor types recently to
> think it's likely to get past some of them. But, your suggestion is
> certainly better than the current situation, anyway.
>
> Whatever happened to RPWLIST FILE in the install process? There was a
> step in the VM/SP or HPO installation that forced you to change the
> default passwords, and you couldn't use anything that was in RPWLIST
> FILE, which included the dumb defaults (same as userid, easy guess,
> etc). That step appears to have fallen out of the current install.
>
> -- db



Re: hacking vm/cms (probably old news)

2007-10-09 Thread David Boyes
> Actually, it's much easier, at least in my opinion, to do the massive edits
> to the directory before handing off the first version to DirMaint or some
> other directory manager. Why do in 100 or more dirm commands what you could
> do in three or four xedit commands.

Easier, but you have no evidence that you actually did so if some
auditor yahoo comes and whines about it. You also can then ensure that
whatever new passwords assigned actually meet your password policies,
etc, etc, blah, blah. 

I'm not disagreeing that doing it before the load into DIRM is a lot
easier, just been dealing with too many whiny auditor types recently to
think it's likely to get past some of them. But, your suggestion is
certainly better than the current situation, anyway. 

Whatever happened to RPWLIST FILE in the install process? There was a
step in the VM/SP or HPO installation that forced you to change the
default passwords, and you couldn't use anything that was in RPWLIST
FILE, which included the dumb defaults (same as userid, easy guess,
etc). That step appears to have fallen out of the current install. 

-- db
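
The checks raised in this message and elsewhere in the thread (no password equal to the userid or on a restricted list, and every LBYONLY userid backed by a LOGONBY record for the sysprog userid) can be run over a directory source file before it goes online. The Python below is an added example, not part of the original posts and not IBM's install process; the sample directory, the restricted list, the userids SYSPROG1 and GHOST, and the function names are assumptions made for illustration.

```python
"""Audit a z/VM CP user directory source for the defaults discussed above."""

# Password-field keywords from the thread that stand in place of a password.
KEYWORDS = {"NOLOG", "AUTOONLY", "LBYONLY"}

# Constructed stand-in for a site's restricted-password list (the role the
# thread gives RPWLIST FILE); these words are not IBM's actual list.
RESTRICTED = {"PASSWORD", "SECRET", "CHANGEME", "VMCMS"}

# Constructed sample directory excerpt, not a shipped IBM directory.
SAMPLE_DIRECTORY = """\
* constructed sample for the audit below
USER MAINT MAINT 128M 1000M ABCDEFG
USER OPERATOR LBYONLY 32M 32M ABCDEFG
  LOGONBY SYSPROG1
USER TCPIP AUTOONLY 128M 256M ABG
USER CMSUSER NOLOG
USER LINUX01 SECRET 512M 1G G
USER DIRMAINT LBYONLY 32M 64M BDG
USER VSMSERVE LBYONLY 32M 64M BG
  LOGONBY GHOST
USER SYSPROG1 X7QK2MZP 64M 128M ABCDEFG
"""


def parse_directory(text):
    """Return {userid: {"password": str, "logonby": [userid, ...]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        words = line.upper().split()
        if not words or words[0].startswith("*"):
            continue  # blank line or comment
        if words[0] == "USER":
            # USER userid password [storage ...]; skip malformed statements.
            current = words[1] if len(words) >= 3 else None
            if current:
                entries[current] = {"password": words[2], "logonby": []}
        elif words[0] == "LOGONBY" and current:
            entries[current]["logonby"].extend(words[1:])
    return entries


def classify(entries):
    """Map each userid to NOLOG, AUTOONLY, LBYONLY or PASSWORD."""
    return {
        userid: entry["password"] if entry["password"] in KEYWORDS else "PASSWORD"
        for userid, entry in entries.items()
    }


def audit(entries, sysprog, restricted=RESTRICTED):
    """Return (userid, finding) pairs in directory order."""
    findings = []
    for userid, entry in entries.items():
        password, agents = entry["password"], entry["logonby"]
        if password == "LBYONLY":
            # LBYONLY is only usable through a LOGONBY-authorized userid.
            if not agents:
                findings.append((userid, "LBYONLY without a LOGONBY statement"))
            elif sysprog not in agents:
                findings.append((userid, "LOGONBY does not authorize " + sysprog))
        elif password not in KEYWORDS:
            if password == userid:
                findings.append((userid, "password is the same as the userid"))
            elif password in restricted:
                findings.append((userid, "password is on the restricted list"))
        for agent in agents:
            if agent not in entries:
                findings.append((userid, "LOGONBY names undefined userid " + agent))
    return findings


if __name__ == "__main__":
    directory = parse_directory(SAMPLE_DIRECTORY)
    for userid, category in classify(directory).items():
        print(f"{userid:<8} {category}")
    for userid, finding in audit(directory, sysprog="SYSPROG1"):
        print(f"FINDING {userid}: {finding}")
```
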


Re: hacking vm/cms (probably old news)

2007-10-09 Thread Adam Thornton

On Oct 9, 2007, at 12:41 AM, Alan Altmark wrote:
> But the true gems in it are about human behavior: Failure to change the
> default passwords, failure to use an ESM to eliminate the need for
> minidisk passwords, failure to reject trivial passwords, failure to set a
> low number for lockout of a userid due to excessive invalid passwords
> within some time interval, putting mdisk passwords in EXECs, and so on.
> Most of those technology cannot fix.


Sure they can!  Cutting the power is a technological fix.

Adam


Initial User Directory ( was: hacking vm/cms (probably old news))

2007-10-09 Thread Thomas Kern
I would like it to go a step further, like with some linux installations 
that ask for a root password and another userid to be added. I like 
having ALL system related userids be AUTOONLY, LBYONLY, NOLOG or have a 
randomly generated password. All userids that actually need to
be logged onto must have a LOGONBY record authorizing that initial
sysprog userid. After that initial setup, it isn't hard to replace the
passwords for those users that need to be logged on. No one ever really
needs the password to those accounts if properly LOGONBY authorized. 
That random password could be randomized daily, until you can properly 
divide all accounts into the proper AUTOONLY, LBYONLY, NOLOG or personal 
password categories.


/Tom Kern
/301-903-2211



Nick Laflamme wrote:
> Robert Nix wrote:
>> Hi Alan;
>>
>> Given that the starting CP Directory is dynamically created, for the most
>> part, today, how hard would it be to allow the installer to select a "root
>> password" to be applied to all of the initial accounts?
>
> I'll go one step further: how about a default of all userids except
> MAINT, OPERATOR, and CMSUSER (does that still ship on fresh system?)
> being LBYONLY, defaulting to MAINT as the user who can do LOGONBY.
> Anyone who wants a different LOGONBY user (or additional users) should
> know which trivial XEDIT command will change that.
>
> Nick



Re: hacking vm/cms (probably old news)

2007-10-09 Thread RPN01
Actually, it's much easier, at least in my opinion, to do the massive edits
to the directory before handing off the first version to DirMaint or some
other directory manager. Why do in 100 or more dirm commands what you could
do in three or four xedit commands.

-- 
   .~.Robert P. Nix Mayo Foundation
   /V\RO-OE-5-55200 First Street SW
  /( )\   507-284-0844  Rochester, MN 55905
  ^^-^^   - 
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."




On 10/9/07 8:34 AM, "David Boyes" <[EMAIL PROTECTED]> wrote:

> 
>> Anyone who wants a different LOGONBY user (or additional users) should
>> know which trivial XEDIT command will change that.
> 
> Or should have a directory manager.
> 
> Requirement?
> 
> -- db


Re: hacking vm/cms (probably old news)

2007-10-09 Thread David Boyes
> I'll go one step further: how about a default of all userids except
> MAINT, OPERATOR, and CMSUSER (does that still ship on fresh system?)
> being LBYONLY, defaulting to MAINT as the user who can do LOGONBY.

With all the service machine ids having AUTOLOG lines for AUTOLOG1,
OPERATOR and MAINT. 

Personally, I'd NOLOG CMSUSER. I can't think of the last time I've
actually used it. 

> Anyone who wants a different LOGONBY user (or additional users) should
> know which trivial XEDIT command will change that.

Or should have a directory manager. 

Requirement?

-- db


Re: hacking vm/cms (probably old news)

2007-10-09 Thread Nick Laflamme

Robert Nix wrote:
> Hi Alan;
>
> Given that the starting CP Directory is dynamically created, for the most
> part, today, how hard would it be to allow the installer to select a "root
> password" to be applied to all of the initial accounts?
  


I'll go one step further: how about a default of all userids except 
MAINT, OPERATOR, and CMSUSER (does that still ship on fresh system?) 
being LBYONLY, defaulting to MAINT as the user who can do LOGONBY. 
Anyone who wants a different LOGONBY user (or additional users) should 
know which trivial XEDIT command will change that.


Nick


Re: hacking vm/cms (probably old news)

2007-10-09 Thread RPN01
Hi Alan;

Given that the starting CP Directory is dynamically created, for the most
part, today, how hard would it be to allow the installer to select a "root
password" to be applied to all of the initial accounts?

While putting the same password on everything is still not ideal, it is
better than matching the userids and passwords, and would give a bit of
security to the installation system, and to lazy systems programmers.

-- 
   .~.Robert P. Nix Mayo Foundation
   /V\RO-OE-5-55200 First Street SW
  /( )\   507-284-0844  Rochester, MN 55905
  ^^-^^   - 
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."




On 10/9/07 12:41 AM, "Alan Altmark" <[EMAIL PROTECTED]> wrote:

> On Monday, 10/08/2007 at 05:05 EDT, Marty Zimelis
> <[EMAIL PROTECTED]> wrote:
>> Lionel,
>> "Old news?"  You really ought to read this stuff before forwarding links to
>> it.  In the very first paragraph (after the intro), they show a line-mode log
>> on to VM/370 and make reference to 43xx and 30xx processors.  This material is
>> 30+ years old.
> 
> It may be 30+ years old and may have some antique references, but those
> prompts are still in the system and appear on a linemode telnet session.
> The password overlay in linemode hasn't worked properly, of course, since
> CRTs came onto the scene.  I suppose I should turn my attention to it one
> of these days
> 
> The system weaknesses it talked about:
> - Allowing passwords on the LOGON and LINK command lines rather than
> unconditionally requiring a prompt when entered from the console.
> - Differentiating between a user that does not exist and an incorrect
> password during LOGON
> - Allowing the DIAL command without prior authentication
> all still exist.
> 
> But the true gems in it are about human behavior: Failure to change the
> default passwords, failure to use an ESM to eliminate the need for
> minidisk passwords, failure to reject trivial passwords, failure to set a
> low number for lockout of a userid due to excessive invalid passwords
> within some time interval, putting mdisk passwords in EXECs, and so on.
> Most of those technology cannot fix.
> 
> Alan Altmark
> z/VM Development
> IBM Endicott


Re: hacking vm/cms (probably old news)

2007-10-09 Thread RPN01
This is true. 

When I was in college in the 70's, we toured the air traffic control center
in Indianapolis. They had a large number of s/360 systems with huge amounts
(then) of additional memory; so much so, that to shorten electrical paths,
one memory cabinet for each system was hung from the ceiling over the CPU.

We asked them at that time why they hadn't converted to s/370 boxes, and the
response was "Because this works; Why change it?"

-- 
   .~.Robert P. Nix Mayo Foundation
   /V\RO-OE-5-55  200 First Street SW
 / ( ) \  507-284-0844   Rochester, MN 55905
^^-^^   -
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."
"Join the story... Ride Ural."




On 10/8/07 4:34 PM, "Huegel, Thomas" <[EMAIL PROTECTED]> wrote:

> It wasn't all that long ago, 5-6 years that they moved our air traffic control
> system off s/360 hardware. 



Re: hacking vm/cms (probably old news)

2007-10-09 Thread Rod
> I read that the Dutch Railways are now planning for 2009 to move their
> traffic management system away from VAX/VMS.

You got a link for this? As it happens, I was at the signal box in
Maastricht a couple of weeks ago to look at the system and work method
there (the advantages of belonging to the local model railway club with a
member who can now gain access). The front end stuff that I saw is
Redmond OS based.

--
Rod


Re: hacking vm/cms (probably old news)

2007-10-08 Thread Alan Altmark
On Monday, 10/08/2007 at 05:05 EDT, Marty Zimelis 
<[EMAIL PROTECTED]> wrote:
> Lionel,
> "Old news?"  You really ought to read this stuff before forwarding links to
> it.  In the very first paragraph (after the intro), they show a line-mode log
> on to VM/370 and make reference to 43xx and 30xx processors.  This material is
> 30+ years old.

It may be 30+ years old and may have some antique references, but those 
prompts are still in the system and appear on a linemode telnet session. 
The password overlay in linemode hasn't worked properly, of course, since 
CRTs came onto the scene.  I suppose I should turn my attention to it one 
of these days

The system weaknesses it talked about:
- Allowing passwords on the LOGON and LINK command lines rather than 
unconditionally requiring a prompt when entered from the console.
- Differentiating between a user that does not exist and an incorrect 
password during LOGON
- Allowing the DIAL command without prior authentication
all still exist.

But the true gems in it are about human behavior: Failure to change the 
default passwords, failure to use an ESM to eliminate the need for 
minidisk passwords, failure to reject trivial passwords, failure to set a 
low number for lockout of a userid due to excessive invalid passwords 
within some time interval, putting mdisk passwords in EXECs, and so on. 
Most of those technology cannot fix.

Alan Altmark
z/VM Development
IBM Endicott
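
Added example, not part of the message above or of any code from the list: a small audit of directory source for three of the habits that message lists (unchanged or trivial logon passwords, and minidisk passwords kept in the directory instead of being delegated to an ESM). The directory text is constructed, the statement layout is a simplified assumption, and the deny list is hypothetical.

```python
# Constructed sample in a simplified subset of z/VM user directory syntax.
# Assumed layout (not taken from any real system):
#   USER  userid password storage maxstorage classes
#   MDISK vdev devtype start size volser mode [readpw [writepw [multpw]]]
SAMPLE_DIRECTORY = """\
USER MAINT MAINT 64M 128M ABCDEFG
 MDISK 191 3390 0001 0050 VOL001 MR RMAINT WMAINT MMAINT
USER OPERATOR K7#QZ2PL 32M 32M ABCDEFG
 MDISK 191 3390 0051 0005 VOL001 MR
USER LINUX01 PASSWORD 512M 1G G
 MDISK 200 3390 0056 3000 VOL002 MR RDPW
USER TCPIP AUTOONLY 32M 128M ABG
* comment lines are skipped
"""

# Password-field keywords that mean "no password logon"; not audited here.
NON_LOGON = {"NOLOG", "AUTOONLY", "LBYONLY"}
# Hypothetical deny list; a real site would supply its own.
TRIVIAL = {"PASSWORD", "SECRET", "CHANGEME", "12345678"}

def is_trivial(userid, password):
    """True when the password equals the userid, is on the deny list,
    is shorter than 6 characters, or uses at most two distinct characters."""
    pw = password.upper()
    return (pw == userid.upper() or pw in TRIVIAL
            or len(pw) < 6 or len(set(pw)) <= 2)

def audit_directory(text):
    """Return (line number, userid, issue) tuples for the directory source."""
    findings, userid = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("*"):
            continue
        keyword = fields[0].upper()
        if keyword == "USER" and len(fields) >= 3:
            userid, password = fields[1], fields[2]
            if password.upper() not in NON_LOGON and is_trivial(userid, password):
                findings.append((lineno, userid, "trivial-logon-password"))
        elif keyword == "MDISK" and len(fields) > 7:
            # Anything after the access mode is a minidisk password.
            findings.append((lineno, userid, "mdisk-password-in-directory"))
    return findings

if __name__ == "__main__":
    for lineno, userid, issue in audit_directory(SAMPLE_DIRECTORY):
        print(f"line {lineno}: {userid}: {issue}")
```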


Re: hacking vm/cms (probably old news)

2007-10-08 Thread Gregg C Levine
Hello!
I believe that several Federal government agencies and too many state and
city government ones are still using S/370 based systems. 

But I was aware of those notes on the proper means to hack a VM/CMS setup
even before this list did so. And everyone is indeed correct about the fact
that they are collector's items because they reflect on the history of the
systems and software discussed here.

--
Gregg C Levine [EMAIL PROTECTED]
"The Force will be with you. Always." Obi-Wan Kenobi
  

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Huegel, Thomas
Sent: Monday, October 08, 2007 5:34 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: hacking vm/cms (probably old news)

It wasn't all that long ago, 5-6 years that they moved our air traffic
control system off s/360 hardware. 
-Original Message- 
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] 
Behalf Of Rob van der Heij 
Sent: Monday, October 08, 2007 4:30 PM 
To: IBMVM@LISTSERV.UARK.EDU 
Subject: Re: hacking vm/cms (probably old news) 

On 10/8/07, Marty Zimelis <[EMAIL PROTECTED]> wrote: 
>    "Old news?"  You really ought to read this stuff before forwarding
> links to it.  In the very first paragraph (after the intro), they show a
> line-mode log on to VM/370 and make reference to 43xx and 30xx processors.
> This material is 30+ years old.
Brings back memories... ;-)   But I had to giggle even more today when 
I read that the Dutch Railways are now planning for 2009 to move their 
traffic management system away from VAX/VMS. 
Rob 
 


Re: hacking vm/cms (probably old news)

2007-10-08 Thread Tom Duerbusch
Not much of a hacker.

There were a lot better ways of hacking a VM system back in the '70s and '80s.

Some tricks still work.  
But some of the tricks depend on a Systems Programmer trying to get some work 
done...easily.

Tom Duerbusch
THD Consulting



FELINE PHYSICS:  
Law of Cat Motion

  A cat will move in a straight line, unless there is a really good
  reason to change direction.


>>> "Lionel B. Dyck" <[EMAIL PROTECTED]> 10/8/2007 3:16 PM >>>
This is probably old news to many of you but I just ran across it and it 
is new for me and probably new for some on this listserv:

http://www.mirrors.wiretapped.net/security/info/textfiles/lod/LOD02-08.TXT 

and

http://www.mirrors.wiretapped.net/security/info/textfiles/lod/LOD02-09.TXT 

Cheers

Lionel B. Dyck, Consultant/Specialist 

Enterprise Platform Services, Mainframe Engineering 
KP-IT Enterprise Engineering 
925-926-5332 (8-473-5332) | E-Mail: [EMAIL PROTECTED] 
AIM: lbdyck | Yahoo IM: lbdyck 
Kaiser Service Credo: "Our cause is health. Our passion is service. We're 
here to make lives better." 

"Never attribute to malice what can be caused by miscommunication." 

NOTICE TO RECIPIENT: If you are not the intended recipient of this e-mail, 
you are prohibited from sharing, copying, or otherwise using or disclosing 
its contents. If you have received this e-mail in error, please notify the 
sender immediately by reply e-mail and permanently delete this e-mail and 
any attachments without reading, forwarding or saving them. Thank you. 


Re: hacking vm/cms (probably old news)

2007-10-08 Thread Rob van der Heij
On 10/8/07, Huegel, Thomas <[EMAIL PROTECTED]> wrote:

> It wasn't all that long ago, 5-6 years that they moved our air traffic
> control system off s/360 hardware.

Yes, it's amazing how well a lot of old stuff keeps running. I am not
going to take the train for some time when they roll out the new SOA
stuff ;-)

Rob


Re: hacking vm/cms (probably old news)

2007-10-08 Thread Huegel, Thomas
It wasn't all that long ago, 5-6 years that they moved our air traffic
control system off s/360 hardware.

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
Behalf Of Rob van der Heij
Sent: Monday, October 08, 2007 4:30 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: hacking vm/cms (probably old news)


On 10/8/07, Marty Zimelis <[EMAIL PROTECTED]> wrote:

> "Old news?"  You really ought to read this stuff before forwarding
> links to it.  In the very first paragraph (after the intro), they show a
> line-mode log on to VM/370 and make reference to 43xx and 30xx processors.
> This material is 30+ years old.

Brings back memories... ;-)   But I had to giggle even more today when
I read that the Dutch Railways are now planning for 2009 to move their
traffic management system away from VAX/VMS.

Rob




Re: hacking vm/cms (probably old news)

2007-10-08 Thread Rob van der Heij
On 10/8/07, Marty Zimelis <[EMAIL PROTECTED]> wrote:

>"Old news?"  You really ought to read  this stuff before forwarding links 
> to it.  In the very first paragraph  (after the intro), they show a line-mode 
> log on to VM/370 and make reference to  43xx and 30xx processors.  This 
> material is 30+ years  old.

Brings back memories... ;-)   But I had to giggle even more today when
I read that the Dutch Railways are now planning for 2009 to move their
traffic management system away from VAX/VMS.

Rob


Re: hacking vm/cms (probably old news)

2007-10-08 Thread Marty Zimelis
Lionel,
   "Old news?"  You really ought to read this stuff before forwarding links
to it.  In the very first paragraph (after the intro), they show a line-mode
log on to VM/370 and make reference to 43xx and 30xx processors.  This
material is 30+ years old.
 
Marty



From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Lionel B. Dyck
Sent: Monday, October 08, 2007 4:16 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: hacking vm/cms (probably old news)



This is probably old news to many of you but I just ran across it and it is
new for me and probably new for some on this listserv: 

 
http://www.mirrors.wiretapped.net/security/info/textfiles/lod/LOD02-08.TXT 

and 

 
http://www.mirrors.wiretapped.net/security/info/textfiles/lod/LOD02-09.TXT 

Cheers





Lionel B. Dyck, Consultant/Specialist 

Enterprise Platform Services, Mainframe Engineering 
KP-IT Enterprise Engineering 
925-926-5332 (8-473-5332) | E-Mail: [EMAIL PROTECTED] 
AIM: lbdyck | Yahoo IM: lbdyck 
Kaiser Service Credo: "Our cause is health. Our passion is service. We're
here to make lives better." 

"Never attribute to malice what can be caused by miscommunication." 




hacking vm/cms (probably old news)

2007-10-08 Thread Lionel B. Dyck
This is probably old news to many of you but I just ran across it and it 
is new for me and probably new for some on this listserv:

http://www.mirrors.wiretapped.net/security/info/textfiles/lod/LOD02-08.TXT

and

http://www.mirrors.wiretapped.net/security/info/textfiles/lod/LOD02-09.TXT

Cheers

Lionel B. Dyck, Consultant/Specialist 

Enterprise Platform Services, Mainframe Engineering 
KP-IT Enterprise Engineering 
925-926-5332 (8-473-5332) | E-Mail: [EMAIL PROTECTED] 
AIM: lbdyck | Yahoo IM: lbdyck 
Kaiser Service Credo: "Our cause is health. Our passion is service. We're 
here to make lives better." 

"Never attribute to malice what can be caused by miscommunication." 
