Long ago I was asked for advice on proving that it was unsafe running
multiple levels of classified material on VM, in a data center where the
manager had -- of course -- insisted that it was.
Whether or not that was true (and whether or not it could be proven), I
suggested first
Hi
This is just for my knowledge sake.
While assembling a assembler source code I have seen few JCL using MODGEN
and AMODGEN sometimes.
Does it really makes any difference between the two ?
To my understanding they are just a target lib and distribution library.
Peter
On 5/7/2019 9:03 PM, Phil Smith III wrote:
Of course autorun was evil, but it did have some fun moments. At one point in
the Outlook 97 days, our network manager sent me a
note which, when opened, played VERY LOUDLY a .wav file that screamed "HEY
EVERYBODY! I'M LOOKIN' AT PORN OVER HERE!"
I had a Sev 1 APAR against PROFS (or when it became OfficeVision) by
pointing out that (at least on VM) sending a document with embedded .sy
control word could, say, quietly format recipient's A disk (for those
who've never touched VM, that's a VM user's personal storage). Tricky
fix was
Seymour J Metz wrote, re:
>> And when some "genius" at Microsoft thought it would be a good idea to
>> be able to embed arbitrary code in a document, it meant that someone could
>> do anything they wanted to do to your computer just by sending you a
>> document.
>To be fair, that issue
Daniel HJ Blake wrote:
>It's a very wide net being casted. I've gotten three email and
>one voice mail. The voicemail dude is out of NJ and he has
>called my cell four times. If you're not in my contact list I don't
>answer.
You mean for this job? Wow. Maybe they're desperate; someone
I was travelling and I have kind of lost track of where this thread has
gone. Let me throw three thoughts out there.
1. Our job is to make our platform -- and if you are at a customer, your
site -- as secure as reasonably possible. Not "more secure than Windows." It
is NOT like the joke about the
Yes, we have run extended tests. Yes, the CBU-test ten-day limit comes into
play. We have burned more than one CBU for a given DR test to accommodate our
current DR folks' requirements. (Interestingly, if you CBU your specialty
engines, they can't automatically downgrade you if you have an
Broadcom currently has two openings for senior level z/OS mainframe
software engineers in the Pittsburgh,PA area.
https://broadcom.wd1.myworkdayjobs.com/External_Career/job/USA-PA-Pittsburgh-Holiday-Drive/R-D-Software-Engineer-5_R006107
Yeah, about that: What ~is~ a "controled program"? I noticed that
qualification, but my background is apps development and I'm woefully
ignorant in spots.
---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
/* Expecting the world to treat you fairly because you are a good person is
a
If you're talking about security, then there is a big difference between what
controls are available and what you deploy.
> The robber got into a house through a window that was closed but not
> locked?
That's a defective resident, not a defective window.
> IMHO /how/ access is acquired less
Remember that half of all security administrators are below average. Even when
they are competent, there may be management directives that prevent them from
properly securing the system. BTDT,GTS (no tee shirt, just the scars.)
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
On 5/7/19 2:54 PM, Seymour J Metz wrote:
RACF database unprotected? That's not a properly secured system,
any more than one with default passwords is.
That can be said about MANY things, not just mainframes or open systems.
The robber got into a house through a window that was closed but not
It may be a more common exposure than I would have predicted. I've run into
clients who have general read access to a high-level qualifier, let's say
SYS2.**, which sounds reasonable because SYS2 has lots of CLIST, load and
proc libs that all users need. But then they drop a lot of other things
BLKSIZE is intended for writing new datasets. If you're reading an existing
dataset then SDB isn't applicable.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
Paul Gilmartin
On Tue, 7 May 2019 21:00:45 +, Seymour J Metz wrote:
>The post quoted a message citing the block size. The obvious fix is
>BLKSIZE=32760, not BLKSIZE=0.
I agree. I'm pretty sure that coding BLKSIZE=0 for an existing data set
will have no effect because it is indistinguishable at OPEN time
The quoted text refers to controlled programs, which are not what users
normally run.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of Bob
Bridges
Sent: Tuesday, May 7, 2019 5:02 PM
To:
It's a very wide net being casted. I've gotten three email and one voice mail.
The voicemail dude is out of NJ and he has called my cell four times. If
you're not in my contact list I don't answer.
;-D an
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Phil
On 5/7/19 2:28 PM, Seymour J Metz wrote:
why MVS users nowadays need special authority to create a program dump?
My opinion is that:
A program (core) dump is tantamount to (obfuscated) source code.
In short, the algorithm is out. I hope your security wasn't based only
on the secrecy of
Well, more correctly, an installation ~can~ control users' ability to create
dumps. Here's a bit from the RACF manual:
"Your installation can control the dumping (with SYSUDUMP, SYSABEND, and
SYSMDUMP statements) of address spaces that contain controlled programs by
defining a profile to protect
The post quoted a message citing the block size. The obvious fix is
BLKSIZE=32760, not BLKSIZE=0.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
Jesse 1 Robinson
Sent: Tuesday, May 7, 2019
RACF database unprotected? That's not a properly secured system, any more than
one with default passwords is.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
Knutson, Samuel
Sent: Monday, May
(Resurrecting an old thread) We're being 'urged' to demonstrate that we can
fail over to our internal DR site, run for a while, then fail back. As I
indicated previously, we've done countless short tests but never allowed
production to run in DR; hence no need to fail back. My question here is
> And when some "genius" at Microsoft thought it would be a good idea to
> be able to embed arbitrary code in a document, it meant that someone could
> do anything they wanted to do to your computer just by sending you a document.
To be fair, that issue existed in Script way back when.
--
If you already have update access to APF libraries then it's no longer an issue
of OS security, but one of personnel security. Getting equivalent privileges in
windoze makes taking the machine over a no brainer. The issue is how easy it
to illicitly gain privileges in each OS.
--
Shmuel
With the thread having been rechristened, I'm not sure who gets the OP title. I
was the OOP. Turns out there was actually no BLKSIZE error. The problem was
Fault Analyzer's rush to judgment after an SQL data choke. OTOH I'm pretty sure
that BLKSIZE=0 would help only to set the max value of
. why MVS users nowadays need special authority to create a program dump.
?
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of Bob
Bridges
Sent: Tuesday, May 7, 2019 3:33 PM
To:
I got a ping for a z/OS sysprog job in Costa Mesa, CA, figured I'd point folks
on this list at it. If that's not OK let me know and I won't do it again.
To be clear: THIS IS NOT A JOB I'M HIRING FOR. DO NOT ASK ME ABOUT IT BECAUSE I
WON'T KNOW.
Ask this guy:
Gar Thompson, Safeguard
I think I side with Cliff Stoll on this: You're not doing any favors by
obscuring the vulnerabilities, because the bad guys already know. Go ahead and
talk about them. Be explicit. Get that knowledge into the hands of the good
guys too.
Or put it this way: ~Some~ of the bad guys know
On Tue, 7 May 2019 14:24:26 -0500, Paul Gilmartin wrote:
> At least support, for consistency:
>
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.bpxa400/pathname.htm
>
> ... A path name can be up to 1023 characters long, including
> all directory names, file
Last century there were frequent panics going around about viri conveyed by
email: "If you get an email whose subject line is 'yada yada', DON'T OPEN
IT!!! It'll delete your hard drive, give you boils and trigger an
earthquake!". I spent quite a bit of time reässuring my friends and
There are ways to collect IDs that might be used to penetrate the
mainframe:
- users defined to UADS but not to RACF.
- IBMUSER is active and password wasn't changed.
- Users assigned to products. until x/os 2.2, if no password assigned,
the password was the default group (TX ibm for
And thus what I said last night: MVS has been around longer, so it's had more
opportunity to find and plug holes. Give it another two decades and we may
find that even Windows is much more secure.
Not perfect, of course, even then. Iron sharpens iron, so the Good Guys and
the Bad Guys
On Tue, 7 May 2019 13:37:55 -0500, Jerry Callen wrote:
>I recently discovered that the maximum path length for dynamic
>allocation key 8017 (Unix PATH name) is 255 characters, in spite of
>the fact that the text unit length field is 16 bits. While most "human
>generated" path lengths will not be
I was really talking about things I'd do once I got APF/RACF authority.
On Windows even if I got admin auth on a server, I wouldn't know what to
do with it.
On 5/7/2019 10:46 AM, Seymour J Metz wrote:
How will knowledge of control blocks, SVCs, etc., allow you to escalate your
privileges
On Tue, 7 May 2019 17:12:48 +, Jesse 1 Robinson wrote:
>When I explain mainframe security to the unwashed but curious, I cite history
>above all. The mainframe emerged from the primordial bit bucket soup at a time
>and in a form that utterly precluded individual users from possessing their
I recently discovered that the maximum path length for dynamic
allocation key 8017 (Unix PATH name) is 255 characters, in spite of
the fact that the text unit length field is 16 bits. While most "human
generated" path lengths will not be that long, software generated paths
can easily exceed that.
You probably want to add this statement to your TPX proc.
//IDIOFF DD DUMMY * Disable Fault Analyzer for z/OS *
-or-
Look in sys1.parmlib(idicnf00)
There is probably a
INCLUDE(TYPE(STC) type statement. We only allow FA to get involved with batch
jobs, so we exclude STC and
Hi
Cross posted
I am working on a tpx upgrade. When I start the address space for some
reason it reads the fault analyser dataset.
I have checked throughout the proc to see if by chance I have added that in
DD but there isn't any.
Not sure from where the TPX is pointing the Fault analyser
FYI - The Reusable JCL Collection has been restored to z/OS Basic Skills
(https://www.ibm.com/support/knowledgecenter/en/zosbasics/com.ibm.zos.zjcl/zjclc_intro2reusablejclcoll.htm)
This collection is designed to help new users quickly become productive in the
z/OS environment, while teaching
Yes you will find it in smf119 and you have to activate your Telnet records in
tcpip
Bin unterwegs hab nur iPhone zur Verfügung.
> Am 07.05.2019 um 15:04 schrieb Jorge Garcia :
>
> Hi all,
>
> We want to obtain LU name and RACF ID associated from SMF records or anyother
> source. We
Remember, that IEBCOPY has lots of examples and details on IBM.COM
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.idau100/iebcopy.htm
Unless specified, the examples will tell you exactly how to copy from a LibA to
a LibB
Lizette
> -Original Message-
>
1964? What is the 7090, chopped liver?
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
Bill Johnson <0047540adefe-dmarc-requ...@listserv.ua.edu>
Sent: Monday, May 6, 2019 8:21 PM
To:
How will knowledge of control blocks, SVCs, etc., allow you to escalate your
privileges beyond those assigned to your userid and groupid?
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of Tom
Well, I knew hw to crack SVS 40 years ago, and I reported a security issue much
more recently that allowed an operator to delete or overwrite data sets that
he didn't have access to.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM
Thanks Seymour and thanks to all who responded to my post.
On Tuesday, May 7, 2019, 11:39:43 a.m. EDT, Seymour J Metz
wrote:
COPYMOD is for load module reblocking. There are no load modules in a PDSE.
Off the top of my head I don't even recall whether it is valid for program
> I'm not sure what you mean by your statement > There are no load modules in a
> PDSE. <
I meant that there were no load modules in a PDSE. The format of a load module
is nothing remotely like the format of a program object.
Of course, you could allocate a PDSE that was not a library and copy
There were documented cases where you still needed an explicit block size for
the for the concatenation. Based on the OP, it would appear that there still
are.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List
While the old mainframes were too expensive for individual users, that changed
by the 1960s and moreso by the 1970s. Reme4mber the Honeywell Kitchen Computer?
The DEC PDP-5 and PDP-8?
As for mainframe security I don't believe that such operating systems as
IBSYS/IBJOB cleared storage between
When I explain mainframe security to the unwashed but curious, I cite history
above all. The mainframe emerged from the primordial bit bucket soup at a time
and in a form that utterly precluded individual users from possessing their own
computers. The notion of one-computer-one-user was
Thanks.
Dan
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Mark Jacobs
Sent: Tuesday, May 07, 2019 11:54 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL MESSAGE] Re: COPYING PDS AND PDSE
They're called program objects in a PDS/e
Mark Jacobs
Sent
On Tue, 7 May 2019 11:19:47 -0500, Mark Zelden wrote:
>On Tue, 7 May 2019 15:54:19 +, Mark Jacobs wrote:
>
>>They're called program objects in a PDS/e
> ^
> PDSE
>Pedants unite! ;-)
>
On Tue, 7 May 2019 15:54:19 +, Mark Jacobs
wrote:
>They're called program objects in a PDS/e
^
PDSE
Pedants unite! ;-)
>
>Mark Jacobs
>
>
>Sent from ProtonMail, Swiss-based
On Tue, 7 May 2019 15:50:51 +, Blake, Daniel J [CTR] wrote:
>Shmuel,
>
>I'm not sure what you mean by your statement > There are no load modules in a
>PDSE. <
>
Those 306 members are not load modules.
> Data Set Information
>Command ===>
>
>Data Set Name . . . :
On Tue, 7 May 2019 15:33:39 +, Seymour J Metz wrote:
>Well, removed except when it wasn't; there were caveats.
>
???
>
>From: Tom Marchant
>Sent: Tuesday, May 7, 2019 11:02 AM
>
>>What about BUFL=? As I recall, I used to use this to keep from
They're called program objects in a PDS/e
Mark Jacobs
Sent from ProtonMail, Swiss-based encrypted email.
GPG Public Key -
https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com
‐‐‐ Original Message ‐‐‐
On Tuesday, May 7, 2019 11:50 AM, Blake, Daniel J [CTR]
Shmuel,
I'm not sure what you mean by your statement > There are no load modules in a
PDSE. <
Data Set Information
Command ===>
Data Set Name . . . : TCPIP.SEZALOAD
General DataCurrent Allocation
Management class . . :
COPYMOD is for load module reblocking. There are no load modules in a PDSE. Off
the top of my head I don't even recall whether it is valid for program objects.
The COPY statement should work fine for PDSE.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
Well, removed except when it wasn't; there were caveats.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of Tom
Marchant <000a2a8c2020-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, May 7, 2019
On 5/7/19 6:49 AM, Carmen Vitullo wrote:
SNA networks we're pretty secure
I question how much of that ""security was the (largely) closed
ecosystem. As in it required different hardware, most of which wasn't
easily available or inexpensive.
I think Bigendian Smalls and / or Soldier of
On Mon, 6 May 2019 18:52:51 -0400, Steve Smith wrote:
>BLKSIZE=0 requests "System-Determined Block size". It is indeed the best
>option. Presumably the "system" has all the relevant facts and knowledge
>at its disposal. Which is likely at least as much as you know.
When a new data set is
On Mon, 6 May 2019 21:10:04 -0400, Steve Thompson wrote:
>What about BUFL=? As I recall, I used to use this to keep from
>having problems with concatenations...
Yes, until about 25 years ago, when the requirement that the first
data set of a partitioned data set concatenation have the largest
That is *exactly* how IBM handles it for z/OS. I am one of two people at my
location with access to the ResourceLink security portal. You ever wonder why
you go looking for the APAR info for a PTF, and you get a "document not found"
type of error? When we are actively applying maintenance,
On the flip side, I bet there are many folks who were prompted to check
their systems when they saw Phil Young's "Soldier of Fortran" web pages.
On 5/7/2019 7:49 AM, Nightwatch RenBand wrote:
Publishing "success stories" is a two edged sword. Don't and other
installations cannot protect
Publishing "success stories" is a two edged sword. Don't and other
installations cannot protect against the attach. Do and you spread the idea
among the bad guys.
It would seem that the best solution is:
1) Only discuss with people who have clearances and a "need to know",
2) Come up with a fix
All:
Has anyone seen or can point me to where IBM provides some guidelines for
doing exit work in Metal-C ? I saw an article on Developerworks and was
wondering if i could address some of our exits issues easier on Metal C.
--
*IDMWORKS *
Scott Ford
z/OS Dev.
“By elevating a friend
USS is definitely an integral part of z/OS so it's a legitimate mainframe hack.
However if more of the hacks are occurring via USS it does raise questions
about its quality from security perspective compared to the "classic" MVS side
of the mainframe. Buffer overruns are probably the most
agree, somewhat, in this case the PC/laptop needed to contact the company key
encryption server @ boot up to validate, this was a little more than encrypting
the drive, if the server was not contacted periodically or @ boot up, the
laptop would not boot. I don't know what would happen if you
ITschak Mugzach wrote:
>Funny credit card story. Here in Israel, a company had all cc on an
>encrypted hd. The person used the desktop took the hd home, booted from the
>hd and copied all data. Then, from Thailand, he tried to blackmail his
>employee.
>What value encryption offers in this
Yes. I want to perform a PDSE to PDSE copy.
On Tuesday, May 7, 2019, 7:59:47 a.m. EDT, Steve Smith
wrote:
It's sufficient if it does what you want, no?
sas
On Tue, May 7, 2019 at 7:44 AM esmie moo <
012780d99c7b-dmarc-requ...@listserv.ua.edu> wrote:
> Gentle Readers,
> Are
I want to copy the PDSE to another. I was told that COPYMOD was the
preferable parm when copying LOADLIBS. Is it okay just to use COPY?
On Tuesday, May 7, 2019, 8:09:09 a.m. EDT, Elardus Engelbrecht
wrote:
esmie moo wrote:
>Are there special parms that I need to use in the copy PDS
Funny credit card story. Here in Israel, a company had all cc on an
encrypted hd. The person used the desktop took the hd home, booted from the
hd and copied all data. Then, from Thailand, he tried to blackmail his
employee.
What value encryption offers in this vase?
בתאריך יום ג׳, 7 במאי 2019,
Hi all,
We want to obtain LU name and RACF ID associated from SMF records or anyother
source. We don't have available SMF record type 33. This LU name is available
in TELNET profile
LUGROUP LUMAJ
T900D001..T900D030
We don't know if there is some SMF records with the information
I'll also add, in spite of being flamed, SNA networks we're pretty secure, it
wasn't till TCP/IP and OPENMVS that we started having to rethink security I
know SNA was not 100% secure but that's why VTAM messages were scrutinized by
operators, sysprogs , automation and security, you don't see
Well ... at times when dealing with PDSE I had problems with copy or even
copymod (I don’t remember what the problems were) - as lonh as the source or
target was a PDSE, I found COPYGRP the best option
(te problem may have had to do with copying ALIAS , but I am niot 100% sure)
Chris Hoelscher
[Default] On 6 May 2019 20:10:27 -0700, in bit.listserv.ibm-main
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>In most shops only 2 people have the required access to the RACF database.
>
Could someone use DF/DSS, DF/HSM, FDR or FDR/ABR to copy the database
and then
esmie moo wrote:
>Are there special parms that I need to use in the copy PDS & PDSE'S?
It depends. Do you want to copy all or specific members?
>For example if I want to copy a PDSE to another PDSE (some maybe LOADLIBS)
>would the following be okay?
PS: I have doctored your JCL sample for
It's sufficient if it does what you want, no?
sas
On Tue, May 7, 2019 at 7:44 AM esmie moo <
012780d99c7b-dmarc-requ...@listserv.ua.edu> wrote:
> Gentle Readers,
> Are there special parms that I need to use in the copy PDS & PDSE'S?
> For example if I want to copy a PDSE to another PDSE
Gentle Readers,
Are there special parms that I need to use in the copy PDS & PDSE'S?
For example if I want to copy a PDSE to another PDSE (some maybe LOADLIBS)
would the following be okay?/*
//COPYJCL1 EXEC PGM=IEBCOPY //SYSPRINT DD
79 matches
Mail list logo
