
List:       racf-l
Subject:    Re: Marx Zelden - IPLINFO utility
From:       Radoslaw Skorupka <R.Skorupka () HOTMAIL ! COM>
Date:       2022-04-28 17:52:55
Message-ID: AM0PR07MB4163B840D00E488FFE7F2CD599FD9 () AM0PR07MB4163 ! eurprd07 ! prod ! outlook ! com

Juan,

I think you missed my point, maybe I wasn't clear enough: we are not 
talking about what should be, but we are talking about what is. Yes, that kind 
of information is available. It has been available for years. And 
despite that, z/OS is the most secure system available. It was checked 
and audited many times and it seems the information about the APF list is 
not considered a vulnerability. Before we disagree with that we should 
think twice, just to respect the knowledge of many people who analysed 
the system from a security point of view.

Yes, I see no value in keeping the APF list secret. I see huge value in good 
protection of the APF list. That means all the libraries are 
DATASET-protected, but also APF list modification is strictly controlled 
and audited. And the same for LNKLST (guess why). And for LPA.
However the names on the list are not secret.

Regarding your last sentence - I have no z/OS. The owner of the z/OS has 
its own rules, I think it's obvious.
Last, but not least: can you see a difference between information 
available to every TSO user and information on public website?
And especially for you, APF list:
SYS1.LINKLIB
SYS1.LPALIB
SYS1.MIGLIB
SYS1.CSSLIB
SYS1.SIEALNKE
ISF.SISFLOAD
ISP.SISPLOAD
TCPIP.SEZALNK2
...


-- 
Radoslaw Skorupka
Lodz, Poland




On 27.04.2022 at 17:54, Mautalen Juan Guillermo wrote:
> I don't care about machine model. But I do care about my APF libraries names and
> SETROPTS options, for instance. I see your point: if you have all your APF
> libraries perfectly write protected, then knowing their names is irrelevant. I
> disagree. I have my APF libraries well protected AND I prefer that not everyone
> know their names. That kind of obscurity can be considered an extra security layer,
> much less important than DATASET protection, I agree, but I prefer to have it.
> And if you take the famous premise "security by obscurity is not security" to an
> extreme, then just upload all your z/OS configuration to some public webpage...
> Juan G. Mautalen
> 
> -----Original Message-----
> From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On behalf of Radoslaw Skorupka
> Sent: Wednesday, 27 April 2022 12:16
> To: RACF-L@LISTSERV.UGA.EDU
> Subject: Re: [RACF-L] Marx Zelden - IPLINFO utility
> 
> CAUTION: This email originated outside ANSES. Do not click on links or open
> attachments unless you know the content is safe.
> 
> 
> On 26.04.2022 at 14:04, Mautalen Juan Guillermo wrote:
> > Hi!
> > 
> > I have just tried the IPLINFO utility by Mark Zelden. It runs as a TSO command
> > and provides a LOT of IPL and System Information. It seems very good and useful.
> > However, from a security viewpoint, it worries me a little. The utility runs
> > without any privilege, and any TSO user can execute it. I assume that all the
> > information it collects comes from control blocks that are available to any
> > program. Is this right? Do you find it reasonable to show such kind of information
> > without requiring any specific authorization?
> The answer is: security by obscurity is no security. Mark Zelden's IPLINFO is just
> a tool which reads and formats available data. Everyone can write a similar tool to get
> any part of the information collected by Mark's excellent tool. Should that be
> available to everyone? That's completely another question. BTW: how many years did
> you take to find it out? :-) In my humble opinion the vast majority of the information
> from IPLINFO is neutral, so no - there is no need to hide it. And it has nothing to
> do with Pervasive Encryption, because this feature is not to protect junk, but the
> valuable information. Of course my humble opinion is irrelevant, because IBM
> decides and IBM knows better whether it is possible to hide (I guess it would be
> hard).
> BTW: IEBCOPY is used to copy PDSes, but it also provides machine model and system
> version. :-)
> 
> My €0.02
> 
> --
> Radoslaw Skorupka
> Lodz, Poland
> 
> 

