Discussion:
Multiprise 3k for personal Use?
Kevin Keith
2010-06-02 23:02:41 UTC
Hi,
I know this idea might sound crazy, but I was wondering about the prospects
of an IBM mainframe for personal use. I'm aware of the hurdles considering
the Service Element (hard drives being destroyed, etc.) HMC, OSes, and other
problems. My question is where would one go about looking for one of these?
I could obviously buy one from a reseller for thousands of dollars, but I
can't really afford that. I feel like there are many of these machines
being dumped and scrapped (especially since they are relatively recently no
longer supported) is there any way to get one just ONE of these before it's
destroyed by a scrapper?

Thanks for your help
-Kevin

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Linda Mooney
2010-06-02 23:43:12 UTC
Hi Kevin,



Just a thought, but for government entities (fed, state, local, educational) and some large businesses, equipment is put up for surplus bid. That generally results in getting someone to take it away for something between a little bit of money going in either direction, or sometimes free. You could watch the postings on the sellers' purchasing or surplus websites. You might have to contact the 'possibilities' and let them know of your interest. Some organizations send invitations to bid to folks on a list, some post on a website available to the public.



You can use the web to find out what computer systems many public entities run. It is probably easiest to find out what a college or university has. They generally have meetings that are open to the public, and their minutes are typically posted on their website. Just do a site search and you can probably find the minutes of the meeting where the original machine purchase was approved. A peek at the page for computing services will tell you who to call so that you can ask if they still have the one you want.



You could contact a company that deals in the equipment you want.  Used dealers sell to the secondary market, they sell to third party maintenance providers, and to individuals.  Be sure to communicate your requirements well, best to do it in writing. Check out the companies before sending money.  I'm sure you know the drill. :-)



Third party maintenance providers can be a good source.  Often they will remove working and under maintenance equipment for a customer.  The advantage of this is that you can often get the maintenance history, and they will often arrange transport and setup for you, if you want that.  They can probably supply any missing parts, too.  Some of the third party maintainers only do maintenance for companies, but some will do maint for individuals, if you want that.



HTH,



Linda Mooney


Shane Ginnane
2010-06-02 23:53:19 UTC
We've got one sitting in the corner of the office computer room, holding floor tiles in place. I suspect
others (closer to you) will be in similar situations.
I tried to get a couple of flavours of Linux running on it, but couldn't get the comms side of it sorted.
Gave up in frustration.

Shane ...

Kevin Keith
2010-06-03 01:54:36 UTC
Well I hate to look like a solicitor, but, if there is anyone out there,
particularly in the Houston area, with a multiprise (actually, any mainframe
for that matter, I mean it depends, but if you have ANYTHING talk to me)
that is just going to waste that'll be trashed anyway, it would be going to
a good home.

Thanks,
-Kevin
--
Thanks,
Kevin

Kevin Keith
OLPC Volunteer

William Donzelli
2010-06-03 17:42:16 UTC
Post by Kevin Keith
Well I hate to look like a solicitor, but, if there is anyone out there,
particularly in the Houston area, with a multiprise (actually, any mainframe
for that matter, I mean it depends, but if you have ANYTHING talk to me)
that is just going to waste that'll be trashed anyway, it would be going to
a good home.
I have been asking for older equipment for the collection for several
years, and I do not think anyone really takes offense. There have been
some extremely generous people on this list - and I would once again
like to give a public THANK YOU to them. Saving an old machine, a pile
of docs, or some reels of tape can go a long way, and in just about
every way is better than the stuff going to the scrapper.

Someday IBM may have some sort of non-commercial license for their
mainframe software - perhaps something like Syntegra/Control Data or
HP/Digital has. Save the software first, then worry about the legal
issues. Once the software is gone, it is GONE.

--
Will

Anne & Lynn Wheeler
2010-06-08 12:54:34 UTC
In one sense, we need to be careful about what we ask for. Do we want
z/OS to be easily available to those who want to find vulnerabilities
and crack the system? For security purposes are we better off with
some kind of regulated hobbyist access to z/OS running under z/VM at
data centers?
re:
http://www.garlic.com/~lynn/2010j.html#14 Multiprise 3k for personal Use?
http://www.garlic.com/~lynn/2010j.html#17 Personal use z/OS machines was Re: Multiprise 3k for personal Use?
http://www.garlic.com/~lynn/2010j.html#18 Personal use z/OS machines was Re: Multiprise 3k for personal Use?
http://www.garlic.com/~lynn/2010j.html#19 Personal use z/OS machines was Re: Multiprise 3k for personal Use?

aka, during the OCO-wars ... in the transition from freely available
source to object-code-only ... I don't remember being able to hide
threats and vulnerabilities being an argument ... it was about
protecting corporate property (i.e. source) in a competitive environment
with clone processors.

starting to charge for application software (23jun69 unbundling
announcement) was about various litigation ... but case had been made
that kernel/system software would still be free. later decision to start
charging for kernel software was in period when clone processors had
gained market foothold (during FS distraction, and my resource manager
was initial guinea pig for kernel software charging);
http://www.garlic.com/~lynn/submain.html#unbundle

OCO could be construed as further market inhibitors (in addition to
software no longer free).

sometimes (in OCO-wars) there were issues raised about protecting
customers from themselves ... that freely available source encourages
customer programmers to make modifications ... which would cause
problems/delays in moving to newer releases (things like newer source
was incompatible with older source). customer source modifications could
also result in delays in replacing existing machines with newer machines
(that might have various kinds of differences).

there was case where AT&T had gotten a highly modified version of early
csc/vm system (w/o multiprocessor support) ... old csc/vm email
reference (long before OCO-wars, still when vm370 shipped with full
source maintenance):
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750430

AT&T then made a large number of their own source modifications (things
like virtual device support that ran over network connections ... aka
being able to run application at one AT&T facility ... thinking it was
doing i/o to local tape drive ... but tape drive was actually connected
to system at another AT&T facility) ... which was widely
distributed/used within AT&T.

Nearly a decade later, the national account manager for AT&T tracked me
down looking for help in moving AT&T off that csc/vm system to a more
current vm370. This was related to 3081 ... which was only going to be
available in multiprocessor configuration ... and there was not going to
be a non-multiprocessor (although this was later modified to ship 3083
... in large part because ACP/TPF didn't have multiprocessor
support). Since that particular csc/vm system (w/o multiprocessor
support) was so entrenched in AT&T ... they were going to be forced to
going to clone processor vendor that was selling newer uniprocessor
machines (early csc/vm systems didn't have multiprocessor support until
after the version that had escaped to AT&T; except for version that
escaped to AT&T ... my csc/vm systems were limited to large number of
internal installations ... which I could keep current).

misc. recent posts mentioning 3083
http://www.garlic.com/~lynn/2010.html#1 DEC-10 SOS Editor Intra-Line Editing
http://www.garlic.com/~lynn/2010.html#21 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010d.html#14 Happy DEC-10 Day
http://www.garlic.com/~lynn/2010d.html#79 LPARs: More or Less?
http://www.garlic.com/~lynn/2010e.html#23 Item on TPF
http://www.garlic.com/~lynn/2010i.html#24 Program Work Method Question
http://www.garlic.com/~lynn/2010i.html#78 IBM to announce new MF's this year

other reference to 3081 (& future system)
http://www.jfsowa.com/computer/memo125.htm
--
42yrs virtualization experience (since Jan68), online at home since Mar1970
Anne & Lynn Wheeler
2010-06-08 14:09:16 UTC
Post by Anne & Lynn Wheeler
there was case where AT&T had gotten a highly modified version of early
csc/vm system (w/o multiprocessor support) ... old csc/vm email
reference (long before OCO-wars, still when vm370 shipped with full
http://www.garlic.com/~lynn/2006v.html#email731212
http://www.garlic.com/~lynn/2006w.html#email750430
re:
http://www.garlic.com/~lynn/2010j.html#20 Personal use z/OS machines was Re: Multiprise 3k for personal Use?

also csc/vm email
http://www.garlic.com/~lynn/2006w.html#email750102

jan75, a couple engineers from POK came up to science center to talk
about doing a 5-way SMP skunkworks effort.

in the morph from cp67 to vm370 ... there was a lot of simplification
and dropping of code ... which accounted for large part of the effort to
move the cp67 csc/vm system to a vm370 base. I did get a bunch of
fastpath stuff put back in (that I had originally done as undergraduate
on cp67 in 1968) which shipped in vm370 release 1plc9 (aka vm370 had
monthly source maintenance mini-releases that were called plc or program
level change).

in any case, spring of '75, they roped me into helping with 5-way SMP
skunkworks effort called VAMPS ... which was eventually killed w/o even
being announced ... some past posts
http://www.garlic.com/~lynn/submain.html#bounce

I got to do a lot of microcode/machine design ... queued i/o and queued
i/o termination (something similar showed up later in "811" ... internal
codename for 370xa for the nov78 date on the registered confidential
documents). I also got to do multiprocessor dispatching interface
... somewhat similar to what showed up later in intel432 (but in
microcode rather than silicon ... the i432 group gave a talk about one
of the things that helped kill i432 was putting really complex stuff into
silicon ... and then difficulty in shipping fixes/patches).

after VAMPS was killed ... one or two of the people from VAMPS helped
form another smp skunkworks effort for 16-way smp. this got killed and
some people invited to never appear in POK again, when the head of POK
was told that it might be decades before the POK favorite son operating
system had (effective) 16-way support.

misc. past posts mentioning SMP (&/or compare&swap instruction):
http://www.garlic.com/~lynn/subtopic.html#smp

misc. recent posts mentioning charlie inventing compare&swap instruction
(compare-and-swap was chosen because CAS are charlie's initials):
http://www.garlic.com/~lynn/2010b.html#67 How long for IBM System/360 architecture and its descendants?
http://www.garlic.com/~lynn/2010c.html#47 Extracting STDOUT data from USS
http://www.garlic.com/~lynn/2010d.html#20 search engine history, was Happy DEC-10 Day
http://www.garlic.com/~lynn/2010e.html#15 search engine history, was Happy DEC-10 Day
http://www.garlic.com/~lynn/2010g.html#80 What is the protocal for GMT offset in SMTP (e-mail) header time-stamp?
http://www.garlic.com/~lynn/2010h.html#86 Itanium had appeal
http://www.garlic.com/~lynn/2010i.html#31 IBM Unix prehistory, someone smarter than Dave Cutler
--
42yrs virtualization experience (since Jan68), online at home since Mar1970
Clark Morris
2010-06-08 16:06:39 UTC
Post by Rick Fochtman
-----------------------------<snip>----------------------------
Post by William Donzelli
Post by Kevin Keith
Well I hate to look like a solicitor, but, if there is anyone out there,
particularly in the Houston area, with a multiprise (actually, any mainframe
for that matter, I mean it depends, but if you have ANYTHING talk to me)
that is just going to waste that'll be trashed anyway, it would be going to
a good home.
I have been asking for older equipment for the collection for several
years, and I do not think anyone really takes offense. There have been
some extremely generous people on this list - and I would once again
like to give a public THANK YOU to them. Saving an old machine, a pile
of docs, or some reels of tape can go a long way, and in just about
every way is better than the stuff going to the scrapper.
Someday IBM may have some sort of non-commercial license for their
mainframe software - perhaps something like Syntegra/Control Data or
HP/Digital has. Save the software first, then worry about the legal
issues. Once the software is gone, it is GONE.
In one sense, we need to be careful about what we ask for. Do we want
z/OS to be easily available to those who want to find vulnerabilities
and crack the system? For security purposes are we better off with
some kind of regulated hobbyist access to z/OS running under z/VM at
data centers?
------------------------------------<unsnip>----------------------------------
Clark, I think your concerns are valid, but unwarranted.
Even with a "disassembler", the complexity of the instruction set and the
complexity of z/OS code and interfaces would require a VERY sharp
Assembler programmer to be able to do serious "hacks" into z/OS. It's
taken 46 years to develop the current level and, like they say, "Rome
wasn't built in a day." Given the constant evolution of both hardware
and software, I'm not sure any of US could keep up with it effectively
enough to crack into it consistently, and we're all experienced
professionals, some more so than others. And even a Disassembler won't
decode things like SVC parameter lists, PC parms, etc. or even what a
particular PC is intended to accomplish.
If I were looking for vulnerabilities, I wouldn't even go for the
source. I would just set up the system as a server and see what I
could get away with. The vulnerability can be in CICS, Websphere or
any other portal open to the outside world. My second line of attack
would be the CBT and JES mods to see if any of them have
vulnerabilities I could exploit. Having my own system would enable me
to see what flags are raised by various attempts. I don't think
enough like an intruder to make it worth while either as a white hat
consultant or a black hat thief but intimate code knowledge may not be
the only way to break the system. The ability to test exploits based
on APARs might be interesting.
Post by Rick Fochtman
A regulated hobbyist with access to z/OS running under z/VM could crack
into that system just as easily as a "home user". Then what? Also, by
putting it under z/VM, you could be giving him access to two systems to
crack: z/OS AND z/VM.
Here I would assume a hardened and monitored VM NOT controlled by the
z/OS hobbyist user. There also might be some vetting of the person
before access is allowed.
Post by Rick Fochtman
We are now all holding, or have held, positions of grave responsibility
in our various organizations, be they private industry or government;
along with that comes trust and our ability to prove that the trust is
not misplaced. The ultimate bottom line: sooner or later the honesty of
the user, or system programmer, has to be proven and that's probably the
hardest part of dealing with this whole set of interrelated issues.
Rick
Clark

R.S.
2010-06-03 11:17:50 UTC
Post by Kevin Keith
Hi,
I know this idea might sound crazy, but I was wondering about the prospects
of an IBM mainframe for personal use. I'm aware of the hurdles considering
the Service Element (hard drives being destroyed, etc.) HMC, OSes, and other
problems. My question is where would one go about looking for one of these?
I could obviously buy one from a reseller for thousands of dollars, but I
can't really afford that. I feel like there are many of these machines
being dumped and scrapped (especially since they are relatively recently no
longer supported) is there any way to get one just ONE of these before it's
destroyed by a scrapper?
Obviously you can have MP3K and use it, BUT. The gotcha is software
license. YOU HAVE TO PAY FOR THE SOFTWARE! There are no z/OS licences
"for home&fun use". It's a pity, but reality.
BTW: MP3K is relatively small, but not less affordable than big 9672.

BTW2: I know some guy in Poland who owns two z/800 boxes and has licence
for z/OS.e. In Parallel Sysplex, with ISC cards, sysplex timer, external
DASD, etc. Just for fun. <g>
--
Radoslaw Skorupka
Lodz, Poland


David Crayford
2010-06-03 12:07:26 UTC
Post by R.S.
Post by Kevin Keith
Hi,
I know this idea might sound crazy, but I was wondering about the prospects
of an IBM mainframe for personal use. I'm aware of the hurdles considering
the Service Element (hard drives being destroyed, etc.) HMC, OSes, and other
problems. My question is where would one go about looking for one of these?
I could obviously buy one from a reseller for thousands of dollars, but I
can't really afford that. I feel like there are many of these machines
being dumped and scrapped (especially since they are relatively recently no
longer supported) is there any way to get one just ONE of these before it's
destroyed by a scrapper?
Obviously you can have MP3K and use it, BUT. The gotcha is software
license. YOU HAVE TO PAY FOR THE SOFTWARE! There are no z/OS licences
"for home&fun use". It's a pity, but reality.
BTW: MP3K is relatively small, but not less affordable than big 9672.
Yes, what a shame. IF you could license z/OS just for fun (Hercules)
then there are a lot better hardware platforms than a MP3K to run it on.
A medium sized Intel server would nuke a MP3K.
Post by R.S.
BTW2: I know some guy in Poland who owns two z/800 boxes and has
licence for z/OS.e. In Parallel Sysplex, with ISC cards, sysplex
timer, external DASD, etc. Just for fun. <g>
Tony Harminc
2010-06-03 15:31:00 UTC
Post by R.S.
BTW: MP3K is relatively small, but not less affordable than big 9672.
Not less?

For the home user it's not only a question of acquisition cost. The
MP3000 is a great little box, because it is entirely self-contained
(DASD, network, etc.) and because it runs on an ordinary household
power circuit. It uses about as much electricity as a largish PC
server, and of course puts out a matching and not huge amount of heat,
so it's entirely reasonable for home use.

On the other hand, having just helped put one into the back of an SUV
(on its way to Mike Ross's corestore.org), I can tell you that it's
not a light box, even with all the DASD, fans, side and end covers,
and several other things removed!

Tony H.

Nomen Nescio
2010-06-03 13:55:50 UTC
The hardware is the least of your problems.

What are you going to run on it?
Timothy Sipples
2010-06-03 14:21:12 UTC
My latest Mainframe Blog post discusses acquiring and configuring a
personal mainframe:

http://mainframe.typepad.com/blog/2010/05/my-personal-mainframe-2010-edition.html

I tend to think that a used z890 (2086-110) is currently the "ideal"
personal mainframe, possessing an excellent balance of capabilities,
acquisition price, software licensing options, and likely useful service
life from a technology relevance point of view. However, I think the z800
(2066-0E1) is still a viable second choice provided you can get a
substantially better price, and provided you understand the technology
currency issues (notably that DB2 9 is the last version that will run on
the z800/z900). Obviously if you can get a heck of a deal on a used z9 BC
or z10 BC you would jump on it.

Note that in the blog post I do *not* assume that you would qualify for
PartnerWorld software licensing if you own and operate a physical mainframe
in your home data center, but that is another possible option for software
licensing if you can meet the terms and conditions. I assumed full
commercial licensing because I assumed that you might be entering the time
sharing business in order to share the costs of your personal mainframe
equitably, co-op style. I did, however, assume that you (and any time
sharing users) could meet zNALC terms and conditions.

I very much appreciate the offer that an IBM-MAINer made to send me a
Multiprise 3000. It was (and is) extremely generous, thank you. Perhaps
that offer (or similar) would be open to you, Kevin. I considered it very
carefully and almost said yes. But in the end there was just too big a gap
between an MP3000 and today's (or even yesterday's) software licensing and
software capabilities. A second or first generation z/Architecture machine
just seems like a much better financial and technical proposition all
around at this point in time for a personal mainframe (assuming a physical
one). Yes, it is possible to run 31-bit Linux on an MP3000, but I couldn't
figure out any use cases where that capability would provide unique value
nowadays given Linux's technical ability to cross-compile.

And no, you're not crazy, Kevin. Or if you are, so am I. :-)

- - - - -
Timothy Sipples
Resident Architect (Based in Singapore)
STG Value Creation and Complex Deals Team
IBM Growth Markets
E-Mail: ***@us.ibm.com
Tony Harminc
2010-06-03 15:45:14 UTC
Post by Kevin Keith
I know this idea might sound crazy, but I was wondering about the prospects
of an IBM mainframe for personal use.  I'm aware of the hurdles considering
the Service Element (hard drives being destroyed, etc.) HMC, OSes, and other
problems.  My question is where would one go about looking for one of these?
 I could obviously buy one from a reseller for thousands of dollars, but I
can't really afford that.  I feel like there are many of these machines
being dumped and scrapped (especially since they are relatively recently no
longer supported) is there any way to get one just ONE of these before it's
destroyed by a scrapper?
It is a problem - some would call it market failure of a kind. There
are resellers who have, or claim to have, just about any IBM hardware
you'd like, and as you say, they ask a huge amount for it. I'm not
sure I understand their business model, but I'm sure in many cases
they don't actually have the hardware in question, and act more as
brokers. On the other side, these machines are going to the scrapper
all the time (I just saved one from that fate), where they have in
effect negative value, i.e. you have to pay someone to take it away,
and depending on where you are, pay various recycling charges because
there may be lead-acid and/or NiCad batteries, and other non RoHS
stuff inside.

I think you've done exactly the right thing - ask on this list, and
the several other mainframe related ones. Doubtless somewhere a reader
of these lists knows that the boss is deciding that it's cleanup time
for that dusty corner of the datacentre, and typically these things
happen suddenly. If you are prepared to pay for quick packaging and
shipping (evidently not as outrageous as I imagined), are prepared to
arrange drive wiping so they won't be physically destroyed, and remind
people occasionally that you're looking, I think your chances are
pretty good.

Tony H.

Kevin Keith
2010-06-03 15:50:17 UTC
Thanks for the encouragement Tony. Like I said, I know of several z9s that
have been scrapped, that would've been perfect (they were ECs). You'd think
in a huge city like Houston, with all the industry, oil companies, etc, it
would be easy to find such things, but I've not had any luck yet. Right now
I'm hoping for a Multiprise 3000, and I hope to some day acquire a z9 EC (I
actually think this may not be THAT ridiculous).
--
Thanks,
Kevin

Kevin Keith
OLPC Volunteer

David Andrews
2010-06-03 16:15:45 UTC
Doubtless somewhere a reader of these lists knows that the boss is
deciding that it's cleanup time for that dusty corner of the
datacentre
Well, you make me go and look. There across the parking lot, in an
attic over a farm equipment shop and accessible by forklift, still sits
a bus-and-tag 3088 CTC - plastic wrapped against the elements.

Some people don't throw ANYTHING away.
--
David Andrews
A. Duda and Sons, Inc.
***@duda.com

Anne & Lynn Wheeler
2010-06-03 16:42:33 UTC
Permalink
Post by David Andrews
Well, you make me go and look. There across the parking lot, in an
attic over a farm equipment shop and accessible by forklift, still sits
a bus-and-tag 3088 CTC - plastic wrapped against the elements.
one of the battles my wife lost when she served her stint responsible
for loosely-coupled architecture in POK ... was adding more features to
3088 (code-name trouter) than simply acting like multi-arm ctc. one of
the reasons a little later she started pushing hyperchannel ... but was
opposed by people that had pushed vanilla 3088 and were worried that if
there was a lot of hyperchannel out there ... it would interfere with
eventually being able to ship escon.

she had done peer-coupled shared data architecture
http://www.garlic.com/~lynn/subtopic.html#sharedata

which saw little uptake (except for ims hot-standby) until sysplex.
other battles that contributed to her not staying long in the position
was SNA camp trying to force all loosely-coupled operations thru VTAM.

prior to taking the position in POK ... she had been in the JES group
working on merged JES2/JES3 (figuring out what were the missing things
in one ... that the customers of the other couldn't live w/o) ... JES
Ultimate System.
--
42yrs virtualization experience (since Jan68), online at home since Mar1970

Rick Fochtman
2010-06-03 20:24:58 UTC
Permalink
-------------------------------<snip>----------------------------
Post by David Andrews
Doubtless somewhere a reader of these lists knows that the boss is
deciding that it's cleanup time for that dusty corner of the
datacentre
Well, you make me go and look. There across the parking lot, in an
attic over a farm equipment shop and accessible by forklift, still sits
a bus-and-tag 3088 CTC - plastic wrapped against the elements.
Some people don't throw ANYTHING away.
-----------------------------<unsnip>---------------------------------
I can match that with a matched pair of fully-configured bus/tag 2914
switches. :-) Anyone need a boat anchor that intermittently floats?

Rick


Thompson, Steve
2010-06-03 16:14:09 UTC
Permalink
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@bama.ua.edu] On
Behalf Of Tony Harminc
Sent: Thursday, June 03, 2010 10:30 AM
To: IBM-***@bama.ua.edu
Subject: Re: Multiprise 3k for personal Use?
Post by R.S.
BTW: MP3K is relatively small, but not less affordable than big 9672.
Not less?

For the home user it's not only a question of acquisition cost. The
MP3000 is a great little box, because it is entirely self-contained
(DASD, network, etc.) and because it runs on an ordinary household
power circuit. It uses about as much electricity as a largish PC
server, and of course puts out a matching and not huge amount of heat,
so it's entirely reasonable for home use.

On the other hand, having just helped put one into the back of an SUV
(on its way to Mike Ross's corestore.org), I can tell you that it's
not a light box, even with all the DASD, fans, side and end covers,
and several other things removed!
<SNIPPAGE>

How well you make my point about needing a drop, plug, LOAD and IPL type
of entry box. In my opinion this is the way to have an entry level
[starter?] system.

You want to replace my Intel type servers with a mainframe? I have 1
file server, 2 DB Servers, and a print server. I don't have a SAN. And I
have 25 users.

So, I need, per IBM today, a z/9 (or 10), raised flooring, special power
circuits, and a RAID box. The entry to a mainframe is quite expensive.

Today, my hardware costs are less than $10K, everything runs on 120VAC
single phase, and I don't have to put in a Liebert or some such.

So to convert to a mainframe it is not cost effective until I hit that
"magical" 30 Server number. But by then, when you factor the software
migration costs, it is still not cost effective to go to a z box.

I really wish that IBM would re-think this area.

Regards,
Steve Thompson

-- Opinions expressed by this poster may not reflect those of poster's
employer --

Rick Fochtman
2010-06-03 20:22:49 UTC
Permalink
---------------------------------------<snip>---------------------------------
For the home user it's not only a question of acquisition cost. The
MP3000 is a great little box, because it is entirely self-contained
(DASD, network, etc.) and because it runs on an ordinary household power
circuit. It uses about as much electricity as a largish PC server, and
of course puts out a matching and not huge amount of heat, so it's
entirely reasonable for home use.

On the other hand, having just helped put one into the back of an SUV
(on its way to Mike Ross's corestore.org), I can tell you that it's not
a light box, even with all the DASD, fans, side and end covers, and
several other things removed!

<SNIPPAGE>

How well you make my point about needing a drop, plug, LOAD and IPL type
of entry box. In my opinion this is the way to have an entry level
[starter?] system.

You want to replace my Intel type servers with a mainframe? I have 1
file server, 2 DB Servers, and a print server. I don't have a SAN. And I
have 25 users.

So, I need, per IBM today, a z/9 (or 10), raised flooring, special power
circuits, and a RAID box. The entry to a mainframe is quite expensive.

Today, my hardware costs are less than $10K, everything runs on 120VAC
single phase, and I don't have to put in a Liebert or some such.

So to convert to a mainframe it is not cost effective until I hit that
"magical" 30 Server number. But by then, when you factor the software
migration costs, it is still not cost effective to go to a z box.

I really wish that IBM would re-think this area.
---------------------------------<unsnip>--------------------------------------
IBM should DEFINITELY rethink this area, especially now that they're the
"only kid on the block". :-)

Rick

B***@cs.com
2010-06-08 17:00:58 UTC
Permalink
Rick,

Clark's concerns are very warranted. There are integrity holes in all of
our z/OS systems. Some of them were delivered to us by IBM who is very
busily fixing the ones they know about. Others have been introduced by ISV
software. And, others have been introduced either from places like the CBT
Tape website or from installation installed SVCs.

How many installations have the "get me in Supervisor State SVC" installed
on their systems? Yes, it is convenient, but what a security exposure! I
saw a recent posting on a list, which shall remain nameless, where some
system programmer posted a code snippet and, in there, was the magic SVC.
Now, that systems programmer opened up the door. And it is not to the very
select few System Programmers who you feel are valued and trustworthy, it is
to any Batch or TSO user of the system. With the SVC, any user could now
get into RACF PRIVILEGED state and obtain access to any dataset without any
security system controls or loggings.

And, I am not just talking about the magic SVCs. Ray Overby, who used to
work for me at SKK in the development of ACF2, found a vulnerability in an
ISV product that was exploitable with an 11 line REXX Exec. Although it
would have taken expertise to find the vulnerability and develop the
exploit, it would not have taken that much knowledge to enter the REXX Exec
into a TSO session and gain access to anything. Anyone with TSO access
would have been able to exploit this!

We cannot just sit by and believe that our z/OS systems are secure. It is
not only hobbyists that are looking for ways to crack into our systems.
Countries that are not friendly to ours also have access to z/OS systems and
have bright people. So do criminal organizations. They can and will
develop exploits for our vulnerabilities. We have to take whatever action
we can to be sure our systems have as much integrity as we can achieve.

Ray Overby has developed a product, the Vulnerability Analysis Tool, which
investigates the integrity of z/OS systems. While this product does not
find ALL of the system integrity exposures on z/OS systems, shockingly it
finds a good number of them. With the results of this analysis in hand,
installations are in a position to demand that ISVs fix their software or
that their own internal staff stop using Magic SVCs and develop safe methods
of achieving the functionality that these SVCs are used for or for their own
internal development teams to use the proper z/OS guidelines.

Ray has just signed an agreement with Ron Pimblett, who is also representing
the renowned set of Compilers from Dignus, for the marketing of his product.
So, if you are truly interested in protecting the security of your z/OS
systems you should contact Ron at ***@kr-inc.com or
***@kr-inc.com.

Of course, I'll be happy to also talk about this topic since it is very important
to me. My e-mail is ***@cs.com. When I started the whole data
security push for IBM Operating Systems in 1972 at SHARE, it was obvious to
all of us that system integrity was a prerequisite to system security. Out
of those meetings came the SHARE requirements for Data Security which are
still very relevant today. And system integrity remains as their
foundation.

Barry
--
Barry Schrager
***@cs.com
George Orwell
2010-06-08 20:03:25 UTC
Permalink
Post by B***@cs.com
How many installations have the "get me in Supervisor State SVC" installed
on their systems? Yes, it is convenient, but what a security exposure! I
saw a recent posting on a list, which shall remain nameless, where some
system programmer posted a code snippet and, in there, was the magic SVC.
Now, that systems programmer opened up the door.
How do you figure? You can write all the SVCs in the world, but unless you
have somebody *at your shop* who is stupid enough to install it or give
some bonehead RACF access to an APF-authorized library, there is no
exposure.

z/OS has no holes, but your procedures sure might.


The sender address of this message is not related to a real person
but to a fake address of an anonymous system.
For more info: https://www.mixmaster.it
starwars
2010-06-08 20:12:29 UTC
Permalink
Post by B***@cs.com
And, I am not just talking about the magic SVCs. Ray Overby, who used to
work for me at SKK in the development of ACF2, found a vulnerability in an
ISV product that was exploitable with an 11 line REXX Exec. Although it
would have taken expertise to find the vulnerability and develop the
exploit, it would not have taken that much knowledge to enter the REXX
Exec into a TSO session and gain access to anything. Anyone with TSO
access would have been able to exploit this!
Holes in 3rd party products do not equal holes in z/OS. Get the vendor to
fix his mess.
Howard Brazee
2010-06-08 20:44:16 UTC
Permalink
On Tue, 8 Jun 2010 22:12:29 +0200 (CEST), starwars
Post by starwars
Holes in 3rd party products do not equal holes in z/OS. Get the vendor to
fix his mess.
I don't know if this is necessarily true.
B***@cs.com
2010-06-08 21:28:19 UTC
Permalink
Post by Howard Brazee
Post by starwars
Holes in 3rd party products do not equal holes in z/OS. Get the vendor to
fix his mess.
I don't know if this is necessarily true.
You're right, it's not true. Holes in 3rd party products are holes in the
z/OS system. After a system is penetrated, are you going to say, gee, it
wasn't an IBM error that got us, it was xyz company error. Big deal. Your
system and, therefore your company, was taken.

And, right now, 3rd party vendors are either not aware of the issues or not
taking them seriously. There are holes in the 3rd party products and there
are even some holes in z/OS that IBM is working on fixing. Now, the
difference is that IBM, when it is pointed out to them, says, we will fix it
as we honor the Statement of Integrity. 3rd party vendors sometimes have to
be pushed and prodded and threatened.

So, what are the holes on your system -- don't you want to know so you can
start taking action to close them? Or would you rather be dumb and happy
until disaster strikes. Then you can just say, gee, I didn't think there
were any serious hole ...
--
Barry Schrager
***@cs.com
Pinnacle
2010-06-08 21:38:56 UTC
Permalink
----- Original Message -----
From: <***@cs.com>
Newsgroups: bit.listserv.ibm-main
Sent: Tuesday, June 08, 2010 5:28 PM
Subject: Re: Personal use z/OS machines was Re: Multiprise 3k for personal
Use?
Post by B***@cs.com
Post by Howard Brazee
Post by starwars
Holes in 3rd party products do not equal holes in z/OS. Get the vendor to
fix his mess.
I don't know if this is necessarily true.
You're right, it's not true. Holes in 3rd party products are holes in the
z/OS system. After a system is penetrated, are you going to say, gee, it
wasn't an IBM error that got us, it was xyz company error. Big deal. Your
system and, therefore your company, was taken.
And, right now, 3rd party vendors are either not aware of the issues or not
taking them seriously. There are holes in the 3rd party products and there
are even some holes in z/OS that IBM is working on fixing. Now, the
difference is that IBM, when it is pointed out to them, says, we will fix it
as we honor the Statement of Integrity. 3rd party vendors sometimes have to
be pushed and prodded and threatened.
So, what are the holes on your system -- don't you want to know so you can
start taking action to close them? Or would you rather be dumb and happy
until disaster strikes. Then you can just say, gee, I didn't think there
were any serious hole ...
Barry,

It would be nice if someone actually documented a hole, instead of all the
urban legends we hear. Outside the magic SVC, or a trusted person planting
malware in an APF library, I don't know of any "holes". Please share.

Regards,
Tom Conley

Tony Harminc
2010-06-08 21:56:01 UTC
Permalink
Post by Pinnacle
It would be nice if someone actually documented a hole, instead of all the
urban legends we hear.  Outside the magic SVC, or a trusted person planting
malware in an APF library, I don't know of any "holes".  Please share.
Well no one is going to step up and document a current hole that they
may know about. Two holes I happen to know of that were fixed so long
ago that it can't possibly matter now, are the whole GAM
implementation, which happily accepted a user-supplied address and
branched to it in supervisor state, and the ability of any user to run
a line trace on a 37x5 without the possibility of control by the
installation. These were fixed in the 1970s and 1980s respectively.

Tony H.

B***@cs.com
2010-06-08 23:02:31 UTC
Permalink
Post by Tony Harminc
Well no one is going to step up and document a current hole that they
may know about. Two holes I happen to know of that were fixed so long
ago that it can't possibly matter now, are the whole GAM
implementation, which happily accepted a user-supplied address and
branched to it in supervisor state, and the ability of any user to run
a line trace on a 37x5 without the possibility of control by the
installation. These were fixed in the 1970s and 1980s respectively.
Tony,

I agree. It certainly would be irresponsible to post such an item on a
public newsgroup. And, we all are responsible parties here.

Barry
--
Barry Schrager
***@cs.com
Pinnacle
2010-06-09 00:16:02 UTC
Permalink
----- Original Message -----
From: "Tony Harminc" <***@HARMINC.NET>
Newsgroups: bit.listserv.ibm-main
Sent: Tuesday, June 08, 2010 5:56 PM
Subject: Re: Personal use z/OS machines was Re: Multiprise 3k for personal
Use?
Post by Tony Harminc
Post by Pinnacle
It would be nice if someone actually documented a hole, instead of all the
urban legends we hear. Outside the magic SVC, or a trusted person
planting
malware in an APF library, I don't know of any "holes". Please share.
Well no one is going to step up and document a current hole that they
may know about. Two holes I happen to know of that were fixed so long
ago that it can't possibly matter now, are the whole GAM
implementation, which happily accepted a user-supplied address and
branched to it in supervisor state, and the ability of any user to run
a line trace on a 37x5 without the possibility of control by the
installation. These were fixed in the 1970s and 1980s respectively.
Tony,

Thank you for at least posting two concrete examples of past holes. There
was a recent article in zJournal about hacking z/OS, but it was
disappointing, limited to what we've discussed here. The article quoted a
number of noted gurus (some on this thread), and they all basically said the
same thing. Authorized code can hack MVS, unauthorized code can't. Also,
like your examples above, none of the examples of hacking quoted in the
article were less than 20 years old.

Regards,
Tom Conley

Binyamin Dissen
2010-06-09 09:54:11 UTC
Permalink
On Tue, 8 Jun 2010 20:14:29 -0400 Pinnacle <***@ROCHESTER.RR.COM> wrote:

:>same thing. Authorized code can hack MVS, unauthorized code can't.

The security exposures exist when the authorized code "trusts" an address
passed by unauthorized code.

Authorized code cannot trust anything provided by unauthorized code. That
means going into the caller's key when fetching or modifying storage based on
an address provided and should the caller pass the address of a protected
control block, such as a TCB address, verifying that the address is in fact of
a TCB and it is where such service is allowed. Should an exit be allowed, such
as a DCB OPEN exit, SYNCH back to problem state and key must be used. And,
obviously, no workareas of the authorized routine are allowed to be in a key
that allows the unauthorized routine ability to update (and, perhaps, even
fetch).

--
Binyamin Dissen <***@dissensoftware.com>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.
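
The rule stated in the post above (store through a caller-supplied address only in the caller's key, and accept a caller-supplied control block address only after verifying it), as an added example that is not part of the original thread. It is a simplified Python model of storage keys, not z/OS code; the class and function names, the key values, the job names and the addresses are all constructed for illustration.

```python
"""Simplified model of storage protect keys. Illustration only, not z/OS code."""

PAGE = 4096
USER_KEY = 8                   # assumption of this model: key of the unauthorized caller
RESULT = b"\x00\x00\x00\x01"   # constructed 4-byte answer the service hands back


class ProtectionException(Exception):
    """Models the program check raised when the access key does not match."""


class Storage:
    def __init__(self):
        self.keys = {}   # page number -> storage key (0-15)
        self.data = {}   # page number -> page contents

    def allocate(self, page, key):
        self.keys[page] = key
        self.data[page] = bytearray(PAGE)

    def _check(self, access_key, addr, length):
        # Every page the operand touches is checked before any byte is moved.
        for page in range(addr // PAGE, (addr + length - 1) // PAGE + 1):
            if page not in self.keys:
                raise ProtectionException(f"page {page:#x} is not allocated")
            if access_key != 0 and access_key != self.keys[page]:
                raise ProtectionException(
                    f"key {access_key} may not store into key-{self.keys[page]} page")

    def store(self, access_key, addr, payload):
        self._check(access_key, addr, len(payload))
        for i, byte in enumerate(payload):
            self.data[(addr + i) // PAGE][(addr + i) % PAGE] = byte

    def fetch(self, addr, length):
        # Inspection helper for the demo; no key check is applied here.
        return bytes(self.data[(addr + i) // PAGE][(addr + i) % PAGE]
                     for i in range(length))


def service_trusting(storage, caller_key, result_addr):
    """Flawed: stays in key 0 and stores wherever the caller pointed."""
    storage.store(0, result_addr, RESULT)


def service_caller_key(storage, caller_key, result_addr):
    """Hardened: the store is done in the caller's key, so the key check
    is made against the caller's authority, not the service's."""
    storage.store(caller_key, result_addr, RESULT)


def resolve_tcb(known_tcbs, caller_job, tcb_addr):
    """Accept a caller-supplied control block address only if the system's own
    list contains it and it belongs to the caller. known_tcbs is hypothetical:
    it stands for a chain the system keeps in storage the caller cannot update."""
    owner = known_tcbs.get(tcb_addr)
    if owner is None:
        raise ValueError("address is not a control block known to the system")
    if owner != caller_job:
        raise PermissionError("control block belongs to another job")
    return owner


def demo():
    st = Storage()
    st.allocate(0x10, USER_KEY)      # caller's own page
    st.allocate(0x20, 0)             # key-0 page holding a system field
    user_buf = 0x10 * PAGE + 0x100
    sys_field = 0x20 * PAGE + 0x40
    out = {}

    service_caller_key(st, USER_KEY, user_buf)
    out["legit_store_ok"] = st.fetch(user_buf, 4) == RESULT

    service_trusting(st, USER_KEY, sys_field)          # key-0 store goes through
    out["trusting_overwrote_system"] = st.fetch(sys_field, 4) == RESULT

    st.store(0, sys_field, bytes(4))                   # restore the field
    try:
        service_caller_key(st, USER_KEY, sys_field)
        out["hardened_blocked"] = False
    except ProtectionException:
        out["hardened_blocked"] = True
    out["system_field_intact"] = st.fetch(sys_field, 4) == bytes(4)
    return out


if __name__ == "__main__":
    print(demo())
```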

B***@cs.com
2010-06-09 12:15:17 UTC
Permalink
Tom,

If you are a member of LinkedIn, take a look at the MainframeZone discussion
list. There was a similar discussion there on the zJournal Mainframe
Hacking article.

Barry
Rick Fochtman
2010-06-09 03:09:30 UTC
Permalink
----------------------------------<snip>------------------------------
Well no one is going to step up and document a current hole that they
may know about. Two holes I happen to know of that were fixed so long
ago that it can't possibly matter now, are the whole GAM implementation,
which happily accepted a user-supplied address and branched to it in
supervisor state, and the ability of any user to run a line trace on a
37x5 without the possibility of control by the installation. These were
fixed in the 1970s and 1980s respectively.
--------------------------------<unsnip>-------------------------------
I those, since we didn't use any of that type of equipment.

OS/360 had a FREEDBUF macro that could SYNCH to a user-supplied exit in
Supv. state Key-0. IIRC, it was part of BDAM.

Rick

shmuel+ (Shmuel Metz , Seymour J.)
2010-06-11 00:46:13 UTC
Permalink
Post by Rick Fochtman
OS/360 had a FREEDBUF macro that could SYNCH to a user-supplied exit
in Supv. state Key-0. IIRC, it was part of BDAM.
Fishing with dynamite, are we? OS/360 had so many holes[1] that most
people lost count. Take ISAM - please.

MVS may have holes, but it's harder to find them and IBM is willing to
fix them. It's my fault that the operator can no longer blow you away
with a simple START command.

[1] One of which I exploited in a storage zap program.
--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

Anne & Lynn Wheeler
2010-06-11 15:22:15 UTC
Permalink
re:
http://www.garlic.com/~lynn/2010j.html#32 Personal use z/OS machines was Re: Multiprise 3k for personal Use?

it was also about the time that the corporation hired a new CSO, long
distinguished career in gov. ... things like having been head of
presidential detail; knew a lot about physical security. I got asked to
run around with him some; supposedly the corporate computer/information
security expert (a few details about physical security would rub off).

other posts in this thread:
http://www.garlic.com/~lynn/2010j.html#14 Multiprise 3k for personal Use?
http://www.garlic.com/~lynn/2010j.html#17 Personal use z/OS machines was Re: Multiprise 3k for personal Use?
http://www.garlic.com/~lynn/2010j.html#18 Personal use z/OS machines was Re: Multiprise 3k for personal Use?
http://www.garlic.com/~lynn/2010j.html#19 Personal use z/OS machines was Re: Multiprise 3k for personal Use?
http://www.garlic.com/~lynn/2010j.html#20 Personal use z/OS machines was Re: Multiprise 3k for personal Use?
http://www.garlic.com/~lynn/2010j.html#22 Personal use z/OS machines was Re: Multiprise 3k for personal Use?
--
42yrs virtualization experience (since Jan68), online at home since Mar1970

B***@cs.com
2010-06-08 22:24:16 UTC
Permalink
Post by Pinnacle
Barry,
It would be nice if someone actually documented a hole, instead of all the
urban legends we hear. Outside the magic SVC, or a trusted person planting
malware in an APF library, I don't know of any "holes". Please share.
Regards,
Tom Conley
Tom,

Send me a private e-mail to set up a demonstration.

Barry
--
Barry Schrager
***@cs.com
Rick Fochtman
2010-06-09 03:06:06 UTC
Permalink
-------------------------------------<snip>------------------------------
It would be nice if someone actually documented a hole, instead of all
the urban legends we hear. Outside the magic SVC, or a trusted person
planting malware in an APF library, I don't know of any "holes". Please
share.
-------------------------------------<unsnip>----------------------------
Documenting a "hole" could be a seriously bad idea, since it might give
a potential troublemaker exactly the opening he's looking for.

In early versions of the IDMS SVC, there was an undocumented parm that
would place the caller in Supervisor state, Key-0. When we pointed this
out to CA, it was fixed in 48 hours.

Satisfied? :-)

Rick

R.S.
2010-06-09 06:54:23 UTC
Permalink
Post by Rick Fochtman
-------------------------------------<snip>------------------------------
It would be nice if someone actually documented a hole, instead of all
the urban legends we hear. Outside the magic SVC, or a trusted person
planting malware in an APF library, I don't know of any "holes". Please
share.
-------------------------------------<unsnip>----------------------------
Documenting a "hole" could be a seriously bad idea, since it might give
a potential troublemaker exactly the opening he's looking for.
Documenting a hole is a very good idea. If you don't do it, hackers will
do it. What's better - to have a hole and not know about it, or to have a
hole and be aware of it?
I choose the second option, definitely.
Last but not least: a documented hole can be worked around, avoided. Of
course, documenting a hole is usually the first step to fixing it.

Example: BPX.DAEMON resource in FACILITY class. It can be understood as
a fix for a hole existing in the original Unix standard. It is quite well
documented - that's why I know what the purpose of the profile is and
what the risk is if I don't have the profile. It can reside on a "what you
have to protect" security checklist.

Regards
--
Radoslaw Skorupka
Lodz, Poland


shmuel+ (Shmuel Metz , Seymour J.)
2010-06-11 00:46:45 UTC
Permalink
Post by Pinnacle
It would be nice if someone actually documented a hole, instead of
all the urban legends we hear.
I document security holes in IBM software when I report them to IBM. I
don't document them to anybody else until the exposure has been fixed.
I hope that others will do the same.

Please don't publicly disclose the details of a security hole while
the vendor is still developing a fix. Note that I'm *NOT* talking
about cases where the vendor can't be bothered to deal with security
issues, but I haven't had that problem with IBM in decades.
--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

Non scrivetemi
2010-06-09 14:56:24 UTC
Permalink
Post by B***@cs.com
Post by Howard Brazee
Post by starwars
Holes in 3rd party products do not equal holes in z/OS. Get the vendor to
fix his mess.
I don't know if this is necessarily true.
You're right, it's not true. Holes in 3rd party products are holes in the
z/OS system. After a system is penetrated, are you going to say, gee, it
wasn't an IBM error that got us, it was xyz company error. Big deal. Your
system and, therefore your company, was taken.
It is a big deal because it all comes down to who is responsible, who do
you point the finger at, and who pays for damages. Blaming IBM or
criticizing z/OS security just makes the problem worse, because IBM and
z/OS are not part of the problem. You are, because you refuse to admit
what's really going on.

What you are saying can be compared to the following situation:

You buy a car and then you buy an aftermarket extra capacity gas tank. The
gas tank ruptures and burns through the car body and toasts you and your
family. Now you want to sue the car manufacturer for getting burned when
you really should be suing the 3rd party gas tank manufacturer. The car
manufacturer can't be responsible for modifications by 3rd parties, it has
no control over them. Furthermore, if the 3rd party departed from
established design conventions you have a very good chance of winning the
lawsuit. Yes, you still got burned. But that was your fault, because you
didn't ask the right questions when you bought your 3rd party gas tank. The
buck stops with you, the consumer.

z/OS is secure. You seem unable to make the distinction between who is
responsible for problems. IBM has created a secure OS. You trusted a 3rd
party to sell you software that wouldn't compromise the OS or your other
products. Or, you allowed somebody access to APF libraries who you should
not have allowed. Those are indefensible actions. There isn't any way to
make z/OS more secure than it is, but you will make it less secure if you
want to keep disguising where the real problems are. The bottom line is
people and policy. If you don't take responsibility for your own shop, why
would you expect anyone else to do so?

It's your responsibility as a sysprog to ask about these issues before
installing software and document them so the right parties can be held
accountable. Vendor software should not be written based on PC or SVCs that
escalate authority for unauthorized callers. Vendors should be sued for
damages if your system is exploited because of reckless or irresponsible
practices in the code they sold you. If your manager forces you to install
a product you know has holes, email him and keep a copy of the email. He
will wind up on the bread line and you'll still have a job.
Ray Overby
2010-06-08 21:30:01 UTC
Permalink
- From an installation's point of view all code that runs in system
key (0-7), supervisor state, or has the ability to do so:

- Should be considered part of the operating system (system
extensions if you like).
- Has the ability to circumvent the installation implemented
security (independent of the ESM).
- Should be corrected if an integrity exposure exists in the code.

The Vendor does not matter. A single integrity exposure from a single
vendor compromises your entire z/OS system regardless of whether you
think z/OS is secure or not. It also does not matter if you think the
ISV authorized code is part of z/OS or not. The reality is authorized
ISV code has the ability to modify the environment just like "real"
authorized z/OS code from IBM.

As it turns out z/OS does have integrity exposures. Given that IBM is
the largest producer of authorized code for z/OS this should not be a
surprise. IBM has a statement of integrity. This is the basis for z/OS
to be a secure operating system. Any code you install on top of z/OS
should also have an integrity statement. However, the IBM statement of
integrity does not say that z/OS does not have any integrity exposures,
just that IBM will fix them when found. There are examples of integrity
exposures in IBM z/OS (the SMPE one for instance). It is also true that
ISVs also have integrity exposures. Probably in a larger proportion
than IBM does if you look at it statistically (number of modules to
number of integrity exposures). The bottom line is all integrity
exposures regardless of source (vendor) need to be fixed if you are to
have a secure z/OS.
Post by Howard Brazee
On Tue, 8 Jun 2010 22:12:29 +0200 (CEST), starwars
Post by starwars
Holes in 3rd party products do not equal holes in z/OS. Get the vendor to
fix his mess.
I don't know if this is necessarily true.
Andy Wood
2010-06-08 23:21:26 UTC
Permalink
On Tue, 8 Jun 2010 17:36:03 -0400, Pinnacle
<***@ROCHESTER.RR.COM> wrote:

. . .
Post by Pinnacle
Barry,
It would be nice if someone actually documented a hole, instead of all the
urban legends we hear. Outside the magic SVC, or a trusted person planting
malware in an APF library, I don't know of any "holes". Please share.
I'm with Barry on this one.

For about twenty years my day job (or at least part of it) was to seek out
such exposures. I found dozens of problems in products from just about any
vendor you care to name, and yes, that includes IBM. What do I mean
by 'problem'? Well, in just about every case I was able to write a small
demonstration program which could get control in supervisor state.

Some of the vendors were extremely apathetic when it came to fixing such
problems. Often it took them two, three, or more attempts to get it right. A
certain well known vendor took five years to fix an issue.

A problem in another very popular product was uncorrected three vendors
(think takeovers) and eleven years later. I moved on so I don't know if it ever
got fixed - I suspect not.

Things have improved, but only very slowly. I first became aware of the user
key CSA issue about thirty years ago (!). User key CSA problems have only
really gone away in the last few years when IBM took the trouble to show
their disapproval.

As for magic SVCs, they obviously still exist, as a recent thread here proved.
More of a worry is the SVC which the author thinks is 100% safe, when it is
anything but. I'll bet that the old SPFCOPY SVC, or something derived from it,
is still out there on many systems. Those SVCs usually have as many holes as
a piece of fine emmentaler.

B***@cs.com
2010-06-09 12:28:50 UTC
Permalink
Thanks Andy,

I think Ray Overby is slightly torn between getting enough MVS people to
recognize that there is a problem and not wanting to disclose enough
information to allow penetration of the z/OS systems. He has chosen to keep
vulnerabilities secret, between him, his clients and the vendors. But, each
of our systems is different and we must all take steps to assure that we
know what exposures are on our systems and take steps to remediate them.
And, as you pointed out, some vendors do not move very quickly to fix their
exposures and the more of our installations that make demands, the faster
the vulnerability will get fixed. Remember that vulnerabilities found can
be exploited in an identical manner on other, similarly configured, z/OS
systems.

One thing that Ray and I have discussed is, as part of his Vulnerability
Analysis Tool product license to include a Vulnerability Notification
Network. Each licensee will register the products they are using on their
z/OS systems with Key Resources. When a vulnerability is found in one of
these products, Key Resources will notify the licensee that there is a
vulnerability, with reference number xxx, on a product at a specific release
level, if that is known. Then the licensee can contact the vendor which
will put more pressure on the vendor to fix the problem sooner and also get
a remediation in place to patch the vulnerability.

Barry
Ed Gould
2010-06-11 05:08:45 UTC
Permalink
________________________________
From: Andy Wood <***@OZEMAIL.COM.AU>
To: IBM-***@bama.ua.edu
Sent: Tue, June 8, 2010 6:20:57 PM
Subject: Re: Personal use z/OS machines was Re: Multiprise 3k for personal Use?

On Tue, 8 Jun 2010 17:36:03 -0400, Pinnacle
<***@ROCHESTER.RR.COM> wrote:

. . .
Post by Pinnacle
Barry,
It would be nice if someone actually documented a hole, instead of all the
urban legends we hear. Outside the magic SVC, or a trusted person planting
malware in an APF library, I don't know of any "holes". Please share.
Andy:

Unfortunately the person who found quite a few holes moved on and would not reveal what he found and how he found them.
I just know that he managed to find a lot of them. Now what is a lot? He admitted finding 5 but again would not give anyone hints at what they were. I can attest (by looking at dumps and the logrec entries and even some stand-alone dumps) that he found some, as whenever he logged on the system we started seeing a lot more dumps with some really strange reason codes (and no reported issues from other IBM users). I can also say that he regularly was able to alter memory in any address space in the system. I could not prove it, but dumps and some other evidence told me he was doing things that MVS should have stopped, but he was able to get into any state/key whatever he wanted. Once he got his code working it was hard to prove he had done something he was not supposed to. And just to reiterate that he did *NOT* have a special SVC or secret mod that allowed him to do so. We had pretty tight control over the OS and a few times we created a truly fresh system from IBM and it did not make a bit of difference.

Bypassing RACF was his early on attempt and it took him maybe about 3 days to get around RACF. We attempted to stop him but the politics of the time would let it happen. (This was almost at the board level - maybe one step below).
It was frustrating trying to fix issues as it was (most of the time) difficult to figure out if it was an IBM issue or him playing around. When IBM got a dump he would look at it and if it looked strange and did not make any sense he would mark it as "user" and would toss it away. I know (because I was a party to some of the discussions between IBM and my upper management) that they were as frustrated as he was, as the politics involved were really rough. BTW the IBM person was excellent and he was not the type to not label something that was not an IBM issue as a user issue. He was exceedingly honest and after looking at the dumps before he got a hold of them several of us who previewed the dumps before we handed them over to IBM, some of them were just weird and could not be explained except someone was mucking around where they were not supposed to be.

Ed




Paul Gilmartin
2010-06-09 13:38:50 UTC
Permalink
I wonder if anyone was able to exploit SMP/E to run arbitrary code in a
privileged state?
You're cruel.

Integrity exposures, like pregnancy, are pretty much devoid of
degree. If a program gets in KEY 0, it can modify system control
blocks. If it gets in Supervisor state, it can LPSW to KEY 0.
If it has AC=1, it can MODESET. If it can update APF libraries,
it can ...

And IBM considers the SMP/E problem fixed merely because they told
customers, "Don't do that!" Even though they haven't told us
what to not do.

-- gil

Clark Morris
2010-06-10 01:27:51 UTC
Permalink
Post by Paul Gilmartin
I wonder if anyone was able to exploit SMP/E to run arbitrary code in a
privileged state?
You're cruel.
Integrity exposures, like pregnancy, are pretty much devoid of
degree. If a program gets in KEY 0, it can modify system control
blocks. If it gets in Supervisor state, it can LPSW to KEY 0.
If it has AC=1, it can MODESET. If it can update APF libraries,
it can ...
And IBM considers the SMP/E problem fixed merely because they told
customers, "Don't do that!" Even though they haven't told us
what to not do.
-- gil
It gets even better. If the goal is to invade a system for profit,
knowing the vulnerabilities in Websphere may be sufficient. It isn't
RACF directly that is preventing me from getting into someone else's
account when I log in to my bank which I believe is on z/OS. The
advantage of having your own machine to try out hacking is that you
don't alert someone else as to what you are doing. Figuring out the
vulnerability in SMP/E in and of itself may not be that useful if you
confine yourself to SMP/E because getting that far requires a valid
logon to TSO. Figuring out where else similar vulnerabilities might
exist from understanding that vulnerability could be profitable. If
REXX or JAVA can be executed through a web entry (Websphere, another
web server, etc.) then all sorts of interesting things might happen.
In short, the advantage of having your own system to explore
vulnerabilities is that you don't get anyone's security people aroused
when you probe.

Clark Morris
