From: black.hole.4.spam{at}gmail.com (Don Hills)

In article , "Geo"
 wrote:
>
>Hold it. If you are trying to convince me that a mainframe can't be rooted
>by a user initiated virus you are nuts. Mainframes are just as exposed as
>any PC. In fact if the PC never existed and everyone was using dumb
>terminals today to access the internet and run video and such, the virus
>problem would be just as serious as it is today.

Nope, John is right. For example, IBM's Z/OS is secure. Period. If you
consider Z/OS security to equal that of Fort Knox, then the current state
of the art in PC security is equal to the petty cash tin in the office
drawer. That's no exaggeration. But don't take my word for it, here's an
overview: http://www.research.ibm.com/journal/sj/403/guski.html

As the authors point out, there's a huge amount of documentation freely
available if you want to explore any of the aspects in more detail, right
down to the architecture and instruction sets of the processors. You
certainly can't accuse IBM of security by obscurity.

At its most basic level, consider being given an instance (LPAR, similar in
concept to a VM in x86 land) on a zSeries processor. You can run anything
that'll run on a zSeries, such as Z/OS or Linux, or even write directly in
assembler. To you, it appears as if you have a full zSeries processor and
all its services and I/O devices available to you (those your instance has
been given permissions to, anyway.) But no matter what you do, you will be
unable to affect any other instances on that processor or Z/OS itself.
That's no idle boast. Take a look at the levels of security certification
achieved by zSeries and Z/OS. Each instance is considered to be as secure
as a separate physically isolated system.

Actually, we might be talking at cross purposes here. When you say
"mainframe", people such as John and I think of the whole system
- the hardware and the OS and everything running under it. If by
"mainframe" you mean your own instance as described above, then
you're only as secure as you make yourself. For example, you can probably
run an unpatched Apache server in your own instance and be rooted (assuming
the exploit is written in zSeries code rather than x86), but it's only your
instance that's affected. All of the OS supplied stuff such as the TCP/IP
services are already secure, so anything bad that happens in your instance
is all your fault. If you use middleware such as Websphere that was
designed with the zSeries security model in mind, you have even less to
worry about.

--
Don Hills    (dmhills at attglobaldotnet)     Wellington, New Zealand
"New interface closely resembles Presentation Manager,
 preparing you for the wonders of OS/2!"
    -- Advertisement on the box for Microsoft Windows 2.11 for 286

--- BBBS/NT v4.01 Flag-5