The 94% moon in the white, southerly sky.
It's still 🌡️30°C at 19:00💦
Stay cool at night!
#イマソラ #月 #moon #sky #photography
Was stimmt nicht mit den Menschen?
POL-BN: #Troisdorf: Rettungssanitäter bei körperlicher Auseinandersetzung schwer verletzt - Polizei #Bonn übernimmt Ermittlungen und sucht Zeugen
presseportal.de/blaulicht/pm/7…
> Troisdorf (ots) - Ein 40-jähriger Rettungssanitäter ist bei einer körperlichen Auseinandersetzung am vergangenen Samstag (05.07.2025) in Troisdorf schwer verletzt worden. In...
🔥 80 euro sul tuo conto? Scopri se li hai già! Novità sulla #CartaAcquisti luglio 2025 🚨 Scoprilo subito su ORA ULTIMA: oraultima.com/carta-acquisti-2…
#8luglio #OraUltima #mastodon #news #business #finance #economy #italy #italia #notizie
Carta Acquisti 2025: Bonus 80 euro, Ultima Ora | Ora Ultima
Carta Acquisti 2025: scopri i dettagli sui prossimi pagamenti e le condizioni per accedervi. Notizie Ultima Ora FinanzaRedazione (Ora Ultima)
Column | After Camp Mystic, what parents can ask camps about extreme weather prep
https://www.washingtonpost.com/climate-environment/2025/07/08/summer-camp-flooding-heat-fire/?utm_source=flipboard&utm_medium=activitypub
Posted into Lifestyle @lifestyle-WashPost
Nature is amazing. On Exoplanet 45346 the Spatio Vine formed into a space elevator. I mean, it’s not technically an elevator, because there are no elevators, but it grows on the planet surface and one single huge strong vine grows up and out into space (Jack and the Beanstalk!!) and once there grows a huge heavy knob of weight so that it stays in orbit. It defies logic, and makes no sense, but it is real.
1/2
#scifi #exoplanet #nature #macro
reshared this
Simple Wikiclaudia: Chrome extension that finds a simple.wikipedia.org version of any wiki article. If one exists, click to open it; otherwise, it uses Claude or ChatGPT to simplify it.
Simple Wikiclaudia
Have you ever been reading a Wikipedia article and tapped out because it's just too dense and difficult to read? Simple English Wikipedia exists to help make articles easier to read and understand.Matt Sayar
Simple Wikiclaudia: Chrome extension that finds a simple.wikipedia.org version of any wiki article. If one exists, click to open it; otherwise, it uses Claude or ChatGPT to simplify it.
Simple Wikiclaudia
Have you ever been reading a Wikipedia article and tapped out because it's just too dense and difficult to read? Simple English Wikipedia exists to help make articles easier to read and understand.Matt Sayar
This is a rather beautiful bit of sculptutal work over the main entrance to John Burnet Senior's Venetian Renaissnace style former Clydesdale Bank headquarters on St Vincent Place in Glasgow. The central head is a representation of Father Clyde, and was sculpted by Charles Grassby.
#glasgow #sculpture #architecture #architecturephotography #stvincentplace #fatherclyde
like this
Henderson Land Seeks $1 Billion From Convertible Bonds
https://www.bloomberg.com/news/articles/2025-07-08/henderson-land-seeks-1-billion-from-convertible-bonds?utm_source=flipboard&utm_medium=activitypub
Posted into Bloomberg Asia @bloomberg-asia-bloomberg
Trump Seeks an Elusive Peace Dividend in Gaza
https://www.bloomberg.com/news/newsletters/2025-07-08/us-president-donald-trump-seeks-an-elusive-peace-dividend-in-gaza?utm_source=flipboard&utm_medium=activitypub
Posted into Bloomberg Asia @bloomberg-asia-bloomberg
Arrivano in Italia le case trasparenti, piene di luce e viste mozzafiato
https://www.esquire.com/it/lifestyle/viaggi/a64688964/arrivano-le-case-completamente-trasparenti/?utm_source=flipboard&utm_medium=activitypub
Pubblicato su Lifestyle @lifestyle-Esquireitalia2
Arrivano in Italia le case trasparenti, piene di luce e viste mozzafiato
No, non parliamo di grandi vetrate, ma di case 100% trasparenti.Benedetta Pellegrini (Esquire)
Could a Commanders stadium delay impact D.C.’s women’s World Cup bid?
https://www.washingtonpost.com/sports/2025/07/08/dc-football-stadium-rfk-womens-world-cup/?utm_source=flipboard&utm_medium=activitypub
Posted into Sports @sports-WashPost
Garlic Scapes
I might try printing this on Japanese Washi paper. I've got two on-washi-paper prints in a drawer at the gallery in White River Junction Vermont (not sure anyone looks in that drawer).
#johnlehetphoto #garden #blackandwhite #bokeh #vintagelens
Oblomov reshared this.
#TIL Es gibt in Deutschland ein Verzeichnis, in dem man nachsehen kann, ob eine Organisation (z.B. ein Verein) gemeinnützig ist: zer.bzst.de
Das kann man sogar komplett für ein Bundesland herunterladen. 😃
Smartphone security tip of the week: Your backups are encrypted
If you have the option, you should definitely encrypt your backups to protect them from unauthorized access.
Read more about this topic: smartphone-dont-spy.de/en/list…
#smartphone #privacy #security
Your backups are encrypted
If you have the option, you should definitely encrypt your backups to protect them from unauthorized access.The Android app Neo Backup supports encryption out of the box.Smartphone, don't spy! - A checklist for your mobile security
FEX 2507 Brings New Optimizations & Gets Some Ubisoft Games Running
FEX 2507 is now available for this open-source emulator that allows running x86/x86_64 games and applications atop 64-bit ARM Linux devices whether they be AArch64 servers or ARM64 single board computers and other devices...
phoronix.com/news/FEX-2507
planetary.s3.amazonaws.com/ass…
Arizona Brings a Huge Grid Battery Online Ahead of Peak Demand - Slashdot
Arizona has activated one of its largest grid battery storage projects to help meet peak summer energy demand.hardware.slashdot.org
My world in 1 photo
.
.
.
.
#betergejatdanslechtbedacht #art #artvisual #photooftheday #moeitewaard #impressive #streetphotography #visuals #artoflight #artinstallation #performance #myworldinonephoto #video #videooftheday #short #interesting #youbringonthesun #youmakeitshine #leeuwarden #photography #gabekamphuis #visualstoryteller #photovisionary
🇩🇪 Ich wünsche euch allen einen schönen Tag und wenn es euch noch niemand gesagt hat: "Ihr seid großartig! ❤️"
🇬🇧 I wish you all a wonderful day and if no one has told you yet: "You are amazing! ❤️"
play.google.com/store/apps/det…
Edit: Ein Konto ist da aber tatsächlich ne gute Idee. Ohne benutzt der glaube ich nur ein sehr schwaches Modell und erlaubt glaube ich auch keine Bilduploads, vmtl. damit Fremde nicht deren Server mit Kacke fluten.
Ist eine europäische Firma, daher nutze ich wenn überhaupt eher die.
Le Chat by Mistral AI – Apps bei Google Play
Dein KI-Assistent. Finde Antworten, erstelle Bilder und lies Nachrichten.play.google.com
reshared this
reshared this
Mocho-de-orelhas-de-sokoke (Otus ireneae), Quénia.
Sokoke Scops-Owl (Otus ireneae). Kenya.
By Tadeusz Rosinski.
How to make your old Nintendo Switch games feel new again on Switch 2
Here’s a breakdown of how original Switch titles work on Switch 2, explaining everything from free Switch 2 updates to inbuilt backwards compatibility and the paid Switch 2 Edition upgradesTom Regan (The Guardian)
@motori
🚗 🚗 🚗
La nuova BMW X5 2027 unisce design Neue Klasse, motorizzazioni benzina ed elettriche, e tecnologia eDrive per un futuro SUV premium.
motori.it/bmw-x5-2027-il-futur…
#motori #auto
Motori - Gruppo Forum reshared this.
Good morning from sunny Gwent.
Our garden is filled with inquisitive birds, hoverflies, and bright flowers that illuminate the dark places.
We are well into daylily season now, and there are plenty of buds to open up and dazzle over the weeks to come.
This beauty is called Flying Trapeze and was bred and introduced by Moldovan.
L'altra sera al concerto Ginevra de Marco ha intonato anche il canto dei sanfedisti dei NCCP. 
A lu suonə de grancasciə
viva lu populə basciə.
A lu suonə de tamburriellə
so' risurtə li puveriell'.
A lu suonə de campanə
viva viva li pupulanə.
A lu suonə de viulinə
morte alli giacubbinə.
Canto dei sanfedisti - Ginevra de Marco.
È una tammurriata bellissima e i Borboni sono belli che andati da tempo, sei serio? Boh
internetarchive.eu/protecting-…
> The shift from owning physical materials to licensing digital content has created an unprecedented crisis. License agreements routinely prohibit preservation activities that were once standard practice. Materials that exist only in digital formats often remain locked behind commercial platforms...
> This is not merely a technical problem, it is a fundamental threat to the democratic principle that knowledge should be accessible to all...
More: ourfuturememory.org/
Protecting the Past to Power the Future: Internet Archive Europe Launches the Our Future Memory Campaign - Internet Archive Europe
Today marks a defining moment in the fight for digital rights in cultural heritage. From the shores of Lake Geneva, where minds have long gathered to shape the future of knowledge, Internet Archive Europe proudly announces the launch of Our Future Me…Beatrice Murch (Internet Archive Europe)
reshared this
@edsu Copyright-washing is not really a concern. #Wikidata exists partly to take the copyright-ineligible elements out of our CC BY-SA works, and turn them into a CC-0 database. (Yes, this was controversial with some.) I doubt LLMs help with this, but if they did that would be nice.
Policy-wise we tend to agree with Communia, cf. communia-association.org/2025/…
Recent drama included the bots policy (diff.wikimedia.org/2025/04/01/… lists.wikimedia.org/hyperkitty… ) and uncreative genAI uses (404media.co/wikipedia-pauses-a… )
A first look into the JURI draft report on copyright and AI
Last week saw the first draft of the long-anticipated own-initiative report on copyright and generative artificial intelligence authored by Axel Voss for the JURI Committee (download as a PDF file).Leander Nielbock (COMMUNIA Association)
Wikipedia Pauses AI-Generated Summaries After Editor Backlash
The Wikimedia Foundation, the nonprofit organization which hosts and develops Wikipedia, has paused an experiment that showed users AI-generated summaries at the top of articles after an overwhelmingly negative reaction from the Wikipedia editors community.“Just because Google has rolled out its AI summaries doesn't mean we need to one-up them, I sincerely beg you not to test this, on mobile or anywhere else,” one editor said in response to Wikimedia Foundation’s announcement that it will launch a two-week trial of the summaries on the mobile version of Wikipedia. “This would do immediate and irreversible harm to our readers and to our reputation as a decently trustworthy and serious source. Wikipedia has in some ways become a byword for sober boringness, which is excellent. Let's not insult our readers' intelligence and join the stampede to roll out flashy AI summaries. Which is what these are, although here the word ‘machine-generated’ is used instead.”
Two other editors simply commented, “Yuck.”
For years, Wikipedia has been one of the most valuable repositories of information in the world, and a laudable model for community-based, democratic internet platform governance. Its importance has only grown in the last couple of years during the generative AI boom as it’s one of the only internet platforms that has not been significantly degraded by the flood of AI-generated slop and misinformation. As opposed to Google, which since embracing generative AI has instructed its users to eat glue, Wikipedia’s community has kept its articles relatively high quality. As I recently reported last year, editors are actively working to filter out bad, AI-generated content from Wikipedia.
A page detailing the the AI-generated summaries project, called “Simple Article Summaries,” explains that it was proposed after a discussion at Wikimedia’s 2024 conference, Wikimania, where “Wikimedians discussed ways that AI/machine-generated remixing of the already created content can be used to make Wikipedia more accessible and easier to learn from.” Editors who participated in the discussion thought that these summaries could improve the learning experience on Wikipedia, where some article summaries can be quite dense and filled with technical jargon, but that AI features needed to be cleared labeled as such and that users needed an easy to way to flag issues with “machine-generated/remixed content once it was published or generated automatically.”
In one experiment where summaries were enabled for users who have the Wikipedia browser extension installed, the generated summary showed up at the top of the article, which users had to click to expand and read. That summary was also flagged with a yellow “unverified” label.
An example of what the AI-generated summary looked like.
Wikimedia announced that it was going to run the generated summaries experiment on June 2, and was immediately met with dozens of replies from editors who said “very bad idea,” “strongest possible oppose,” Absolutely not,” etc.“Yes, human editors can introduce reliability and NPOV [neutral point-of-view] issues. But as a collective mass, it evens out into a beautiful corpus,” one editor said. “With Simple Article Summaries, you propose giving one singular editor with known reliability and NPOV issues a platform at the very top of any given article, whilst giving zero editorial control to others. It reinforces the idea that Wikipedia cannot be relied on, destroying a decade of policy work. It reinforces the belief that unsourced, charged content can be added, because this platforms it. I don't think I would feel comfortable contributing to an encyclopedia like this. No other community has mastered collaboration to such a wondrous extent, and this would throw that away.”
A day later, Wikimedia announced that it would pause the launch of the experiment, but indicated that it’s still interested in AI-generated summaries.
“The Wikimedia Foundation has been exploring ways to make Wikipedia and other Wikimedia projects more accessible to readers globally,” a Wikimedia Foundation spokesperson told me in an email. “This two-week, opt-in experiment was focused on making complex Wikipedia articles more accessible to people with different reading levels. For the purposes of this experiment, the summaries were generated by an open-weight Aya model by Cohere. It was meant to gauge interest in a feature like this, and to help us think about the right kind of community moderation systems to ensure humans remain central to deciding what information is shown on Wikipedia.”
“It is common to receive a variety of feedback from volunteers, and we incorporate it in our decisions, and sometimes change course,” the Wikimedia Foundation spokesperson added. “We welcome such thoughtful feedback — this is what continues to make Wikipedia a truly collaborative platform of human knowledge.”
“Reading through the comments, it’s clear we could have done a better job introducing this idea and opening up the conversation here on VPT back in March,” a Wikimedia Foundation project manager said. VPT, or “village pump technical,” is where The Wikimedia Foundation and the community discuss technical aspects of the platform. “As internet usage changes over time, we are trying to discover new ways to help new generations learn from Wikipedia to sustain our movement into the future. In consequence, we need to figure out how we can experiment in safe ways that are appropriate for readers and the Wikimedia community. Looking back, we realize the next step with this message should have been to provide more of that context for you all and to make the space for folks to engage further.”
The project manager also said that “Bringing generative AI into the Wikipedia reading experience is a serious set of decisions, with important implications, and we intend to treat it as such, and that “We do not have any plans for bringing a summary feature to the wikis without editor involvement. An editor moderation workflow is required under any circumstances, both for this idea, as well as any future idea around AI summarized or adapted content.”
The Editors Protecting Wikipedia from AI Hoaxes
WikiProject AI Cleanup is protecting Wikipedia from the same kind of misleading AI-generated information that has plagued the rest of the internet.Emanuel Maiberg (404 Media)
Nomic AI’s NOMAD Projection uses Enterprise Datasets to Visually Map Multilingual Wikipedia
Nomic AI’s NOMAD Projection research visualizes multilingual Wikipedia, leveraging Wikimedia Enterprise datasets for powerful AI insights.Chuck Reynolds (Wikimedia Enterprise)
Attrition By Inches: Russia’s Multi-Front Push Reshaping The Battlefield
DEAR FRIENDS. IF YOU LIKE THIS TYPE OF CONTENT, SUPPORT SOUTHFRONT WORK :Odysee
GNOME 49 Alpha Is Now Available for Public Testing, Disables X11 Session by Default - 9to5Linux
GNOME 49 Alpha desktop environment is now available for public testing with support for the X11 (GNOME on Xorg) session disabled by default.Marius Nestor (9to5Linux)
Approach to mainframe penetration testing on z/OS. Deep dive into RACF
In our previous article we dissected penetration testing techniques for IBM z/OS mainframes protected by the Resource Access Control Facility (RACF) security package. In this second part of our research, we delve deeper into RACF by examining its decision-making logic, database structure, and the interactions between the various entities in this subsystem. To facilitate offline analysis of the RACF database, we have developed our own utility, racfudit, which we will use to perform possible checks and evaluate RACF configuration security. As part of this research, we also outline the relationships between RACF entities (users, resources, and data sets) to identify potential privilege escalation paths for z/OS users.
This material is provided solely for educational purposes and is intended to assist professionals conducting authorized penetration tests.
RACF internal architecture
Overall role
z/OS access control diagram
To thoroughly analyze RACF, let’s recall its role and the functions of its components within the overall z/OS architecture. As illustrated in the diagram above, RACF can generally be divided into a service component and a database. Other components exist too, such as utilities for RACF administration and management, or the RACF Auditing and Reporting solution responsible for event logging and reporting. However, for a general understanding of the process, we believe these components are not strictly necessary. The RACF database stores information about z/OS users and the resources for which access control is configured. Based on this data, the RACF service component performs all necessary security checks when requested by other z/OS components and subsystems. RACF typically interacts with other subsystems through the System Authorization Facility (SAF) interface. Various z/OS components use SAF to authorize a user’s access to resources or to execute a user-requested operation. It is worth noting that while this paper focuses on the operating principle of RACF as the standard security package, other security packages like ACF2 or Top Secret can also be used in z/OS.
Let’s consider an example of user authorization within the Time Sharing Option (TSO) subsystem, the z/OS equivalent of a command line interface. We use an x3270 terminal emulator to connect to the mainframe. After successful user authentication in z/OS, the TSO subsystem uses SAF to query the RACF security package, checking that the user has permission to access the TSO resource manager. The RACF service queries the database for user information, which is stored in a user profile. If the database contains a record of the required access permissions, the user is authorized, and information from the user profile is placed into the address space of the new TSO session within the ACEE (Accessor Environment Element) control block. For subsequent attempts to access other z/OS resources within that TSO session, RACF uses the information in ACEE to make the decision on granting user access. SAF reads data from ACEE and transmits it to the RACF service. RACF makes the decision to grant or deny access, based on information in the relevant profile of the requested resource stored in the database. This decision is then sent back to SAF, which processes the user request accordingly. The process of querying RACF repeats for any further attempts by the user to access other resources or execute commands within the TSO session.
Thus, RACF handles identification, authentication, and authorization of users, as well as granting privileges within z/OS.
RACF database components
As discussed above, access decisions for resources within z/OS are made based on information stored in the RACF database. This data is kept in the form of records, or as RACF terminology puts it, profiles. These contain details about specific z/OS objects. While the RACF database can hold various profile types, four main types are especially important for security analysis:
- User profile holds user-specific information such as logins, password hashes, special attributes, and the groups the user belongs to.
- Group profile contains information about a group, including its members, owner, special attributes, list of subgroups, and the access permissions of group members for that group.
- Data set profile stores details about a data set, including access permissions, attributes, and auditing policy.
- General resource profile provides information about a resource or resource class, such as resource holders, their permissions regarding the resource, audit policy, and the resource owner.
The RACF database contains numerous instances of these profiles. Together, they form a complex structure of relationships between objects and subjects within z/OS, which serves as the basis for access decisions.
Logical structure of RACF database profiles
Each profile is composed of one or more segments. Different profile types utilize different segment types.
For example, a user profile instance may contain the following segments:
- BASE: core user information in RACF (mandatory segment);
- TSO: user TSO-session parameters;
- OMVS: user session parameters within the z/OS UNIX subsystem;
- KERB: data related to the z/OS Network Authentication Service, essential for Kerberos protocol operations;
- and others.
User profile segments
Different segment types are distinguished by the set of fields they store. For instance, the BASE segment of a user profile contains the following fields:
- PASSWORD: the user’s password hash;
- PHRASE: the user’s password phrase hash;
- LOGIN: the user’s login;
- OWNER: the owner of the user profile;
- AUTHDATE: the date of the user profile creation in the RACF database;
- and others.
The PASSWORD and PHRASE fields are particularly interesting for security analysis, and we will dive deeper into these later.
RACF database structure
It is worth noting that the RACF database is stored as a specialized data set with a specific format. Grasping this format is very helpful when analyzing the DB and mapping the relationships between z/OS objects and subjects.
As discussed in our previous article, a data set is the mainframe equivalent of a file, composed of a series of blocks.
RACF DB structure
The image above illustrates the RACF database structure, detailing the data blocks and their offsets. From the RACF DB analysis perspective, and when subsequently determining the relationships between z/OS objects and subjects, the most critical blocks include:
- The header block, or inventory control block (ICB), which contains various metadata and pointers to all other data blocks within the RACF database. By reading the ICB, you gain access to the rest of the data blocks.
- Index blocks, which form a singly linked list that contains pointers to all profiles and their segments in the RACF database – that is, to the information about all users, groups, data sets, and resources.
- Templates: a crucial data block containing templates for all profile types (user, group, data set, and general resource profiles). The templates list fields and specify their format for every possible segment type within the corresponding profile type.
Upon dissecting the RACF database structure, we identified the need for a utility capable of extracting all relevant profile information from the DB, regardless of its version. This utility would also need to save the extracted data in a convenient format for offline analysis. Performing this type of analysis provides a comprehensive picture of the relationships between all objects and subjects for a specific z/OS installation, helping uncover potential security vulnerabilities that could lead to privilege escalation or lateral movement.
Utilities for RACF DB analysis
At the previous stage, we defined the following functional requirements for an RACF DB analysis utility:
- The ability to analyze RACF profiles offline without needing to run commands on the mainframe
- The ability to extract exhaustive information about RACF profiles stored in the DB
- Compatibility with various RACF DB versions
- Intuitive navigation of the extracted data and the option to present it in various formats: plaintext, JSON, SQL, etc.
Overview of existing RACF DB analysis solutions
We started by analyzing off-the-shelf tools and evaluating their potential for our specific needs:
- Racf2john extracts user password hashes (from the PASSWORD field) encrypted with the DES and KDFAES algorithms from the RACF database. While this was a decent starting point, we needed more than just the PASSWORD field; specifically, we also needed to retrieve content from other profile fields like PHRASE.
- Racf2sql takes an RACF DB dump as input and converts it into an SQLite database, which can then be queried with SQL. This is convenient, but the conversion process risks losing data critical for z/OS security assessment and identifying misconfigurations. Furthermore, the tool requires a database dump generated by the z/OS IRRDBU00 utility (part of the RACF security package) rather than the raw database itself.
- IRRXUTIL allows querying the RACF DB to extract information. It is also part of the RACF security package. It can be conveniently used with a set of scripts written in REXX (an interpreted language used in z/OS). However, these scripts demand elevated privileges (access to one or more IRR.RADMIN.** resources in the FACILITY resource class) and must be executed directly on the mainframe, which is unsuitable for the task at hand.
- Racf_debug_cleanup.c directly analyzes a RACF DB from a data set copy. A significant drawback is that it only parses BASE segments and outputs results in plaintext.
As you can see, existing tools don’t satisfy our needs. Some utilities require direct execution on the mainframe. Others operate on a data set copy and extract incomplete information from the DB. Moreover, they rely on hardcoded offsets and signatures within profile segments, which can vary across RACF versions. Therefore, we decided to develop our own utility for RACF database analysis.
Introducing racfudit
We have written our own platform-independent utility racfudit in Golang and tested it across various z/OS versions (1.13, 2.02, and 3.1). Below, we delve into the operating principles, capabilities and advantages of our new tool.
Extracting data from the RACF DB
To analyze RACF DB information offline, we first needed a way to extract structured data. We developed a two-stage approach for this:
- The first stage involves analyzing the templates stored within the RACF DB. Each template describes a specific profile type, its constituent segments, and the fields within those segments, including their type and size. This allows us to obtain an up-to-date list of profile types, their segments, and associated fields, regardless of the RACF version.
- In the second stage, we traverse all index blocks to extract every profile with its content from the RACF DB. These collected profiles are then processed and parsed using the templates obtained in the first stage.
The first stage is crucial because RACF DB profiles are stored as unstructured byte arrays. The templates are what define how each specific profile (byte array) is processed based on its type.
Thus, we defined the following algorithm to extract structured data.
Extracting data from the RACF DB using templates
- We offload the RACF DB from the mainframe and read its header block (ICB) to determine the location of the templates.
- Based on the template for each profile type, we define an algorithm for structuring specific profile instances according to their type.
- We use the content of the header block to locate the index blocks, which store pointers to all profile instances.
- We read all profile instances and their segments sequentially from the list of index blocks.
- For each profile instance and its segments we read, we apply the processing algorithm based on the corresponding template.
- All processed profile instances are saved in an intermediate state, allowing for future storage in various formats, such as plaintext or SQLite.
The advantage of this approach is its version independence. Even if templates and index blocks change their structure across RACF versions, our utility will not lose data because it dynamically determines the structure of each profile type based on the relevant template.
Analyzing extracted RACF DB information
Our racfudit utility can present collected RACF DB information as an SQLite database or a plaintext file.
RACF DB information as an SQLite DB (top) and text data (bottom)
Using SQLite, you can execute SQL queries to identify misconfigurations in RACF that could be exploited for privilege escalation, lateral movement, bypassing access controls, or other pentesting tactics. It is worth noting that the set of SQL queries used for processing information in SQLite can be adapted to validate current RACF settings against security standards and best practices. Let’s look at some specific examples of how to use the racfudit utility to uncover security issues.
Collecting password hashes
One of the primary goals in penetration testing is to get a list of administrators and a way to authorize using their credentials. This can be useful for maintaining persistence on the mainframe, moving laterally to other mainframes, or even pivoting to servers running different operating systems. Administrators are typically found in the SYS1 group and its subgroups. The example below shows a query to retrieve hashes of passwords (PASSWORD) and password phrases (PHRASE) for privileged users in the SYS1 group.
select ProfileName,PHRASE,PASSWORD,CONGRPNM from USER_BASE where CONGRPNM LIKE "%SYS1%";
Of course, to log in to the system, you need to crack these hashes to recover the actual passwords. We cover that in more detail below.
Searching for inadequate UACC control in data sets
The universal access authority (UACC) defines the default access permissions to the data set. This parameter specifies the level of access for all users who do not have specific access permissions configured. Insufficient control over UACC values can pose a significant risk if elevated access permissions (UPDATE or higher) are set for data sets containing sensitive data or for APF libraries, which could allow privilege escalation. The query below helps identify data sets with default ALTER access permissions, which allow users to read, delete and modify the data set.
select ProfileName, UNIVACS from DATASET_BASE where UNIVACS LIKE "1%";
The UACC field is not present only in data set profiles; it is also found in other profile types. Weak control in the configuration of this field can give a penetration tester access to resources.
RACF profile relationships
As mentioned earlier, various RACF entities have relationships. Some are explicitly defined; for example, a username might be listed in a group profile within its member field (USERID field). However, there are also implicit relationships. For instance, if a user group has UPDATE access to a specific data set, every member of that group implicitly has write access to that data set. This is a simple example of implicit relationships. Next, we delve into more complex and specific relationships within the RACF database that a penetration tester can exploit.
RACF profile fields
A deep dive into RACF internal architecture reveals that misconfigurations of access permissions and other attributes for various RACF entities can be difficult to detect and remediate in some scenarios. These seemingly minor errors can be critical, potentially leading to mainframe compromise. The explicit and implicit relationships within the RACF database collectively define the mainframe’s current security posture. As mentioned, each profile type in the RACF database has a unique set of fields and attributes that describe how profiles relate to one another. Based on these fields and attributes, we have compiled lists of key fields that help build and analyze relationship chains.
- SPECIAL: indicates that the user has privileges to execute any RACF command and grants them full control over all profiles in the RACF database.
- OPERATIONS: indicates whether the user has authorized access to all RACF-protected resources of the DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE, and VMRDR classes. While actions for users with this field specified are subject to certain restrictions, in a penetration testing context the OPERATIONS field often indicates full data set access.
- AUDITOR: indicates whether the user has permission to access audit information.
- AUTHOR: the creator of the user. It has certain privileges over the user, such as the ability to change their password.
- REVOKE: indicates whether the user can log in to the system.
- Password TYPE: specifies the hash type (DES or KDFAES) for passwords and password phrases. This field is not natively present in the user profile, but it can be created based on how different passwords and password phrases are stored.
- Group-SPECIAL: indicates whether the user has full control over all profiles within the scope defined by the group or groups field. This is a particularly interesting field that we explore in more detail below.
- Group-OPERATIONS: indicates whether the user has authorized access to all RACF-protected resources of the DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE and VMRDR classes within the scope defined by the group or groups field.
- Group-AUDITOR: indicates whether the user has permission to access audit information within the scope defined by the group or groups field.
- CLAUTH (class authority): allows the user to create profiles within the specified class or classes. This field enables delegation of management privileges for individual classes.
- GROUPIDS: contains a list of groups the user belongs to.
- UACC (universal access authority): defines the UACC value for new profiles created by the user.
Group profile fields
- UACC (universal access authority): defines the UACC value for new profiles that the user creates when connected to the group.
- OWNER: the creator of the group. The owner has specific privileges in relation to the current group and its subgroups.
- USERIDS: the list of users within the group. The order is essential.
- USERACS: the list of group members with their respective permissions for access to the group. The order is essential.
- SUPGROUP: the name of the superior group.
General resource and data set profile fields
- UACC (universal access authority): defines the default access permissions to the resource or data set.
- OWNER: the creator of the resource or data set, who holds certain privileges over it.
- WARNING: indicates whether the resource or data set is in WARNING mode.
- USERIDS: the list of user IDs associated with the resource or data set. The order is essential.
- USERACS: the list of users with access permissions to the resource or data set. The order is essential.
RACF profile relationship chains
The fields listed above demonstrate the presence of relationships between RACF profiles. We have decided to name these relationships similarly to those used in BloodHound, a popular tool for analyzing Active Directory misconfigurations. Below are some examples of these relationships – the list is not exhaustive.
- Owner: the subject owns the object.
- MemberOf: the subject is part of the object.
- AllowJoin: the subject has permission to add itself to the object.
- AllowConnect: the subject has permission to add another object to the specified object.
- AllowCreate: the subject has permission to create an instance of the object.
- AllowAlter: the subject has the ALTER privilege for the object.
- AllowUpdate: the subject has the UPDATE privilege for the object.
- AllowRead: the subject has the READ privilege for the object.
- CLAuthTo: the subject has permission to create instances of the object as defined in the CLAUTH field.
- GroupSpecial: the subject has full control over all profiles within the object’s scope of influence as defined in the group-SPECIAL field.
- GroupOperations: the subject has permissions to perform certain operations with the object as defined in the group-OPERATIONS field.
- ImpersonateTo: the subject grants the object the privilege to perform certain operations on the subject’s behalf.
- ResetPassword: the subject grants another object the privilege to reset the password or password phrase of the specified object.
- UnixAdmin: the subject grants superuser privileges to the object in z/OS UNIX.
- SetAPF: the subject grants another object the privilege to set the APF flag on the specified object.
These relationships serve as edges when constructing a graph of subject–object interconnections. Below are examples of potential relationships between specific profile types.
Examples of relationships between RACF profiles
Visualizing and analyzing these relationships helped us identify specific chains that describe potential RACF security issues, such as a path from a low-privileged user to a highly-privileged one. Before we delve into examples of these chains, let’s consider another interesting and peculiar feature of the relationships between RACF database entities.
Implicit RACF profile relationships
We have observed a fascinating characteristic of the group-SPECIAL, group-OPERATIONS, and group-AUDITOR fields within a user profile. If the user has any group specified in one of these fields, that group’s scope of influence extends the user’s own scope.
Scope of influence of a user with a group-SPECIAL field
For instance, consider USER1 with GROUP1 specified in the group-SPECIAL field. If GROUP1 owns GROUP2, and GROUP2 subsequently owns USER5, then USER1 gains privileges over USER5. This is not just about data access; USER1 essentially becomes the owner of USER5. A unique aspect of z/OS is that this level of access allows USER1 to, for example, change USER5’s password, even if USER5 holds privileged attributes like SPECIAL, OPERATIONS, ROAUDIT, AUDITOR, or PROTECTED.
Below is an SQL query, generated using the racfudit utility, that identifies all users and groups where the specified user possesses special attributes:
select ProfileName, CGGRPNM, CGUACC, CGFLAG2 from USER_BASE WHERE (CGFLAG2 LIKE '%10000000%');
Here is a query to find users whose owners (AUTHOR) are not the standard default administrators:
select ProfileName,AUTHOR from USER_BASE WHERE (AUTHOR NOT LIKE '%IBMUSER%' AND AUTHOR NOT LIKE 'SYS1%');
Let’s illustrate how user privileges can be escalated through these implicit profile relationships.
Privilege escalation via the group-SPECIAL field
In this scenario, the user TESTUSR has the group-SPECIAL field set to PASSADM. This group, PASSADM, owns the OPERATOR user. This means TESTUSR’s scope of influence expands to include PASSADM’s scope, thereby granting TESTUSR control over OPERATOR. Consequently, if TESTUSR’s credentials are compromised, the attacker gains access to the OPERATOR user. The OPERATOR user, in turn, has READ access to the IRR.PASSWORD.RESET resource, which allows them to assign a password to any user who does not possess privileged permissions.
Having elevated privileges in z/OS UNIX is often sufficient for compromising the mainframe. These can be acquired through several methods:
- Grant the user READ access to the BPX.SUPERUSER resource of the FACILITY class.
- Grant the user READ access to UNIXPRIV.SUPERUSER.* resources of the UNIXPRIV class.
- Set the UID field to 0 in the OMVS segment of the user profile.
For example, the DFSOPER user has READ access to the BPX.SUPERUSER resource, making them privileged in z/OS UNIX and, by extension, across the entire mainframe. However, DFSOPER does not have the explicit privileged fields SPECIAL, OPERATIONS, AUDITOR, ROAUDIT and PROTECTED set, meaning the OPERATOR user can change DFSOPER’s password. This allows us to define the following sequence of actions to achieve high privileges on the mainframe:
- Obtain and use TESTUSR’s credentials to log in.
- Change OPERATOR’s password and log in with those credentials.
- Change DFSOPER’s password and log in with those credentials.
- Access the z/OS UNIX Shell with elevated privileges.
We uncovered another implicit RACF profile relationship that enables user privilege escalation.
Privilege escalation from a chain of misconfigurations
In another example, the TESTUSR user has READ access to the OPERSMS.SUBMIT resource of the SURROGAT class. This implies that TESTUSR can create a task under the identity of OPERSMS using the ImpersonateTo relationship. OPERSMS is a member of the HFSADMIN group, which has READ access to the TESTAUTH resource of the TSOAUTH class. This resource indicates whether the user can run an application or library as APF-authorized – this requires only READ access. Therefore, if APF access is misconfigured, the OPERSMS user can escalate their current privileges to the highest possible level. This outlines a path from the low-privileged TESTUSR to obtaining maximum privileges on the mainframe.
At this stage, the racfudit utility allows identifying these connections only manually through a series of SQLite database queries. However, we are planning to add support for another output format, including Neo4j DBMS integration, to automatically visualize the interconnected chains described above.
Password hashes in RACF
To escalate privileges and gain mainframe access, we need the credentials of privileged users. We previously used our utility to extract their password hashes. Now, let’s dive into the password policy principles in z/OS and outline methods for recovering passwords from these collected hashes.
The primary password authentication methods in z/OS, based on RACF, are PASSWORD and PASSPHRASE. PASSWORD is a password composed by default of ASCII characters: uppercase English letters, numbers, and special characters (@#$). Its length is limited to 8 characters. PASSPHRASE, or a password phrase, has a more complex policy, allowing 14 to 100 ASCII characters, including lowercase or uppercase English letters, numbers, and an extended set of special characters (@#$&*{}[]()=,.;’+/). Hashes for both PASSWORD and PASSPHRASE are stored in the user profile within the BASE segment, in the PASSWORD and PHRASE fields, respectively. Two algorithms are used to derive their values: DES and KDFAES.
It is worth noting that we use the terms “password hash” and “password phrase hash” for clarity. When using the DES and KDFAES algorithms, user credentials are stored in the RACF database as encrypted text, not as a hash sum in its classical sense. Nevertheless, we will continue to use “password hash” and “password phrase hash” as is customary in IBM documentation.
Let’s discuss the operating principles and characteristics of the DES and KDFAES algorithms in more detail.
DES
When the DES algorithm is used, the computation of PASSWORD and PHRASE values stored in the RACF database involves classic DES encryption. Here, the plaintext data block is the username (padded to 8 characters if shorter), and the key is the password (also padded to 8 characters if shorter).
PASSWORD
The username is encrypted with the password as the key via the DES algorithm, and the 8-byte result is placed in the user profile’s PASSWORD field.
DES encryption of a password
Keep in mind that both the username and password are encoded with EBCDIC. For instance, the username USR1 would look like this in EBCDIC: e4e2d9f140404040. The byte 0x40 serves as padding for the plaintext to reach 8 bytes.
This password can be recovered quite fast, given the small keyspace and low computational complexity of DES. For example, a brute-force attack powered by a cluster of NVIDIA 4090 GPUs takes less than five minutes.
The hashcat tool includes a module (Hash-type 8500) for cracking RACF passwords with the DES algorithm.
PASSPHRASE
PASSPHRASE encryption is a bit more complex, and a detailed description of its algorithm is not readily available. However, our research uncovered certain interesting characteristics.
First, the final hash length in the PHRASE field matches the original password phrase length. Essentially, the encrypted data output from DES gets truncated to the input plaintext length without padding. This design can clearly lead to collisions and incorrect authentication under certain conditions. For instance, if the original password phrase is 17 bytes long, it will be encrypted in three blocks, with the last block padded with seven bytes. These padded bytes are then truncated after encryption. In this scenario, any password whose first 17 encrypted bytes match the encrypted PASSPHRASE would be considered valid.
The second interesting feature is that the PHRASE field value is also computed using the DES algorithm, but it employs a proprietary block chaining mode. We will informally refer to this as IBM-custom mode.
DES encryption of a password phrase
Given these limitations, we can use the hashcat module for RACF DES to recover the first 8 characters of a password phrase from the first block of encrypted data in the PHRASE field. In some practical scenarios, recovering the beginning of a password phrase allowed us to guess the remainder, especially when weak dictionary passwords were used. For example, if we recovered Admin123 (8 characters) while cracking a 15-byte PASSPHRASE hash, then it is plausible the full password phrase was Admin1234567890.
KDFAES
Computing passwords and password phrases generated with the KDFAES algorithm is significantly more challenging than with DES. KDFAES is a proprietary IBM algorithm that leverages AES encryption. The encryption key is generated from the password using the PBKDF2 function with a specific number of hashing iterations.
PASSWORD
The diagram below outlines the multi-stage KDFAES PASSWORD encryption algorithm.
KDFAES encryption of a password
The first stage mirrors the DES-based PASSWORD computation algorithm. Here, the plaintext username is encrypted using the DES algorithm with the password as the key. The username is also encoded in EBCDIC and padded if it’s shorter than 8 bytes. The resulting 8-byte output serves as the key for the second stage: hashing. This stage employs a proprietary IBM algorithm built upon PBKDF2-SHA256-HMAC. A randomly generated 16-byte string (salt) is fed into this algorithm along with the 8-byte key from the first stage. This data is then iteratively hashed using PBKDF2-SHA256-HMAC. The number of iterations is determined by two parameters set in RACF: the memory factor and the repetition factor. The output of the second stage is a 32-byte hash, which is then used as the key for AES encryption of the username in the third stage.
The final output is 16 bytes of encrypted data. The first 8 bytes are appended to the end of the PWDX field in the user profile BASE segment, while the other 8 bytes are placed in the PASSWORD field within the same segment.
The PWDX field in the BASE segment has the following structure:
| Offset | Size | Field | Comment |
| 0–3 | 4 bytes | Magic number | In the profiles we analyzed, we observed only the value E7D7E66D |
| 4–7 | 4 bytes | Hash type | In the profiles we analyzed, we observed only two values: 00180000 for PASSWORD hashes and 00140000 for PASSPHRASE hashes |
| 8–9 | 2 bytes | Memory factor | A value that determines the number of iterations in the hashing stage |
| 10–11 | 2 bytes | Repetition factor | A value that determines the number of iterations in the hashing stage |
| 12–15 | 4 bytes | Unknown value | In the profiles we analyzed, we observed only the value 00100010 |
| 16–31 | 16 bytes | Salt | A randomly generated 16-byte string used in the hashing stage |
| 32–39 | 8 bytes | The first half of the password hash | The first 8 bytes of the final encrypted data |
You can use the dedicated module in the John the Ripper utility for offline password cracking. While an IBM KDFAES module for an older version of hashcat exists publicly, it was never integrated into the main branch. Therefore, we developed our own RACF KDFAES module compatible with the current hashcat version.
The time required to crack an RACF KDFAES hash has significantly increased compared to RACF DES, largely due to the integration of PBKDF2. For instance, if the memory factor and repetition factor are set to 0x08 and 0x32 respectively, the hashing stage can reach 40,000 iterations. This can extend the password cracking time to several months or even years.
PASSPHRASE
KDFAES encryption of a password phrase
Encrypting a password phrase hash with KDFAES shares many similarities with encrypting a password hash. According to public sources, the primary difference lies in the key used during the second stage. For passwords, data derived from DES-encrypting the username was used, while for a password phrase, its SHA256 hash is used. During our analysis, we could not determine the exact password phrase hashing process – specifically, whether padding is involved, if a secret key is used, and so on.
Additionally, when using a password phrase, the PHRASE and PHRASEX fields instead of PASSWORD and PWDX, respectively, store the final hash, with the PHRASEX value having a similar structure.
Conclusion
In this article, we have explored the internal workings of the RACF security package, developed an approach to extracting information, and presented our own tool developed for the purpose. We also outlined several potential misconfigurations that could lead to mainframe compromise and described methods for detecting them. Furthermore, we examined the algorithms used for storing user credentials (passwords and password phrases) and highlighted their strengths and weaknesses.
We hope that the information presented in this article helps mainframe owners better understand and assess the potential risks associated with incorrect RACF security suite configurations and take appropriate mitigation steps. Transitioning to the KDFAES algorithm and password phrases, controlling UACC values, verifying access to APF libraries, regularly tracking user relationship chains, and other steps mentioned in the article can significantly enhance your infrastructure security posture with minimal effort.
In conclusion, it is worth noting that only a small percentage of the RACF database structure has been thoroughly studied. Comprehensive research would involve uncovering additional relationships between database entities, further investigating privileges and their capabilities, and developing tools to exploit excessive privileges. The topic of password recovery is also not fully covered because the encryption algorithms have not been fully studied. IBM z/OS mainframe researchers have immense opportunities for analysis. As for us, we will continue to shed light on the obscure, unexplored aspects of these devices, to help prevent potential vulnerabilities in mainframe infrastructure and associated security incidents.
🥁 '#Amazon zet vol in op #autonoom #rijden', zo meldde het bedrijf onlangs. En wel met een speciaal hiervoor gefabriceerde robotaxi: de Zoox! 🚕
Vergeet Tesla, Waymo of andere vehicles die op de markt zijn, aldus medeoprichter & CTO Jesse Levinson. 'We’re offering a #unique #experience for riders: the ride quality, the carriage-style seating, the roomy interior–we think all of this is going to be what sets us apart.' 🧢
De Zoox ga je eind dit jaar in verschillende Amerikaanse steden tegenkomen. Het voertuig heeft zowel voor als achter eenzelfde look, kan maximaal 120 km/per uur rijden (in de steden max 72) en een volle batterij is goed voor 16 uur aan ritjes.💥
'We’re #selling #rides, not vehicles', aldus CEO Aicha Evans. 'We want to offer the best experience at a competitive price.' 🏠
In de afgelopen 10 jaar heeft Amazon al de nodige tests gedaan, zowel op de weg als in simulatie. 🚸 Voorzien van de nieuwste AI en digitale snufjes: '8 laser lidars, 10 radar units, 18 digital cameras, 8 microphones (to hear emergency vehicles, for example) and 4 thermal cameras that can detect humans and animals in murky weather, dim lighting or even through steam and fog.'🚦
Volgens Forbes heeft Amazon de #beste #kaarten in handen en hebben partijen als Waymo, en binnenkort Tesla's Cybercap, het nakijken... 🎯
Benieuwd naar wat het 'metrokarretje' allemaal nog meer in petto heeft? Check de link in de comments. ⬇️ Of stream de aflevering (13): deboardroom.live/alle-afleveri…
Sidekick: Bert Hagendoorn. Presentatie: Ronald ter Voert
#talkshow #creativity #marketing #digital Adobe YouLynq.me Agency Engines Audiohuis #waymo #zoox #amazon #robotaxi
la_r_go* reshared this.
reshared this
Fiat Punto 2 Hgt II (2) 130 16S ABARTH 3P "le grand travailleur"
modèle 2025
"le grand travailleur"
lala
Campi “umanitari” e città recintate: l’architettura della pulizia etnica a Gaza
@Notizie dall'Italia e dal mondo
Progetti Usa e israeliani alimentano ulteriormente il sospetto di un piano di espulsione della popolazione palestinese in via di elaborazione
L'articolo Campi “umanitari” e città recintate: l’architettura della pulizia etnica a Gaza proviene da
Notizie dall'Italia e dal mondo reshared this.
VLAI: A RoBERTa-Based Model for Automated Vulnerability Severity Classification.
This paper presents VLAI, a transformer-based model that predicts software vulnerability severity levels directly from text descriptions. Built on RoBERTa, VLAI is fine-tuned on over 600,000 real-world vulnerabilities and achieves over 82% accuracy in predicting severity categories, enabling faster and more consistent triage ahead of manual CVSS scoring. The model and dataset are open-source and integrated into the Vulnerability-Lookup service.
We ( @cedric and I) decided to make a paper to better document how VLAI is implemented. We hope it will give other ideas and improvements in such model.
#vulnerability #cybersecurity #vulnerabilitymanagement #ai #nlp #opensource
Arriva la f.lotta
Giovedì 10 luglio, nei locali del csoa Forte prenestino a Roma, presentazione con Seasters coop della marcia marina F.lotta e della campagna “Io capitan@, il vero crimine è il confine”.Radiondarossa
LAVORO: ALTA ADESIONE ALLO SCIOPERO NEL SETTORE FERROVIARIO CONTRO IL NUOVO CONTRATTO NAZIONALE
Prosegue lo sciopero del settore ferroviario iniziato nella serata di lunedì 7 luglio alle ore 21, che proseguirà fino alle ore 18 di oggi. A fermarsi sono i lavoratori aderenti ai sindacati di...Radio Onda d`Urto
Altbot
in reply to Wintermute • • •Das Bild zeigt ein grünes Sprechblasen-Design auf weißem Hintergrund. In der Mitte des Sprechblasen befindet sich der Text "MEHR ERFAHREN AUF PRESSEPORTAL.DE" in grüner Schrift. Der Text ist in zwei Zeilen angeordnet, wobei "MEHR ERFAHREN AUF" in kleinerer Schrift und "PRESSEPORTAL.DE" in größerer Schrift steht. Rechts neben dem Text ist ein grüner Pfeil nach rechts gerichtet, der die Richtung anzeigt. Das Design ist einfach und klar, mit einem Fokus auf die Information, dass man mehr über Presseportal.de erfahren kann.
Bereitgestellt von @altbot, privat und lokal generiert mit Ovis2-8B
🌱 Energieverbrauch: 0.167 Wh