I audited IBM's mainframe security with a student account and a statistical framework I built. 50 findings.
Source: Dev.to
Overview
IBM z/OS mainframes process ~87 % of global credit‑card transactions. The password‑hashing system protecting those systems—RACF Legacy DES—has 42.17 bits of effective entropy instead of the advertised 56 bits. At that entropy level the hash can be cracked in ≈7.6 minutes on a consumer‑grade GPU, costing roughly $0.08.
Validation
The entropy measurement was validated bit‑for‑bit on a real IBM z15 running z/OS V2.5. The model matched the production implementation 4 out of 4 times.
All findings were obtained using a standard student account—no exploits, no privilege escalation—solely by applying a statistical framework (CASI, IEEE peer‑reviewed, ICECET 2026) and analyzing the system’s own output.
Findings & Fixes
- Total findings: 50 (documented in a 15‑page technical report)
- The required fix for every finding already exists in z/OS:
- KDFAES (available since 2007)
- AT‑TLS, MQ SSL, ICSF authorization – each can be remedied with a single configuration change
The issue is not a lack of capability but a configuration gap.
Full Technical Report
https://doi.org/10.5281/zenodo.18755826
Responsible Disclosure
Disclosure to IBM PSIRT has been initiated.