Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!genrad!decvax!harpo!seismo!hao!hplabs!sri-unix!EE.GDS%MIT-OZ@mit-mc
From: EE.GDS%MIT-OZ%mit-mc@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Security Problem?
Message-ID: <2652@sri-arpa.UUCP>
Date: Wed, 29-Jun-83 17:45:00 EDT
Article-I.D.: sri-arpa.2652
Posted: Wed Jun 29 17:45:00 1983
Date-Received: Fri, 1-Jul-83 06:01:57 EDT
Lines: 21

From: Greg Skinner

There is another way to hack user logins -- just wander around the Arpanet looking for a user named "smith" or "jones" who has an account with no password. I know instances of this happening with Unix machines -- in fact, when the TCP/IP switchover took place the users on our internet vaxes were required to give themselves passwords, or a password was chosen for them different from their name.

Actually, if the host has a finger server, you could try all logged-in users looking for a non-password account. Also, some users stupidly have login and password names the same. This happens often when accounts are newly created and the user is not present at the creation time. The operator makes the username and password names the same.

As far as I know, non-password accounts are allowed on Unix, and not on TOPS-20.

--greg
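
An added example, not part of the original post: a local audit that an administrator can run to find the accounts with no password that the post describes. It assumes the passwd(5) text layout and, for present-day systems, a shadow(5) file; the sample records are constructed, and it covers only the empty-password case, not passwords equal to the login name.

```python
"""Audit passwd/shadow-format text for accounts that have no password set."""

# Constructed sample data (not from the original post), passwd(5)/shadow(5) layout.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
smith::1001:100:J Smith:/home/smith:/bin/sh
jones:x:1002:100:A Jones:/home/jones:/bin/sh
daemon:*:1:1:daemon:/:/usr/sbin/nologin
brown:x:1003:100:B Brown:/home/brown:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
jones::19000:0:99999:7:::
brown:!:19000:0:99999:7:::
"""


def parse_fields(text, min_fields):
    """Yield colon-split records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def passwordless_accounts(passwd_text, shadow_text=""):
    """Return sorted (user, reason) pairs for accounts with an empty password field."""
    shadow = {f[0]: f[1] for f in parse_fields(shadow_text, 2)}
    findings = []
    for fields in parse_fields(passwd_text, 7):
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password field in passwd"))
        elif pw == "x" and shadow.get(user) == "":
            # "x" means the real field lives in the shadow file
            findings.append((user, "empty password field in shadow"))
        # "*", "!" or a hash means locked or password-protected: not flagged
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in passwordless_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {reason}")
```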