Xref: utzoo news.admin:4174 comp.mail.uucp:2452
Path: utzoo!utgpu!watmath!clyde!mcdchg!ddsw1!karl
From: karl@ddsw1.MCS.COM (Karl Denninger)
Newsgroups: news.admin,comp.mail.uucp
Subject: Re: How safe is UUCP?
Summary: How safe is VMS & business? My experience in the Chicago area.
Message-ID: <2343@ddsw1.MCS.COM>
Date: 4 Dec 88 17:35:47 GMT
References: <4950@b-tech.ann-arbor.mi.us> <811@mailrus.cc.umich.edu> <1555@ssc.UUCP> <573@dover.uucp>
Reply-To: karl@ddsw1.MCS.COM(Karl Denninger)
Organization: Macro Computer Solutions, Inc., Mundelein, IL
Lines: 58

In article <573@dover.uucp> waters@dover.UUCP (Mike Waters) writes:
>In article <1555@ssc.UUCP> fyl@ssc.UUCP (Phil Hughes) writes:
>>Just to put our fears in perspective I learned the following while
>>Some vendor (I don't know their name) markets a software package for
>>Hospitals that runs under UNIX. The vendor requires that you have dial-in
>>access to your system available to them and that you give them root access.
>>If this isn't bad enough, they require that you use a root password that
>>they specify. It turns out that they actually require all of their
>>customers use the same root password so that they won't have to remember
>>the specific one for your system.
>
>The first version of VMS (1.0) came with an account FIELD, password
>SERVICE !!!!! DEC's field service got upset if you changed the
>password.

That's nothing unusual.

We have a customer that sells VMS (small VAX) systems. Each is equipped
with a 1200 baud modem, set up so that CD is FORCED ON, as is DTR. The
terminal port is defined as a TERMINAL, not a modem. They do this because
they're too cheap to (1) figure out how to make a proper cable which will
enable the modems to work right, (2) they like to use REALLY cheap modems
which don't handle the EIA signals right anyways, and (3) they want to be
able to log out and back in without calling back long-distance.

This is bad enough. If you hang up, the system doesn't know about it, and
your job stays active...... if you were logged in privileged, and you're
not the first person back to the machine after the disconnect......

What's worse is that DEC ships VMS with a "SYSTEM" account, with the
password "MANAGER". This firm neither changes that password nor tells
others to do so; as a result there are some 200 VMS systems across the
country where the default system password IS valid!

As a further "slap" at security, all of these machines have a second,
also-privileged account, which is the same at each site (with the same
password) for vendor maintenance. So, their laziness extends to an
inability to keep a password database or call voice for a password first!

ARRRRRGHHH!!

We successfully got one site to remove this firm's access to their machine
by changing these passwords (actually, change system password and disable
the other account entirely, as well as enable all security audit alarms).
We _failed_ in our attempts to get two other sites to do the same thing;
they simply would NOT offend this vendor and risk being without their
"service", even when reminded that a formatting of their disk would cause
much more trouble than the need to reset a password!

Security is _useless_ on an Operating System when you have vendors doing
this kind of thing with their clients.

None of their systems have ever been _provably_ attacked from the outside,
but there have been several strange occurrences on a few of them, including
the disappearance of several directories....

--
Karl Denninger (karl@ddsw1.MCS.COM, ddsw1!karl)
Data: [+1 312 566-8912], Voice: [+1 312 566-8910]
Macro Computer Solutions, Inc. "Quality solutions at a fair price"