Xref: utzoo news.admin:4171 comp.mail.uucp:2451
Path: utzoo!utgpu!watmath!clyde!att!chinet!mcdchg!nud!dover!waters
From: waters@dover.uucp (Mike Waters)
Newsgroups: news.admin,comp.mail.uucp
Subject: Re: How safe is UUCP?
Summary: Many stupid holes exist to privileged accounts
Message-ID: <573@dover.uucp>
Date: 4 Dec 88 03:58:06 GMT
References: <4950@b-tech.ann-arbor.mi.us> <811@mailrus.cc.umich.edu> <1555@ssc.UUCP>
Reply-To: waters@dover.UUCP (Mike Waters)
Organization: Motorola CAD Mesa, AZ {dover}
Lines: 29

In article <1555@ssc.UUCP> fyl@ssc.UUCP (Phil Hughes) writes:
>Just to put our fears in perspective I learned the following while
>Some vendor (I don't know their name) markets a software package for
>Hospitals that runs under UNIX. The vendor requires that you have dial-in
>access to your system available to them and that you give them root access.
>If this isn't bad enough, they require that you use a root password that
>they specify. It turns out that they actually require all of their
>customers use the same root password so that they won't have to remember
>the specific one for your system.

The first version of VMS (1.0) came with an account FIELD, password SERVICE !!!!!
DEC's field service got upset if you changed the password. Since my
installation was expected to run classified (just confidential but ...),
they got REAL mad at me!

Since then I have reported this to DEC from several other sites, but STILL
occasionally find this.
>
>I think I convinced my student to quit her job as the systems
>administrator if her boss doesn't let her change their root password but

I would hope that a demonstration of the harm (and violations of
confidentiality etc.) would convince the admin.. But you are quite right
some people just don't WANT to hear before something happens.
--
Mike Waters (for your EDIFication) *
Motorola CAD Group * Witty remark goes *HERE*
Mesa, AZ ...!sun!sunburn!dover!waters *
OR moto@cad.Berkley.EDU *