
Conference noted::hackers_v1

Title: -={ H A C K E R S }=-
Notice: Write locked - see NOTED::HACKERS
Moderator: DIEHRD::MORRIS
Created: Thu Feb 20 1986
Last Modified: Mon Aug 03 1992
Last Successful Update: Fri Jun 06 1997
Number of topics: 680
Total number of notes: 5456

337.0. "PASSWORDS A SECRET?" by CLOVAX::FORNER (Good times coming!) Mon Oct 20 1986 23:13

I think this is a good place to put this note.  I need some information
regarding the function keys on a vt2xx series terminal.  I know that it
is possible to define the keys and then save them as permanent for when
the terminal is turned on, but a problem arises.  I am at a customer site
where it is not possible to check all the terminals for this situation.
The problem is that the users are defining accounts and passwords into the
keys.  I have found the control sequence to clear out the keys, but that
is only good when the terminal is on, when the terminal is turned off and
back on again, all the keys are back with the accounts and passwords.
Now the question: is there a way that I can clear the keys and then tell
the terminal to save the settings, i.e. the save option of the setup menu,
through software or an escape sequence?  This is a very important issue,
and any suggestions will be accepted; any harassment will be taken with
a grain of salt.

Thanks in advance.

Paul Forner

337.1. "9600 baud typist?" by SKYLAB::FISHER (Burns Fisher 381-1466, ZKO1-1/D42) Tue Oct 21 1986 14:34 (12 lines)
    I wonder if you might have better luck coming at it from another
    angle. Suppose you wrote a process which intercepted the user's
    logins and timed them.  If they are typing at 9600 baud, chances
    are they have it programmed into their terminals.
    
    On VT100s, the only way to write NVR (the non-volatile memory where
    setup features are kept) is manually from the keyboard.  I don't
    know about 200s, but I would not be surprised if it were the same.
    Users don't like their setup features screwed around with.
    
    Burns
    
337.2. "More info on PASSWORDS A SECRET?" by CLOVAX::FORNER (Good times coming!) Tue Oct 21 1986 20:30 (42 lines)
    Well, let me try to give a little example and more information of
    what was happening.  I am working on a ROLM switch and what I program
    into key F6 would be "CALL MUMBLE<cr><cr>FOO"  where MUMBLE is the
    machine that I want to get to and FOO is the password for that machine
    group.  Next in key F7 I would program in my account and password
    i.e. "FORNER<cr>MUMBLEFOO<cr>".  Now when I press return after sitting
    down, I get my prompt of
    
    CALL, DISPLAY, OR MODIFY
    
    press f6  and computer types in
    CALL MUMBLE
    ENTER DATAGROUP PASSWORD
    FOO
    Calling 2902934
    CALL COMPLETE
    
    press return and get the system prompts
    ONLINE...
    Username:
    
    Press the F7 key now and let the terminal do the rest
    
    Username: FORNER
    Password:
    
    		Welcome to VAX/VMS V4.4 NODE MAR001
    .
    .
    .
    This is a problem that I can't really have because the users are
    putting in 4 and 5 accounts and passwords in this thing, so
    I can't really intercept whether or not the person is using the
    keys to enter in his account, they can also do this from dial up
    terminals.  So the only other thing would be to have the keys cleared
    on the logout and then SAVE it somehow, then on the users login,
    let them define the keys as they want, just do it every time they
    log in.
    
    Thanks again for any input on this matter.
    
    Paul

337.3. "How ?" by CHOVAX::YOUNG (Dr. Memory...) Wed Oct 22 1986 01:18 (10 lines)
    Please explain HOW these users are loading and saving function key
    definitions.  My VT200 series programming manual says that "user
    definable keys are cleared (lost) when power is turned off."
    
    There's no set-up sequence that I know of or can find that allows
    you to load the user-definable keys.  Only a program can load them,
    and then they are lost at power-off anyway.  So what's going on here?
    Are these some kind of vt200-clone?
    
    -- Barry

337.4. "Answerback is saved" by CSC32::BOWMAN (Bob Bowman, CSC/CS SPACE Team) Wed Oct 22 1986 03:24 (2 lines)
    The answerback is saved however, also a potential place to "hide"
    a login sequence.

337.5. by PASTIS::MONAHAN Wed Oct 22 1986 05:40 (17 lines)
    	If SYS$ANNOUNCE contained the escape sequence to trigger
    answerback, then since type-ahead is disabled at that point a random
    amount of the returned type-ahead should be lost before the Username
    prompt is complete.
    
    	This should cause slightly more difficulty to the users in making
    use of the type-ahead buffer, but also if the <CR> that they would
    have to put in gets there later than the prompt then they will have
    an invalid username entered. For these cases, the repeated pattern
    of a failed login attempt followed by a successful one a fraction
    of a second later would reveal which users are doing this.
    
    	Your SYS$ANNOUNCE could also contain the code to clear function
    keys so they would have to define them in their LOGIN.COM after logging
    in successfully.

    		Dave
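
The detection pattern described in .5 (a failed login followed a fraction of a second later by a successful one, repeating for the same user), as an added example that is not part of the original thread. The log format, field names and thresholds are assumptions, and the sample records are constructed:

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample login audit records: date, time, terminal, user, outcome.
SAMPLE_LOG = """\
1986-10-22 08:59:10.20 TTA1 FORNER FAIL
1986-10-22 08:59:10.55 TTA1 FORNER OK
1986-10-22 09:14:02.00 TTA3 YOUNG FAIL
1986-10-22 09:14:19.80 TTA3 YOUNG OK
1986-10-22 13:02:41.10 TTA1 FORNER FAIL
1986-10-22 13:02:41.40 TTA1 FORNER OK
1986-10-22 13:30:00.00 TTA2 FISHER OK
"""

def parse(log):
    """Yield (time, terminal, user, outcome) tuples from the text log."""
    for line in log.splitlines():
        if not line.strip():
            continue
        date, clock, term, user, outcome = line.split()
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        yield when, term, user, outcome

def flag_replayed_logins(log, window=timedelta(seconds=1), min_hits=2):
    """Users with at least min_hits FAIL-then-OK pairs inside `window`
    on the same terminal. A person retyping a password needs seconds;
    a stored key or answerback replay arrives almost immediately."""
    last_fail = {}      # (terminal, user) -> time of the most recent failure
    hits = Counter()
    for when, term, user, outcome in sorted(parse(log)):
        key = (term, user)
        if outcome == "FAIL":
            last_fail[key] = when
        elif outcome == "OK":
            failed_at = last_fail.pop(key, None)
            if failed_at is not None and when - failed_at <= window:
                hits[user] += 1
    return sorted(user for user, n in hits.items() if n >= min_hits)

if __name__ == "__main__":
    print(flag_replayed_logins(SAMPLE_LOG))
```

Requiring the pattern to repeat (`min_hits`) keeps a single fast retry from flagging a user.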

337.6. "Save New Answerback Message" by VAXUUM::DYER (The Weird Turn Pro) Wed Oct 22 1986 05:55 (10 lines)
^E in SYS$ANNOUNCE is a cute hack!

To thwart the stuff in the answerback buffer, just change it.  The VT200
 has menus, and you can go into the appropriate menu and change the
  answerback buffer.  The main menu has a SAVE selection.

On a VT100, you have to go to "Setup B."  To change the answerback
 message, you hit SHIFT-A (that is, capital A) and type something new.  Then
  hit SHIFT-S to save it.
   <_Jym_>

337.7. "set proc/priv=all" by NAC::CHALMERS (Ferrari Kid) Wed Oct 22 1986 13:52 (6 lines)
      
    I agree with .5......Have each person define his/her account/password
    in their login.com. That way whatever terminal they're on will be
    set correctly.
    
    
337.8. "Are we talking about the same thing?" by CLOVAX::FORNER (Good times coming!) Wed Oct 22 1986 16:35 (12 lines)
    I think that we are getting away from the real topic.  I just wanted
    to know if the 200 series terminal could be forced to "SAVE" its
    settings without going into the menus, i.e. some sort of escape
    sequence.  The terminals that I'm using are WYSE85 terminals and
    they have been emulating 200's down to a tee so far.  I don't have
    a DEC vt2xx terminal to check for the function keys menu, but on
    the wyse, there is room on the menu to put stuff in the function
    keys, if you save it per "SAVE" on the menu, the keys are saved
    in permanent memory.  Some interesting ideas are coming out of this
    one though, keep 'em coming.
    
    Paul

337.9. "Not on VT200's." by CHOVAX::YOUNG (Dr. Memory...) Wed Oct 22 1986 23:57 (12 lines)
    I would suggest checking the Terminals notes file (they are the
    experts), but I am pretty sure that VT200's do NOT have this feature.
    
    If you could describe the menu sequence as exactly as possible, I
    will gladly check on mine.
    
    By the way, the answerback could not be used on your system, to
    bypass security (as your site has defined it) because you are making
    an intermediate connection before your Vax connection.  Some characters
    are invariably lost in the in-between time.
    
    -- Barry

337.10. "The bottle just reached my island..." by CLT::GARYB (Gary Barton) Tue Oct 20 1987 18:01 (18 lines)
    A year late, but better than never...
    
    A long time ago I came up with a scheme to discourage people from
    storing passwords in answer back messages and function keys.
    Hack login so that after the User prompt it prints a random
    string and a number between 0 and MinPasswordLength.  The user
    must insert the string into his password after the number of characters
    specified.  Login removes the characters and throws them away.
    
    Example:
    		User: ANYONE
    		Insert "YQH" after 2nd character in your password
    		Password: FOYQHOBAR
    
    It's rather obnoxious, but it prevents function key hacks on all
    but the smartest terminals.
    
    -Gary
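
The scheme described in .10, as an added example that is not part of the original thread: the login side issues a random string and a position, then strips that string from the typed response before checking the password. The function names, the minimum length of 6 and the PBKDF2 password hashing are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
import string

MIN_PASSWORD_LENGTH = 6   # assumed site policy; the thread gives no value

def hash_password(password, salt):
    """Salted hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_challenge(length=3):
    """Random string plus an insert position in 0..MIN_PASSWORD_LENGTH."""
    text = "".join(secrets.choice(string.ascii_uppercase) for _ in range(length))
    return text, secrets.randbelow(MIN_PASSWORD_LENGTH + 1)

def strip_challenge(typed, text, position):
    """Remove the challenge string from the typed response.
    Returns None when the string is not present at `position`."""
    if typed[position:position + len(text)] != text:
        return None
    return typed[:position] + typed[position + len(text):]

def verify(typed, challenge, salt, stored_hash):
    """Accept only a response built for this particular challenge."""
    text, position = challenge
    password = strip_challenge(typed, text, position)
    if password is None:
        return False            # a stored key replay lands here
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

if __name__ == "__main__":
    salt = b"constructed-salt"                  # constructed sample value
    stored = hash_password("FOOBAR", salt)      # password from the note's example
    print(verify("FOYQHOBAR", ("YQH", 2), salt, stored))   # the note's example
    print(verify("FOOBAR", ("YQH", 2), salt, stored))      # plain stored password
```

Because the string and position change on every login, a fixed key definition or answerback message fails the check even when it holds the correct password.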