T.R | Title | User | Personal Name | Date | Lines |
---|
234.1 | MR1 and ZK have some security | NOBUGS::AMARTIN | Alan H. Martin | Thu Dec 11 1986 17:07 | 3 |
| Both MR1 and ZK's dialup terminal servers have a password. Neither
seems to be changed as often as weekly.
/AHM
|
234.2 | | CALLME::MR_TOPAZ | | Thu Dec 11 1986 17:52 | 6 |
| re .1:
I've been dialing in to ZK for several years -- right now, for example
-- and I've never used a password other than my host system password.
--Don
|
234.3 | Would you believe . . . | NOBUGS::AMARTIN | Alan H. Martin | Thu Dec 11 1986 18:01 | 2 |
| . . . ZK2?
/AHM
|
234.4 | Try again. | 2B::ZAHAREE | Michael W. Zaharee | Fri Dec 12 1986 01:19 | 5 |
| re .3:
Nope.
- M (zk2 resident)
|
234.5 | Well, would you believe ZK2-3? | NOBUGS::AMARTIN | Alan H. Martin | Fri Dec 12 1986 10:10 | 8 |
| Re .4:
Actually, the switch in front of the LAT said "ZK2 switch" this morning.
So you are obviously not in the swing of things here.
(I wish they just stuck the LAT on the phone lines, the switch doesn't
do a thing for me).
/AHM
|
234.6 | | QUARK::LIONEL | Reality is frequently inaccurate | Sat Dec 13 1986 09:20 | 12 |
| The DEVELCON switch in ZK (1 and 2) that you dial into has no
password. From that you can connect to a LAT box, but that has
the default LAT password which is never changed. Big deal - from
the DEVELCON switch you can get to almost every system in both
buildings.
Therefore, there is no dial-up security at ZK.
Some systems have implemented system passwords, where you have to
give a password before being told what system you're on or allowed
to try to log in, but these are rarities.
Steve
|
234.7 | Security in obscurity? | NOBUGS::AMARTIN | Alan H. Martin | Sat Dec 13 1986 10:20 | 21 |
| Re .6:
Frankly, I'm surprised that the apparently meaningless word I have to type
when I first connect, without benefit of prompt or echo, is not a password.
(But, then again, before reading your note, I didn't even know who made the
switch.) If it is in fact a command of some kind, then I concede that
someone familiar with DEVELCON switches would have no trouble with it.
However, the whole bogus procedure is so complex that it took two tries
before someone sent me correct directions for logging in after I got an
account here.
I would have no qualms about the LAT's password being changed a few
(2-4) times a year, as long as everyone was given 2 weeks notice. That
is essentially the situation I came from in Marlboro. You want to give
2 weeks notice to avoid inconveniencing people who go away on vacation
and want to read mail from home when they get back.
On the other hand, it would only slow down the dialup intruders, while
doing nothing to stop network hoppers. I wonder which are the bigger
problem on the net these days?
/AHM/THX
|
234.8 | | COVERT::COVERT | John Covert | Sat Dec 13 1986 10:33 | 5 |
| The right place for system security is on the individual systems. Follow the
rules for password selection and security in the VAX/VMS Guide to system
security and you don't need additional security on the dialup engines.
/john
|
234.9 | | CRVAX1::LAMPSON | Mike Lampson @DDO | Sat Dec 13 1986 17:57 | 19 |
| Re: .7
Your greatest number of curious "peekers" are probably
going to come across the net, but your most dangerous intrusions
will be across your local phone lines.
Re: .8
That's fine if each CPU accessible from the "dialup
engine" is secure. Right now, new VAXstations, and other
"personal" CPUs are appearing on our ethernet quite frequently.
Generally, it takes 1-10 weeks for the owner to realize his
machine isn't secure. Of course, most of this stems from how
microVMS is shipped.
The danger here is after an intruder gets into a microVAX
on the ethernet. He/She has almost unlimited ability to try
logging into any other machine on the net.
_Mike
|
234.10 | | FDCV03::CROWTHER | A barn to raise & a day to do it! | Tue Dec 16 1986 09:43 | 16 |
| The Easynet and all the systems attached to it are like a vast building with
inner and outer doors. The inner doors have locks of varying, but generally
high quality. The outer doors are generally not locked, but hard to open. Once
past the outer doors, however, intruders can take as much time as they like to
try to open one of thousands of doors.
It has seemed to me that if the security people really understood the degree of
exposure, if systems people (developers/hackers/users) could tolerate the
inconvenience of another level of password-protection, and if the
financial/managerial types could discover the cost-benefit of investing in such
security, we'd have the necessary devices in place in a month.
We ought to protect remote access to systems at least as well as SAVE and the
Stock Purchase Plan are protected. If it weren't inconvenient and expensive,
we'd have done it long ago. And, given the benefit of a global telephone
system, this is certainly not simply a "facility" problem.
|
234.11 | | COVERT::COVERT | John Covert | Tue Dec 16 1986 13:02 | 8 |
| >We ought to protect remote access to systems at least as well as SAVE and the
>Stock Purchase Plan are protected.
If that's your measure, then VMS (and other) systems provide significantly
better protection than a four digit password. All without any additional
protection prior to reaching the USERNAME: prompt.
/john
|
234.12 | | PSW::WINALSKI | Paul S. Winalski | Sun Dec 21 1986 21:15 | 6 |
| RE: .7
The RS that you say to the Develcon switch allows the switch to determine
the baud rate and parity of your terminal in one go. That is its only purpose.
--PSW
|
234.13 | Colorado Springs is a GREAT Showcase | CSC32::C_SMITH | | Tue Feb 17 1987 21:18 | 20 |
| Quite frankly the Colorado Springs security system, DIANA, is very
impressive. However since there are dial-in modems on almost ALL
of the systems connected to the CX03 network that require nothing
more than the USERNAME: and PASSWORD: or individual system equivalent.
I wonder now if we're really secure, or just fooling ourselves,
or possibly a showcase for our customers??
I'm currently dialed in through this system of multiple passwords.
This is the second week for the same password. Frequently they
are NOT changed for a couple of weeks. Let me tell you, whoever
changes these can dream up the most absurd passwords you could imagine
like ARTICMOOSEHUNT, with ARCTIC spelled wrong. Took me an hour
to figure that one out, of course I had a customer waiting for an
answer in one of the databases on this network..
The DECtalk that's used is rather humorous, especially the MALE
voice of DIANA trying to say ARTICMOOSEHUNT all as one word..
Clyde - CSC/CS Network Services
|