Xref: utzoo misc.headlines:2529 comp.sys.dec:590 comp.os.vms:5282 Path: utzoo!mnetor!uunet!yale!husc6!cfa!ward From: ward@cfa.harvard.EDU (Steve Ward) Newsgroups: misc.headlines,comp.sys.dec,comp.os.vms Subject: Re: Hacker hits VMS Message-ID: <923@cfa.cfa.harvard.EDU> Date: 19 Mar 88 17:14:49 GMT References: <3749@mtgzz.UUCP> Organization: Harvard-Smithsonian Ctr. for Astrophysics Lines: 36 Keywords: DEC, Chaos Computer Club Summary: security hole or all-to-common stupidity? In article <3749@mtgzz.UUCP>, gcm@mtgzz.UUCP (XMRP20000[khw]-g.c.mccoury) writes: > From The Star-Ledger(Newark NJ) 3/17/88 > > TEEN HACKER 'INVADES' NEW SECURE COMPUTER > > PARIS(Reuters)- A 19-year-old West German hacker has succeeded > in breaking into one of the world's top-selling computers, > Digital Equipment Corp.'s VAX system, in what experts say is a > new blow to confidence in computer security. Does anyone know if this is a REAL security hole in VMS or just the usual 1) failure to change default password(s) on sys, maint, user, userp accounts as shipped from DEC. or 2) autologins left activated by local sys manager. or 3) other equivalent act of stupidity. Often these sensational stories are due to vulnerability caused by stupidity. I have never had much trouble in "hacking" a login to a multiuser system when testing for security, usually by just trying the time-honored guess-the-password approach. Of course, hacking to TEST for security on your own computers is quite different from the vandalism and criminalism of attacking someone else's machines, whether one is hacking through cleverness or taking advantage of the lax management of computer systems on all os's that is out there. I know of large numbers of machines that are accessible to the world where the local users object strongly to being forced to periodically change passwords or insist on using any password, including very short passwords, last names, etc. The ability to "hack" a login is inversely proportional to the number of login accounts on the system :-) Of course, all os's exhibit true security hole bugs from time to time. Is this one?