Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!GE-CRD.ARPA!EVERHART%ARISIA.decnet
From: EVERHART%ARISIA.decnet@GE-CRD.ARPA
Newsgroups: comp.risks
Subject: Re: reach out and spy on someone
Message-ID: <8902281909.AA24523@ucbvax.Berkeley.EDU>
Date: 28 Feb 89 14:19:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 27
Approved: risks@csl.sri.com

There have been several programs on the DECUS VAX SIG tapes and in other
places for this purpose over the years. Best one so far is WATCH which was
on the Fall '88 tapes (complete with source). It allows you to monitor
what goes on at any other terminal, except DECnet remote terminals
(whose internal architecture is very different from all other examples.)
  When used in conjunction with PHOTO one can very easily obtain a 
machine readable log of someone else's session. If used also in conjunction
with BOSS, one can do this without giving up one's terminal.
  This involves some extra processes and system diddling, but is not
too heavy a load even for a 750. However, watching someone's terminal
sessions is not something that's desirable overall due to the
generation of lots of junk information.
  The best way to handle people who are suspect seemed to be to force
them in their logins to fire up PHOTO with a logfile that can be read
later as needed, then log the session out if PHOTO finished. A logfile
created in this way could perhaps be transferred via mail to a
holding area where it could be examined and would be outside the security
domain of the victim. Since it would be open during the entire session,
it could not be deleted from the photo session. (Batch or the like are
another matter; a short window would have to exist.) This avoids need
for things like WATCH. However, WATCH is very handy for dialins, both
to ensure they are attempting nothing dangerous and to offer help as
needed. It needs hefty privs to run, but since it's PD, the capability
exists in essentially ALL VMS installations. Does Unix have a similar
capability? Is it PD?
Glenn Everhart
everhart%Arisia.decnet@ge-crd.arpa