- Newsgroups: comp.os.vms
- Path: sparky!uunet!ulowell!woods.ulowell.edu!welchb
- From: welchb@woods.ulowell.edu
- Subject: Failures in system security.
- Message-ID: <1992Nov12.130323.1@woods.ulowell.edu>
- Lines: 22
- Sender: usenet@ulowell.ulowell.edu (News manager - ulowell)
- Organization: University of Lowell
- Date: Thu, 12 Nov 1992 18:03:23 GMT
-
- Does anyone have a program which monitors the phone object (29) to
- catch "blast" programs? A blast program is defined as one which allows
- the user to make an unidentified message appear on another user's
- screen (in real time).
- We have been having a lot of trouble with such users. (I should
- complain? They typically tell a pretty girl to report to the computer room.)
-
- More generally, for an operating system (VMS) which is considered
- so secure, the blast message is a poke in the eye. I hear that DEC's
- answer will be to simply remove the phone utility.
- But a perhaps worse hole is the "fake mail" message, i.e., it uses
- the mail utility (object 27), but the name of the sender is replaced with a
- fake one. [If I receive a message that says for me to report to the president's
- office at 7am, and act upon it, that is not a secure system.] It seems to me
- that DEC could easily change mail to check for this switch, but maybe I do
- not understand about who is really accessing the object (is it the privileged
- system or is it the unprivileged user?). And maybe if DEC changes the mail
- utility, the user will simply be able to supply an alternate one, for
- reasons unclear to me.
- Does anyone have a program to check for this problem also?
- --
- Brendan Welch, UMass/Lowell, W1LPG, welchb@woods.ulowell.edu
-