HP3000-L Archives

December 1998, Week 1

HP3000-L@RAVEN.UTC.EDU
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: HP3000/Internet Security Was: Dialup to a 3000
From:
Stan Sieler <[log in to unmask]>
Reply To:
Stan Sieler <[log in to unmask]>
Date:
Wed, 2 Dec 1998 13:23:41 -0800
Content-Type:
text/plain
Parts/Attachments:
text/plain (74 lines) 
Chris wrote:
> > Whereas a phone line makes you vulnerable to a (limited area of) phone
> >  hackers, few of them will dial long distance to try to break into a system
> >  anymore (some yes, but most no). OTOH, an Internet connection is the
> >  equivalent of a local phone call from every hacker/miscreant on earth; 24
> >  hours a day, 365 days a year.

Wirt writes:
> Let me stand by my original statement: I still don't see a great deal of
> difference in vulnerability or threat posed to a production HP3000 between a
> modem connected to the switched telephone network and a internet-based telnet
> connection.

I have to agree with Chris.  On MPE/iX, there's basically only one way
to access a 3000 over an ordinary dialup modem:  the "HELLO" command.
(On MPE V, there could be two methods: HELLO and JOB, but "JOB" isn't
allowed on MPE/iX)   (I'm excluding user-implemented things like
touch-tone access systems)

Granted, many people routinely misconfigure their modems (both at the
modem side and the HP 3000 side), opening a gaping hole in security.

But...as a community, we *understand* the security implications of modems.
The number of holes is extremely small indeed: two

   1) insecure logons (e.g., common/easy-to-guess passwords; no logon-lockout
      after N failed attempts (without extra software))

   2) non-terminated sessions (e.g., a hangup not terminating the session)

Far more holes can be opened with network access...hole #1 from above
for telnet access, hole #1 from above for VT3K access, and a host of
new ones (FTP holes, tftp? holes, and potentially more).

> Indeed, you could profitably argue that you actually have higher security
> capabilities with telnet than you do with the switched network (Chris began to
> outline some of the advantages in his posting).

You'd profit if someone was paying you for your time ... you'd lose if someone
was charging you for each service interruption.  (Granted, service interruption
includes far more than just security ... but it's a problem with network access.)

> Any vulnerabilities that you face with telnet can be easily duplicated over
> the switched network. Phone phreaking allows anyone to call from anywhere,

Not so.  non-terminated sessions aside, Telnet has the same vulnerabilities
plus new ones.

> without incurring charges (as an aside, phone phreaking was Steve Jobs' sole
> "occupation" before he teamed up with Steve Wozniak to create Apple). Further,
> callerid is no protection. In reaction to the sensitivities of AIDS patients
> and others, before callerid was implemented nationwide, it was made mandatory
> that each individual subscriber have the right to request that their phone
> numbers not be transmitted by callerid. Any reasonable hacker would certainly
> request that option.

And you can reject calls without Caller ID.

> Further, with telnet-like access attempts, there is the possibility to simply
> begin rejecting all incoming packets from any particular address (forged or

Causing a service interruption, potentially...a larger scale interruption
than simply turning off the modem.


That aside, I like having a 3000 on the network :)
...and telnet/FTP/vt3k access is far better than modem access for almost
every use I've had!   (With the exception of security, of course, as discussed
above)

--
Stan Sieler                                          [log in to unmask]
                                     http://www.allegro.com/sieler.html

ATOM RSS1 RSS2