In article <[log in to unmask]>, James F. Knight wrote:
>
>  Actually, it's important for systems managers to know how people can
>attack your system.  I managed to snag a document on hacking the hp3000
>that was floating around on the Internet.
 
Undoubtedly.  Do you really want hackers to know more about breaking
your system than you do?  I recently saw the following information in
the alt.2600 FAQ, which is posted regularly to that newsgroup and is
freely available via anonymous FTP from rtfm.mit.edu and other sites:
 
>>20. What is this system?
>>
>>[...]
>>
>>Hewlett Packard MPE-XL
>>~~~~~~~~~~~~~~~~~~~~~~
>>MPE XL:
>>EXPECTED A :HELLO COMMAND. (CIERR 6057)
>>MPE XL:
>>EXPECTED [SESSION NAME,] USER.ACCT [,GROUP]   (CIERR 1424)
>>MPE XL:
>>
>>[...]
>>
>>21. What are the default accounts for XXX?
>>
>>[...]
>>
>>Hewlett Packard MPE-XL
>>~~~~~~~~~~~~~~~~~~~~~~
>>HELLO           MANAGER.SYS
>>HELLO           MGR.SYS
>>HELLO           FIELD.SUPPORT     HPUNSUP or SUPPORT or HP
>>HELLO           OP.OPERATOR
>>MGR             CAROLIAN
>>MGR             CCC
>>MGR             CNAS
>>MGR             CONV
>>MGR             COGNOS
>>OPERATOR        COGNOS
>>MANAGER         COGNOS
>>OPERATOR        DISC
>>MGR             HPDESK
>>MGR             HPWORD
>>FIELD           HPWORD
>>MGR             HPOFFICE
>>SPOOLMAN        HPOFFICE
>>ADVMAIL         HPOFFICE
>>MAIL            HPOFFICE
>>WP              HPOFFICE
>>MANAGER         HPOFFICE
>>MGR             HPONLY
>>FIELD           HPP187
>>MGR             HPP187
>>MGR             HPP189
>>MGR             HPP196
>>MGR             INTX3
>>MGR             ITF3000
>>MANAGER         ITF3000
>>MAIL            MAIL
>>MGR             NETBASE
>>MGR             REGO
>>MGR             RJE
>>MGR             ROBELLE
>>MANAGER         SECURITY
>>MGR             SECURITY
>>FIELD           SERVICE
>>MANAGER         SYS
>>MGR             SYS
>>PCUSER          SYS
>>RSBCMON         SYS
>>OPERATOR        SYS
>>OPERATOR        SYSTEM
>>FIELD           SUPPORT
>>OPERATOR        SUPPORT
>>MANAGER         TCH
>>MAIL            TELESUP
>>MANAGER         TELESUP
>>MGR             TELESUP
>>SYS             TELESUP
>>MGE             VESOFT
>>MGE             VESOFT
>>MGR             WORD
>>MGR             XLSERVER
>>
>>Common jobs are Pub, Sys, Data
>>Common passwords are HPOnly, TeleSup, HP, MPE, Manager, MGR, Remote
 
Scary, isn't it?  But ignoring it isn't going to make it go away, and
it's not going to make the thousands of people who see it every month
forget that it's there, or keep them from trying to sign on to YOUR
system using one of these accounts.  Hopefully this information will
help some of the administrators out there secure their systems, and it
should definitely be included in the FAQ.
 
> Security through obscurity is certainly nonsense.
 
This is true in many cases, but not always.  Publicizing security problems
for which solutions exist is a good thing--the information above is a prime
example.  On the other hand, publicizing security problems for which no
workaround has been found is irresponsible, because it allows (and even
encourages) people who otherwise may not get the information to attack
systems which -cannot- be protected.  The ongoing controversy over the
8lgm announcements is a good example of the issues involved in full
disclosure of security problems.
 
---------------------------------------------------------------------
 John Caruso                                    [log in to unmask]
 Unix/VMS System Administrator                  caruso@UMUC (Bitnet)
 University of Maryland University College      (301) 985-7447
---------------------------------------------------------------------