In TSS/8, there was an IOT ("WHO") that would return the current user's
username AND password in Rad50. It was simple to walk up to a terminal
someone had stepped away from for a few seconds, deposit a few values
from the command line, jump to it, examine the results, and walk away with
the values for later decoding to alphanumeric (ASCII) characters.

The TSS/8 o/s at UWM (Milwaukee) was extensively rewritten, in part to
close those gaps. I don't know if it was Dick Bartlein or Sam Milosevich or
other folks (Al would probably know). They gave it real security, replacing
the WHO IOT with (I think) a LOGIN IOT.
They also made it refuse a login request unless you prefaced it with ^B.
That character would always break through to the o/s even if a program was
running, and prevented a form of trojan horse, wherein you could write a
simple program that would simulate the login prompts, capture your
username/password, stash it in a file, and silently log out. If you
attempted a login with that sort of trojan running, the o/s would intercept
the attempt, prevent the trojan from seeing any characters, and respond
?ALREADY LOGGED IN
-t
At 06:16 PM 4/22/2007 -0600, you wrote:
In article <462BF461.4090406 at compsys.to>,
"Jerome H. Fine" <jhfinedp3k at compsys.to> writes:
On the other hand, I suspect that the actual clear text of
the userid / passwords should never have been stored in a
file in the first place. If that is what you described (based
on what you specified above), that was a VERY serious error
in the security of the system. [...]
Lots of systems made that error. For instance, RSTS/E stored the
passwords in cleartext and you could list them out if you were a
privileged (1,*) user. I discovered that when you submitted a batch
job through the @ processor, it ran as user batch on account (1,2).
So it wasn't too hard to submit a batch job that ran the ACCOUN
program to list out the passwords.
--
"The Direct3D Graphics Pipeline" -- DirectX 9 draft available for download
<http://www.xmission.com/~legalize/book/download/index.html>
Legalize Adulthood! <http://blogs.xmission.com/legalize/>
-----
784. [Kindness] Kind words do not cost much. Yet they accomplish much.
--Blaise Pascal
--... ...-- -.. . -. ----. --.- --.- -...
tpeters at nospam.mixcom.com (remove "nospam") N9QQB (amateur radio)
"HEY YOU" (loud shouting) WEB: http://www.mixweb.com/tpeters
43° 7' 17.2" N by 88° 6' 28.9" W, Elevation 815', Grid Square EN53wc
WAN/LAN/Telcom Analyst, Tech Writer, MCP, CCNA, Registered Linux User 385531