JSPEAR@MC.LCS.MIT.EDU ("Jon L. Spear") (02/10/86)
Little known security problem with VMS 4.2: Indirect dialup, which could be controlled under VMS 3.7, is no longer controllable under 4.2.

Under 3.7, if you had VAX A with modems DECnetted to VAX B who didn't have modems, and B had all accounts set DISDIALUP in the UAF, it was not possible to SET HOST from a VAX A modem line and log in to VAX B. Under 4.2 it is.

When I asked TSC about this, nobody there believed it was a feature under 3.7 until they were able to dust off a VAX still running 3.7 and try it. Three days later they called back to say that at least two VMS engineers were aware of the problem and that it would probably be fixed some time in the future, maybe as early as VMS 4.4. They suggested that if this was an important feature to me that I should submit an SPR to help further encourage them. I have.

I am sending this to INFO-VAX to let you know about it, and to suggest that you too send in an SPR if you feel this is a useful feature to you. It appears that DEC needs some prodding on this given that it was overlooked for this long, and given the difficulty I had in convincing TSC that there even was a problem.

(Unfortunately, I could not point to any documentation of this feature, so if you know where it is documented, please let me know. Yes, I realize the degree of protection offered by this feature is limited, but it is better than nothing.)

-Jon