dagg@Csa2.LBL.GOV (Darren Griffiths) (04/19/88)
This is a follow up to my recent article. In the article I talked about
problems with the latest security patch from DEC. In summary the problems were
caused by a fix to the TTDRIVER that helped stopp trojan horse programs. The
fix, in some situations also broke the VAX Workstation Software, stopping uses
from autologging into a window. Other things that were broken include programs
like PHOTO that use psuedo-terminal drivers to act as session loggers.
It seems that some of the programs that use psuedo-terminal drivers will have
to be modified before they will be able to work again. This is unfortunate,
but it is necessary to provide extra security on VMS systems. I believe DEC is
planning to send out a letter describing these problems.
The problems with workstation software being broken can easily be fixed.
Patches to WTDRIVER.EXE and UISBG.EXE were distributed with the security
update, when these patches are installed the workstation software will work as
advertised with a secure TTDRIVER. The problem is that the procedure that
checks to see if the workstation has VWS installed has a bug in it, and it
sometimes reports that the workstation software isn't installed when it is. If
this happens the good software won't be installed and things will be broken.
The easy fix is to look in the install save set for four images:
WTDRIVER031.EXE;1 WTDRIVER032.EXE;1
UISBG031.EXE;8 UISBG032.EXE;1
Take the oens appropiate for your versions and place them in
SYS$SYSTEM:WTDRIVER.EXE and SYS$SYSTEM:UISBG.EXE, that should fix things up.
I do encourage everyone to install these security fixes. They ARE important
and they do help protect your system. DEC has been getting a lot of flames
regarding their policy towards security issues, I am not sure that all of these
flames are deserved. DEC engineers have spent a lot of time helping find this
problem, and they have always been eager to look for problems and suggest
solutions. Before we go and flame DEC, why not spend some time flaming the
people (pond-scum?) who are trying to break into systems and wasting valuable
time and resources. It is people like this who are the true cause of the
problem, not companies like DEC.
I have heard comments recently that suggest it is the computer managers
responsibility to maintain a secure environment for the users. While this is
true it can only be taken so far. It is reasonable to ask home owners to lock
their front door when they leave, it is not reasonable to ask them to hire
security guards and install a $10,000 alarm system. At the same time it is
reasonable to ask computer managers to have a secure environment, it is not
reasonable to ask them to spend a good part of their life tracking down idiots
who persist on penetrating systems, particularly when the majority of these
systems have no useful or interesting information online.
--darren
DAGG@LBL.GOV
-------