[Info-vax] VMS - Virtual Terminals - A security risk way back yonder OR was that an Old Wives Tale ?

IanD iloveopenvms at gmail.com
Thu Feb 11 06:31:25 EST 2016


On Thursday, February 11, 2016 at 9:54:26 PM UTC+11, Sum1 wrote:
> IanD
> 
> As you and I are both in Australia (I assume) and I have been playing 
> with VMS since 1977...there were some entertaining issues that were 
> noticed in the past, starting in no particular order...
> 
> - for a "special purpose", I used to connect a datascope (? I think it 
> was called that...) between the serial line and the LAT device and 
> capture data streams...including usernames/passwords...prior to LAT, 
> just connect near DZ11 etc....or anywhere in the link
> - for another "special purpose", I monitored and decoded LAT traffic on 
> the wire, again capturing usernames/passwords
> - using assorted terminal server hardware and LAT configurations, you 
> could impersonate a disconnected session and "take it over"
> 
> Of course, had there been adequate physical security of hardware and 
> networks, life would have been more difficult...but it rarely was.
> 
> It just may have been that you ran into a difficult System Manager 
> because, even though I was doing that stuff from the late 70s, System 
> Managers only really became aware of "security" in the mid/late 80s.  
> Even the Big 8 consulting firms had no experience in this field, and 
> their "IT/DP Auditors" spent all their time looking at accounting-based 
> controls.
> 
> Cheers

I remember I used to fire up Wireshark a long time ago and pick out the packets heading into the VMS boxes and scan for username password strings :-)

I didn't do any of the session disconnect tricks and then taking over their sessions. I was more of a nice hacker back then :-)  The worst thing I used to do was run a session duplicator program and inject random characters into one person's terminal session after he had boasted he was god's gift to data entry and challenged all to a data entry competition. Surprisingly, he lost because his accuracy sucked in a showdown ;-)
We had a great laugh afterwards with him and yes, he was actually one of the fastest key-punchers I had ever seen!

It probably was a difficult systems manager way back then. I know the systems were limited in size and frustration used to mount over people who would not log off at the end of the day or even when they went to lunch - I remember the horrible implementation of session killers too that had to grow ever more complex and yet never seemed to really master properly what sessions to kill and what ones were really doing work

and yes, I am in Australia :-) 

The question was more of a historical interest question and I had a burning desire to know if there was actually a security issue with virtual terminals or not...


