[Am-info] E-mail virus picks up speed
Mike Stephen
mikestp@telus.net
Sat, 04 Jan 2003 14:59:48 -0800
--_=_=_=IMA.BOUNDARY.HTML_2936728=_=_=_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
As far as security through obscurity..... OS/2 Warp MCP as well as ECS has some very very easy and glaring
problems with security. I have been able to get full admin status on about 20% of all Warp 4.0 installs and
40% of all ECS installs that I have tried. (admittedly I have only done this on about 20 servers, so it might just
be a coincidence that I am able to logon as admin to these..... Of the 20 servers I know of, I was able to logon
as admin to 7 of them. I only know of 5 servers running ECS, so the rates may be skewed with such a small
sample. The problems with ECS I think are that hardly anyone runs it because the installation is soooo flaky,
that few if any trust it anymore in a server environment. Warp 4.0 with all the fixpacks of the day (1997) used to
be a fairly robust system. But with the advent of the new MCP and then ECS, it has become a joke in IT
circles..
I think the only reason no one hears of the Warp breakins is because most everyone has left it far behind.
Even with the simple ease of admin login, people have to find the one in 2000 systems that use Warp.
All you need to do is know that because of really stupid programming on the part of the OS/2 team at IBM as
well as the people at ECS, is login as "userid" and add a password of "password". This allows me admin
status on the machines. Once you are logged onto one machine in any network, you can cruise through almost
all the machines that are connected. Including access to the mainframe login screen. Once at the mainframe
login, you can attempt to access it with rather normal passwords. There are many corporations running some
OS/2 machines that connect through a terminal emulator from the Warp boxes.... Additionally the remote login
services for OS/2 default to allow access to all resources... Because this is the default once you are in you are
likely to have all the resources of the entire network at your disposal.... ECS is even worse than Warp as the
ECS team really does not have the skills to fix this glaring error. Now you know......
On Fri, 03 Jan 2003 21:18:35 -0500 (EST), Erick Andrews wrote:
>On Fri, 3 Jan 2003 21:06:07 -0500, felmon davis wrote:
>>On Friday 03 January 2003 03:45, Erick Andrews wrote:
>>> , "If [...] OS was more popular, it would be attacked
>>>
>>> >just as often as Windows."
>>>
>>> Yes. When I hear them I think inside: "you're in denial or stupid
>>> or naive or immature or a moron or an asshole". But of course, I
>>> don't EVER say that. If those folks aren't open to other choices,
>>> conceptually, I politely move on. What else can you do? Maybe
>>> suggest giving them lessons in "soo-wave and de-boner"? Forget it.
>[...]
>Please accept my apology. It was vernacular. I got a bit carried away.
>Perhaps a better way to say it, or a "translation" of it, might be:
>"diplomacy and flair".
>--
>Erick Andrews
>_______________________________________________
>Am-info mailing list
>Am-info@lists.essential.org
>http://lists.essential.org/mailman/listinfo/am-info
--_=_=_=IMA.BOUNDARY.HTML_2936728=_=_=_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
<HTML>
<FONT SIZE="4" POINTSIZE="14" DEFAULT="SIZE">As far as security through obscurity..... OS/2 Warp MCP as well as ECS has some very very easy and glaring problems with security. I have been able to get full admin status on about 20% of all Warp 4.0 installs and 40% of all ECS installs that I have tried. (admittedly I have only done this on about 20 servers, so it might just be a coincidence that I am able to logon as admin to these..... Of the 20 servers I know of, I was able to logon as admin to 7 of them. I only know of 5 servers running ECS, so the rates may be skewed with such a small sample. The problems with ECS I think are that hardly anyone runs it because the installation is soooo flaky, that few if any trust it anymore in a server environment. Warp 4.0 with all the fixpacks of the day (1997) used to be a fairly robust system. But with the advent of the new MCP and then ECS, it has become a joke in IT circles..<BR>
<BR>
I think the only reason no one hears of the Warp breakins is because most everyone has left it far behind. Even with the simple ease of admin login, people have to find the one in 2000 systems that use Warp.<BR>
<BR>
All you need to do is know that because of really stupid programming on the part of the OS/2 team at IBM as well as the people at ECS, is login as "userid" and add a password of "password". This allows me admin status on the machines. Once you are logged onto one machine in any network, you can cruise through almost all the machines that are connected. Including access to the mainframe login screen. Once at the mainframe login, you can attempt to access it with rather normal passwords. There are many corporations running some OS/2 machines that connect through a terminal emulator from the Warp boxes.... Additionally the remote login services for OS/2 default to allow access to all resources... Because this is the default once you are in you are likely to have all the resources of the entire network at your disposal.... ECS is even worse than Warp as the ECS team really does not have the skills to fix this glaring error. Now you know......<BR>
<BR>
On Fri, 03 Jan 2003 21:18:35 -0500 (EST), Erick Andrews wrote:<BR>
<BR>
>On Fri, 3 Jan 2003 21:06:07 -0500, felmon davis wrote:<BR>
><BR>
>>On Friday 03 January 2003 03:45, Erick Andrews wrote:<BR>
>>> , "If [...] OS was more popular, it would be attacked<BR>
>>><BR>
>>> >just as often as Windows."<BR>
>>><BR>
>>> Yes. When I hear them I think inside: "you're in denial or stupid<BR>
>>> or naive or immature or a moron or an asshole". But of course, I<BR>
>>> don't EVER say that. If those folks aren't open to other choices,<BR>
>>> conceptually, I politely move on. What else can you do? Maybe<BR>
>>> suggest giving them lessons in "soo-wave and de-boner"? Forget it.<BR>
>[...]<BR>
><BR>
>Please accept my apology. It was vernacular. I got a bit carried away.<BR>
><BR>
>Perhaps a better way to say it, or a "translation" of it, might be:<BR>
><BR>
>"diplomacy and flair".<BR>
><BR>
>-- <BR>
>Erick Andrews<BR>
><BR>
>_______________________________________________<BR>
>Am-info mailing list<BR>
><FONT COLOR=0000ff><U>Am-info@lists.essential.org<FONT COLOR=000000 DEFAULT="COLOR"></U><BR>
><FONT COLOR=0000ff><U>http://lists.essential.org/mailman/listinfo/am-info<FONT COLOR=000000 DEFAULT="COLOR"></U><BR>
<BR>
</HTML>
--_=_=_=IMA.BOUNDARY.HTML_2936728=_=_=_--