Copyright 1992-2016 by Kevin G. Barkes. All rights reserved. This article may be duplicated or redistributed provided no alterations of any kind are made to this file.

This edition of DCL Dialogue is sponsored by Networking Dynamics, developers and marketers of productivity software for OpenVMS systems. Contact our website www.networkingdynamics.com to download free demos of our software and see how you will save time, money and raise productivity! Be sure to mention DCL Dialogue!

DCL DIALOGUE
Originally published April, 1992

Common Sense Security
By Kevin G. Barkes

Security is a hot topic. Glance through any computer publication and you'll see loads of articles warning of despicable viruses and advertisements touting various hardware and software products which will make your environment as secure as Fort Knox.

Still, it's been my experience that the greatest security threat is the most obvious and, paradoxically, the most overlooked: simple physical access to the computer or to the terminals attached to it. I know of more than a few sites that spend big bucks on exotic dial-back modems and whiz-bang software, only to leave the doors to their computer rooms unlocked and their consoles permanently logged in to the system account. How many companies have strict policies about bringing "alien" diskettes on site, run virus-scanning programs on a regular basis, then leave literally acres of PCs wide open when everyone goes home for the night?

While doing research at one customer location ("research" consisting of retiring to the men's room with the latest copy of the VAX Pro), I noticed a small plastic object on the floor of the stall next to me. It turned out to be a DAT tape containing several gigabytes of sensitive, proprietary data belonging to my client. The system manager made a pit stop on his way from the computer room to his office and the media fell out of his pocket. No big deal... this fellow frequently left several backup tapes on his desk, easily accessible to the scores of employees who walked past his office daily.

So, lesson number one is simple: lock 'em up! Restrict access to your computer room. Keep the keys to the computer in a secure location. Be careful of small-format media; keep the tapes numbered for easy identification, and audit them on a regular basis.

PERSONAL SECURITY

What about the concerns of the end user? You're not a system manager, just a grunt with a no-privilege account. What should you know about security?

Well, you should be aware that anything you put on the system is potentially visible to the system manager and his minions. Company policy and ethics notwithstanding, you shouldn't put anything in a file in your "private" directory that you wouldn't put in or on your desk. I've known many a bored system manager to cruise the user files on his VAX, looking for perceived contraband. One went so far as to print out all the resumes he found, adding pithy comments and posting them for others to see.

And forget about sticking the files in a subdirectory and renaming the .DIR file to something innocuous... most astute managers run ANALYZE/DISK regularly and wade through the contents of SYSLOST for tantalizing nuggets. Short of encryption, there's not much you can do. So be forewarned.

Of course, that doesn't mean you should skip setting protections on your files. Just do it sensibly. Denying SYSTEM access to your files just means you're going to attract attention to yourself and peeve a lot of people who unsuccessfully try to send you mail.

PASSWORD FOLLIES

The debates which swirl around password policies often reach a religious fervor. And it's a tough call. Sites which institute system-generated passwords or require frequent password changes often end up with users who write down their passwords and tape them in potentially accessible locations.
My personal preference is to pick two words and separate them with three numbers. For example, TREK000PHASER. Don't use proper names or common phrases. Sticking numbers into a password royally fouls up most cracking schemes.

TERMINAL ACCESS

It's also a good idea to make your terminal worthless to others when you're not there. Don't run long programs and procedures interactively. A nefarious evil-doer could Ctrl-Y out of them and have access to your files. Run 'em in batch.

Idle process killers have been covered here many times. If your site doesn't use one, and you're worried about being unexpectedly called away from your desk for extended periods (or forget to log out when you go to lunch or leave for the day), consider the subprocess-based killer which appeared in the January column.

You can also "lock" your terminal. Various terminal lockers are available from DECUS, commercial vendors, and other sources. I prefer the little procedure shown in the Program. It doesn't generate fancy graphics or engage in any other contortions. It just blanks the screen, permits you to enter a password, then waits for you to re-enter it.

It's a good idea to eliminate the SET NOCONTROL line until you're certain you've debugged your copy. Otherwise you may find yourself in the embarrassing position of having to ask the system manager to kill your process so you can regain control of your terminal.

My single-user VAXstation system is in the basement office of my house, so conventional security isn't a major consideration to me. However, I do have a pair of cats who are fascinated by the tactile feedback of my keyboard and apparently like the sound of the 3100's whirring disks. TERMLOCK.COM has spared me a few unpleasant surprises.

******************************

Kevin G. Barkes is an independent consultant who wonders if his hardware service agreement covers keyboard cat hair contamination. He can be found lurking on comp.os.vms or reached at kgbarkes@gmail.com.
**************************

PROGRAM

$! TERMLOCK.COM
$! Locks the terminal: blanks the screen, reads a password with echo off,
$! then waits until the same password is typed again before returning
$! control. Remove SET NOCONTROL while debugging (see the column above).
$ SET NOCONTROL                  ! disable Ctrl-Y/Ctrl-C so the lock cannot be interrupted
$ SET TERM/NOECHO                ! do not echo the password as it is typed
$ ESC[0,7]=27                    ! one-byte symbol holding the escape character
$ WRITE SYS$OUTPUT ESC+"[00H"+ESC+"[0J"    ! home the cursor and clear the screen
$ LOOP1:
$!  A Ctrl-Z (end of file) at the read repeats it instead of aborting the
$!  procedure, which would otherwise leave the terminal unlocked.
$ READ/PROMPT=""/END_OF_FILE=LOOP1 SYS$COMMAND PWI
$ PWI = F$EDIT(PWI,"COLLAPSE,UPCASE")   ! strip blanks, ignore case
$ IF PWI .EQS. "" THEN GOTO LOOP1       ! an empty password is not accepted
$ LOOP2:
$ READ/PROMPT=""/END_OF_FILE=LOOP2 SYS$COMMAND PWO
$ PWO = F$EDIT(PWO,"COLLAPSE,UPCASE")
$ IF PWO .NES. PWI THEN GOTO LOOP2      ! keep waiting until the password matches
$ SET TERM/ECHO                  ! restore normal terminal behaviour
$ SET CONTROL
$ EXIT
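Returning to the file-protection advice in the PERSONAL SECURITY section, here is a DCL procedure added to this edition (not from the original column) that sets protections "sensibly": SYSTEM keeps access so mail delivery and backups still work, while group and world access is cut. The subdirectory name [.PRIVATE] and the procedure name SETPROT.COM are assumptions for the example.

```dcl
$! SETPROT.COM  (example added to this edition, not part of the original column)
$! Sensible protection for a non-privileged account: SYSTEM keeps access
$! (MAIL delivery and backups need it, and privileged users bypass file
$! protection anyway), the owner has everything, group members may read
$! ordinary files, and WORLD gets nothing. [.PRIVATE] is an assumed name.
$ ON WARNING THEN GOTO DONE
$ WRITE SYS$OUTPUT "Default protection before:"
$ SHOW PROTECTION
$!
$! The unwise setting the column warns about: denying SYSTEM only draws
$! attention and breaks incoming mail. Shown commented out, never applied.
$! $ SET PROTECTION=(S,O:RWED,G,W)/DEFAULT
$!
$! Sensible default applied to every file created from now on.
$ SET PROTECTION=(S:RWED,O:RWED,G:RE,W)/DEFAULT
$!
$! Tighten files that already exist under the assumed [.PRIVATE] subtree:
$! no group or world access at all.
$ SET PROTECTION=(S:RWED,O:RWED,G,W) [.PRIVATE...]*.*;*
$!
$! The directory file itself lives in the parent directory, so it needs its
$! own entry; owners normally keep D off directory files to avoid accidents.
$ SET PROTECTION=(S:RWE,O:RWE,G,W) PRIVATE.DIR
$!
$! Verify: the new default, then the protection on each file in the subtree.
$ WRITE SYS$OUTPUT "Default protection after:"
$ SHOW PROTECTION
$ DIRECTORY/PROTECTION/COLUMNS=1 [.PRIVATE...]*.*;*
$ DONE:
$ EXIT
```

Run it with @SETPROT from the login directory; DIRECTORY/PROTECTION is also a quick way to audit an existing tree before changing anything.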