() () () () () () () () () () () () ()
(                                    )
(      Getting in the Back Door      )
(      A Guide to Some Popular       )
(         Operating Systems          )
(          By Mike Salerno           )
(              [2600]                )
(                                    )
() () () () () () () () () () () () ()

     There are four popular operating systems on DEC machines
that are supported by DEC. Two of these, TOPS-10 and TOPS-20,
run on the KL10 and the KS10 36 bit machines; TOPS-10 also runs
on the older KA10 and KI10. The other two are UNIX and VMS for
the VAX and PDP-11 series. The VAX is a 32 bit machine, with a
32 bit virtual address space. The PDP-11 is also a 32 bit
machine. VMS is a very intricate operating system, with its
loopholes, as you will see.

     TOPS-10 is an operating system that uses two octal numbers
to identify a 'user' or 'account'. This is usually printed in
the form of [565,11]. The first number tells which 'project' the
user belongs to, and the second is which 'programmer' the user
is. Passwords are up to 6 printing characters long, containing
only upper case alphabetics. Also associated
with the project programmer number (PPN) is the username, or
'user ID'. This is usually either a department name, or a
personal name. Now, we all know what some people like doing,
i.e., using parts of their name or department as their password
(usually initials, or first names). The only problem that
remains is how to get these usernames, right? Wrong! TOPS-10 is
one of the few remaining operating systems, besides TOPS-20,
that lets you do a few things while not logged in. This includes
running a program called SYSTAT that will give you various
performance statistics, along with a list of users on the
system. If this system is running version 7 of TOPS-10, you can
use SYSTAT to give you what you want. Just type 'SYSTAT US'.
This will give a short listing, giving only users on the system
and their usernames. Useful, isn't it? If the version is
previous to version 7, you can get a SYSTAT and then, using the
job number in the left column, type 'PJOB n' where 'n' is the
user's job number. This will give you his username. If this is
too tedious, type 'QUEUE'. This will show you a list of users
who have entered print and batch requests, along with their
username. To login, just type 'LOGIN', a space, and the 'PPN'
with a comma. Really taking over is not easy, unless you've
worked with TOPS-10 for a while. There are a few accounts that
might have been left with the default passwords set, like [1,3]
password OLD or OLDLIB, [1,4] password SYS or SYSLIB, [1,5]
password NEW or NEWLIB, [6,6] password MAINT or FIXIT or FIX-IT,
and [7,7] password OPER or OPR.

     Like TOPS-10, TOPS-20 allows you to do certain things which
are helpful to hackers. Accounts on TOPS-20 are up to 39
alphanumeric characters, including hyphens and/or periods --
passwords are the same. To login, type 'LOGIN', a space, the
username, a space, and the password. The password will not echo.
SYSTAT can be run whether you're logged in or not on most
machines. If the host is on ARPANET, use FINGER to give a list
of users on the system, along with their personal names! There
are not many privileged accounts that will have their password
set to something obvious, but one may be MAINT or F-S or FIELD,
with a password FIXIT, FIX-IT, or MAINT. If the host is on
ARPANET and you can login, try FTP, which stands for File
Transfer Protocol. With this, you can transfer files from
another host on ARPANET to the one you're on, or vice versa. You
have to have an account and password to use on the other system,
but guess what? TOPS-20 systems all have an ANONYMOUS account
that any person using FTP can log into, with any password!

     UNIX is a pretty simple operating system, but has some good
security measures. The only way you can get full file access, or
any other privilege is by issuing the SU command and entering
the appropriate password, which is the 'root' account's password.
Accounts and passwords are stored in text form, in the directory
'/etc' in the file 'password'. All the passwords are coded in
such a way that there is no way to decode them. The program
responsible for checking these passwords encodes the password you
give, then checks it against the already coded password stored
in the file. The only time the real password is handled by the
user is when the user himself sets it. All the fields in the
password file are separated by a colon. The first field is the
username, the second the password. If there is no password --
two colons after the username -- then that account can be logged
into without a password. Some of these may be 'help' or 'learn'
which actually may let you into the system's command level. The
account 'synch' is used to synchronize things so that UNIX can
be crashed (never crash a UNIX system, it may leave the disks in
an undesirable state). One useful account which is usually left
with no password is 'who', which will give you a list of users
on the system, just like typing 'who' at the command level
would. You can scan through these and see if you can find an
account with no password. If this doesn't work, then hang it up.
One thing about UNIX -- it thinks upper and lower case are
different. This allows for file names and even passwords in
upper and lower case!
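
     Seen from the administrator's side, the empty-password
condition described above is simple to check for. The following
is an added example, not part of the original article: it parses
text in the colon-separated layout the article describes and
reports every account whose second field is empty. The function
name audit_passwd, the seven-field sample entries and the
placeholder hashes are constructed for illustration.

```python
"""Audit colon-separated UNIX password-file text for empty password fields."""
from dataclasses import dataclass

# Account names the article mentions as sometimes left without a password.
NAMED_IN_ARTICLE = {"help", "learn", "synch", "who"}

# Constructed sample in the classic 7-field layout; hashes are placeholders.
SAMPLE = """\
root:PLACEHOLDERHASH1:0:0:Super User:/:/bin/sh
who::22:1:List users:/:/bin/who
learn::23:1:Tutorial:/usr/learn:/bin/sh
alice:PLACEHOLDERHASH2:101:10:Alice:/usr/alice:/bin/sh
guest::103:10:Guest:/usr/guest:/bin/sh
broken-line-without-fields
Who:PLACEHOLDERHASH3:102:10:Not the same as who:/usr/Who:/bin/sh
"""

@dataclass
class Finding:
    line_no: int
    user: str
    shell: str
    named_in_article: bool

def audit_passwd(text):
    """Return (findings, malformed_line_numbers) for passwd-format text."""
    findings, malformed = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # skip blank lines
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            malformed.append(line_no)  # no username or no password field
            continue
        user, password = fields[0], fields[1]
        if password == "":  # "user::" means login needs no password
            shell = fields[6] if len(fields) > 6 else ""
            # Names are compared case-sensitively, as UNIX itself does.
            findings.append(Finding(line_no, user, shell, user in NAMED_IN_ARTICLE))
    return findings, malformed

if __name__ == "__main__":
    found, bad = audit_passwd(SAMPLE)
    for f in found:
        note = " (named in the article)" if f.named_in_article else ""
        print(f"line {f.line_no}: {f.user!r} has no password, shell={f.shell!r}{note}")
    for n in bad:
        print(f"line {n}: malformed entry, review by hand")
```

     On systems that keep the coded passwords in a separate
shadow file, the same check applies to the second field of that
file instead.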

     VMS stands for Virtual Memory System. The VAX's 32 bit (4
gigabytes!) virtual address space is exploited fully by VMS. The
introduction of the new VAX 8600 with the speed of four VAX
780's is an impressive move by DEC. This system should be able
to support up to 256 users. One 'good' thing about VMS is that
it lets you do nothing without first logging in. If the system
has only been in operation for about 6 months or so, there is a
good chance that the default accounts supplied with VMS are
still there. These include the system manager's account SYSTEM
with the password MANAGER, the field service account FIELD with
password SERVICE, and the system program test account SYSTEST
with password UETP. All these accounts either have full
privileges or have the privileges to give themselves full
privileges. If you can't access some files from FIELD or
SYSTEST, this is because the account is the latter. To give them to
yourself, just type 'SET PROCESS/PRIVE=ALL'. Once you have full
privileges, you can run the system program AUTHORIZE. This
program allows you to print usernames, owners, etc., and insert
new users. You can NOT print passwords, since the login program
works like UNIX's does. If the VAX is hooked into DECNET, which
is DEC's supported network, you can access any unprotected file
on any 'node' on the network.

     One thing about DEC's machines is that they can all
communicate with one another. Using ETHERNET, you can connect
to, send mail to, and transfer files to and from almost any
other DEC system. There should be on-line help for the network,
just type HELP.
