Re: hackers on bruker SGIs

John Chung (chung@scripps.edu)
Fri, 05 Feb 1999 09:52:17 -0800

My apologies to Bruker and anyone who might have thought that I was in any
way blaming Bruker for any of this security hole.

My only reason for starting with 'let the Bruker users community know' was
because the Varians don't use SGI boxes, and Solaris OS has a different format
where it is at least more difficult to have a look at the encrypted passwords
without some sort of root/admin privilege. I was aware that Bruker was not
doing anything to 'introduce' these holes but merely passing on the hardware
as is.

Nevertheless I apologize to anyone who might have been misled by my statement.
Thanks for pointing this out, Clemens. I agree with everything you said.

Sincerely,

John Chung

Clemens Anklin wrote:

> Howdy John
>
> just one small comment.
>
> It is not Bruker who makes these O2's insecure,
> that is the way they come from SGI.
>
> Any SGI computer is being shipped with many accounts unprotected.
> You might want to check demo guest uucp EZsetup etc.
>
> Your warning applies to all SGI boxes.
>
> Bruker is only loading NMR software on these systems, we do not
> change the basic settings of the operating system.
>
> SGI recommends using the Security and Access Control Menu in the System Manager
> to improve system security.
>
> Please don't blame the reseller for "features" that the manufacturer installs.
>
> Best Regards
>
> Clemens Anklin
>
> >
> > Just wanted to let the Bruker users community know that the O2's
> > and some Indy's that come as defaults on the newer Avance machines
> > have security holes in the password file which have allowed some
> > hacker to get into 3 of our Avance machines recently (two O2's on
> > DRX and one Indy on DMX) as the login
> >
> > lp
> >
> >
> > I advise people with Bruker supplied SGI boxes to at least check
> > the /etc/passwd files (do a simple 'grep ::') to see if there are
> > any lines without passwords (nuucp is another that had no password).
> > Put in a simple * in the blank password fields.
> >
>
> --
> Clemens Anklin, Ph.D. Director of NMR Applications
> Bruker Instruments Inc. Phone:(978)667-9580 ext.144
> 19 Fortune Drive Fax:(978)667-2955
> Billerica MA 01821 e-mail: clemens.anklin@nmr.bruker.com
> ----- for Applications Support try our new HOTLINE at extension 444 ------
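
Added example (not part of the original messages): the 'grep ::' check suggested in the thread also matches lines where some other field, such as the comment field, is empty, so this sketch reports only accounts whose password field is blank. The function names and the sample passwd lines are constructed for illustration and assume the classic colon-separated /etc/passwd layout.

```shell
#!/bin/sh
# List accounts whose password field (field 2) is empty.
# A plain 'grep ::' flags any empty field; this checks field 2 only,
# so an account already locked with '*' is not reported.

# find_empty_passwords FILE -> prints one login name per line
find_empty_passwords() {
    awk -F: '
        /^#/ { next }                      # skip comment lines
        NF >= 2 && $2 == "" { print $1 }   # blank password field
    ' "$1"
}

# make_sample FILE -> writes a constructed passwd file (not from a real host)
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:Super-User:/:/bin/sh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nuucp::10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico
demo:*:993:997::/usr/demos:/bin/csh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
EOF
}

# Demonstration on the constructed sample. The 'demo' line contains '::'
# (empty comment field) but has '*' as its password, so it is not listed.
sample=$(mktemp)
make_sample "$sample"
echo "Lines matched by grep '::': $(grep -c '::' "$sample")"
echo "Accounts with an empty password field:"
find_empty_passwords "$sample"
rm -f "$sample"
```

To audit a live system, call find_empty_passwords /etc/passwd; on systems that keep hashes in a shadow file, the same field check applies to that file instead.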