PM Mail/2 under a Novel/Pegasus system

Steve Lamb pmmail@rpglink.com
Thu, 18 May 2000 14:09:08 -0700


Thursday, May 18, 2000, 1:12:39 PM, Simon wrote:
> You do go off a bit half cocked sometimes Steve - the smtp/pop system may
> have been running on Windows 3.1 for all you know, and certainly needn't
> have been secure - you've no idea if the alleged security reasons had
> anything to do with the email system! They may even have replaced NT with
> NetWare!

    In all cases they could have simply dropped in a decent 'nix.  So either
they were using one and moved to something else or they weren't and could have
moved to it.

    Half-cocked?  That would be you...

> Just 'cos something uses ip doesn't make it unix and it certainly doesn't
> make it secure (ip: the network system designed by the US defence research 
> agency that regularly used plain text passwords, hmmm!).

    ...since I never said it was unix to begin with.

> Have you ever heard of hackers breaking into a netware server?

    Security through obscurity is not a concept to trust a business upon.
Just because you don't hear about it being done on the evening news doesn't
mean it can't be done or hasn't been done.

    Just doing a quick, unscientific search I plugged in "netware" into the
bugtraq archives.  171 messages in the archives with that word in it.  A
scanning of the first 10 subjects revealed that they were discussing different
vulnerabilities.  Here is an example of one such report:

--- SNIP ---

                              Platform : Novell Netware
                           Application : NDS/NCP
                              Severity : High


Synopsis
--------

Armed with the MAC address of the Administrator, an intruder can hijack an
Admin's session and issue NCP calls as the Admin on Netware servers.

Tested configuration
--------------------

The bug was tested with the following configuration :

Novell Netware 5, Service Pack 2 (with IPX configured)
Latest Client Software for Windows 95/98

Also confirmed on Netware 4.x.

--- SNIP ---

    If they are connecting to the outside world what they have done is chosen
"security through obscurity" over interoperability.  They /will/ have more
problems with interoperability than they would with the "insecure" SMTP/POP on
a properly configured box.  /THAT/ is what my *cough* was about.  If they
aren't connected to the outside world then they just caused a major shift and
didn't increase security one iota.  In doing so they reduced flexibility of
their office by 10-fold.

-- 
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
         ICQ: 5107343          | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------