3000s still worthy of work to secure them
March 20, 2015
While an HP 3000 might be an overlooked resource at some companies, it's still mission-critical. Any server with 40 years of history can be considered essential if it's still part of a workflow this year. Managers of 3000s don't automatically think of protecting their essential resource from the malware and hackers of 2015, though.
That was illustrated in a recent thread on the 3000 newsgroup traffic. A 3000 manager serving the Evangelical Covenant Church needed help restarting an old Series 9x7. (By definition, any Series 9x7 is old. HP stopped building this first generation of entry-level 3000s more than 20 years ago.) The manager said the 9x7 had been "in mothballs," and he wanted to run an old in-house app.
I was able to boot up and login as OPERATOR.SYS but cannot remember/find the password for MANAGER.SYS. Is there anyway to reset, clear, or overwrite the password file? I know the old machine is a very secure one, but now I am hoping there is a way around it.
And then on the newsgroup, advice on how to bypass 3000 security began to emerge. It surprised one consultant who's recently closed down a big 3000 installation full of N-Class servers. Should the community be talking about how to hack a 3000, he wondered? The conversation really ought to be about how to ensure their security, practices we chronicled a few years ago.
Please remember that even though these are legacy systems, providing expert level security tricks and secrets to help people break into systems is still probably not a great idea on an open forum. I suggest you reply with your hacking suggestions in private email messages.
Not many 3000s sit on open, public networks. But the servers which they communicate with are often on accessible networks. Who's to say what's even accessible these days? Unisys, which is a long way from relevant in the enterprise computing field by now, is selling its newest products as Stealth Computing. "You can't hack what you can't find," they say in their ads on NPR.
Security is never so simple as that. But hackers navigate complex protection all the time. HP sold a security software product that one support expert said "implements directory encryption." The kingpin of 3000 security is of course Security/3000 from Vesoft. (Founder Vladimir Volokh called today to report things are looking up in his company, so to speak. Q1 of 2015 is more robust than Q1 of 2014.)
Controlling who can login as an operator is a great way to enable tighter security for a 3000. Passwords for OPERATOR.SYS are an excellent practice. If a 3000 is in mothballs with no sensitive data on it, these kinds of habits aren't essential. But how can you be sure no data is essential, of no use to hackers or competitors? Better secure than sorry.