The 'Security Digest' Archives (TM)


ARCHIVE: Rutgers 'Security List' (incl. - Archives (1987)
DOCUMENT: Rutgers 'Security List' for September 1987 (41 messages, 26669 bytes)
NOTICE: recognises the rights of all third-party works.


From:      David Lyle   <>  2-Sep-1987 11:35:20
To:        <>
According to Social Security Administration Publication No. 05-10001 (Sept 86)

    "Any Federal, State or local agency that asks for your Social Security
     number must tell you whether giving it is mandatory or voluntary,
     under what authority the number is being requested, and what uses will
     be made of it.

     Some non-governmental organizations also use Social Security numbers
     for recordkeeping purposes.  Such use is neither required nor
     prohibited by Federal law.  Although you are not required to give
     your number, the organization is not required to provide you service
     if you do not.  Knowing your number does not allow these organizations
     to get information from your Social Security record."

--David Lyle
--Univ. of Ill. Foundation
From: (Paul Pomes - The Wonder Llama)   4-Sep-1987 16:55:46
To:        security@RUTGERS.EDU
It occurred to me, while watching the telco man install my data line, that
the network isolation box provides very easy access to a line tapper.
A line powered FM transmitter with a RJ11 plug and socket at each end
would take less than two minutes to install start to finish.

These thoughts have prompted me to install a locked cover over the box.

From:   7-Sep-1987 13:59:16
To:        security@RUTGERS.EDU
Hello all,
          While talking to the cleaner of my office she showed me
the master key to the floor on which I work. I examined it and
found very little similarity between this master key and my own.
It strikes me that most of the metal that my key is composed is
only there to stop me opening other doors rather than to allow
me to open my own! Does this mean that the key to my door is
very much more simple than it looks? Does anybody know on what
general principles these types of system are built on? Are these
systems safe (It seems to me that taking a file to my key would
allow it to open other doors!) enough?
From:      "Jerry Leichter" <>  10-Sep-1987 01:15:45
To:, security@RUTGERS.EDU
Drugs and DES:  A New Connection

From "Logged On", by Vin McLellan - Digital Review, August 24, 1987, page 87

Anthony Prince Fairchild is doubtless a colorful rogue.  Five years ago, when
People magazine reported on a dispute between the Aspen sheriff and the Drug
Enforcement Administration (DEA) about lax law enforcement in the Colorado
resort town, Fairchild stepped forth - not to deny the DEA's allegations that
he was running an Aspen "drug factory," but, rather, to defend eccentricity.

"It's not against the law to be bizarre," he told People, which featured a
photograph of him leaning back against a nude female mannequin he called

Some may have found Fairchild's face familiar.  An engineer by education and
trade, Fairchild had also been a model:  His Salem-smoking visage has adorned
millions of magazines and billboards.  He's now 50 years old, but police still
call him a "pretty boy."

Last month at a pre-trial hearing in San Jose, Calif., Fairchild curled up on
a courthouse bench reading Firestarter, while the curious strolled by to check
him out.  After all, Fairchild had just had his bail changed from $2.5 million
to "no bail" out of fear that he would post the money and disappear.  "He
looks just like Timothy Leary," said an onlooker, referring to the LSD guru
of the '60s.

If Fairchild isn't a legend like Leary, it may be because federal authorities
have never publicized the extent of their interest in him, even though they've
sought him several times over the years.

But after being arrested last November with eight kilos of cocaine, $12,000 in
counterfeit money and 85 pounds of high explosives, Fairchild became a topic
of rumor in Silicon Valley, in the California drug culture and, oddly enough,
among the nation's top security consultants as well.

"The guy's got a brain," remarked one California investigator.  "You maybe
couldn't guess it to see the mess he's in, but he's done a lot of things -
legit things - and some say he's just slightly short of being absolutely

Fairchild's resume indicates success in a half-dozen careers, most recently as
an EDP consultant in Silicon Valley.  It claims he holds 11 U.S. patents, and
states that he was one of the authors of Digital Research's Concurrent PC-DOS.
The police say this work record is accurate.

Predictably, Silicon Valley police have been among the first to confront the
problem of criminal enterprises that digitally encrypt incriminating records.

"There's one case like that every six weeks around here," noted a local police
reporter.  "It's become quite common."  The method of choice is, of course,
the Digital Encryption Standard (DES), the cipher approved by the U.S.
government for commercial data security.

Fairchild used a Winterhalter DES board in a DOS micro to keep what police
believe to be an extensive diary of the affairs of a "large international drug
ring."  Local, state and federal narcotics agents are all very eager to gain
access to Fairchild's records.  Indeed, Santa Clara, Calif., police reportedly
used covert FBI funds to have a privately owned supercomputer grind away at
cracking the DES-encrypted data.

The attempt was not a big secret.  Several EDP security consultants were
asked to suggest crypto attacks.  What made the DES attack feasible, if
still unlikely to succeed, was that the Winterhalter device uses a program
to transform a 6-to-16-character password into the 64-bit DES key.

The cops got lucky:  With a pass through a full English dictionary, and by
culling significant names and such from Fairchild's personal history, they
were apparently able to guess three of four passwords that were used to
encrypt files stored on his micro.

The passwords were all eight or fewer characters in length, and all in
lowercase letters.  The diary file continued to elude their efforts, but
the police reasoned that if the DES password for the diary was less than
eight characters, a "brute force" approach to finding it was possible.  A
cryptoanalyst who is a leading consultant for California banks was hired to
make the attempt.

The supercomputer may have actually been chewing away when the Justice
Department stepped in late last month to confiscate copies of the encrypted
diary, presumably as evidence in a federal drug case against Fairchild.  This
pre-empted local authorities from possibly making the big score.
From:      Don_Lewine@SDD.CEO.DG.COM  10-Sep-1987 17:43:25
There is no law against getting several SS#s.  I have several.  I 
keep one for the IRS and use the others for drivers licences, credit, 
education, and so on.  Because they are "my" ss#s, I know that no one 
else is using them.
P.S.  The way one gets multiple numbers is by going into the SS 
office and saying you lost (or never had) your number.
From:      Simson L. Garfinkel <>  11-Sep-1987 15:48:48
Cc:        security@RUTGERS.EDU

	It's beginning to appear that my master's project at Columbia
will be on abuse of social security numbers.

	Here's my first story:

John Stein (not his real name) teaches writing and performs technical
consulting at Columbia University. He is married, has two children, a
house in New Jersey, and a six-figure income.

Two years ago, John and his wife went to Hawaii for his semester long
sabbatical. Because of his income, John is required by law to file
estimated income tax payments every semester. Naturally, John filed
these payments from Hawaii.

When he returned to New Jersey, he found that some of his mail had not
been forwarded while he was on vacation. Among these was a notice from
the IRS saying that they had not received his estimated tax payments
and that a lien had been placed on his house for the overdue taxes. 

Now, by this point John had the canceled checks. It took over two
months of working with the IRS to find out what had happened: The
taxes had been mailed from Hawaii, and the Post Office had delivered
the checks to the IRS's branch office in California rather than in
New York. This was the year that the IRS had all of its computer screw
up problems, so the tapes from California were never run against the
tapes from New York, and the credit was never picked up. Once this was
all traced down, the IRS removed the lien on the house.

Nothing happens for two years, until John applies for a loan and has
it rejected by the bank because he is a credit risk. Apparently, in the
TRW credit database, which is indexed by SSN, there is a statement
saying "123-45-6789 (not his real SSN): Lien removed from house.
<year>". The bank would not give a loan to somebody who had a lien on
his house.

John contacted the bank, provided documentation from the IRS that the
lien had been placed in error, and eventually, after a lot of hassle,
got his loan approved. 

The next year, when he tried to get a Sears Discovery card, the same
thing happened again.

This time, he sent a copy of all the documentation to the TRW credit
database, asking them to remove the "lien removed" statement from
their records. They didn't. Instead, they added to their records that
the lien had been issued by the IRS, and that the IRS later said that
the lien had been issued in error.

Rather than face continued hassles, John has decided to work with his
current bank for all future credit transactions. Unfortunately, he has
to do this for the rest of his life.


If anybody has a story, please send it to me. I'm collecting them.
Please also send me your phone number and tell me if you would mind
being interviewed for this project.

Thank you.
From:      Kevin M. Leahy <>  11-Sep-1987 21:48:52
To:, security@RUTGERS.EDU
I am certainly the most naive on this discussion group.

What is the big deal about giving out your SSN??  Has anyone actually been
harmed by giving out the number?  I sense that there is really something
that I am missing, but this won't be the first time.

I'm sorry, but I really can't get worked up over giving out 9 numbers which
represent who I am no less than my signature (when legible) does.

Is this a practical point or a philosophical one?


(SSN withheld pending enlightenment.)

Kevin Leahy   
From:      Brint Cooper <>  12-Sep-1987 04:45:25
To:        Security@RUTGERS.EDU
	During this discussion, many folks have asserted that, under
federal law, no one may require your SSN except for very specific
purposes such as taxation.

	I wonder if this is true?

	To my knowledge, the Privacy Act applies only to the Federal
Government and to contractors operating on its behalf.  Is this not
true?  I don't believe it is illegal for a university to use a student's
SSN as his/her student id.  

	Can someone provide an authoritative statement on this?


From:      <>  12-Sep-1987 16:33:57
I have seen garage door openers made for two doors, for split 2-door garages.
I do not, however, think this is the forum to discuss them in.

  We have had a security breach here, on our VAX 8800 which is related to
Social Security Numbers.  We use the SS # as an account ID, and as the
initial password for users.  No, this was NOT my decision, and I do not
like the concept, but I do like working here, so that's enough about that.
  We had a user using the WHO program who was looking up random SS #s until
he found a hit, then he tried it to see if it was the password to the account.
This wouldn't be so bad, since the system forces first-time users to change
their passwords, except that this is the beginning of the academic year and
there are a lot of new accounts around which haven't been logged on to.
  Needless to say, he caused a lot of trouble by sending troublesome mail
messages to users, and generally wreaking havoc.  Our response has been to
disable each account he uses, one by one, but since he appears to be a dialup
user in another city, (Our network spans 1100 by 1400 miles), there is not a
whole lot we can do to him.  We did correct the backdoor in WHO, though, so
as to prevent another occurrence of this type.
  Just one more reason to stay away from using SS #s!
From:      <>  12-Sep-1987 16:35:11
  Social Security numbers are a very volatile subject.  I think the subject
has been covered well in this digest.  Most government agencies withhold
their policy on SS #s simply because it is much more convenient for them
when people provide them.  There are very few government agencies which
absolutely require that you disclose your number, however.  Private companies
are a different matter, however.  They can refuse service if you don't meet
their requirements, whatever they may be.
  As for changing all of this, it probably is too late in the game.  Those of
us who feel strongly enough to protest will be noticed, but face it, the
average person is going to take the path of least resistance.  There will
always be more than enough people who quietly go along with it to offset
those of us who resist.
From:      <>  14-Sep-1987 11:23:43
You have probably already seen this, but just in case...

Selden E. Ball, Jr.
(Wilson Lab's network and system manager)

Cornell University                 NYNEX: +1-607-255-0688
Laboratory of Nuclear Studies     BITNET: SYSTEM@CRNLNS
Wilson Synchrotron Lab              ARPA: SYSTEM%CRNLNS.BITNET@WISCVM.WISC.EDU
Judd Falls & Dryden Road          HEPnet/SPAN:
Ithaca, NY, USA  14853             LNS61::SYSTEM = 44283::SYSTEM (node 43.251)
From:   Jnet%"C0033001@DBSTU1" 14-SEP-1987 08:17
To:     SYSTEM
Subj:   Hackers - NASA - Warning

From:         Helmut Woehlbier          +49 531 391 5513 <C0033001@DBSTU1>
Subject:      Hackers - NASA - Warning

I'm the technical representative (networking) of Braunschweig University,
Germany and I forward the following lines of my friend who is working for
the German news agency (dpa).

Kind regards, freundliche Gruesse              Helmut Woehlbier
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
German hackers have successfully attacked the NASA and will reveal that
tomorrow (tuesday, sept. 15) in the German news magazine 'Panorama',
which will usually be seen by 10 - 12 million people. Newspaper articles
by dpa (German news agency) will appear simultaneously.

  Hackers wonder why the doors of NASA are still wide open. In his
"important message" Roy Omond (DHDEMBL5) speaks of a magical password.
Perhaps it is the same still now.

  This is the third warning to the NASA (the first two were sent via
SPAN-net). I wonder why the NASA neither answers nor reacts.

  Other systems are also open, because they implemented the Trojan Horse
via their backups after having installed the mandatory update by DEC to
patch the former security hole.

signed   Jochen Sperber
From:      Don Chiasson <>  14-Sep-1987 17:55:13
To:        security@RUTGERS.EDU
     Spectrum, the magazine of the IEEE (Institute of Electrical and
Electronics Engineers) is doing a series of articles on Electrotechnology
in World War II.  The September 1987 issue has an article "Breaking the
Enemy's Code" (pp. 47-51).  Nothing drastically new in it, but it is
From:      gatech!codas!ki4pv!  21-Sep-1987 11:25:39
The mail carriers use something called "HALT!", the active ingredient of
which is oil of cayenne pepper.  Very effective; the lingering effect of
the cayenne oil assures that the dog will remember the stuff.

I get mine at the local bicycle shop.  It goes for about $6; your prices
may vary.  I find that it takes an average of two applications before a
dog will lose interest in chasing bicycles; some dogs do learn after the
first application while others never learn.

					Tanner Andrews, Systems
					CompuData, Inc.  DeLand
From:      mason@OBERON.LCS.MIT.EDU (Nark Mason)  23-Sep-1987 08:20:09
To:        jh@ATHENA.MIT.EDU,
Again I will ask...
I've seen lots of messages on this list about ways to keep your SS# secure,
but still I haven't seen anyone give a reason *why* to keep it secure.
Why bother? What horrible deed can be done with it that makes it worth
not giving it out and the hassle that might follow?

			curious in cambridge
From: (Dave Kucharczyk)  23-Sep-1987 09:49:09
To:, security@RED.RUTGERS.EDU
Just swapping crystals with a DPDT switch isn't as easy as it sounds.
The wire from the crystal to the switch and from the switch to the holder
may cause unstable operation or even no oscillation. Also that means
you have to swap crystals in one of the garage door opener receivers.
If the change in frequency is any appreciable amount the receiver will
have to be retuned.
 An easier way to control two units with one remote is to get one
that has a digital code (settable internally by a dip switch).
Simply get two openers and set them one bit apart in digital code.
Then have the switch for that bit connected to an external switch on
the remote controller.

From:      jh@VENUS.MIT.EDU (Joe Harrington)  23-Sep-1987 13:46:27
I have heard many explanations for keeping a hidden ssn.  The most
important one, in my opinion, is that it is much easier to sort
records on a computer or in a paper filing system by a unique number,
rather than by name (since names are not unique).  If everyone uses
the same number to refer to you then a huge amount of information can
be gathered about you in a very short amount of time by someone with
either authority or connections saying to dozens of employers, credit
agencies, the IRS, the Registry of Motor Vehicles, the military, the
police, the FBI, insurance agencies, hospitals, the schools you have
been to, and practically any other organization with which you have
had dealings and which keeps records "Tell me everything you know
about 888-24-3315."

I don't like information about me to be that accessible.  Certainly it
is almost as easy to say, "Tell me everything you know about John
Wlodarczyk," which is one reason why many people don't hide their

Other reasons include the moral position that people should not be
reduced to numbers in a machine (though I guess those people have
never heard of ASCII), and the legal position that the intent of a law
should not be broken (the Social Security Act of 1933 may have
loopholes, but as I understand it, the intent was clearly NOT to allow
the number it assigned to anyone to be used for any other purpose).

From: (Simson L. Garfinkel)  24-Sep-1987 16:44:06
I've been giving out my MIT 888 number as my SSN for several years
now. In fact, when I recently got my Columbia University ID number, I
got them to use my MIT ID number rather than my SSN number.

So the real question is this:

		How many databases list my MIT 888 number as my SSN

From:      djw@LANL.GOV (David Wade)  25-Sep-1987 12:03:28
To:        Security@RED.RUTGERS.EDU
> To my knowledge, the Privacy Act applies only to the Federal
> Government and to contractors operating on its behalf.  Is this not
> true?  I don't believe it is illegal for a university to use a student's
> SSN as his/her student id.  

The Privacy Act is written specifically for Federal Agencies, Subcontractors,
and Universities.  There is no University which does not accept federal
money.  Call your congressman's office and get a "free" copy of the Privacy
Act of 1974 quickly; before Bork invalidates what's left. 8*)

From: (Dave Platt)  25-Sep-1987 17:29:28
To:, security@RUTGERS.EDU
As I recall, "Halt!" and some similar products contain an active
ingredient known as "capsicum oleoresin";  it's basically essence of
hot pepper (capsicum resin) dissolved in oil (oleo).  It's certainly
effective at stopping dogs, and I imagine that it's probably just as
effective in stopping humans unless their pain sense has been numbed
(e.g. by PCP or a similar illegal drug).

I saw an article a couple of years ago that mentioned capsicum
oleoresin sprays, and their use as a personal-defense weapon.  The
article mentioned one potentially serious problem:  this ingredient has
_not_ been legally authorized as "safe and effective" for use in
defensive sprays that are to be used against humans.  [From what I
remember of the article, CS and similar tear gasses have been tested
and found not to cause long-term injury to the eyes and respiratory
system;  capsicum oleoresin has not been tested in this way].  This
could, potentially, lead to the following unfortunate scenario:  you're
walking down the street, are approached by someone who makes threatening
moves (but doesn't actually touch you), you zap him with Halt!, call
the police, and the alleged assailant files charges against you, for
assault with a caustic chemical.  You end up in jail.

I don't know of any case where this has actually happened, but the
article I read indicated that it was potentially possible.  User
From: (Scott Dorsey)  25-Sep-1987 23:30:44
paul@UXC.CSO.UIUC.EDU (Paul Pomes - The Wonder Llama) writes:
>It occurred to me, while watching the telco man install my data line, that
>the network isolation box provides very easy access to a line tapper.
>A line powered FM transmitter with a RJ11 plug and socket at each end
>would take less than two minutes to install start to finish.

  It takes a lot less time than that.  Even more fun... take a look at
your supply closets and broom closets at work (and maybe the bathrooms).
You'll probably find banks of #66 punchdown blocks with each line 
carefully labelled on them.  Not only can someone walk in and make
free phone calls, but dropping a tap in is simple.  Keep the phone
cabinets locked, and remember that the phone is never very secure
in the first place.
Scott Dorsey   Kaptain_Kludge
From: (Mitch Mlinar)  25-Sep-1987 23:33:09
>These thoughts have prompted me to install a locked cover over the box.

That is hardly worthwhile.  What you have done MAY stop a true amateur, but
wire tapping can be cleanly done anywhere along your phone line.  There are
some interesting gadgets I saw at a convention which clamp onto any phone
line (outside or inside your house) WITHOUT need of a physical contact to the
wire itself and filter out the background clutter to send a clean FM signal
up to 1/4 mile away.  (This was a closed convention in '84 for security
types only; I happened to be consulting as a computer expert and needed to
find products that were amenable to computer monitoring.)  By the way, the
price for this goody at the time was around $350 - cheap by most standards -
and could be installed in 15 seconds.  The receiver (a bit more pricey) could
even filter out multiple signals (if it was clamped over two lines instead of
one), but required some manual work to keep it focused if both lines were in

A more interesting gadget was an HP spectrum analyzer which was tied to a
computer and display as well as a nice IF antenna.  You got it.  ANYTHING
typed on the IBM-PC about 100ft away (for effect) appeared on the monitoring
display.  (Whoever said that emissions for PCs was small!)  The antenna was
directional, and for "kicks", the demonstrator turned it towards another
known PC in the auditorium.  We watched every character that the person
at the Vivitar security booth typed in!

I don't mean to pick on you, Paul, but the state-of-the-art is well beyond
your deterrent. Unless you reinstall your phone lines with two ground coax (all
the way to the telephone pole) and get your PC TEMPEST equipped, the lock
cover is about as effective as dead-bolting your doors while leaving the
windows open...

From:      "GLENN EVERHART, 609 486 6328" <>  26-Sep-1987 07:28:57
To:        Security@RED.RUTGERS.EDU
 The NSA is involved in distributing these phones as part of a more general
effort to get at least some US companies to have reliable security.
	The story I've heard (though I don't have it from classified
sources) is something like this:

1. DES was originally certified, but was designed with a short enough key
that NSA could break it by brute force. (It IS a federal law that no cipher
may be used for international traffic that NSA can't break, so the
permeability of DES follows from reading the relevant US Code sections.)
The classified algorithms are said to differ from DES mainly in the
length of their keys.
2. Recently, someone furnished NSA with an efficient DES breaking
algorithm. This was said to take 1.5 hrs. on an IBM PC to break a DES
cipher. I understand that hard details of this have been classified
and NSA does NOT particularly want to confirm this. Still, some NSA
employees have confirmed that DES is not nearly as secure as was
originally thought. Thus, NSA isn't going to certify DES again, at least
not willingly, because they KNOW it's breakable. (It's been suggested that
a different key scheduling data area could give a more secure algorithm,
but the generator for the key schedulers is not available, at least
not readily.) An Australian friend of mine mentioned he saw an article
on breaking DES back in '79 or '80 in the Proceedings of the Soviet
Academy of Sciences, but has since told me the article deals only with
certain classes of keys. (BTW, it also mentions that if you insist on
choosing large PRIMES for public key cryptosystems keys, the public
key systems become fairly easy to crack also; what's needed are
RELATIVELY PRIME numbers, not primes.)
3. Since DES has proven embarrassingly easy to crack, and since large
amounts of money are "protected" by it, NSA is proposing to let industry
use the "real stuff", the algorithms they use themselves, which
hopefully are less permeable. To do so, they furnish algorithms and
keys (preserving the ability they have by law to decipher the text), but
are paying fairly large sums to develop these phones and other boxes. A
good deal of custom microelectronics is involved. And this is why you
see NSA discussing crypto phones etc. (You are of course aware I trust
that ANY phone conversation that gets onto microwave is potentially as
open to interception as home radiophones are...and many of these
links to industry ARE monitored...)

I've heard another story someone might comment on:
Some US company (I forget which; it's not important) sent a binary
copy of an operating system over wire to England. However they
used the unix crypt tool on it first, more than once and with
different keys. The story is they got a call a few days later from
NSA demanding they give NSA the keys used to encipher it.
	The algorithm is just character XORs with a string. But if
you do it several times with strings of lengths that are relatively
prime, couldn't the effective string become the product of the
key lengths, and quickly grow comparable in size with the original
message? Does anyone out there know enough cryptography to tell me
whether this is really a super cheap and strong cipher, or whether
it's just a minor nuisance for folks who go in for this sort of thing?
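
The question above can be checked directly. The following is an added example, not part of the original message; it takes the message's description of the scheme (repeated XOR with a key string, applied in layers) as its assumption, and the keys and plaintext are constructed. It shows that three layers with key lengths 3, 5 and 7 do behave as one XOR key of period 105, but that the combined keystream obeys a linear recurrence of order 3 + 5 + 7 = 15, so 15 known plaintext bytes (with the key lengths known or tried in turn) determine all of it.

```python
from functools import reduce
from itertools import cycle
from math import gcd

# Constructed sample data: three keys with pairwise relatively prime lengths.
KEYS = [b"k3y", b"fiv35", b"s3v3n77"]            # lengths 3, 5, 7
PLAINTEXT = b"constructed sample plaintext, not real data. " * 10


def xor_repeat(data, key):
    """XOR data with key, repeating the key as often as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encrypt_layers(data, keys):
    """Apply the repeating-XOR step once per key, as the message describes."""
    for key in keys:
        data = xor_repeat(data, key)
    return data


def combined_key(keys):
    """The single repeating key equivalent to all layers; its length is the
    least common multiple of the key lengths (the product when coprime)."""
    period = reduce(lambda a, b: a * b // gcd(a, b), (len(k) for k in keys), 1)
    out = bytearray(period)
    for key in keys:
        for i in range(period):
            out[i] ^= key[i % len(key)]
    return bytes(out)


def recurrence_taps(lengths):
    """Exponents of prod(1 + x^n) over GF(2). A sequence of period n is
    cancelled by s[i] ^ s[i+n]; chaining that for every length gives a
    recurrence that the XOR of all the layers must satisfy."""
    poly = {0}
    for n in lengths:
        poly = poly ^ {e + n for e in poly}      # multiply by (1 + x^n)
    return sorted(poly)


def extend_keystream(prefix, lengths, total):
    """Rebuild `total` keystream bytes from the first sum(lengths) bytes."""
    taps = recurrence_taps(lengths)
    order = taps[-1]                             # equals sum(lengths)
    if len(prefix) < order:
        raise ValueError("need at least %d keystream bytes" % order)
    stream = bytearray(prefix[:order])
    while len(stream) < total:
        i = len(stream) - order
        nxt = 0
        for e in taps[:-1]:
            nxt ^= stream[i + e]
        stream.append(nxt)
    return bytes(stream[:total])


def recover_from_known_prefix(ciphertext, known_prefix, lengths):
    """Decrypt the whole message given only its first sum(lengths) bytes."""
    order = sum(lengths)
    prefix = bytes(c ^ p for c, p in zip(ciphertext[:order], known_prefix[:order]))
    stream = extend_keystream(prefix, lengths, len(ciphertext))
    return xor_repeat(ciphertext, stream)


if __name__ == "__main__":
    lengths = [len(k) for k in KEYS]
    ct = encrypt_layers(PLAINTEXT, KEYS)
    print("period of combined key:", len(combined_key(KEYS)))
    print("same as one XOR layer :", ct == xor_repeat(PLAINTEXT, combined_key(KEYS)))
    print("recurrence taps       :", recurrence_taps(lengths))
    recovered = recover_from_known_prefix(ct, PLAINTEXT[:sum(lengths)], lengths)
    print("recovered from 15 known bytes:", recovered == PLAINTEXT)
```

The period grows with the product of the key lengths, but the secret material and the work to undo it grow only with their sum.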

From:      sunybcs!kitty!  26-Sep-1987 10:52:43
To:        security@RUTGERS.EDU
> These thoughts have prompted me to install a locked cover over the box.

	And what, pray tell, do you plan to do about all of the unlocked,
outside cable terminal boxes between your building and the telephone company
central office?

<>  Larry Lippman @ Recognition Research Corp., Clarence, New York
<>  UUCP:  {allegra|ames|boulder|decvax|rutgers|watmath}!sunybcs!kitty!larry
From:      Mike Linnig <>  26-Sep-1987 23:23:15
To:        security@RED.RUTGERS.EDU
There are multiple places that your line COULD  be tapped.  If
I was going to do it for short amount of time I'd go up the
road from your house and tie in at one of those telephone junction
boxes.  The telephone person would spot it in a second, but it would
be good for a week or so on the average.  The real problem with
that technique is that you would have to figure out which line is
yours.  But if you were a mafia Don, at least I don't have to
walk up to your house (grin).

	Mike Linnig
From:  28-Sep-1987 14:56:49
     I have been reading the news about Social Security numbers (and
the giving out thereof) with interest.  I guess the newsgroup is
successful, as I now ask for a reason when someone asks for my SS Num.
     I saw something in a campus paper today in which an advertiser
wants a SS number, but also provides an out.  The ad is for purchasing
computer software at an educational discount.:

[in the directions] "Make a photocopy of your current Student ID or
Faculty card and...some well known form of id. displaying your
Social Security number,... (WPCORP will hold this information strictly
confidential and use it only to guard against duplicate purchases.)
[Then later on...] If you have serious reservations about providing a
social security number, call Educational establish
clearance to purchase any of the above software products..."

     In the world where it is difficult and inconvenient at best to
not automatically provide the SS number when asked, I thought this was
a nice change.

				     Thomas Lapp
From:      *Hobbit* <AWalker@RED.RUTGERS.EDU>  28-Sep-1987 23:15:29
To:        security
[This came over another mailing list -- I couldn't resist.  Is *your*
town's sewer system a threat to national security?   _H*]

Subject: Caving Horror Stories (III)

A  caver  from Austria who recently visited the U.S.  told  some  grim 
tales  about caving in Eastern Europe,  especially E.  Germany.   He's 
translating _CAVER OF FORTUNE_ into German,  with added advice on  how 
to keep a low profile while caving in E. Europe.

East   Germany  has  a  law  against  going   underground.   Literally 
interpreted,  it  says  that you must stay out of your  own  basement.
Apparently, the law was enacted after a few people tunnelled their way 
out of E.  Berlin.   The government does support sports,  however,  so 
caving clubs are allowed.   The party tries to plant spies in the cave 
clubs but everybody knows who they are, so they take them on extremely 
rough  cave  trips and thoroughly trash them!   Club  newsletters  are 
required  to contain party-line material about how caving advances the 
cause  of the state;  this is usually accomplished by duplicating  the 
same page in each newsletter issue.

European  cavers  explore old mines and tunnels,  as well  as  natural 
caves.   Networks  of artificial tunnels are common under old European 
cities;  they  are ancient sewers,  were used to hide  from  invaders, 
etc.,  and  their  locations are unknown to present city  governments.
The  cavers  in  an  E.  German  city  (which  must  remain  nameless) 
discovered an iron door on the river bank, overgrown with weeds.  They 
picked the lock,  made their own key,  and explored the tunnels.  They 
found treasure which was hidden there during World War II by the local 
inhabitants, most of whom were killed when the city was bombed.  Being 
caught in the tunnels means a one-way ticket to Siberia,  so it's  the 
ultimate stealth-caving!

Cave  locations  are  state secrets in  eastern-bloc  countries;  some 
French  cavers were caught at the border of Yugoslavia with a  roadmap 
on  which they had marked cave locations;  they were jailed as  spies, 
and it was three weeks before the French embassy bailed them out.
From: (Nark Mason)  29-Sep-1987 09:43:46
To:, security@RUTGERS.EDU
Don't worry, your phone lines still are not safe. Many years ago (when
I was young and irresponsible...) I amused myself a few times by sitting in
the bushes near my house at an unlocked telco junction box looking for a
friend's data line. Didn't find it, but I did hear some interesting stuff
and caught a guy trying to break into a nearby church (I wouldn't tell the
police where I was phoning from). Failing this I went to his house, clipped
my handset into the wires outside his house and plugged a tape recorder in.
In a relatively large city like Newton the CO's (Company Offices?) were
manned 24 hours a day, in smaller cities they aren't and no one's too
concerned with keeping people out of them.
From:      "Miles R. Fidelman" <>  30-Sep-1987 09:47:17
To:        security@RUTGERS.EDU
At least one way of setting up master keys is to use locks with 
pins that have multiple segments.

In a normal lock, each pin is split into two pieces. The key pushes each
pin up the amount necessary to line up the splits of all pins at the
boundary between the stationary and rotating points of the cylinder.

In one of these special locks, each pin is made of multiple segments, i.e.
there are two or more positions in which each pin will allow the lock
to rotate.

My guess is that there are relatively safe ways to set up the keying, and
relatively unsafe ones.

From:  30-Sep-1987 12:49:06
"Examples of secure passwords include ***random, unpronounceable
combinations of letters and numbers*** and several words strung together."

I do not consider "random, unpronounceable combinations of letters and
numbers" to be a secure password.  Such a password is extremely likely to be
written down.

From: (Dave Platt)  30-Sep-1987 13:15:30
To:        security@RUTGERS.EDU
    It strikes me that most of the metal that my key is composed is
    only there to stop me opening other doors rather than to allow
    me to open my own! Does this mean that the key to my door is
    very much more simple than it looks?

Probably not.  If your door's lock mechanism is built along the usual
master-key lines, then it has as many pins as a non-master-keyed lock
of similar manufacture.  The pins, however, are designed somewhat

Familiar with the construction of a standard pin lock?  The top half
looks a bit like this, in cross-section:
	|            @  @  @  @  @          |   @ = small spring
	|            @  @  @  @  @          |   # = upper half of pin
	|            #  #  #  #  #          |   % = lower half of pin
	|____________#__#__#__#__#__________|   _ = cylinder wall
	|            #  #  #  #  #          |
	|            #  #  #  %  #          |
	|            #  %  #  %  %          |
                     %  %  %  %  %          |
  keyway ->          %  %  %  %  %          |
                     %  %  %  %  %          |

When you insert your key in the keyway, it pushes the bottom halves
of the pins upwards, thus pushing the upper halves of the pins upwards
and compressing the springs.  If the notches on your key are each of
the correct height, then the pins will all come to rest with the
top-half/bottom-half line lying just at the cylinder wall.  This will
free the cylinder to rotate, and operate the bolt or latch.  If any
of the key notches is too high or too low, then the top-half/bottom-half
line on its corresponding pin will lie either above or below the cylinder
wall, and one of the two halves of the pin will prevent the cylinder
from rotating.

A master-keyed lock works in very much the same way, except that the
pins come in three parts, not two.  The cylinder will be able to turn
freely if each pin lies in either of two possible positions;  either
the top-section/middle-section line must lie at the cylinder wall,
or the middle-section/bottom-section must lie at the cylinder wall.

From your description (your key has more metal than the master key),
it sounds as if your key is designed to make the pins line up along
the middle-section/bottom-section line, and the master key lines them
up along the top-section/middle-section line.  This would indicate
that the (bottom-section length + middle-section length) for each
pin is the same for all of the locks on that particular master-key
system, but that the actual lengths of the bottom and middle sections
differ between the locks.

    Are these systems safe (It seems to me that taking a file to my key
    would allow it to open other doors!) enough?

Depends what you mean by "safe enough".  They're certainly less secure,
as there are obviously two different keys that can open the lock.  Worse
yet, there are probably even more than that: since each pin can be operated
in either of two different positions, there are 2^(#-of-pins) different
notch combinations that can operate the lock, out of M^(#-of-pins)
possible notch combinations (where M is the number of different depths
to which a notch can be cut).  I imagine that these locks might also be
a bit easier to pick than a non-master-keyed system.

And, yes, if you were to take an impression of the master key, and
simply file down your key until it matched, then you'd probably have
a key that would open your door and many others as well.

If you have material that you really want kept secure, I'd suggest locking
it up in a secure cabinet, using a difficult-to-pick padlock which
is not master-keyed and to which you have the only key(s).
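
[Added example, not part of Dave Platt's message: a small audit of a master-keyed plan under the model he describes, where each chamber turns at either the tenant's cut or the master's cut. It goes slightly beyond his 2^(#-of-pins) count by also flagging tenants whose unmodified key turns another tenant's lock. The depth count, the master bitting and the tenant bittings are constructed values.]

```python
from itertools import product

DEPTHS = 6                      # M: constructed number of cut depths (0..5)
MASTER = (3, 1, 4, 2, 5)        # constructed master bitting, 5 chambers
CHANGE_KEYS = {                 # constructed tenant ("change") keys
    "A": (1, 4, 2, 5, 0),       # differs from the master in every chamber
    "B": (3, 4, 4, 5, 5),       # shares chambers 0, 2 and 4 with the master
    "C": (1, 1, 2, 2, 0),       # shares chambers 1 and 3 with the master
}


def shear_lines(change, master):
    """Cuts at which each chamber lets the cylinder turn.

    A three-part pin gives two such cuts (tenant's and master's); where the
    two keys share a cut the chamber needs no middle section and has one.
    """
    return [frozenset((c, m)) for c, m in zip(change, master)]


def operates(key, lines):
    """A key turns the lock only if every chamber sits at a shear line."""
    return all(cut in allowed for cut, allowed in zip(key, lines))


def count_operating_keys(lines, depths=DEPTHS):
    """Count, by enumeration, the bittings out of M^n that turn this lock."""
    keyspace = product(range(depths), repeat=len(lines))
    return sum(1 for key in keyspace if operates(key, lines))


def audit(change_keys, master, depths=DEPTHS):
    """Return per-lock operating-key counts and unintended cross-keying."""
    locks = {name: shear_lines(key, master) for name, key in change_keys.items()}
    counts = {name: count_operating_keys(lines, depths)
              for name, lines in locks.items()}
    cross = [(holder, door)
             for holder, key in change_keys.items()
             for door, lines in locks.items()
             if holder != door and operates(key, lines)]
    return counts, cross


if __name__ == "__main__":
    counts, cross = audit(CHANGE_KEYS, MASTER)
    total = DEPTHS ** len(MASTER)
    for name, n in counts.items():
        print(f"lock {name}: {n} of {total} bittings operate it")
    for holder, door in cross:
        print(f"key {holder} also operates lock {door}")
```

[The count for a lock is the product of the number of shear lines per chamber, so it reaches 2^(#-of-pins) only when the tenant's key differs from the master in every chamber.]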
From: (Mark Robert Smith)  30-Sep-1987 13:19:09
To:        misc-security@RUTGERS.EDU
My adolescent curiosity got the best of me in high school on a similar
situation.  One day, I showed up early for a play rehearsal, and found
the door to the drama room locked.  Someone else was there and in
jest, I decided to try my keys to see if they'd work.  Lo and behold,
my home back-door key opened the door.  I then tried the rest of the
building and found to my amazement that the key opened about 3/4 of
the doors to the building.  As a matter of fact, I could get into just
about any room but the science labs.
    The technical explanation for this is that the school had 6-pin
Falcon locks, and I had a 5-pin Kwikset standard house door lock.  The
inner 5 pins of my key were very close to the inner 5 pins of the
master (I eventually saw it after a long explanation to the
Vice-Principal) and the little notch to make the key go in smoothly
was the same height as the 6th pin on the master.  Thus, the lock
"thought" that my key was the master.
    Eventually someone stole all of the keys to the building and hid
them in the main office ceiling (they didn't find them for 18 months)
and the whole building was re-keyed, to a much better system.

To answer the question posed by the original poster, I would say that
the locksmith who keyed his building did a bad job.  The master should
have some pins higher than most, some lower.  It sounds like your
master has all pins lower than the individual keys.  Therefore, yes,
you should be able to file your key down to the master and use it for

Mark Smith (alias Smitty)
From: (John McLeod)  30-Sep-1987 16:02:01
Over a year ago, the programmers at Sandia National Laboratories used a
computer to factor a number that is larger than the standard RSA keys that are 
in standard use for the banking system.  Admittedly, they used a few weeks of 
CRAY time, but the number was factored.  How secure a Public Key Crypto 
system is depends in part on how valuable the information that is being
transmitted is.

From:      *Hobbit* <AWalker@RED.RUTGERS.EDU>  30-Sep-1987 17:19:13
To:        Security-digest: ;
These are being sent as a digest to save some time and network bandwidth.
Also, some of these messages are from a time when the inet newsgroup
"" was erroneously configured as an unmoderated group, which
is why there's a lot of query/response going on before the messages ever
made it to the "real" list.  [This problem has been fixed...]



Date:  1 Sep 87 00:10 PDT
From: William Daul / McDonnell-Douglas / APD-ASD  <>
Subject: Re: giving out your phone number

For what it is worth, when asked for my phone number on charges or checks, I 
usually give some random phone number (with a valid prefix).  I know my credit 
is good and there is no reason for them to know my phone number.  --Bi//


Date:     Tue, 1 Sep 87 8:27:05 EDT
From:     Dennis G Rears (FSAC) <drears@ARDEC.ARPA>
Subject:  Re:  giving out your phone number

  I don't know if they can force you to give your phone number or for
that matter your address but how can they verify it?  Whenever I am
asked to give them my phone number or address I give them an address
in a fake town (Tulga, Fl) and a fake phone number (813-622-1212)
which happens to be the number for time.  It's easier to lie about it
than argue with the clerk.  
  I believe though they can refuse to let you use your credit card
without it though.  Just like they do not have to take checks. An
interesting idea though is stores' refusal to take 50 and 100 bills.  I
went to McDonald's the other day and tried to pay with a $50 bill but
they demanded identification.  I refused, said to them "take it or
give me the food for free".  They still refused, I took the food and
sat down to eat.  The manager came and said he would call the police
if I did not pay for the food, I said, I offered to pay and you refused
to take it.  After I pointed out that a $50 bill is legal tender and is
against the law to refuse to take it he finally relented and allowed
the cashier to take the money.



Date: Wed, 2 Sep 87 10:54 CDT
From: "Mike @ (214)575-3517" <>
Subject: RE: ss#

in a similar vein...

EVERY time I buy something at Radio Shack they want to know my address.
I really don't mind them knowing it I guess, but it sure wastes my time
so I usually refuse.

I've gotten into a heated argument over this with the sales person
(sometimes they claim that they need it to validate the warranty).

I still refuse.  It seems that they are scored on the percent of
addresses they get.  If they get less than 90% they get fired.



From: "J Scott Goldberg @eldest" <>
Date: Wed, 2 Sep 87 17:36:24 PDT
Subject: Re:  giving out your phone number

I've found a way of handling requests for my fone number that works
pretty well - I just give out my work number.  (In fact, many merchants
will choose a daytime number given the choice!)

I developed this approach first in terms of my address, as I've had a
P.O.  box since those college days of frequent apartment changes.  When
a merchant "simply must" have a street address, I offer some positive
statement ("I'll be happy to give you my work address - ...") that
satisfies their need before it gets to the otherwise seemingly
inevitable refusal confrontation. 

J Scott Goldberg				TeleSoft
{sdcsvax,hp-sdd,scubed}!telesoft!jgoldberg	5959 Cornerstone Court West
telesoft!		San Diego, CA  92121


Date:         Wed, 2 Sep 87 23:59:41 EDT
Subject:      giving out your phone number

Working in a retail store, I do know that we were instructed to get a person's
phone number on the charge slip. *IF* the customer does not give you *A* phone
number, you must void the sale, or use another payment method.   This was the
rule for a very large family drug store.



Date: Tue, 1 Sep 87 17:05:22 EDT
Subject: giving out your phone number

"When you use a credit card, store clerks always ask you to sign
the receipt and write down your phone number. ... can they force
you to give out your phone number?"
This is a very stupid practice which seems to occur only in the USA
-- I've never been asked for my phone number on a charge slip in
Canada or Europe.  What makes it "stupid" is the false sense of
security the merchant gets from a string of digits when no attempt
is made to validate the information!  Since some merchants "require"
a phone number, I give them one: a local computer access number!
Of course, I could give them anything-- an IRS office, the White
House number, or a purely random string.  They would accept it,
gladly, and I know they would never call it.
So, can "they" force you to give out your phone number?  NO!
They can only force you to give them a string of digits which
may or may not be your number.


Date: Fri, 4 Sep 87 15:32:46 CDT
From: (Paul Pomes - The Wonder Llama)
Subject: Re: giving out your phone number

Restaurants almost always request your phone number when paying a meal
check with a credit card.  The single biggest use they have for it is
calling customers who forget to pick up their cards when they leave.
My solution is to put the card away, THEN sign the form.



Subject: Re: SS and the data theives... 
Date: Fri, 11 Sep 87 08:49:05 -0700
   They don't check this number as part of verification.  In restaurants,
   it's not even requested until you're signing the slip and leaving.  I
   wonder what they do with this info.  It might help someone who's
   fraudulently using your credit card number.  It might also be sold to
   telemarketing firms.  Again, why not submit a false one?

I regularly leave my work phone or a string of seven random digits
(sometimes I mentally spaz and leave my phone number from two years and
2000 miles away...). I used to get the story that this number was
requested to handle cases where the purchase was under the floor limit,
so if something later went wrong with the charge (when they finally got
around to entering it), they could get in touch with you.

However, everyone (at least in the SF Bay Area) now routinely has
magstripe readers attached to phone lines, and they all seem to get
phone approvals on every purchase, so I don't know why the hell they
still want my phone number. Sometimes I get ornery and say I don't have
one, or that it's unlisted, and this causes them utter confusion. Great
fun, if you're in the right frame of mind.

I think it's just force of habit these days, combined with a submissive public.



Date: Fri, 11 Sep 87 10:31:11 EDT
From: Simson L. Garfinkel <>
Subject: Re: SS and the data theives...

I started giving false names and phone numbers at Radio Shack when I
was 10. I didn't know why they were asking my name and address and
phone numbers on *cash* purchases. My theory was that if I gave them a
lot of different addresses, and they sent their catalog to each
address, it would cost them a lot of money and eventually they would
give up. Hasn't happened so far.

Once, I told the clerk that my phone number was "555-1212." Didn't
seem to faze him, though.

To my knowledge, the only time that you are required to give your SSN
is for tax purposes (bank, job, financial aid, &c). I don't know if
you can be arrested for fraud if you give a false SSN but don't sign a
form saying that you've given a false SSN.



Date:         Sat, 12 Sep 87 08:54:20 CDT
From:         John Voigt - Systems Group <>
Subject:      Re: SS and the data theives...

>  Again, why not submit a false one?

I have an unlisted phone number that I NEVER give out for use on credit
slips.  I usually give my old number which has been disconnected with no
forwarding number.  I don't know why they ask for it (except that the
credit card people pressure them to) but I've already given them my
driver's license and that has my SS#..... :-)



Date:     Sat, 12 Sep 87 20:26:17 EDT
From: Brint Cooper <>
Subject:  Re: SS and the data theives...

Many folks have written with perfectly plausible explanations about why
merchants take my phone number on a credit card charge.  What these fail
to address, however, is that if I'm perpetrating a fraud in the use of
this credit card, I'm not about to give out a correct phone number.
They make no effort to validate the phone number before I leave, so what
they're doing is collecting the phone numbers of a bunch of honest

Now then...Why are they collecting the phone numbers of a bunch of
honest people?



Date:         Mon, 14 Sep 87 21:36:59 EDT
From:         Neil Duffee <>
Subject:      Re: SS and the data theives...

In reply to Brint Cooper's <> notion of providing a false
SSN number, this would not work here in Canada (nor probably the US
either) since the SIN (our local equivalent to SSN) uses a check digit
which can be verified readily by hand.  Now, whether the clerk you
are working with happens to know the appropriate formula or not......

As for the telephone numbers with credit cards, while working for
Bank of Montreal Mastercard in Vancouver several years back, this extra
information is also not required.  It seems to be the merchants' personal
way of gathering a little extra information should they be stuck with
a bum (ie. fraudulent) purchase.  As an example, they are actually required,
(not supposed, required) by their merchant's agreement with the Banking
institution, to check each and every purchase made with their copy of
the 'hot' sheet. But, since they think it is a waste of time, a simple
phone number usually will do.  (Have you ever actually supplied the
wrong number?)  In this particular instance, refusing the extra
information is only the first step.  Next, you could ask to see where
it is stated in their merchant's agreement (good luck trying to find
their copy - besides it's not written in your cardholder's agreement,
is it?)  Lastly, make a complaint to the Banking institution issuing
the card as all merchant agreements are negotiated on an individual
merchant basis.  Besides, they have much more clout with this crummy
individual and will, undoubtedly, want to keep someone with such an
outstanding credit rating as yourself.  Right?  :->

Neil Duffee
Bitnet:  NJD2F@UOTTAWA  (Consultant biz)
         470820@UOTTAWA (student works)


Date: Mon, 14 Sep 87 22:10:46 EDT
From: (Barry Shein)
Subject: SS and the data theives...

> Again, why not submit a false one?  Or your work phone?  Or whatever?

Well, now c'mon. A couple of weeks ago I got a call from the photo
store down the block that I had left without signing the credit slip.
They got the phone number as you said (I had written it on the
slip.) Honest mistake, I went down and signed it.

I suppose if I hadn't written the right phone # down they would have
had the choice of either figuring out some other way to pursue me
(perhaps MC would give them info or forward mail) or eating the 25

To paraphrase Blanche DuBois: They have always relied on the kindness
of strangers.

	-Barry Shein, Boston University


Date: Tue, 15 Sep 87 09:11 PDT
From: "The Bandit . . . (on RITA)" <>
Subject: RE: Re: SS and the data theives...

I once asked why you are asked for your phone number when using your
charge cards.  The clerk explained that thieves have been caught because
they stupidly put down THEIR home phone number, not the phone number of
the person who "owned" the card.

Derek Haining
From:      *Hobbit* <AWalker@RED.RUTGERS.EDU>  30-Sep-1987 17:21:14
To:        security@RED.RUTGERS.EDU
Mounting the crystals "elsewhere" in the box will probably cause the
transmitter to go off half-cocked from stray capacitances, and possibly not
open the door anymore.  If you pull something like this make sure of the
usual RF procedures, short leads, shielding, etc...

And why are garage door openers not a topic of security?  It seems that those
of you who own them are relying on them to keep vagrants out of your garage.
Most remote door opener installations are done such that the manual locking
mechanism of the door isn't used anymore [otherwise, it wouldn't open

A similar discussion was had about passive-RF cards a while back.  There's
always the fact that someone can conceivably listen to what your opener says
when you drive up, and thus effectively have a key to your house...

From: (Bruno Wolff III)  30-Sep-1987 18:57:24
You must be very careful verifying programs to see if they have changed.
Often a program can be patched so as to remain the same size by using
partially full pages or replacing seldom used routines. On many systems the
modification date can also be changed back to the original date (this is
nice when copying files).
If you keep another copy of the program to run a diff against it should be
hidden so that both the program and the copy aren't changed. Best would be
to bring a copy in off some removable media to do the comparison. The medium
should only be mounted when the person to do the comparison is there in
person. Even then the program for reading the file in or the diff program
could have been tampered with.
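
[Added example, not part of Bruno Wolff's message: a check that records a content digest alongside size and modification date, run against a constructed file that is patched to the same size and has its date set back. The file name and contents are constructed, and SHA-256 is an assumption of this example. As the message notes, the baseline belongs on removable media and the comparison tool itself must be trusted; the example does not solve either.]

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=65536):
    """Hash file contents in chunks so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(path):
    """Record what a size/date check sees, plus a digest of the contents."""
    info = os.stat(path)
    return {"size": info.st_size,
            "mtime_ns": info.st_mtime_ns,
            "sha256": sha256_of(path)}


def compare(baseline, path):
    """Return the names of the recorded attributes that no longer match."""
    current = snapshot(path)
    return sorted(name for name in baseline if baseline[name] != current[name])


def demo():
    """Patch a file in place at the same size, restore its date, then compare."""
    with tempfile.TemporaryDirectory() as workdir:
        program = os.path.join(workdir, "program.bin")   # constructed name
        # Constructed contents: a routine followed by unused padding, standing
        # in for the "partially full page" the message mentions.
        original = b"ORIGINAL ROUTINE" + b"\x00" * 48
        with open(program, "wb") as handle:
            handle.write(original)
        fixed_time_ns = 560_000_000 * 10**9              # whole seconds, 1987
        os.utime(program, ns=(fixed_time_ns, fixed_time_ns))

        # In practice this baseline is written to removable media and only
        # mounted for the comparison; here it simply stays in memory.
        baseline = snapshot(program)

        # Same-size modification that reuses the padding, then the date reset.
        patched = b"ORIGINAL ROUTINE" + b"ALTERED".ljust(48, b"\x00")
        assert len(patched) == len(original)
        with open(program, "wb") as handle:
            handle.write(patched)
        os.utime(program, ns=(fixed_time_ns, fixed_time_ns))

        differences = compare(baseline, program)
        metadata_only = [d for d in differences if d != "sha256"]
        return {"metadata_only": metadata_only, "with_digest": differences}


if __name__ == "__main__":
    result = demo()
    print("size/date check reports:", result["metadata_only"] or "no change")
    print("digest check reports:   ", result["with_digest"] or "no change")
```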
From:      Mike Linnig <>  30-Sep-1987 19:57:42
To:        securty@RED.RUTGERS.EDU
I'm not an expert but I had a cubemate that studied 
locks and locksmithing.  I think if you could get a couple of
other folks' keys on your floor, you could determine which
parts of the key were common and file the remainder away.

I think the general trick is that the tumblers in the 
lock have a couple of cuts not just one.  The master key
pushes (one or more) tumblers to this second position.

Seems on reflection that there are ways of making master keys
that cannot be deduced from looking at non-mastered keys, but
I'm not sure every lock maker employs these techniques.

(sorry if that rambled a bit, but I'm trying to recall five
 year old conversations).

	Mike Linnig
From:      mason@OBERON.LCS.MIT.EDU (Nark Mason)  30-Sep-1987 22:29:29
To:        jh@VENUS.MIT.EDU,
	I guess if you have something to hide from people that are looking
for info about you you can just give them a bogus number instead. If
someone asks you your number and you say "I refuse to tell you" it will
make them wonder. If you say "934-28-3546" they will write it down, no
questions asked, no sweat.

	Your being worried about being reduced to a number in a computer sounds
kind of silly to me. How does VENUS.MIT.EDU refer to you? By your UID.
You say you have a username? Surprise! You're 106 104 @ Do you
find this morally offensive? If you make people use your name instead of a
number it's just packed decimal instead of binary. If you don't want to be
a number you'll have to refuse to let them enter you into a computer.

	The whole point of people using your SS# is each person already has
a unique one so they don't have to give you one. It just makes life easier.
Your point up there ^^ that refusing to relinquish your number makes
things more difficult is valid though.
From: (Bernie Cosell)   1-Oct-1987 03:41:34
The locks have multiple-segment tumblers.  One of the split-lengths
is the same in every lock, so that a key that has just those settings
will open all of the locks.  You use the same idea to have "submasters"
and "grandmasters".   I don't remember exactly how it typically goes,
but if it were me, I'd have the bottommost tumbler splits be the ones for
the most wideranging master (that is, the tumbler splits that require
the most pushing-up to align and so the largest key height).  At least this
would mean that (as you suggested) it would take more than just ANY key
and a file to make up a master key.


Bernie Cosell                       Internet:
Bolt, Beranek & Newman, Inc         USENET:!cosell
Cambridge, MA   02238               Telco:     (617) 497-3503
From:      jh@VENUS.MIT.EDU (Joe Harrington)   1-Oct-1987 16:43:50
To:        mason@OBERON.LCS.MIT.EDU,
As for giving out bogus numbers and claiming they are my own, I cite a
recent article on this list concerning what that does to the ssa and
the (legitimate) records they have, and how easy it is for me to
correct them.  Also, I'm not sure of the legality of falsification on
signed documents (like checks and bills of sale) and I'm not into
lying to people.

Should someone wish to start collecting info about me, that person is
certainly not going to walk up to me, identify himself, and say "By
the way, what is your social security number?", so I cannot, as you
suggest, "just give them a bogus number instead."  He will read it off
some form my name is on.  To hide my number (to avoid giving him a
universal cross-reference), I would have had to withhold it from
people since I got it.  Since I didn't hide it from the beginning, I
see little point in hiding it now, as anyone really determined can get
it from places I have already given it to.

From:      John G Dobnick <>   2-Oct-1987 00:07:11
To:        security@RUTGERS.EDU
Just an observation on what appears to be the "standard practice" of setting
up master/sub-master keying systems.  The way things are set up where I
work, it seems that individual keys have the shallowest cuts.  Sub-masters
have more/deeper cuts, and master keys have the most/deepest cuts.

Now, to my untutored way of thinking (I am not a locksmith), this is exactly
the *wrong* way to do things.  Conceptually at least, it seems like it is
fairly easy to "convert" an individual (single door) key into a sub-master or
master with a file.

Actually, this is a little stronger than a theoretical approach.  I know of
people who *have* converted individual office keys into departmental masters.
However, this was years ago; the statute of limitations has long run out, and
the buildings/doors in question have since been re-keyed.  [This paragraph is
here for the purpose of "coverin' me behind"!  :-) ]

Anyway, this whole situation strikes me as a gross security risk.  I have
discussed this issue with our locksmith, but have received an unsatisfying 
answer.  He claims that this is just the way things are done.  Well, I don't
buy that.  Does anyone out there have a good technical reason why master/
sub-master keying systems are done this way?  (Ease of implementation is
*not* an acceptable technical reason, by the way.)
John G Dobnick
Computing Services Division @ University of Wisconsin - Milwaukee
UUCP: {ihnp4|uwvax|uwmacc}!uwmcsd1!jgd

"Knowing how things work is the basis for appreciation,
and is thus a source of civilized delight."  -- William Safire
From:      William Daul / McDonnell-Douglas / APD-ASD  <>   2-Oct-1987 02:08:14
To: (Dave Platt)
What I know via a Tear Gas (TG) Class from 6 years ago...HALT! will have no 
effect on humans (at least DON'T bet on it).  The Bakersfield Police said in 
their city, if you use TG (being certified to carry it) in a situation that 
results in a court case, if the jury/judge feels that your reaction was 
justified based on your experiences then you will probably be found innocent.

They mentioned a case where a nurse walked across a park late at night to get 
from the hospital and the parking lot.  One night she heard rapid footsteps and
was then raped.  She became certified to carry TG.  On another night she was on
her way to her car (finger poised on the TG).  She heard someone running 
towards her...she turned and let them have it!  She ran off to call the police 
to tell them she was attacked.  Soon afterward a fellow jogger called the 
police and told them a crazy woman sprayed him with TG.  He then sued.  The 
jury found in her favor saying that anyone that had been in her position with 
her experiences would have done the same thing.  The judge told the jogger to 
run earlier or find another place to run.  End of the fairy tale.