The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1988)
DOCUMENT: Rutgers 'Security List' for January 1988 (29 messages, 42682 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1988/01.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

-----------[000000][next][prev][last][first]----------------------------------------------------
From:      grm+@andrew.cmu.edu (Gretchen Miller)  7-Jan-1988 16:01:34
To:        security@aim.rutgers.edu
Hi!  I'm an operator at Carnegie-Mellon University Computing Services
department.  I am looking for information on how different organizations
physically identify magtapes.

We operate several different types of machines here (Dec-20s, VMS vaxes in
various sizes, and an IBM 3083 running VM/CMS).  The user-ids on these systems
has been a standard form: The user's first and last initial followed by single
digit number, followed by a single number or letter.  Mine, for instance, is
GM5B.

We maintain a large user and administrative tape library (approximately 3,700
user tapes, and about 1200 administrative tapes).  To physically identify each
tape, so  we can tell if the owner is the person trying to mount a tape, or
remove it from the tape library, we place an identifying label on the tape
case, which is the name people use when requesting a tape mount.  Tape names
are 6 characters: the first four are the owner's userid, and the last two are
unique identifying numbers or letters.  An example of a tape name might be
GM5BN2.  This worked very well until we got a UNIX system.  We now have a
system with userids that do not conform to the standard, and we will be
acquiring a tape drive for that system soon.  Therefore, we want to find out
how other sites identify tapes in their tape libraries, and particularly how
sites where the number of characters in userids varies identify their tapes.

Please mail replies to me, and, I'll post a summary of replies to this bboard.
Your help is greatly appreciated.

Gretchen Miller
Computing Services, Operations
Carnegie-Mellon University
-----------[000001][next][prev][last][first]----------------------------------------------------
From:      *Hobbit* <AWalker@RED.RUTGERS.EDU>   8-Jan-1988 16:24:29
To:        Security: ;
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: matt@oddjob.uchicago.edu (Schizophrenic Solipsist)
Subject: Re: SSN
Date: 10 Dec 87 05:15:58 GMT

Could some kind soul mail me a pointer to the relevant laws that
allow me to try to keep my SSN private?  Hardly a month goes by that
some sales person or public-service droid doesn't insist that their
company requires my SSN in order to do business, extend credit, or
answer a question.
________________________________________________________
Matt	     University		matt@oddjob.uchicago.edu
Crawford     of Chicago     {astrovax,ihnp4}!oddjob!matt

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:     Wed, 9 Dec 87 17:35:07 PST
From:     gea@Romeo.Caltech.Edu (Gary Ansok)
Subject:  SSN's

In a recent message, Larry Hunter described some quite awful things happening
to a person because a police department get his name by mistake, and used
that as an argument against giving out your SSN.

Are such mixups more likely, or less likely, if police departments use
SSN's as a key rather than personal names (or whatever would be used
instead if we all refused to give out our SSN)?  If someone wants to
impersonate someone, they are as likely (or more) to do it on the basis
of a name as a social security number; you also have the possibility
of duplicate names (yes, these have also caused problems without any
misrepresentation by any party involved).

The problem is not the identifying key used; one problem is the non-
robustness of data (if the tattoo in Larry's example had been included
in the warrant and checked by the officers, this might not have arisen).
Any method of keeping data requires a unique key for a person.  One hopes
that in the case of critical data, there will be some secondary data
which, even if not unique, will verify that the primary key is valid.

What really worried me about Larry's story was the fact that a birth
certificate (which has no picture and only minimal physical description)
is often regarded as the ultimate ID in our society.

		Gary Ansok
		ansok@scivax.stsci.edu    or    gea@romeo.caltech.edu

P.S.  On a different topic, I salute my credit union:  My primary
	account number, which is the only one to appear on my
	checking and Visa statements, does not appear on either
	my checks nor my Visa card.  I have often wondered how secure
	banks are with all the numbers written on checks &c.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Sun, 13 Dec 87 14:57:08 EST
From: Larry Hunter <hunter-larry@YALE.ARPA>
Subject: Re: SSN

Jonathan,      

I apologize for calling your characterization a bit naive.  Let's look
at where we might agree.   First, in my original posting I concluded
my nasty scenario with the following caveat:

        Paranoid?   Sure.  I don't think this sort of thing happens very
        often, but it provides an idea of the power in those 9 digits.
        I personally believe that the institutional (mis)use of SSNs
        is by far a worse problem than the kind of criminal behavior
        I just described, but I find the latter is more persuasive to
        people who are cavalier about having "nothing to hide".

You made this point more strongly:

    ... Injustice has happened before there were computers and widespread
    usage of SSN's.  I am sure that we will still have to continuing
    fighting these cases as long as there is civilization. However the
    possibility of the kind of hassle mentioned in the article to which
    I replied is probably less than that of being hit by a car, robbed
    at gunpoint, or harrassed in a more "traditional" manner.

Your point is well taken.  SSN based abuse is not all that likely.  On
the other hand, it is sobering to realize how important records about
us are to our well being.  People can indeed suffer significant harms
because of records about them.

    It is rather pointless to end up with high blood pressure, heart
    disease, depression, and lost productivity because you spend half
    of  your life fighting the phone companies or someone elses usage
    of your SSN or any other number.

This I have a harder time with.  Although I try not to get too stressed
out over it,  I think there are real problems arising from institutional
abuse of SSNs.  My concerns (and my reasons for holding my SSN closely)
are as I stated originally:

    The practical reasons to associate your SSN with as few records about
    you as possible have to do with the fact that large, powerful entities
    (like the IRS and large consumer products companies) use techniques
    like block modelling and record matching to exert significant power
    over individuals.

Do not underestimate the hidden uses of SSNs.  They are more important,
although sometimes less publically compelling than the criminal ones.
Consider some of the decisions that information associated with SSNs effects:

* Whether or not you get audited by the IRS.

* How much your health, life and property insurance cost, and whether
  or not it is available to you at all.

* Whether you are granted credit to buy a house, or a car, or get a credit
  card (the latter is used as an important distinguishing factor between
  "haves" and "have nots" in our society).

* Your access to government assistance (from farm loans to student aid
  to aid to families with dependent children).

* Who becomes the target of law enforcement investigations.  Computer
  matching of records is a rapidly growing source of prosecutions that
  strikes me utterly without probable cause.  Also, don't forget that the
  Church Committee investigation of the US intelligence community in the
  late 70's said that the ability of the government to track and monitor
  individuals, if turned to repressive ends, would be sufficient to squash
  all dissent.  Much of that ability derives from computer record keeping
  based on unique personal identifiers.

* How large corporations sell their goods to consumers.  Information
  associated with you (perhaps associated with SSNs, although it has not
  been demonstrated) is used to target specific advertising that has been
  shown to be effective on people "like" you.  Different (possibly
  contradictory) advertising may be shown to others.

* How politicians influence you to vote.  Although (like advertisers
  for consumer goods) use of SSNs has yet to be documented, politicians
  use techniques based on personal information similar to that of other
  advertisers to influence your political opinion.

Not all of these possible uses (and abuses) of SSNs are commonplace,
but many of them are.  Part of our role as members of this community
is to try to foresee threats to our privacy and security and inform others
about them.  I believe that, although such threats may pale in comparison
to physical violence, they are significant and worthy of discussion.
The Privacy Act of 1974 which limited uses of SSNs, held that unique
personal identifiers in wide use were an important threat to individual
rights.  I agree with that sentiment, and would suggest that threat is
more significant now than ever before.

                                        Larry Hunter
-----------[000002][next][prev][last][first]----------------------------------------------------
From:      *Hobbit* <AWalker@RED.RUTGERS.EDU>   8-Jan-1988 16:27:14
To:        Security: ;
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Wed, 25 Nov 87 13:09:33 EST
From: Dave Kucharczyk <ssr@tumtum.cs.umd.edu>
Subject: Re:  Infinity

 Yes, infinity transmitters do exist. they work on the principle that
the audio path is made even before a dialed phone starts to ring.
one sends a tone down the line which tells the infinity transmitter
to "pick up" the phone before the ringing starts, and can then listen
to teh location where the bug is planted. however these devices are
pretty much made obsolete by the fact that any of the ESS switches
do not open an audio path untill they receive answer supervision
from the dialed end.

ssr

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Thu, 26 Nov 87 11:51:35 EST
From: Larry Hunter <hunter-larry@YALE.ARPA>
Subject: Re: Infinity

    Ever heard of an "Infinity Transmitter"?
    
Yeah, they are pretty old tech bugging devices.  They used to work fine,
but with the advent of separate signalling and voice circuits in ESS
(the electronic version of Ma Bell's switching system) they became
obsolete.

The idea was that the bug would listen to the phone line for a tone.
When it heard the tone (or combination of tones -- they were called
harmonica bugs because people often used harmonica notes to trigger them)
it would pick up the phone and you could listen to what was going on
in the room that the phone was in, before the phone rang.  The problem
in ESS is that the caller is not connected to the line when it is
ringing -- the audio connection is only made when the phone is picked
up -- so the bug cannot hear the incoming tone.  No audio path to
transmit the tone, no infinity bugs.

One might imagine more sophisticated versions of the infinity bug;  It
could pick up the line WHENEVER it rings, check for the tone, do the
infinity bug thing is the tone is present and if the tone weren't present
it would have to generate its own ringing voltage (for the phone) and
ringing tone (for the caller) until the line really got picked up.   As
you might imagine, the ESS infinity bug would have to be much more
complicated (read more expensive and more likely to be detected) than
the old style ones.  I've never heard of anyone trying this.

There are lots of telephone exchanges that are not ESS (step and crossbar
are the two main alternatives) where the simple old infinity bugs still
work fine.  Any exchange where "Custom Calling" (e.g. call forwarding
or call waiting) is not available is probably not ESS.

People still sell things like infinity bugs as "home baby sitters" or
as burgler alarms, but they answer the phone all the time even though
they only turn the mike on if they receive a tone.  These are usueless
as bugs because no one can make calls TO the target -- the bug always
answers the phone.

You can rest easy re: infinity bugs, although you should be aware that
it is a pretty trivial task to use electronic surveillance these days
and that a lot of people do it.

                                             Larry
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Sun, 29 Nov 87 16:27:38 EST
From: Mark W. Eichin <eichin@ATHENA.MIT.EDU>
Subject: Infinity Transmitters

I saw an article on these once (on a bboard that got closed down about
a year later for phone credit card postings). The main idea was that
someone who wanted to tap the room would add this little circuit board
to the phone, which would detect some sort of tone on the line when
the phone first rang, inhibit the ring, and open the microphone.
Something was mentioned about ultrasound (unlikely, given the quality
of the phone lines, but it was being vague), and how you
could tap in from anywhere as long as you could dial direct (ie. even
from England). The main flaw was that the phone was of course busy (to
the outside world) the whole time you were monitoring. It was
allegedly used extensively by PI's to gather ``evidence'' for divorce
proceedings. 
	The article did not have much in the way of technical detail;
oh well.
			Mark Eichin
			<eichin@athena.mit.edu>
-----------[000003][next][prev][last][first]----------------------------------------------------
From:      <PRITCHAR%CUA.BITNET@CUNYVM.CUNY.EDU> (Hugh Pritchard)   9-Jan-1988 14:08:54
To:        SECURITY@RED.RUTGERS.EDU
[Repeated without permission from the business section of
_The_Washington_Post_ of Saturday, Jan 9, 1988]

[headlined] Reagan Signs Bill Governing Computer Data

President Reagan yesterday signed a bill intended to tighten security of
computer systems that store nonclassified data such as census, tax and
business records.  The National Bureau of Standards is to develop programs to
protect the machines from being illegally tapped by outsiders.

The law overrides a national security directive that Reagan issued in 1984
giving the Pentagon's National Security Agency responsibility for safe-
guarding the data.  Later, the White House created a new classification of
data for protection -- "sensitive but unclassified."

The measures led to criticism in Congress that the government was tightening
the flow of information and expanding military authority.  The new law places
responsibility for civilian computer security in civilian hands, but provides
for the NSA to give technical advice to the bureau.  The law also specifies
that nothing in it will be used to restrict disclosures under the Freedom of
Information Act.

[end of article]

/Hugh Pritchard,        Systems Programming             PRITCHARD@CUA.BITNET
The Catholic University of America Computer Center      (202) 635-5373
Washington, DC  20064  USA

Disclaimer:  My views aren't necessarily those of the Pope.
-----------[000004][next][prev][last][first]----------------------------------------------------
From:      Brendan O'Connor <BMOCONNO%pucc.bitnet@RUTGERS.EDU>  10-Jan-1988 04:54:05
To:        misc-security@RUTGERS.EDU
Is there any way to find out if someone else is using your SSN? I lost
my card in Motor Vehicles (one of the worst possible places, it seems to
me). Since I know that there's a big trade in SS cards to illegal aliens,
I suspect that mine was picked up and sold to somebody.

If this is the case, I want to find out if somebody is using it, and what
I can do to prevent future trouble for me.

UUCP   : ...{allegra,ihnp4,cbosgd}!psuvax1!PUCC.BITNET!BMOCONNO
ARPA   : BMOCONNO@PUCC.PRINCETON.EDU
BITNET : BMOCONNO@PUCC.BITNET
-----------[000005][next][prev][last][first]----------------------------------------------------
From:      <SYSTEM%CRNLNS.BITNET@CUNYVM.CUNY.EDU>  11-Jan-1988 12:05:17
To:        SECURITY@RED.RUTGERS.EDU
A recent discussion of DES software distribution on one
of the Bitnet mailing lists came to a definitive resolution.
Since this seems to be security related, I thought the
readers of this list might find it interesting.

Selden Ball
system@crnlns.bitnet
--------------------------------------------
Date:         Fri, 8 Jan 88 21:43:42 -0500
From:         Rayan Zachariassen <rayan@ai.utoronto>
Subject:      Re: DES
To:           "Selden E. Ball, Jr." <SYSTEM@CRNLNS>

After you read the following article (referred to earlier by Dennis Ferguson),
hopefully the DES discussion will disappear from this list.

Date: Mon, 26 Oct 87 17:18:36 PST
From: John Gilmore <hoptoad.UUCP!gnu@cgl.ucsf.edu>
Subject: Export control does *NOT* apply to publicly available software.
To: info-futures@bu-cs.bu.edu

I researched this topic pretty thoroughly last year, by going down to the
local Federal Building and wading through the rulebooks in Commerce Dept.
library.  What prompted me to do it was that I had a PD DES, that I had
posted to comp.sources.unix, which a Canadian reader claimed was in
violation of export laws.

Rich $alz took the info I got and talked with the NSA (US National
Security Agency) and some Boston-area cryptographers.  The upshot was
that NSA never came up with anything that contradicted the rules I
found, and Rich posted not only the DES code, for worldwide distribution,
but also the "crypt breaker's workbench" that decrypts the ancient Unix
"crypt" command.

Now, the way things wag with NSA is that if you ask them "Can I do this?"
the answer is almost always "No".  What you have to say is "Show me the rules
that say I can't do this.  I have some that say I can."  The courts have
regularly ruled that the government cannot enforce a policy which is not
written down and equally applied to everyone (it's called "secret law").
So if what *is* written down supports you, they are stuck with it.  They
can't secretly make new laws and tell you later that you broke them.

Since everyone else on this topic is shooting off their mouth without
having done any research (now we have *two* Canadians who are falsely telling
us what the US export law is -- thanks guys!), I figured I'd better post
my full references to make it credible.  Save this message; if I ever leave
the net somebody had better have a copy to shout down the clowns again.

From: gnu@hoptoad.uucp (John Gilmore)
Subject: There are basically no export controls on public domain information.
Date: 3 Oct 86 23:57:06 GMT

I got into a hassle last month for posting a DES program to mod.sources
because someone claimed that I was breaking the export control law.

I spent the afternoon down at the Federal Building and discovered that
export policy is in better shape than I thought.  Basically, you can
export any technical data to any destination if it "has been made
generally available to the public in any form".  This export is under
a "general license" which is available to everyone without any paperwork.

So, you should expect to see the DES posting again (it was canceled)
and to see Crypt Breaker's Workbench on mod.sources soon.

Here are the regs for all you policy hounds:

Export Administration Regulations, Part 370.2, Definitions.

        "General License.  A license established by the US Department
        of Commerce for which no application is required and for which
        no document is granted or issued.  It is available for use by
        all persons, except those listed in and prohibited by the
        provisions of Supplement No. 1 to Part 388, and permits export
        within the provisions thereof as prescribed in the Export
        Administration Regulations.  These general licenses are not
        applicable to exports under the licensing jurisdiction of agencies
        other than the Department of Commerce."

Part 379.1, Definitions.
        "...  All software is technical data."

Part 379.2, Licenses to Export.
        "Except as provided in Part 370.3(a), an export of technical
        data must be made under either a US Department of Commerce
        general license or a validated export license.  General
        licenses GTDA and GTDR apply to specific types of exports of
        technical data..."

Part 379.3, General license GTDA: Technical Data Available to all
Destinations.
        "A General License designated GTDA is hereby established
        authorizing the export to all destinations of technical data
        described in 379.3(a), (b), or (c) below:

                (a) Data Generally Available

        Data that have been made generally available to the public in
        any form, including--

        (1) Data released orally or visually at open conferences,
        lectures, trade shows, or other media open to the public; and

        (2) Publications that may be purchased without restrictions
        at a nominal cost, or obtained without costs, or are readily
        available at libraries open to the public.

        The term "nominal cost" as used in 379.3(a)(2) above, is intended
        to reflect realistically only the cost of preparing and distributing
        the publication and not the intrinsic value of the technical data.
        If the cost is such as to prevent the technical data from being
        generally available to the public, General License GTDA would not
        be applicable.

                (b)  Scientific or Educational Data ...

                (c)  Patent Applications ..."

------ (end of first message)

John here, talking to info-futures again.  Chris Lewis (the first
Canadian "expert") tried to pick the above to pieces, so I provided
more explanation by private mail, now revealed to the info-futures
readership for the first time ever!

Date: Sun, 12 Oct 86 16:57:06 PDT
From: gnu (John Gilmore)
Subject: Re: Export control revisited

Chris Lewis is still somewhat concerned about export control.  I will
try to explain the things he mentioned in his message of 8 October.

>>      "General License.  A license established by the US Department
>>      of Commerce for which no application is required and for which
>>      no document is granted or issued.  It is available for use by
>>      all persons, except those listed in and prohibited by the
>>      provisions of Supplement No. 1 to Part 388, and permits export
>                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>                           what is this section about?

It lists people who have abused the general license in circumstances
where it does not apply (eg shipping Vaxen to Russia).  The idea is that
you are innocent until proven guilty with regards to general licenses.
I looked in the supplement and it was a 3-page list of names and cities.
I was not on it.  :-)

>>      within the provisions thereof as prescribed in the Export
>>      Administration Regulations.  These general licenses are not
>>      applicable to exports under the licensing jurisdiction of agencies
>>      other than the Department of Commerce."

I also got myself a copy of the regulations on cryptographic material
export, but I didn't include it in my posting since it did not apply.
It's listed under Part 399.1, supplement #1 (the Commodity Control
List), "ECCN 1527A".  It mentions that computers when combined with
cryptographic software are covered under this ECCN, and says "Technical
Note:  No technical data or software controlled under this ECCN may be
exported or reexported under General License GTDR."  HOWEVER, we are
exporting under General License GTDA, not GTDR, and this is a valid
distinction.  There is nothing in this ECCN section that precludes
shipping cryptographic technical data (e.g. software) under general
license GTDA.  It also says, "Exporters requesting a VALIDATED LICENSE
from the Department of Commerce must provide a statement from the
Department of State, Office of Munitions Control, verifying that the
equipment intended for export is under the licensing jurisdiction of
the Department of Commerce." (emphasis mine)  However, we are not
requesting a validated license, we are using the general license, so
this requirement does not apply either.

In summary, I believe that the provisions of ECCN 1527A do not apply to
public domain software, and we are OK.  (I don't know of any other ECCN
sections that apply either.)

>>      "A General License designated GTDA is hereby established
>>      authorizing the export to all destinations of technical data ...
>>
>>      (1) Data released orally or visually at open conferences,
>>      lectures, trade shows, or other media open to the public; and
>>
>>      (2) Publications that may be purchased without restrictions
>>      at a nominal cost, or obtained without costs, or are readily
>>      available at libraries open to the public.

>       1) Has *this* DES program been formally published before?
>       2) Can it legally be?  Journals are supposed to be reviewed prior
>          to publication by one of the security agencies.  We're a loophole.
>       3) From another tack: can you make a DES program PD?

(1)  You elided the relevent section of the general license definition.
"(a) Data Generally Available: Data the have been made generally
available to the public IN ANY FORM, including... (1) and (2)...".
(emphasis mine.)  If something has been placed into the public domain
and its location advertised to the Usenet community, or placed into
a publicly accessible bulletin board, or posted to the Usenet, I claim
that it has been made generally available to the public.  (1) and (2)
are not the only ways something can be made available to the public;
they are just examples.

(2)  You can't be expected to know how things work in the U.S., being
Canadian, but there is NO requirement that "journals are supposed to be
reviewed prior to publication".  We have a free press here.  They tried
to impose something like this and it didn't work.  There is a
"voluntary" system whereby authors can submit manuscripts to the NSA
for review, but you are not even bound by the result -- they can only
make suggestions.  Mostly this is so they can recommend that you delete
certain phrases that might give away what they are working on, and you
are supposed to feel patriotic enough to go along.  Presumably they
could also try to go to court to stop you from publishing, but I don't
think that has happened to any paper that has been voluntarily
submitted under this program.  (They did go to court against the
magazine that published the "how to build an atom bomb" article.)

You may be confused between mandatory review of journals and the
Defense Department's right to review articles by people who they fund.
If you are doing government-sponsored research, they can write the
contract such that they get to OK any release of information derived
from the sponsored research.  But if I invent something on my own,
without gov't money, I can publish it.

(3)  Public Domain-ness is a state of ownership.  Since you can
certainly own a DES program (e.g. AMD owns the copyright of the 8068
DES chip; ATT owns crypt(1)), you can also renounce its ownership and
place it into the public domain.

>You didn't include anything from 370.3 (or is that a typo?) either.

It was not a typo.  I don't have a copy of it here, but I don't think
it applies to us.  It's part of the "General Policy on Exports" section.

>If this program were to be published in a technical magazine (presumably
>safest in a real journal, not necessarily BYTE), then I'd feel safe
>because they've already had approval.  BYTE published one or two DES programs
>ages ago, but this was before the NBS standard was formalized.  Presumably
>you could publish *that* program (6502 assembler), but not anything written
>since then.  I haven't seen a DES program since (though, I don't read all
>that many journals...)

This objection is covered above -- there is no required government
review of publications here, and no government approval is required to
publish.

>I realize perfectly well that a court challenge on this would probably
>find in our favor - as in, is DES in software really DES?  But, I want
>to ensure that we stay well clear of the shadow (if not the substance)
>of the law.

Actually, this is not relevant.  The export control regs don't mention
DES at all.  They say "cryptographic equipment...designed to ensure
secrecy of communications...or of stored information...and "software"...
performing the functions of such cryptographic equipment", and then
make a few exemptions for things like simple scrambled voice, video, or
fax.

>I can't help remembering the export restrictions on crypt (which, I believe
>are still in effect *even tho* Enigma has been declassified for years),
>AT&T's security package, Motorola and Intel's encryption boards etc.
>I remember seeing discussions in trade journals 2-4 years ago about DES
>export restrictions, code-breaking discussions, other more recent encryption
>methods, but I can't remember where.

None of the above stuff is "technical data generally available to the
public", so it cannot be exported under the GTDA general license.  Note
that journal articles like the AT&T Tech Journal one on breaking crypt
are generally available to the public, and they are being exported
without trouble.  Ditto for _Cryptologia_.  It *DOES* take an export
license to export non-public technical data, e.g. the Unix crypt
command (licensed software), encryption boards (hardware, not
technical data), etc.

I must say that I felt the same way you do about this -- I had a general
feeling that exporting this stuff was illegal, even though I thought it
should be legal -- until I spent the time to research it.  My opinion of
the people who wrote US export law has gone up significantly.  They
really believe that if the US "public" can get it, it is exportable.

FYI, here is the definitive story on how the "export restrictions on
crypt" came about, from Dennis Ritchie himself.  As you can see, no
government agency ever said it could not be exported; AT&T and DEC
simply decided that applying for an export license was too much trouble.
I've also included a message from Gordon Moffett who says that Amdahl
is now exporting Unix with the crypt command without trouble.

From: dmr@research.UUCP
Subject: export controls
Date: 18 Sep 84 05:15:46 GMT
Posted: Mon Sep 17 22:15:46 1984

As has been said, there is indeed a special "International Edition"
of System V that differs from the ordinary system in that it
lacks the crypt command, the encrypting features of ed and vi, and the
encrypt entry of crypt (3).  The crypt entry, which is used for
passwords, is there, as is the underlying DES algorithm.

Here's how it happened.

About a year ago, I got mail from Armando Stettner saying basically,
"Do you know of any problems with exporting crypt?  Our lawyers
[at DEC] are worried about it."  I replied that such worries were
utterly unfounded for a variety of sensible reasons.

Now, as it has turned out, DEC was very justified in worrying about
export controls in general; they have recently been fined (I think) $500,000
for the Vaxen that almost got sent to Russia.  I conjecture that
the earliest stages of this or a similar incident were already in progress
and they were trying to be extra careful when they learned about crypt.

At any rate, the DEC lawyers communicated their fears to AT&T,
and the AT&T lawyers, equally cautious, sought government advice.

The problem, you see, is that cryptographic materials are under export
control.  There is a thing called the Munitions Control Board that worries
not only about machine guns going to Libya, but also about the crypt
command going to England.  In practice, the enforcement is done by the
Commerce department.

AT&T had a meeting with Commerce, the MCB, and NSA.  The upshot was
that they decided it would be simplest all around just not to export
the crypt command.  The gov't would almost certainly have granted
the license, but (probably wisely) AT&T decided it wasn't worth
the hassle.

In technical terms, the situation is ludicrous. The encrypt subroutine
is distinguished mainly by the excruciating care I took to make it
an exact transcription of the algorithm published in the Federal Register,
and by its slowness.   NBS, the caretaker of DES standardization,
is explicit that software implementations cannot be certified, so in that
sense encrypt is not "real" DES.  The underlying subroutine is still
there, only the simple command that uses it is missing.  So there is
actually nothing to protect, and even if there were, it's not protected.
Nevertheless, in the present situation we officially don't need
an export license, whereas with the crypt command we would.

In political terms, AT&T probably could have done better.  Conservative
and careful, they called a big meeting at which no one could possibly
have put forward anything but official positions about encryption
programs.  Private checking with well-placed people in the appropriate
agencies might well have done the job.  But who knows?

                Dennis Ritchie
-----

In article <3140@amdahl.UUCP> Gordon Moffett writes:
Our Corporate legal advisor says that the restrictions against
exporting encryption stuff has been lifted.  We used to have two
UTS's:  one with the crypt(3) stuff for domestic customers, and one
without export.  We no longer distiguish between the two -- we now ship
everything to non-USA customers just as to the USA sites.

I've already gotten one letter about this, asking me for further
confirmation that this is ``true''.  First, PLEASE DON'T ASK ME!  Talk
to *your* companies' legal advisors, or to the Federal Government
directly.  Second, I am sure we would hear about it from the Federalees
if our Corporation were making a mistake ....
--
Gordon A. Moffett               ...!{ihnp4,seismo,hplabs}!amdahl!gam

[Back to Chris's comments:      -- gnu]

>The definitive answer would be to see whether the current listing of
>restricted items includes DES, and in what forms.  I don't think excerpts
>from a different set of legislation is sufficient to answer this question.
>Further, there *may* be a difference between "legislation" and "regulation"
>here.  DES restriction might *not* be enshrined in legislation, but come
>out of some other department's regulatory powers.  The second paragraph
>I've quoted still leaves that whole question open.

I have spent the time researching it, and I think it's OK to export.
If you still think differently, please give details of the regulations
or laws involved.  I'm not interested in "maybes"; I have an answer
that came straight from the rule books, and won't be swayed from it
by anything less definitive.
-----------[000006][next][prev][last][first]----------------------------------------------------
From:      *Hobbit* <AWalker@RED.RUTGERS.EDU>  11-Jan-1988 17:23:10
To:        Security: ;
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:     Tue, 24 Nov 87 11:46 EST
From:     APHRODITE <JPETTWAY@SUNRISE>
Subject:  PC Lab security

What we have done here is to designate one computer as a file server and put
everything on a hard disk in different directories. The directories with the
system software is read/only and the files are copy protected. Any software
that can be copied is designated as freeware.  We have set up a menu with all
of the software on it that we have.  When someone wants to use or do something
they can just pick it of of the menu. The file server is set up for several
applications.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Subject: RE: Lab Security
From:    IP60577@PORTLAND
Date:    Mon, 23 Nov 87 23:24:18 EST

     Here at the University of Southern Maine, We have a Lan network with
 Zenith 248 terminals.  The students have no access to files through channels
 of hidden sub-directories, with hidden files.
     There is a public domain program from PcSig called Alter.Com that allows
 the changing of the archive bit.  I am sure that there are a number of others
 out there.
     This seems to work very well, here at the university.  There are
 occasions when students will try to find the files, but for the most part,
 there is no way that students can find them.  The programs are not executed
 by DOS Batch files.  There is a menu program that the students "myself
 included" must use. When a student boots the terminal, it gives them a selec-
 tion menu, that, will load a program simply by moving the up and down arrow
 keys to make the selection.  Once the selection is made, entering a carriage
 return will load the program.
     The only way for students to get around this is to dis-assemble the pro-
 gram.  However, how many students "who should be learning the programs them-
 selves" know how to do that?
     Simple suggestion.  The words I have archived here are of mine own intent,
 since I am a Student of the University of Southern Maine, and NOT Faculty.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Sat, 5 Dec 87 11:36:20 EST
From: Michael Grant <mgrant@mimsy.umd.edu>
Subject: Copying Software

I've been of the opinion for a long time now that hardware vendors would
really LIKE people to be able to copy software with their hardware.  This
is a selling point for the hardware.  People who would otherwise not buy
the hardware, would because they could get lots of free software from
friends.

-Mike

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Mon, 7 Dec 87 12:53 EST
From: SPARKS@DRYCAS.CLUB.CC.CMU.EDU
Subject: Physically securing a pc

   What is the best way to secure a pc system against physical theft?  The
AT lock provides some protection, but none against a burglar carrying away the
whole cpu.
   I'm considering purchasing a security system which consists of attaching
steel plates to the pc and peripherals with a strong adhesive, and then
conneccting each of the plates via a cable and lock.
   However, I just wonder what my options are, and if this is a safe route
to follow.

Thanks,
Sparks@Drycas (bitnet)
MY0L@Andrew.cmu.edu (arpa/internet)

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Sat, 5 Dec 87 23:34:01 CST
From: Bob Kusumoto <kus3@sphinx.uchicago.edu>
Subject: Re: Student Lab Security and Preventing Trojan Horses

Just to let you know what has happened here a while back (don't remeber when,
maybe about a year ago), a BBS in the Chicago area called Mad Marty's, a
popular Mac board, had a section of software that was unprotected by various 
hackers and put in a "pirate" section of this BBS. An association of software 
developers for the Mac caught wind of this and promptly got the local
authorities involved. Generally, they came to an agreement, no copy protected
software to be distributed. If I remember correctly, a few Mac boards went
down because of this incident.

just wanted to let you know
Bob Kusumoto
(an Apple II user)

Internet:  kus3@sphinx.uchicago.edu
BITNET:    kus3@sphinx.uchicago.bitnet
UUCP:   ...{!ihnp4!gargoyle,!oddjob}!sphinx!kus3

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: rick@uwmacc.UUCP (the absurdist)
Subject: Re: Student Lab Security (hidden costs)
Date: 10 Dec 87 00:16:58 GMT

>I wonder about all these precautions to stop students from copying
>software.

Stolen software causes a direct overhead to the University in the form
of consultant's time wasted trying to help people who first rip
you off for the program;  then keep bugging you for help because
they have no manual for the program and are guessing how it works;
then have problems because their illegal copy doesn't get updated
by the manufacturer for bug fixes, and finally steal your copy
of the manual, leaving you with the bill.
	Two common tactics are (1) doing a label swap for "key" disks
(i.e., Lotus 123), so that it can be borrowed and a blank returned
in its place (at least $50 worth of hassle each time);  removing
pages from those lovely ring binder manuals everyone uses.
	There isn't ANY solution to theft that doesn't penalize honest
users heavily;  as it is our procedures are much more inconvenient
to our users than our original policies and we still have problems.
Still, doing nothing makes the situation even worse.
	For commonly ripped off programs we have at times resorted to
a roll-your-own copy protection (even for those programs which
weren't copy protected originally), just to begin to defend ourselves
against this problem.
	I don't support SELLING software as copy protected, but I think
any facility should have the option of protecting their own legal
copies to restrict them to their legal use.
-- 
Rick Keir -- all the oysters have moved away -- UWisc - Madison
"Watch the skies...."

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:     Fri, 11 Dec 87 10:33 EDT
From:     Mike DeMaria (Pasart Harloc) <DEMARI58@SNYBUFVA>
Subject:  Copy protection

   The onbly way that anyone is going to be able to defeat software
piracy on campus, is to physically copy protect the disk.

One such program that I have found, is a game called "Write your own Murder
Party" by E.O.A.  They have physically put a Laser "ThumbPrint" on track 15
that is unduplicatable, even buy the most expensive disk duplicators.

To further the problem, the placed the main program on the back side of the
disk, with the FAT showing only one side.  This prevents a person from
loading the program and then looking for the "copy code".   Hats off to EOA
on this copy protection...

     H O W E V E R

How does the honest person who bought the program (me) make a backup?

-Pas

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: sundc!netxcom!dgidez@seismo.css.gov (Daniel Gidez)
Subject: virus attack!!!
Date: 21 Dec 87 17:14:28 GMT

I have seen several articles relating to the MSDOS virus, if there is
anyone out there in netland who has a command.com that they know is
infected, I would like to get a copy of it and NO I DONT WANT TO USE IT,
but merely try an isolate it and analyze it, Ive got a system rearin'
to go just for the test, if you have a copy of it, I would like to get it.
I am not the FBI or any other law enforcement angency (any definately not
microsoft) this would be appreciated and hopefully I could provide a solution
(the actual code thats being used..) All responses will be kept confidential
and I will even pay for it.
-----------[000007][next][prev][last][first]----------------------------------------------------
From:      *Hobbit* <AWalker@RED.RUTGERS.EDU>  11-Jan-1988 19:05:37
To:        Security: ;
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: motown!ninja!killer!elg@RUTGERS.EDU (Eric Green)
Subject: Re: Why secure systems?
Date: 6 Dec 87 17:16:07 GMT

>Since they probably have this funny thing called a "budget"
>to work within, the accountants most likely have forced them to find
>ways to equitabily charge out resource usage.

The cost of maintaining a large IBM mainframe and interconnecting Ethernets
(e.g. with PC's) is a constant, irregardless of usage.  While DP professionals
make it seem like you are using up a "resource" which must be "accounted for",
in actuality those expenses should be a constant number of dollars in the
Computing Center's budget. Any other form of accounting discourages use of the
available computer resources, thus harming productivity. Considering that a
big IBM 3090 installation can handle over 400 users easily for the "mere" cost
of 6 million dollars or so (about what a big computer costed 20 years ago!),
we have the anomoly of companies buying big computers for whatever reasons
(prestige? Array-processor coprocessor?), and then having that computer
languish mostly unused because of restrictive accounting and security
practices. 

This is not, of course, related to 3rd-party computing resources, i.e. you own
a mainframe, and local businesses contract with you for computing resources.
In that event, it of course makes sense to distribute your constant cost
amongst them based upon their usage of the system, plus a profit margin atop
that. But for internal computer resouces, not only is such an accounting
irrelevant (the company still spends the same amount of money, no matter WHAT
departments are charged for it), but counter-productive too (since it
discourages use of the computer resources). After all, why do you think that
personal computers have become so popular, despite being quite limited in what
they can do? Simple: people no longer have to go through 20 layers of
bureaucracy in order to gain access to computer resources, and they don't have
to cope with a mentality that says computer resources are limited and rare and
should be used sparingly -- a mentality that may have made sense when a large
timesharing computer costed $15,000,000 (in today's dollars) and accomodated
only 100 users, but in today's world, such an attitude is patently absurd (as
personal computers amply demonstrate).

--
     Eric Green   elg@usl.CSNET      Snail Mail P.O. Box 92191       
     {cbosgd,ihnp4}!killer!elg       Lafayette, LA 70509             
Hello darkness my old friend, I've come to talk with you again....

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: 8 Dec 87 09:56:01 PST (Tuesday)
Subject: Re: Why secure systems?
From: "Russ_Housley.XOSMAR"@Xerox.COM

RE: "I did mean to imply that AIM caused Multics to be insecure."

Good.  The B2 rating mentioned by Eric Swenson (ejs%acorn@oak.lcs.mit.edu)
clearly states otherwise.

RE: "I meant that AIM probably causes Multics to be _unusable_, at least by
people trying to cooperate on a project, and that it is overkill for the
problem it tries to solve."

I have witnessed large program development projects on Multics, with AIM
enabled, and seen none of the problems you elude to.  Most program development
efforts deal with only one level of information (classification), so AIM does
not even come into play.  In those program with more than one level of
information, the developers are happy to have AIM because they can use the
existing separation mechanism instead of implementing their own. Management is
also pleased with AIM; a separation mechanism implemented in the operating
system is harder to thwart than one implemented in an application. The B2
rating also gives management a good feeling about the correctness of the
implementation.

Russ Housley
Xerox Special Information Systems
Vista Laboratory

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Tue, 8 Dec 87 08:39:29 pst
From: Doug Claar <dclaar%hpda@hplabs.hp.com>
Subject: Free and open systems counter argument

(I hope that this is the right place to send this...)

As an interesting contrast to the thought that computer systems should be
open and free to all, I thought I would forward this real-life situation 
(from soc.singles via comp.society) as a counter-argument.

Doug Claar
HP Information Technology Group
UUCP: { ihnp4 | mcvax!decvax }!hplabs!hpda!dclaar -or- ucbvax!hpda!dclaar
ARPA: hpda!dclaar@hplabs.HP.COM

---------------forwarded text follows--------------------

[This message is from USENET, the `soc.singles' group, and is an interesting
example not only of irresponsible computer administration, but a lack of 
knowledge that it is wrong (e.g. the person having to post to the group to
confirm what is obvious - that the administrators violated the privacy of
a users account).  -- Dave Taylor]

From: David Ehlert @ Portal Communications System

OK...Here is a dilemma that my SO [`Significant Other'] and I have run into.

We live about 70 miles apart, and rely on UUCP mail as our  primary way of
communicating.  Just this evening, I received a call from her about the
following problem.

Where she goes to school, two guys that she use to date, have superuser
priviliges.  Well, this evening, they went into her mail file.  They screwed
around with her login, and also deleted all saved mail messages.  When one
of the guys was approached about the happenings, he denied it.  Later, all
of my girlfriends files and all were deleted.  Now she has to re-construct
all of her labs so that she can pass a couple of classes.

The dilemma is actually a nuisance, but I would like everyone and anyone
to comment on what has happened.  I guess that the easiest way is to answer 
the following question......

   What would you do [if someone] did that to you..??  and...

   What would your company/school do if they found out...??

Here are two guys who are about ready to graduate after at least 5 years
of school, and to me, it sounds as if they have still refused to grow up.

David...

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Fri, 11 Dec 87 13:00:19 EST
From: bzs@bu-cs.bu.edu (Barry Shein)
Subject: Why secure systems?

(response to Louis Judice responding to my note):

>I suspect that YOUR
>department head would have trouble if the comp center came to him/her
>and said, "oh, we're going to charge your department $40,000 for
>network usage which we cannot account for..."

First, an understanding, I'm not analyzing a black box, I *am*
management in said computing center, tho my relationship with
some of these entities is purely horizontal.

No, no one is imposing anything (at least in terms of some external
force with power saying "account for that!"), the buck stops here. The
only thing imposed is of course budget constraints. There are several
ways to manage these things.

On the one hand it sounds intuitively appealing to become a utility
and charge on a strict usage basis. On the other hand the two forces
working against that is, first, the fear (not entirely unrealized)
that a massive amount of the revenue for that sort of charging just
goes right back into the process of generating charges. For example,
systems programmers to add proper accounting methods to software,
applications programmers to build summary statistics and account
maintenance software, source licenses which might only be needed
because of a self-imposed requirement to account in a uniform manner,
administrative help to deal with accounts, apply chargebacks, chase
down delinquent accounts (eg. people who keep running up charges after
their grants run out, whaddya gonna do? sue them?), hear poverty cases
(also known as "if you could seed us this amount we could prototype
and get granted within two years", or, "I know I'm out of money but if
I don't get enough freebies to finish this grant the University's name
is mud"), management time to simply provide a design and guidelines
etc etc etc etc.

The second force is that we all do, at some level, eat out of the
same trough. Internally organizations (University's are not unique in
this respect) are really much more like socialist organizations with
perhaps a limited form of capitalism (eg. light and heat are paid for
by the central organization out of "heavy taxation", also known as
overhead chargebacks to contract income.) A lot of waste could be
saved by establishing uniform "taxation" to cover these costs just
as we do with other things on the campus. People who overuse such
facilities can be dealt with in other ways, the feedback mechanism
of chargeback systems is not at all ideal, just one possibility.

It's all rather subtle, really.

>I don't think the issue is security in central environments. It's
>just poorly managed central environments that don't serve user needs!

Oh, definitely agreed.

	-B

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Thu, 10 Dec 87 20:14:00 EST
From: Chris Torek <chris@mimsy.umd.edu>
Subject: Re:  Computer security systems.

	... Banks have safes. Houses and cars have locks. I doubt that the
	proponents of "open-systems" leave their houses and cars unlocked.

Probably true.  On the other hand, have you ever lived in an area
in which you can leave things unlocked, need not count your change,
and can trust your neighbors simply because they are your neighbors?
It usually comes as a shock to urbanites and suburbanites, but such
places do exist.  They are, alas, all too rare; that does not mean
we should not strive for them.  (Unfortunately, this seems to be
a direct effect of population density, and hence most people will
not experience it.)

Chris
-----------[000008][next][prev][last][first]----------------------------------------------------
From:      *Hobbit* <AWalker@RED.RUTGERS.EDU>  11-Jan-1988 22:22:49
To:        Security: ;
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: gwyn@brl-smoke.arpa (Doug Gwyn )
Subject: Re:  master key security
Date: 4 Dec 87 18:14:28 GMT

>am I correct
>in thinking that it would be within the realm of possibility for our
>locksmiths to re-do the master keying in such a way as to avoid the need
>to cut and issue new keys to residents (i.e. change ONLY the master keying)?

It depends to some degree on how the masterkeying scheme is set up,
but in general it would indeed be possible to switch to a different
master (at the level of the stolen one) while invalidating few or
none of the other keys in the system.  During the transition,
presumably legitimate possessors of the master would also have the
new one, so that the locks could be gradually changed over.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:    Tue, 08 Dec 87 08:09 LCL
From:    Ken De Cruyenaere <KDC@UOFMCC.BITNET> 474-8340
Subject: Master Key security

Sounds like you should abandon keys altogether and replace the locks
with push-buttom combination locks, or the more expensive option:
 a card access system.
Here at the Univ. of Manitoba we have a card access system controlling
access to our more important areas, including the mainframe computer room,
and one "terminal" area filled with IBM PS2s. (our system has just expanded
to 16 doors controlled by card access).
Other areas have combination locks.
  Both system allow quick and easy "rekeying" -if you
suspect the code has become known change the code. If a card is
lost or stolen - disable the card.
 We also have burglar alarm systems installed in most areas, sending
a signal to the campus police and to the computer room (staffed 24 hrs)
which has a bank of CCTV monitors showing the remote areas.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: awr@tybalt.caltech.edu (Bruce Rossiter)
Subject: Re: master key security
Date: 8 Dec 87 13:48:51 GMT

	I'd suggest putting the most important areas on *non-master* keys.
For example, if you have a distinct area within the building that can be
locked up tight, with *very* restricted keying and no mastering, that might be
a viable method.  I'd also suggest some alarm systems for the computers
themselves, if not for the whole area.  You  might also look into pressure
sensitive alarm pads, so that if a computer is moved more than a preset
amount, alarms go off at the campus security area, or even the local police
station.  Personally, I'd vote for a Medeco, non-master system on the doors.
Good luck!

						-Bruce
----------
ARPAnet  awr@tybalt.caltech.edu
BITNET   awr@caltech.BITNET
UUCP    {amdahl,rutgers}!cit-vax!tybalt.caltech.edu!awr

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Tue, 8 Dec 87 19:49:30 EST
From: Douglas Humphrey <deh@eneevax.umd.edu>
Subject: Re: master key security

I can feel for this mans problems ! I would suggest that you find the funds
(take a PC or two to the pawn chop if need be) and buy some Medecos and 
have them installed on the doors. So what if they are not mastered. 
So what if people end up with a boat load of keys. That seems to be 
the way it has to be in the short run. A thousand dollars or two can save
you the money and hassle expenses, and might just let you sleep at
night, which is worth a LOT of money all by itself. 

In the long run, an electronic system with DOOR BOLTS and not strikes
might be a good way to go. You can do this yourself pretty cheaply,
or contract it out if you don't have the man hours available.

Doug

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: mitch@stride1.UUCP (Thomas P. Mitchell)
Subject: Re: master key security
Date: 10 Dec 87 17:50:41 GMT

>We know they are after a master, the locksmiths know.
>Can anyone else offer any suggestions?

The only sugestion I can offer is to add an alarm system to the
rooms.  When I was in school security was terrible.  The same
type of locks was used on a door to a 10 Million dollar lab as
was used on a class room with two nubs of chalk and a worn out
eraser.  Portable equipment PC's, typeriters, calculators,
terminals, copy machines and the like need better security from
theft.  But the problem is more than theft.

The loss of control of master keys is a real nasty problem in a
university. I got nailed by this at least once when I was in
school.  Two years after the fact I heard a tail of a quant.
chem.  class that someone aced the curve on because he 'salted'
the samples in the drying ovens (He made a master key to get in
the lab.).  I spent five weeks trying to get two analyses to
check within the required limits.  When I drew a new sample I was
done in no time.  I can only assume that my sample was one of the
ones 'salted'.  I was also not the only one in the lab night
after night.

Theft of passwords or introduction of a virus in a computer lab
opens the same door of abuse.

Thomas P. Mitchell (mitch@stride1.Stride.COM)
Phone:	(702) 322-6868 TWX:	910-395-6073
MicroSage Computer Systems Inc. a Division of Stride Micro.
Opinions expressed are probably mine. 

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Thu, 10 Dec 87 12:56:06 pst
From: quintus!gregg@Sun.COM (W. Gregg Stefancik)
Subject: RE: Best control wrench

I suggest a test to determine the actual effectiveness of such a tool.
According to my source (a book published by the National Locksmith devoted
to the subject of interchangeable cores the name of which currently escapes
me), this designing this type of tension wrench made it much easier for him
to pick the control shear.  Some one out there must have a Best core and the
proper tools to design and use the tension wrench.  If I had a Best core or
access to one I would be more than happy to test this technique out, but
unfortunately I don't currently own any Best cores.

The tension tool I saw pictured in the book looked like the average tension
wrench (of the HPC variety) with a groove filed such that the wrench would
contact the control shell only.

Gregg

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: cvl!dlm@cuuxb.att.com (Dennis L. Mumaugh)
Subject: Re: master key security
Date: 11 Dec 87 00:54:37 GMT

Look at what the "pros" do.  At  NSA  the  system  is  different.
Yes,  they  may  have  master key systems, but for really serious
areas they have a special deal:  The lock is a dead bolt which is
surrounded  with  at metal shell with a flap.  The flap is a hasp
with a flange though it for a normal pad lock.  When locking, one
locks  the  normal  dead  bolt  lock.  Then  closes the hasp, and
places a combination pad lock through the hasp and locks the  pad
lock.  One has to rip off the whole assembly to get in.

The pad lock is a Sargent-Greenleaf lock that is  very  difficult
to  open normally and almost impossible to pick.  The work factor
of  the  whole  system  is  10  hours.   Obviously  cleaning  and
maintenance  people need appointments to get in.  Security has to
have a sealed envelope with the combination (or a cutting torch).
-- 
=Dennis L. Mumaugh
 Lisle, IL       ...!{attunix,ihnp4,cbosgd,lll-crg}!cuuxb!dlm

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: ncoast!mikes@RUTGERS.EDU (Mike Squires)
Subject: Re: master key security
Date: 20 Dec 87 08:48:55 GMT

As a freshman at Caltech in 1963 I took an unofficial course in locks
from a club dedicated to the opening of locked doors called the "Mickey
Mouse Club".  I suspect that a few years later the members were hacking
computer systems rather than mechanical locks.  The members were only
interested in the locks, rather than the contents; one of the leaders took
a job at an office in a former bank so that he could work on the old vault
lock (unfortunately he opened in in 1/2 hour but had to stay at that job for
the rest of the summer).  To make a long story short, one of the pieces of
information one learned was the combination for the north and south campus
grand masters.  It is my understanding that this situation was well known
to the administration, but that they were unwilling to spend the money to
rekey the campus (was it ever done? ) and realized that the new combination
could be discovered in minutes anyway, with some luck.  In any case, all of
the students learned to pick pin tumbler locks in seconds so that possession
of the master key was not very important.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: meow!kyle@uunet.uu.net (kyle)
Subject: Re: master key security
Date: 23 Dec 87 04:13:31 GMT

Sure, but a K-tool only works on deadbolts.  If you want to remove the core
from a doorknob you will have to resort to other means.  (maybe use the flat
end of an ax? :-) )
-- 
		Kyle Rhorer
		meow!kyle@nuchat.UUCP
-----------[000009][next][prev][last][first]----------------------------------------------------
From:      Stan Horwitz <V4039%TEMPLEVM.BITNET@CUNYVM.CUNY.EDU>  11-Jan-1988 22:43:42
To:        <SECURITY@RED.RUTGERS.EDU>
  Has anyone ever considered the cause of software piracy?  I have a
possible answer.  Though no one can condone software piracy I believe that
many software publishing houses are their own worst enemies.  If software
were priced within the reach of your average student, perhaps software
piracy on the part of students would decrease.  It is not your average
student that has over two or three hundred dollars to pay for legal copies
of many of the popular software packages used on campuses these days.
If these products were more reasonably priced, people, especially students,
might not feel as obliged to steel them.  My personal opinion is that it
takes a lot of nerve to charge such high amounts for any software package
for individual (non NETWORK) use.

More companies should use Borland as an example and price their software
as they do.  Also, many software publishers claim large losses due to soft-
ware piracy.  I honestly wonder about the true losses involved.  Many people
I know who make thier living programming micro-computers learned their
trade in large part due to software they gained illegally.  Then when they
were out making money off this software, almost all purchased legal copies
of the software and now often recommend others to buy these popular software
packages.  So software companies should consider that while it is true that
they are being ripped off, at least their software is getting some publicity
and quite often generating dollars for them in the future.

   One other point should be considered.  How much does it cost a typical
software publisher to develop a challenging copy protection scheme?  Not
being a micro-computer user, I do not know the challenges involved in the
development of copy protection schemes.  I think copy protecting software
is silly.  It is like putting a dead bolt lock on a paper bag.  Why bother
considering the cost?  I know of many people who can break software without
even breaking a sweat.  Realistically, copy protection serves only one
purpose ... to incovenience legitamate owners of software.  Those who wish
to subvert copy protection will find a way to do so.  Instead of investing
time and energy into this silliness, why not just lower the cost of the
software or put more effort into perfecting the software?  So far, the vast
majority of software packages are not very good and could stand a lot more
improvement.

Please understand, that I DO NOT codone software piracy.  Also understand
that I do not condone consumer ripoffs via the outrageous prices charged
for poorly written, poorly developed, and often inadequate software.

Sicerely Stan Horwitz    My opinions are my own and I am sure my employer
V4039 at TEMPLEVM        would not agree with what I have just typed.
Temple University        Oh well, that's why we have katsup and mustard.
Philadelphia, PA
-----------[000010][next][prev][last][first]----------------------------------------------------
From:      gwyn@brl_smoke.arpa (Doug Gwyn )  12-Jan-1988 04:43:37
To:        misc-security@uunet.uu.net
Dennis Mumaugh stated that the government-style S&G padlock is hard to
"pick".  That's misleading.  I manipulated one open in less than ten
minutes when I was in the ASA.  (We were locked out of a laboratory/
classroom.  The instructor had already called someone to come open the
lock so I had to lock it back up.)
-----------[000011][next][prev][last][first]----------------------------------------------------
From:      *Hobbit* <AWalker@RED.RUTGERS.EDU>  12-Jan-1988 05:00:30
To:        Security: ;
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: hplabs!felix!zemon@RUTGERS.EDU (Art Zemon)
Subject: Re: Home security
Date: 4 Dec 87 22:04:57 GMT

The best suggestions from our local police (courtesy of many
Neighborhood Watch meetings) are simply to make your home an
unattractive target.  The ways to do this are pretty simple
and inexpensive.

Install exterior lights and leave them on all night -- not
just until you go to bed.

Make the house look occupied at all times.  Leave lights and
maybe a radio or TV turned on when you are not home.  If you
really want to get carried away, unhook the phone ringers.
This isn't really necessary because most burgleries are not
carefully plotted and schemed.  Almost no one is going to
bother phoning to see if the lights are on but nobody is
home.

Make sure your windows are locked with locks that don't give
way easily.  A burgler will try to pry a window open
(silently) but usually won't bother with the mess (and
noise) of breaking glass.

Start a Neighborhood Watch program.  Your best protection is
the nosy neighbor across the street who is always peering
out the front window and ready to dial 9-1-1.
--
	-- Art Zemon
	   By Computer:	    ...!hplabs!felix!zemon
	   By Air:	    Archer N33565
	   By Golly:	    moderator of comp.unix.ultrix

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:         Tue, 08 Dec 87 16:06:23 EDT
From:         Jeffrey R Kell <JEFF%UTCVM.BITNET@WISCVM.WISC.EDU>
Subject:      Re: Driveway Metel Detector

>I am very interested in obtaining the schematics for the
>circuitry that electronically detects cars at left turn lanes, etc.

A quick, inexpensive way of doing this would be using 'electric eye' type
circuits but with GaAs infrared LED's.  They're inexpensive, easy to hide,
and give off no visible light.  Put the LED transmitter on the end of
your driveway (such as on a mailbox, or concealed on a driveway marker)
and have it transmit diagonally across the driveway to a detector at the
house.  That's the basics, but you can have false-alarms with a single
beam.  Using two parallel beams about 4 feet apart, setting 'alarm' only
on a double-break, would avoid scaring the wife when a dog strolls by.
This would seem much easier than tearing up your driveway to install or
repair a pressure-sensitive or metal-detecting device.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:         Tue, 08 Dec 87 23:24:44 PLT
From:         Shawn Clabough <24847843%WSUVM1.BITNET@WISCVM.WISC.EDU>
Subject:      Re: Driveway Metel Detector

Most left turn signals detect a car waiting with a coil of wire buried
beneath the pavement.  When the car travels over the coil, current is
made and detected by the turn signal circuit.  One problem with this
is that some small cars and many motorcycles will not cause enough
current to trigger the light.  A better and cheaper way to detect a car
pulling up in the driveway is to use a light sensor, like what is used
in 7-elevens when you enter the door, the light is obstructed and a
bell is sound.  Using this system, your driveway would not have to be
dug up to install a coil.  Placed at the bottom of the driveway, the
light sensor will detect any vehicle entering the driveway.  I'm not
sure what one of these cost, but I'm sure your nearest Radio Shack will
have information on these systems.
                                       Shawn Clabough
                                       Bitnet (24847843@WSUVM1)
-----------[000012][next][prev][last][first]----------------------------------------------------
From:      C. P. Yeske <CY13@TE.CC.CMU.EDU>  12-Jan-1988 07:52:53
To:        security@RED.RUTGERS.EDU
> They have physically put a Laser "ThumbPrint" on track 15.

In fact, this is one of the EASIEST methods of copy protection to defeat.
The Laser Thumbprint does not even need the most sophisticated methods of
duplication.  It is pretty much a gimmick.  Also, the vendor can not provide
this means of protection for every type of media now available.

Curt Yeske
Technical Administrator
Carnegie Mellon Computing Services
-----------[000013][next][prev][last][first]----------------------------------------------------
From:      Will Martin __ AMXAL_RI <wmartin@ALMSA_1.ARPA>  12-Jan-1988 12:01:25
To:        security@RED.RUTGERS.EDU
I just saw an ad showing a type of key I had never seen before; this might
be old hat to many of you, but it's new to me, and I'm wondering if someone
could post a note identifying just what kind of key (and lock) this is.

The ad is on page 31 of the December '87 issue of Government Product News,
a tabloid-sized product-info and advertising freebie magazine aimed at
people who buy stuff for state, local, or federal government departments.

The ad is actually for a product that uses this key and lock as part of
its design -- a fuel-dispensing pump system which can keep track of the
fuel used by a particular vehicle in your fleet and prevent unauthorized
personnel from stealing fuel. They push this "unique coded key" as a
"pick-proof" method of control. Each vehicle has a differently coded
key, so the key not only opens the lock, but also identifies which
particular key is in use, so the automated inventory-control system can
keep track of how much fuel is going into which vehicle (assuming the
operator doesn't just fill a can or two extra each time... :-). The
company and product is the ITI Tri-Scan Fuel Management System, located
in Burlington, MA. (1-800-323-3265, or (617) 272-7233). The ad copy says
that the system is used extensively in Europe, so maybe this is a non-US
key and lock assembly.

Anyway, the key body is a solid tube with scoop-type notches cut or ground
out on the top and at least one side. (It appears roughly like a smooth ear
of corn with bites taken out here and there.) The picture shows only one
side, so I don't know if there are notches on the other side, too. The
bottom is smooth. The working part of the key looks to be about 2 1/2 inches
long. Anyone recognize this?

By the way, there is another locksmithing-oriented item in this issue;
on page 14 there is a blurb about a book, LOCKS & LOCKPICKING -- A BASIC
GUIDE FOR LAW ENFORCEMENT, SECURITY, AND MILITARY. $10 from R&R Publishing
of Hermosa Beach, CA. "Completely revised and updated from a similar
manual of 8 years ago."

Regards, Will Martin
-----------[000014][next][prev][last][first]----------------------------------------------------
From:      *Hobbit* <AWalker@RED.RUTGERS.EDU>  12-Jan-1988 17:18:02
To:        Security: ;
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: mimsy!cvl!decuac!netsys!wb8foz@RUTGERS.EDU (David Lesher)
Subject: Re: Car alarms
Date: 6 Dec 87 18:45:57 GMT

Most of the inexpensive auto alarms use a current transformer or 
a voltage sensor on the internal wiring harness. In either case
the system looks for a step change, indicating a dome lamp
has come on. Of course, if the trunk or hood has no light,
or the passenger door switch is bad, or the rear doors have no switches,
well then you are SOL.
Conversely, if the clock motor starts, or the cellular phone receives a call
everybody knows it.
-- 

Have you ever WATCHED cable TV, Judge Kennedy?
decuac!netsys!wb8foz

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Sat, 5 Dec 87 07:46:53 EST
From: Chris Torek <chris@mimsy.umd.edu>
Subject: Re:  virus alert

There is a flaw in this announcement.  Nowhere does it mention
that this affects IBM PCs.  It became obvious to me when it
mentioned Norton utilities, but only because I have IBM PC
knowledgeable friends.  (It does mention PC somewhere, but not
IBM PC.)

Chris

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: 10 Dec 87 08:09:25 EST
From: *Hobbit* <AWalker@RED.RUTGERS.EDU>
Subject: Abloy

Abloys are "high security" locks, on a par with Medeco as far as the commercial
market is concerned.  I cannot believe that Manhattan locksmiths can't deal
with it; there are Abloys in use all *over* NYC.

The reason there's so much slop is that the key doesn't push pins up, it
turns little disks around inside to a certain amount, allowing a sidebar
type of thing to drop into slots when they line up.  It works much like a
dial-type combination lock, except that the disks all turn together as you
rotate the key through the first 90 degrees.  The clearance between the
key and the holes in the disks is not too critical; the angle to which the
disk is turned is what is.

I would heartily recommend that you hang on to your Abloy, try to find
someone who can dupe a key for it.  If you're feeling enterprising you can
take the thing apart and see how it works, and make yourself a duplicate key
with a little creative metalwork.

_H*

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Subject: Re: Lock Query
Date: Thu, 10 Dec 87 22:52:36 -0500
From: Fred Blonder <fred@brillig.umd.edu>

	I inherited an "Abloy" lock on my front door.  Was wondering
	if the lock theory experts on this list have had any
	experience or comments about this sort of lock.

Here's what I recall from an article about the Abloy lock in Popular
Science (yeah, I used to read it) when it first came on the market.

Instead of having pins, the Abloy has a series of disks, stacked
in a row along the lock's horizontal axis (Figure 1). Each disk
has a cutout in the shape of an Archimedes Spiral: the
distance-from-the-center-axis varies linearly with the angle.
Initially, all the disks are lined up so that the maximum spiral-size
lines up with the keyway, to make room for the maximally-large key,
that is one with no cuts. When the key is inserted - unlike in a
pin-tumbler lock - nothing moves to 'feel' the key's shape (Figure 2).
The unlocking action does not occur as soon as the key is fully
inserted.

As the key is rotated in the lock, it eventually comes up against
the spiral edges of the cuts in the disks. Since the surface is
spiraled, the exact point in the key's rotation where this occurs
depends on the height that the key has been cut to at the point
where it passes through that particular disk. Once the key is
touching the disk, further rotation of the key drags the disk along
with it for the remainder of the key rotation. At the end of
rotation, the disks will be in a scrambled state, at least as
determined by the inner spiral cut, but one which conveniently
happens to line up the notches in the outer edges of the disks,
which allows a bar which spans the disks, to drop into the groove
formed by the lined-up notches.  (Sort of like in a combination
lock.) Further rotation of the key, disks, and bar, finally slide
the bolt or whatever it is that the lock is controlling. When
rotating the key back the other way, it presses against the
non-spiraled edge of the disks' inner cutouts, and drags them all
back to the starting configuration. A consequence of all this is
that the wrong key will rotate in the lock, but not open it.

I think the difficulty in picking it arises mainly by virtue of
the fact that it is so bizarre.  You'd need to manipulate the little
disk-thingys while attempting to get the bar to drop. Sort of the
worst of picking a pin-tumbler lock combined with picking a
combination lock.

	Disks +-+-+
	  v v v v v

	  | | | | |    ___
	  | |_| | | _|/   \
	/-|/| |\|_|/ |     | <- This key is fictitious. Any resemblance
	\_|_|_|_|_|__|     |    to the bitting on anyone's actual key
	  | | | | |  |\___/     is purely coincidental.
	  | | | | |

	Figure 1. (Side view)

	The notch (Actual position may vary.)
	      |
	      V
	     _ _____
	   _- U__   -_
	  -   - ^|    -
	 /   /  H|     \     (The thing consisting of the letters H and U
	/   |   H|      \     and the caret, is a cross-section of the key,
	|    \_ H|      |     in case you can't guess.)
	\      \U|      /
	 \      -      /
	  -_         _-
	    -_______-

	Figure 2. (Front view)

					Fred Blonder (301) 454-7690
					seismo!mimsy!fred
					Fred@Mimsy.umd.edu

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Fri, 11 Dec 87 13:47:23 EST
From: bzs@bu-cs.bu.edu (Barry Shein)
Subject: Bumper Beepers.

There is a company called "Recco" (I think that's right, I know it's
pronounced Reek-oh) which manufactures a variety of little boxes that
can be worn or carried by outdoors people to assist in rescuing in the
event of a problem (eg.  buried under snow.) They've been advertising
their stock on FNN.

I don't know if they sell the locator which they presented as being in
the possession of typical rescue units, such as helicopter mounted.

	-B

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: macleod@drivax.UUCP (MacLeod)
Subject: Abloy locks
Date: 13 Dec 87 09:33:27 GMT

My father was an eccentric sort of character who liked challenges.  Through
friends, he was contacted by some organized crime types who wanted a pick for
Abloy locks.  From what I understood, at the time the casinos in Nevada had
just changed over to these locks on their slot machines.  

The keys to these locks were cylindrical and had cuts made at (I think)
multiples of 15 degrees.  My father built a peculiar looking device that
took a lot of complex machining, with a half dozen or so (one for each cut)
fingers that lifted into place and then were stopped down with a friction
collar.  The pick was inserted and manipulated until the fingers "read" the
bevels in the lock, locked down, and withdrawn.  The user then went off and
made a key to those specs. 

I don't know if he ever perfected the scheme, but it was complex enough to
keep him occupied and interested for about six months.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date:         Sat, 12 Dec 87 09:28:54 EST
From:         "Wayne S. Mery" <LUWSM%LEHIIBM1.BITNET@WISCVM.WISC.EDU>
Subject:      Re: All related computer crimes and out come.

This past summer I atteneded a regional ISSA conference near Baltimore, MD.
The conference was in Timonium, MD and sponsored by the Easterm PA and
Baltimore ISSA chapters.
A portion of the proceedings was given to a panel consisting of 2 Baltimore
county PD officers who comprise that PD's computer/electronic crimes section,
an FBI agent, a Secret Service agent, and others.
The PD unit up to that time had a 100% conviction rate.  Several investigations
were pending at that time.  Some of their cases, including convictions, were
interstate crimes.
You would do well to contact these people.  I expect in addition to first hand
info., that they have excellent connections to other organizations who could
help in your study.
John Imhoff, FBI
William Wess, Secret service
Det. Calvin Lane, Baltimore County PD
Det. Frank Simmons, Baltimore County PD

Happy hunting

Wayne S. Mery
Systems Programmer
Lehigh University
Bethlehem, PA

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

From: darrell@sdcsvax.ucsd.edu (Darrell Long)
Subject: Finding a long-lost person
Date: 17 Dec 87 20:43:18 GMT

I'd like to start a discussion of how to  find  a  person.   For,
example,  suppose you want to find an old friend from high school
who left the state 10 years ago because the  Hell's  Angels  were
after him.  I don't know anyone like that, but just suppose...

How would you go  about  finding  such  a  person?   The  obvious
security  issue  here  is perhaps this person does not want to be
found.  DMV records would be the first place I would  look,  then
perhaps at Social Security.  But who has access to these records?

Suppose you had a female friend that you'd lost track of: there's
a  good  chance  she  has married and thus changed her name.  How
does this complicate the search?

What rights w.r.t. privacy does one have if they do not  want  to
be  found?   (As  we  know  from  the  Bork hearings, there is no
Constitutional right to privacy.)

DL
-- 
Darrell Long
Department of Computer Science & Engineering, UC San Diego, La Jolla CA 92093
ARPA: Darrell@Beowulf.UCSD.EDU  UUCP: darrell@sdcsvax.uucp
Operating Systems submissions to: comp-os-research@sdcsvax.uucp

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Sun Dec 27 22:25:18 1987
From: wrtfac!hassler@lognet2.ARPA (Barry D. Hassler)
Subject: Link Encryption Devices

        Has anyone had any experience with link encryption devices?   I  am
looking  for  information  on  devices  which  can  encrypt synchronous and
asynchronous lines at speeds at least up to 56 Kbps.  Of  special  interest
would  be devices that can be used in a dial-up environment (I imagine this
would mean being able to turn the  encryption  on  and  off  to  control  a
modem).   Please respond to me directly - I'll attempt to summarize back to
the group if there is enough interest.

-BDH

Barry D. Hassler                                hassler%wrtfac@lognet2.arpa
System Software Analyst
Control Data Corp.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Date: Tue, 15 Dec 87 19:41:09 EST
From: John Hanley <hanley@cmcl2.nyu.edu>
Subject: Re:  Picking locks on pay phones

Maybe pay phones maintained by the BOCs don't have alarms, but
a friend of mine is having an independent manufacturer install
a pay phone at his store, and he claims that not only can it be
programmed to call a number when it's coin box is full and announce
in an incredibly sultry voice that it's time to collect, but it
can also dial a number and shout for help when it thinks it's being
broken into.
						--JH
-----------[000015][next][prev][last][first]----------------------------------------------------
From:      Mike Linnig <LINNIG@eg.ti.com>  12-Jan-1988 17:42:23
To:        security@RUTGERS.EDU
You might get a passive infared motion sensor and aim it at the
drive way.  Radio shack sells one for about $60 and they are pretty
immune to false alarms.  Also you can buy these gadgets hooked
to flood lights so that the lights come on when someone enters
the yard.

btw, driving over a coil does not cause a current to flow.  These
devices usually use the coil as an inductor.  Driving near the
coil changes its inductance.  The inductor may be part of
an oscillator thats freq depends on the inductance.

	Mike Linnig,
	Texas Instruments
-----------[000016][next][prev][last][first]----------------------------------------------------
From:      david@david.UUCP (David A. Roth)   13-Jan-1988 00:21:26
To:        
I am looking for recommendation of national burglary alarm companies that offer
monitoring services including fire detection and water. I am
interested in pricing and first-hand experience dealing with them.

Please reply directly by e-mail since my site currently does not
receive this newsgroup.

Thanks in advance.

David A. Roth
Columbus, Ohio
...ihnp4!david!david
...cbosgd!osu-cis!david!david
...cbosgd!n8emr!david!david
...rutgers!david!david
-----------[000017][next][prev][last][first]----------------------------------------------------
From:      James Ford <JFORD1%UA1VM.BITNET@CUNYVM.CUNY.EDU>  13-Jan-1988 08:48:08
To:        security@red.rutgers.edu
Here at the Univ. of Ala. (in Tuscaloosa), we have a graphics lab in which
drawing students use ACAD 2.62 (among other programs).  To insure that
students won't "borrow" the software, we use the following procedure.....

The main program is called PC-Lock.  When this program is installed, the user
has to supply a password to access the hard disk.  IF they decide to boot up
with a DOS disk in drive "A", they are unable to access the hard drive.
Nortons Adv, PcTools, Explorer, Ultra-Util. and other programs return a
"Invalid Drive" message when used.  Also, using PC-Lock, CNTL-BRK can be turned
off permantly. :-) Then all one has to do is make a simple menu to run after
PC-Lock accepts a valid password.

   Advantages:  No multiple sub-directories or "hidden" sub-directories.

                Easy to write menus (use your favorite "freeware" menu pgm).

                Only way to get to hard disk is via the passwords..or, you
                can use DEBUG to format the drive again, (G=C800 and the such,
                however the data is lost.......    :-)

                You can use a total of 5 passwords (1 administrator and 4 user
                passwords).  ANY key combination is allowed...even backspaces.
                If a user messes up entering the password, striking ENTER gives
                him another chance.

Disadvantages:  You have to make some files "normal" again to edit them
                (adding new programs to the drive..etc).

                If a person happens to buy the program, (since he knows the
                passwords for that class) he can change them.  *BUT*, since
                the errorlevels passed will be the same, he/she/it still
                can't get to the software.  The supervisor can then enter
                his own password and change all of them to whatever he wants.

                Unlimited attempts at trying the passwords..however, it
                would take someone quite some time to figure out a 16
                character password.

                CTRL-ALT-DEL is removed from operation until the correct
                password is typed in.......

I'm not quite sure how PC-Lock works, but if you use FDISK, the hard drive is
seen as a non-DOS disk.....maybe it moves the FATs to another part of the disk?

                   Just though ya'll might be interested....

                               James Ford
                               1611 Bryant Dr. Apt #3
                               Tuscaloosa, Ala  35401
                               (205) 752-4901
-----------[000018][next][prev][last][first]----------------------------------------------------
From:      "Bob_Hewitt.WBST129"@Xerox.COM  13-Jan-1988 11:09:05
To:        security@RED.RUTGERS.EDU
The best solution I have found for home security at night, is to install an
infrared sensor which turns on spotlights and any type of noisemaker you want.
I installed one on our deck, near the garden, and it serves two purposes.
First, it detects any motion of a warm body (prowler) within its adjustable
range, and second, it detects racoons in the summer if the sensitivity is set
properly.  We have two spotlights and a Sonalert wired to the device so that we
are alerted if someone enters the field of detection and the racoons are scared
off by the light and high pitched sound of the Sonalert.  We were able to have
our own corn for the first time in years!  

The device can be used in the driveway to detect motion of a car or person
approaching the house and turn on a light or any other device you want.  As I
mentioned, the range and sensitivity can be adjusted.  It is capable of
detecting a car at 100 fet if adjusted for high sensitivity and detects a warm
body at 35-50 feet.  I bought ours at a local supply house called Hechingers
complete with the dual spotlight fixture for $34.95 last year.  I'm sure the
security houses sell them too, although I didn't check them out.

Bob
-----------[000019][next][prev][last][first]----------------------------------------------------
From:      Jack Holleran <Holleran@DOCKMASTER.ARPA>  14-Jan-1988 07:51:15
To:        security@RED.RUTGERS.EDU
SUMMARY:  Two ex-boyfriends use their superuser abilities to delete
          files necessary to complete coursework and allegedly read
          private mail.

If this happened to my 'SO' or one of my daughters, this is what I would 
recommend.

1-Document the circumstances in a one page summary and present it to them.

2-Tell them that if the data isn't restored in 2 hours (or some nominally
short time), she is prepared to present her summary to the dean (or whoever
the powers-to-be are).  I choose 2 hours because most superusers or hackers
really can't destroy data before copying it somewhere for back-up.  If the 
data has truly been destroyed, then anytime frame is insufficient.  But if
it exists, the superusers are under pressure (deservedly so!!) to restore
the files.  (I'm not sure that I wouldn't also do step 3 even if the
files are restored.)

3-If the threat doesn't bring the data back, then present the document to the
dean.  If an apology AND a public policy isn't made, then escalate to the next
step.

4-Tell the local school paper and the local town paper.  The local school 
paper will present her side of the argument BEFORE the superusers.  In most
public presentations of arguments in an unemotional manner (facts, not 
feelings) will put the superusers in an awkward position.  Don't forget to
state your experience so the superusers can't show that your inexperience 
was the cause of the files being lost.

5-The school will probably react if the letter reaches the local area newspaper
because most schools "rent" or "lease" a portion of their computing power to 
local institutions to support workers doing research.  As an institution, I 
would be very displeased if I thought I might lose opportunities because of
some immature superusers.

The key to success is rational escalation.  While the timeframe is late
for immediate success, the superusers might learn an ancient phrase
"...hell hath no fury...".

Now for a management or a corporate point of view...

Everybody makes mistakes.  In this case, the superusers used poor judgment
based on the facts presented.  As a manager, I would allow one mistake due
to poor judgment or immaturity.  BUT THEY HAVE TO BE TOLD THAT THEY HAVE 
HAD THEIR MISTAKE!  The next one would be costly for the superusers.

When a superuser ABUSES the customer, it is time to re-evaluate the need
for that superuser.  The superuser is like the insider in the stockmarket,
he hears a lot of information but he is OBLIGED by law not to benefit by it.
A superuser can browse through a lot of data but he should do so by
invitation only!

Also, if you the customer want to be sure your files exist, you may have to
take the time yourself to make copies.  This is a risk that you have to
evaluate.  Books have been written on this subject so I won't expand here.

Jack Holleran (Holleran@DOCKMASTER.ARPA)
-----------[000020][next][prev][last][first]----------------------------------------------------
From:      Mike Bell <mcvax!camcon!mb@uunet.uu.net>  14-Jan-1988 22:25:34
To:        misc-security@ukc.ac.uk
> ... however these devices are
> pretty much made obsolete by the fact that any of the ESS switches
> do not open an audio path untill they receive answer supervision
> from the dialed end.

None of the electro-mechanical exchanges I've seen connect the audio
path until *after* the phone has been picked up...  (If there was,
you could just put a high pass filter on your line and get free
incoming phone calls:-)

As I understand it, the mode of operation of such devices is to send
the tone immediately *after* the called party has hung up, when an
audio path still exists.  The infinity transmitter then 'picks up'
the phone again to keep the line open. Only when the connection to
the subscriber is completely digital will this possibility go away.
(but lots of others will arise).

So if you get lots of `wrong numbers', and sometimes have difficulty
getting a dial tone...

Happy Paranoia!
-- 
---------------	 UUCP:  ...!ukc!camcon!mb | Cambridge Consultants Ltd
-- Mike Bell --	 or:    mb%camcon.uucp    | Science Park, Milton Road
---------------	 Phone: +44 223 358855    | Cambridge CB4 4DW
-----------[000021][next][prev][last][first]----------------------------------------------------
From:      Walter Ray Smith <ws0n+@andrew.cmu.edu>  18-Jan-1988 14:50:51
To:        security@red.rutgers.edu
This pay phone guy has made the big time: Weekly World News!  Right next to a 
diet ad...

Copyright (C) 1988 Weekly World News
Reprinted without permission

Phone ranger rips off $500,000 from booths
FBI dragnet is out for the nickel-&-dime desperado

    Cops have circulated wanted posters throughout the country for an elusive 
bandit who they say has ripped open pay phone coin boxes for seven years--and 
made off with $500,000.
    The phantom phone bandit has been identified in a fugitive FBI warrant as 
James Clark, 47, who brazenly uses the name "James Bell" and pays bills with 
mountains of coins.
    "He's about as slippery as they get," said Powell Caesar of Ohio Bell in 
Columbus, Ohio.
    "He's like a crooked Houdini.  There isn't a coin box he can't crack."
    Clark, a former machinist and die-maker from Ohio, drives a blue van, 
wears cowboy boots, gold-rimmed glasses and has a ponytail.
    A special tool allows him to open phone boxes, steal the coins and quietly 
slip away, say phone officials.  He's been doing it for seven years, making 
$70,000 a year tax free.
    "Every telephone company from California to New York State would like to 
nail his hide," said Caesar.  "Sooner or later he'll slip up and we'll be 
waiting."
    Police believe Clark is in Arizona, California or another western state.  
He's supposed to be armed with a .38 caliber pistol.
    The wanted posters offer rewards for information leading to his capture.
-----------[000022][next][prev][last][first]----------------------------------------------------
From:      THE DOCTOR. <MSRS002%ECNCDC.BITNET@CUNYVM.CUNY.EDU>  18-Jan-1988 22:33:45
To:        <security@RED.RUTGERS.EDU>
Why mess with Floppy Disks at all, use a network.

I have been administering a PC network using Novell Netware, and overseeing
another for about a year now.  All the interesting stuff is on the network
file server where it's very convienient to access, and the .EXE files are
flagged EXECUTE ONLY.  The only thing you can do to an execute only file is
execute it and, if you're the system administrator, erase it.  All the extra
files associated with the program are marked SHARABLE READ ONLY ( with a
few annoying exceptions ).

If somebody does try to copy a program, they get everything except the .EXE
or the .COM file.  If they try to corrupt a program, they get a message
like "Access Denied."  Since all the files are bottled up inside the file
server, direct bios calls and the like won't get around the protection.

I mentioned annoying exceptions:

It seems some application programs read their .EXE files while they're
running.  If the file is set to Execute Only, they can't read it either, and
they usually report "EXE file not found," or something equally unhelpful.

Another trick Novell has is not permitting users to see a subdirectory.
When they do a DIR, the directory appears empty, and COPY *.* doesn't find
any files.  In order to copy a piece of software, they would have to explicitly
copy each file, and first they would have to find out all the filenames.
Unfortunately, some programs use directory search calls to find their files.

Novell's security system is quite transparent to well-behaved users, and if
carefully administered, very robust.

                                                     Tom Ruby
                                                    MSRS002@ECNCDC
-----------[000023][next][prev][last][first]----------------------------------------------------
From:      Larry Hunter <hunter_larry@YALE.ARPA>  20-Jan-1988 13:16:53
To:        darrell@sdcsvax.ucsd.edu
   How would you go  about  finding  such  a  person?   The  obvious
   security  issue  here  is perhaps this person does not want to be
   found.  DMV records would be the first place I would  look,  then
   perhaps at Social Security.  But who has access to these records?
   
First, your specific questions:  The friend who left town 10 years ago
because the Hell's Angels were after him is easy.  He's not really trying
to hide from you; try asking his relatives.  You can get DMV records pretty
easily; they're public.  Social security records are very tightly held, but
you can try impersonating the subject and asking for "your" records (highly
illegal).  Almost no one is entitled to look at SS records.   Your female 
friend's marriage certificate (and divorce certificate, if any) is listed
in both her maiden and married names (see below).

One has very little in terms of legal right to privacy regarding where
one lives.  Many of the relevant records (land ownership, leases, etc.)
are either explicitly public or not protected at all.  Most of the measures
one might take to "disappear" involve name changes to evade debts and/or
false id, both of which are illegal.   How hard it is to find someone
depends really on how badly they want to be lost.  Most people are
relatively easy to find.

Doing a skip trace (as these investigations are generally called) usually
begins with some last known address.  You should first check the phone
book for a new number or address.  The phone books from nearby towns
are often helpful.  Unlisted numbers at least tell you what town the
subject is in, and there are (illegal) ways of finding them out.

For $1, the post office will tell you of any active forwarding address
for a year after the move.  You can also send mail to the last known
address with the inscription: "Do not forward: address correction
requested" and save yourself 78 cents.  The post office is also required
to give out the actual address of businesses operating through PO boxes.
You can claim that you bought something from the subject's PO box and have not
received it; that is usually enough to get the real address of the
boxholder.

There are also the Polk directories that list names and phone numbers
by address.  You can call some of the subject's old neighbors, and with
a suitable pretext, get potentially useful information about the subject.
These directories also indicate numbers that have changed since the last
publication, highlighting recent moves.

Public records can also be of great assistance.  Marriage records are
listed by both husband and wife's original names, so find the married
name of your old flame is pretty easy.  You also might consider looking
in local newspapers around the date of the marriage for announcements.
These are goldmines of information about friends, addresses, employers,
etc.  Divorce records are also useful and available. Traffic tickets are
a matter of public record, and almost everybody gets them now and then;
they have names and addresses on them.  Birth and other records may yield
a parent's address, which can be very useful in tracking children.  Many
other city or county records (property tax, fishing licenses, auto or
boat registration, etc.) may provide information.  Try the several cities
and counties around the last known address.  Most records can be had be anyone
for a small fee.  Some clerks may try to tell you you need some official
permission to look at files.  This is incorrect: local files are a matter
of public record and anyone is entitled to look.

Private records, such as credit records, Equifax (an insurance
investigator) files, medical and banking records and so on may all be
accessible to various degrees.  It depends on your connections to insiders
in those companies or the quality of your pretext in asking.  Sometimes
a little money helps.  If you know the subject's old employer,  they
may have useful records; they may even be the ones who transferred him
to a new city.

Interviewing people who may have known the subject before he moved can
be very helpful.  People in the neighborhood (friends, local grocery
store, gardeners, landlords, water company) may have information.
Relatives are generally very knowledgable.  Lots of local businesses may
have forwarding addresses on file for returning deposits or for final
bills: phone company, water, gas, electric, landlord, etc.

Some people who WANT to disappear use phony mail drops, or "rented"
addresses.  There are lists of such addresses in a publication called
the National Mail Drop Directory.  Many of the operators of these services
will help a tracer find a true address.  Phony ID is pretty easy to come
by in the US, but it is a rare case that completely drops out of his
old life, never seeing old friends, never talking to family, etc.  Lee
Lapin's book How to Get Anything on Anybody may provide a useful
introduction to running a more difficult investigation.

Lapin includes a great idea from a sting operation run by the NY police
that caught dozens of fugitives.  They sent letters to last known addresses
that read as follows:

  "Congratulations!  You have been selected to join FIST TOURS on their
   inaugural trip to Atlantic City.  You and a companion will be our 
   guest in Atlantic City for free.  You'll recieve $15 in quarters each and
   a buffet lunch at the Regency Lounge.  The tour is complete with drinks en
   route and wine and cheese on the return trip.
   
   Also a surprise, which is free.

   This is absolutely free to you and your guest.  All we ask is that you fill
   out the attached reply card.  Your trip will be leaving at [a certain place]
   but you must call to confirm your reservation...."

More than fifty felons went to jail for answering that letter ("Also a
surprise, which is free").  Happy Hunting!

                                  Larry
-----------[000024][next][prev][last][first]----------------------------------------------------
From:      GOLD::HOBBIT 26-JAN-1988 08:02
To:        NET%"security-list",HOBBIT
A while back I mentioned that red.rutgers.edu, our last 20, is being
decomissioned and rolled out in Febrary [Snif!].  I now know which host
will serve as a replacement distribution point for the Security list --
this one, aim.rutgers.edu.  I've found that PMDF can suck up the entire
list in one gulp and not complain, and there's Gnu emacs to do the
editing hair with, so it should work out just fine.

Thus, this is the official announcement:  Security is moving.  Please
send all further submissions to security@aim.rutgers.edu, and administrative
matters to security-request@aim.rutgers.edu.  Archives will now live at
this site in <security>security.mail, in pseudo-VMS format.  To FTP files
from here, connect and log in as GUEST with no password.  The entry for this
list in interest-groups.txt will also eventually change as well.  You may
see a couple more messages forwarded from Red before the changeover is done.

Security@rutgers.edu or rutgers.arpa should also continue to work, but use of
this path is discouraged because "rutgers.rutgers.edu" is a small Sun dedicated
to lots of mail traffic, and has a perpetual load of over 10 or so.

Here's to fast networks and capable mailers,

_H*
-----------[000025][next][prev][last][first]----------------------------------------------------
From:      "David Madeo  drm4@lehigh" <DRM4%LEHIGH.BITNET@CUNYVM.CUNY.EDU>  27-JAN-1988 16:14
To:        security@aim.rutgers.edu
I was just wondering if anyone noticed that CPP security bought
Pinkertons recently.  Any comments?   This seemed to be the closest
digest for the question.

David Madeo

drm4@lehigh.bitnet
zdrmade@vax1.cc.lehigh.edu
dmadeo@lehi3b15.UUCP
-----------[000026][next][prev][last][first]----------------------------------------------------
From:      corwin@EDDIE.MIT.EDU 30-JAN-1988 03:13
To:        V4039%TEMPLEVM.BITNET@CUNYVM.CUNY.EDU
I work for Crystalline Creations, a small company based in Lexington
MA, whose sole product at the moment is the worlds strongest go
playing program.  Our official policy on copy protection is:  it's a
pain in the ass.  Both for us, since we would have to come up with a
copy protection scheme, and for our users.  And besides, we're
constantly improving the programs playing ability.  Liscensed users
get free upgrades, but if you steal a copy, eventually, you learn to
play better than it does, and then what do you do?  The policy seems
to work fine, since we are making money, or I have gotten paid, at any
rate.

However, come June, we are releasing a version for the NEC PC, the
IBMPC clone on the Japanese market (where we have a much larger
potential market than in the US).  However, the Japanese insist
that the software be copy protected, so we need a scheme.  So, does
anyone know any reasonable protection schemes, which are at least
slightly bothersome to thieves, but not too much of a pain to
implement.  If not, can anybody suggest where to look?

corwin
-----------[000027][next][prev][last][first]----------------------------------------------------
From:      NET%"simsong@westend.columbia.edu" 31-JAN-1988 13:02
To:        BMOCONNO%pucc.bitnet@rutgers.edu
I suggest that you contact the social security administration, tell
them what happened, and ask them if they will issue you another
number. 

Please let me know what happens.  I'm currently writing a book about
the abuse of social security numbers.

			Simson L. Garfinkel
			Graduate School of Journalism
			Columiba University
			NY, NY 10027
			718-230-0430
-----------[000028][next][prev][last][first]----------------------------------------------------
From:      NET%"RPollard.ElSegundo@Xerox.COM"  1-FEB-1988 20:51
To:        HOBBIT@aim.rutgers.edu
Some of the recent talk of buggung and electronic survailance got me to
wondering something.  I live in a condo and as such share common walls with
neighbors.  (Neighbors that I don't really know very well.)  If one of my
neighbors wanted to "bug" my unit for some reason what sort of methods would
likely be employed.  It occurred to me that it might not only be audio but
visual bugging as well.  Also, how would one go about detecting such devices?

Thanks for any info.
Rich

END OF DOCUMENT