The 'Security Digest' Archives (TM)

ARCHIVE: Rutgers 'Security List' (incl. - Archives (1988)
DOCUMENT: Rutgers 'Security List' for March 1988 (27 messages, 23375 bytes)
NOTICE: recognises the rights of all third-party works.


From:      NET%"[email protected]"  2-MAR-1988 23:00
To:        [email protected]
>Tie the  operation of the software to a piece of hardware.  i.e.,
>send a piece of HW that can be read by the PC.  Perhaps it has to
>be inserted in the joystick loop, perhaps it has to be plugged on
>to an RS-232 port, etc.

Not very convenient if your PC is in a cabinet.  Also if you're running in
a multitasking environment you will either run into dongle conflicts if
they don't allow passthru or will wind up with your machine in the middle
of the room to be able to plug in three feet worth of dongles :-)

					-- Rod --

Rod Dorman                       {allegra,philabs,cmcl2}!phri\
Big Electric Cat Public Unix           {bellcore,cmcl2}!cucard!dasys1!rodd
New York, NY, USA                               {sun}!hoptoad/         

[Moderator note:  *What* is a "dongle"??   _H*]
From:      STGEORGE%[email protected]  3-MAR-1988 17:29
To:        [email protected]
Do any of you know any court cases, completed or pending, which involve
enforcement of the Electronic Communications Privacy Act of 1986? Thanks
in advance.
From:      Larry Hunter <[email protected]>  3-MAR-1988 22:54
To:        "Robert W. Baldwin" <[email protected]>
Cc:        [email protected]
    	Does anyone have information about the capabilities and limitations
    of police radars for speed checking.  I'm looking for both technical
    limitations of the devices and for procedural limitations that are
    necessary to make a ticket stand up in court....
Although I've never looked for it in print, I've heard that some states 
require a radar gun to be calibrated periodically (like hourly).  If
you challenge a radar ticket in court by asserting that the gun was out 
of calibration, the prosecutor should have to produce evidence that the 
gun had been appropriately calibrated.  If the ticketing officer didn't
bring his calibration records with him to court that day, you'd probably
From:      [email protected]  4-MAR-1988 10:05
To:        Clement Taylor <CGTAYLO%[email protected]>
Cc:        [email protected]
	There has been some discussion of these issues on the RISKS
ARPAnet mailing list.  I don't know how or if this list can be
forwarded into BITNET, but the person to ask is the moderator,
Peter Neumann.  From the current issue:

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
Contributions to [email protected], Requests to [email protected]
  For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
  Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).
Good Luck!
Jim Williams
From:      Clive Dawson <[email protected]>  4-MAR-1988 14:40
To:        goldstein%[email protected]
Cc:        [email protected]
  Many thanks for providing that legal analysis regarding export of
cryptographic software.  It was all most interesting and informative.
There's one point at the end which could use some further
clarification, however:

	If there is any reason to believe or suspect that a non-U.S. or
	non-Canadian national will gain access to that bulletin board, an
	export to a third country should be assumed and a license is

Let's say that a given bulletin board could somehow be confined within
the U.S. borders.  It is still the case that a LOT of non-U.S. or
non-Canadian nationals will have access to it, be they permanent
residents, foreign students, etc.  Is it really true that export to a
third country must be assumed in this case?  I'm guessing that Digital
itself has a lot of employees in this category.  Surely they are not
barred from looking at cryptographic software, or are they?  Even if
they sign confidentiality agreements with Digital, I would be
surprised if the State department would consider this sufficient for
export control purposes in general.  I guess what we need here is a
clear definition of what "export" means for the purpose of these

Clive Dawson
From:      Will Martin __ AMXAL_RI <[email protected]>  4-MAR-1988 18:47
To:        Clement Taylor <CGTAYLO%[email protected]>
	[Moderator note: part 1 of 2.   _H*]

Here is a compilation of data on the CHRISTMA EXEC virus which I collected
from postings in the RISKS Digest:

Regards, Will Martin

***Begin Included Messages***
From: minow%[email protected] (Martin Minow ML3-5/U26 223-9922)
Date: 11 Dec 87 11:55
Subject: Yet another virus program announcement fyi

From CRTNET, number 115.  From T3B%PSUVM.BITNET.
Subject:      Christmas Virus Warning

If you are at a CMS site and receive a program called CHRISTMA EXEC, please
(a) warn your postmaster and (b) discard the exec (or keep a copy for the
postmaster to look at, but DO NOT RUN IT).  This exec paints a Christmas
tree on your screen and then sends itself to everyone named in either your
NAMES or NETLOG files.  The result is potentially serious stress on Bitnet
and on your local spool system, and possibly a few system crashes here and
there as the number of reader files soars and exceeds the maximum.  The
Christmas tree isn't all that pretty, and the joke is pretty mean.
A word to the wise.  Your postmaster will thank you. Michael Sperberg-McQueen


From: [email protected] (Dave Curry)
Subject: IBM invaded by a Christmas virus
Date: Sat, 12 Dec 87 10:02:24 EST

  (From the Lafayette (Indiana) Journal & Courier, December 12, 1987.  Quoted
  without permission.)

  IBM Woes -- Computerized grinch jams the mail

     BINGHAMTON, N.Y.- A computerized Grinch invaded IBM's electronic
  mail Friday.
     An illegal software-style so-called Christmas card sent through
  IBM's electronic mail jammed desk-top computer terminals, spokesman
  Joseph E. Dahm said.
     The so-called virus program forced plant officials to turn off
  internal links between computer terminals and mainframe systems to
  purge the message, Dahm said.
     IBM sources say the link was off from 45 minutes to 90 minutes
  depending on the location.
     The program is known as a virus because it enters computer programs
  and replicates itself automatically.
     Curious employees who read the message titled "Christmas" in the
  morning electronic mail discovered an illustration of a Christmas tree
  with "Holiday Greetings" superimposed on it.  A caption advised "Don't
  browse it, it's more fun to run it."
     "That was the hook," an IBM source said.  "A lot of people thought
  they could take a peek and then kill the message, but once opened, it
  was too late."
     The program automatically entered a security log listing contacts
  made from the individual computer terminal, duplicated and mailed
  itself to new victims.
     Like a Pandora's Box, once opened, the program rarely accepted
  commands to stop, sources said.  Operators who turned off their
  terminals to stop the Christmas message lost electronic mail or
  unfinished reports not filed in the computer.

This article seems to have a lot of things in it that the reporter didn't
understand.  I assume that the "terminals" in question are really PC's
connected to the mainframes; for one thing.  Plus, I presume the "Don't
browse it" refers to the VM/CMS "BROWSE" command used for looking through
files, and not just to the regular English word.

Does anyone have any more info from a source which understands all the
big words?
                                  --Dave Curry, Purdue University


Date: Mon, 14 Dec 87 09:38:55 est
From: Franklin Davis <[email protected]>
Subject: IBM invaded by a Christmas virus

    This article seems to have a lot of things in it that the reporter didn't
    understand.  I assume that the "terminals" in question are really PC's
    connected to the mainframes; for one thing.

Probably the users were connected by 3270 type terminals (or
emulations on a PC) which use a half-duplex block mode protocol.  If
you turn off such a terminal your session is aborted, and you lose
current edits.  It is also very difficult to interrupt an executing
program, since it "owns" the line.  There is a "system-attention" key,
but a busy system may take literally minutes to respond.  (I'm glad I
don't have to use an IBM mainframe any more!! :-)

--Franklin Davis         Thinking Machines Corp.         [email protected]     


Subject: IBM Xmas Prank
Date: Fri, 18 Dec 87 10:03:57 -0500
From: Fred Baube <[email protected]>

From Friday's Washington Post, excerpted without permission.

"The message popped onto desktop screens in IBM offices around
the country and even crossed the Atlantic and Pacific oceans,
showing up in IBM outposts in West Germany, Italy and Japan."

[as pictured                X
 in the article]           X X
                          X X X
                         X X X X
                        X X X X X
                       X X X X X X
                      X X X X X X X

A very happy Christmas and my best wishes for the next year.
             Let this run and enjoy yourself.
Browsing this file is no fun at all.  Just type Christmas.

"The message that bedeviled IBM was a comparatively benevolent
one and did not, as computer tricksters' creations sometimes do,
destroy other material in the system .. [although] rapidly
producing electronic gridlock."

"The culprit is unknown .. but preliminary investigation suggests
that the message originated outside the company.  IBM's mail
system is attached to those of several other institutions."

"From start to finish, the message survived only hours .."

"Does the world's biggest and most advanced computer company feel
embarrassed about its Christmas chain ?  'We didn't want it to
happen, but we anticipated something like this might be attempted
and we were prepared to deal with it.'"

(1) An incoming message can contain an executable program,
    that can easily be run ?
(2) Such a message can be remailed under its contained program's
    control, presumably with the name of the last victim in the
    "From:" field ?
(3) Can IBM trace it to an originator, or was anonymity possible ?
(4) How/where can readers of RISKS submit something similar ?
    (strictly for professional testing purposes)
(5) Is the Internet similarly vulnerable ?

The prank seems to be benign, and therefore beneficial.
IBM seems to have dealt with it effectively (or have they ?).

Browsing this message is no fun at all.  Just type Christmas ..

          [Bay Area folks can read a long front-page article by John 
          Markoff on viruses in today's SF Chronicle-Examiner.  PGN]


Date:         Mon, 21 Dec 87 15:22:26 EST
From: Ross Patterson <A024012%[email protected]>
Subject:      Re: IBM Christmas Virus

    There  have  been  several  messages to  RISKS  lately  about  the
CHRISTMAs EXEC virus  on IBM's network.  This was an  extension of the
same problem  on BITNET and  its European counterpart, EARN.   Since I
raised the general alarm about it, I'd like to answer a few questions.

    The virus used two standard CMS files, called NAMES and NETLOG, to
help it infect other users.  The NAMES file contains a list of userids
and system names that you  correspond with frequently, allowing you to
abbreviate them  to a mnemonic  nickname when sending mail,  files, or
interactive messages.   I composed  this mail  by sending  to "RISKS",
which my NAMES file lists as user RISKS on system KL.SRI.COM.  You can
also list  phone numbers, paper  addresses, etc.  There is  a commonly
available program that  will print off a personal  phonebook from your
NAMES file ("Traveling  Sidekick" from the days BB  - Before Borland).
The  NETLOG file  lists all  users you've  sent mail  or files  to, or
received them from.   It's a very nice audit trail  when you're trying
to remember where you got that copy of Space Wars.

    After  typing  the Christmas  Tree  on  your terminal,  the  virus
proceeded to  read both  the NAMES and  NETLOG files to  get a  set of
target addresses.  It then sent a copy  of itself to each of them, and
finally deleted itself.

>I assume that the "terminals" in question are really PC's
>connected to the mainframes; for one thing.

    The terminals  mentioned are generally  IBM 3270's, and  PC's with
IRMA-type cards.  The virus ran on the host system, not on the PC.

>Plus, I presume the "Don't
>browse it" refers to the VM/CMS "BROWSE" command used for looking through
>files, and not just to the regular English word.

    Both, actually.  The intent was  obviously to stop the reader from
going  further down  into  the file,  where the  real  purpose of  the
program was quite obvious.  The  language used (IBM's REXX) is usually
interpreted,  so the  program was  sent  in source  form.  Anyone  who
bothered to read below the second screen-full (like all of us paranoid
Systems  Programmers)  began to  see  the  trouble.  It  was  slightly
cloudy, as all the variable names  were in German, but seeing was fair
to good.

>The culprit is unknown

    That is  no longer the case.   The culprit has been  tracked down,
and barred from  access to his/her system.  A note  to that effect was
broadcast to  a number of  mailing lists  by the General  Secretary of
EARN.  The source system had recently been attached to the West German
section of EARN, and the user who started it all only intended to send
a greeting  to a  few friends.   To quote a  TV commercial,  "...  and
they'll tell two friends, and so on, and so on, ...".

>                        .. but preliminary investigation suggests
>that the message originated outside the company.  IBM's mail
>system is attached to those of several other institutions."

    Quite so.  No  one seems quite sure which of  the gateways between
BITNET/EARN and IBM's internal network, VNET, passed the first copy of
the  virus.   It  matters  very   little,  since  it  found  the  VNET
environment  even more  conducive  to  reproduction than  BITNET/EARN.
VNET'ers apparently keep much larger  NAMES files than BITNET'ers.  It
wasn't long before  the links were carrying more  CHRISTMA EXEC's than
anything else.

>"From start to finish, the message survived only hours .."

    Per copy, perhaps.   The first known instance of  infection was at
about  1300  GMT on  Wednesday,  December  9.  Within BITNET,  it  was
generally stamped out by the  following Monday, December 14.  On VNET,
it  didn't show  up until  a day  later, and  was mostly  killed in  a
massive network shutdown on Friday.

>(1) An incoming message can contain an executable program,
>    that can easily be run ?

    Yes.  Please  remember that the  Internet is not the  only network
style in the world.  In BITNET and  VNET, mail is just another case of
file  transfer.  File  transfer is  performed by  the sender,  not the
receiver.   These are  store-and-forward  networks, so  the path  from
system  A to  system B  need not  be intact  for the  duration of  the
transfer.  The viral program was transferred  as a normal file, not as

>(2) Such a message can be remailed under its contained program's
>    control, presumably with the name of the last victim in the
>    "From:" field ?

    It wasn't  mailed.  Thus, there  wasn't any From: field,  etc.  It
did carry  the system name and  userid of the most  recent victim, but
not any trace-back information.

>(3) Can IBM trace it to an originator, or was anonymity possible ?

    A task force of BITNET and EARN systems programmers traced it back
to its source, by the usual disease-control procedures:

   Doctor: "Miss  X, you've got a  nasty case of viral  <Y>.  Who have
            you had  contact with recently?".

   Miss X: "Just a moment, I'll check my notebook."

    A byproduct of the tool used to  transmit the virus is an entry in
the NETLOG  file listing the userid  and system name of  anyone it was
sent to, making it easier than usual  for Miss X to remember.  In some
cases, the  user had suppressed the  NETLOG facility, but that  is the
exception, not the rule.

>(4) How/where can readers of RISKS submit something similar ?
>    (strictly for professional testing purposes)

    Noplace safely.  Please  don't try it on anything  but an isolated
network, and then coldstart your spool afterwards.

>(5) Is the Internet similarly vulnerable ?

    Not to  this one.  It  plays on  several things that  the Internet
doesn't have:

   1) A  large number of IBM  VM/CMS systems.  The program  would only
      run in a CMS environment.  There is no reason one couldn't write
      something similar in any other language, though.

   2) A  suitable file transfer  system.  FTP doesn't apply.   It must
      provide a  way for a user  to receive an unsolicited  file, in a
      runnable form.

   3) A good method of determining  targets.  The CMS NAMES and NETLOG
      files provided an excellent source of information.  I suppose in
      a Unix environment, ".alias" and "/etc/aliases" would be ok, but
      .alias  is  comparatively rare,  while  NAMES  files are  almost
      universal in CMS.

>The prank seems to be benign, and therefore beneficial.

    That is being debated in several  circles.  I, for one, agree with

>IBM seems to have dealt with it effectively (or have they ?).

    Yes, they have.

>Browsing this message is no fun at all.  Just type Christmas ..

    The lesson of  this one is the  same as for PC  viruses: Never run
something you don't recognize.  When the virus first appeared, several
people suggested that  it was the work of students,  and that it might
be used negatively in an ongoing argument over whether students belong
on BITNET.   When we heard  that "professionals" inside IBM  were also
running  programs they  didn't recognize,  that particular  suggestion

    This virus  was quite  sly, in  that by  sending itself  to people
listed in  your NAMES and  NETLOG files, those people  would recognize
the source (you) as a friend, and be generally less inquisitive, until
things  got  nasty.   Lesson  #2: Even  your  friends  sometimes  make
                                    Ross Patterson, Rutgers University

    [RISKS received an unusually large number of messages on this subject --
    from Fred Baube, John Owens (2), Allan Pratt, Anne Louise Gockel, and 
    Bruce O'Neel.  I started trying to edit them down, but rapidly gave
    up that strategy -- inordinate overlap.  So, I will take a new tack,
    which is to put out Ross' message -- which was the most comprehensive --
    and then give Fred, John, Allan, Anne and Bruce first priority if THEY
    wish to comment marginally or additionally thereupon.  Please be terse
    -- and avoid replicating ALL of the foregoing text in your messages,
    as some of you have been doing.  (One of the joys of mailers?)  PGN]

Organization: The MITRE Corp., Washington, D.C.
Subject: The Christmas Card Caper, (hopefully) concluded
Date: Mon, 21 Dec 87 11:45:03 EST
From: Joe Morris ([email protected]) <[email protected]>

The following item was posted on the VMSHARE bulletin board.  It describes
the origin of the CHRISTMAS EXEC file, and makes valid points about the
inability of computer systems to automatically recognize some types of
ill-behaved programs quickly enough to prevent damage to a network.

(VMSHARE is a closed bulletin board operated for the use of VM installations
who are members of SHARE, the large IBM mainframe user group.  Shadow copies
of the VMSHARE traffic are distributed to many other nets, including VNET
and BITNET.)                            
                                               Joe Morris ([email protected])

  Append on 12/19/87 at 20:10 by Melinda Varian <BITNET: [email protected]>:
  The following statement, from a member of the EARN Board, answers the
  queries about the origin of the CHRISTMA EXEC.  Clausthal-Zellerfeld
  is quite a new VM installation.  When Heinz Haunhorst, of their staff,
  was notified that the first appearances of the virus on the networks
  originated at his node, he pursued the matter vigorously and skillfully.
  Helmut Woehlbier, of the Technical University of Braunschweig, also did
  an excellent job in helping to determine the originating node.
  <>  <>  <>  <>  <>  <>  <>  <>  <>  <>  <>  <>  <>  <>  <>  <>  <>  <>
  Date:         Wed, 16 Dec 87 18:33:58 GMT
  Sender:       EARN Technical Group <[email protected]>
  From:         Michael Hebgen <[email protected]>
  Comments: To: EARN Executive <[email protected]>,
                EARN Board of Directors <[email protected]>
  Comments: cc: German EARN Executive <[email protected]>,
                German EARN node administrators <[email protected]>,
                Heinz Haunhorst <[email protected]>,
                "Dr. Gerald Lange" <[email protected]>,
                Otto Bernd Kirchner <[email protected]>
  To:           Melinda Varian <[email protected]>
  Subject:      CHRISTMAS EXEC
  Dear colleagues,
  after some very sophisticated detective work  it is clear that the origin
  of the CHRISTMAS EXEC is the EARN  node DCZTU1. A student there has
  written this EXEC to send christmas greetings to his colleagues and another
  student has  used it  without knowing what  he is doing  (as many  of our
  network users) and started the explosion.
  The node  DCZTU1 has already  blocked the Userid  of the author  and done
  all necessary steps.  Every node in the network can  be the next starting
  point  of a  similar explosion  and distribute  virus programs  or other
  bad things.
  As far as  I know the EDP-systems  there is no way to  prevent users from
  their own  mistakes. The only  solution I can think  of for this  type of
  behaviour is to observe "EDP-hygiene":
     If you receive an executable  file (EXEC, CLIST, program) from another
     might be  unknown user  do NOT execute  without control  because it
     can result in gross misdemeanour and serious damage.
     Check all EXECs/CLISTs,  what they are doing, before  you execute them
     and  check all  executable programs,  where  they come  from and  what
     they do.
     As in normal life uncontrolled behaviour may result in serious
     consequences  (I am  not going  to mention  AIDS). You  as a  user are
     responsible for all what you are doing.
  I propose to include such statements (in better english formulation) into
  the CODE OF CONDUCT and to  start an "enlightenment" process for the end-
  Best regards, merry christmas (without tree) and a happy new year
  Michael Hebgen
  EARN director of Germany and
  General secretary of EARN
  *** APPENDED 12/19/87 20:10:47 BY PU/MELINDA ***

Did any contributor suggest how the message jumped from EARN (or BITNET) into
VNET?  Supposedly the gateways (one at Yorktown, I believe)  are monitored
closely so that the ability of a message to cross without supervision
is quite limited.  I'm told that a few years ago there  was something of a
major flap when a meeting of relatively high IBM brass was shown a message
Melinda Varian (the BITNET source of the EARN message I forwarded) had sent
to an IBM'er via VNET (WITH the permission of IBM...upper management in IBM
just hadn't been aware of the arrangement).  My guess would be that it came
through an account on a customer machine but assigned to an IBM'er who could
pass mail into the IBM network.

Thought for the week: was this supposed to be a demonstration of a computerized
Christmas distribution TREE?

Second thought on the word "tree" (swiped from an undergraduate thesis at 
MIT from the 60's):

  Problems are posed by fools like me,
  but only heuristics can search a tree.

Joe Morris
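
The trace-back Ross Patterson describes above, walking from each victim to whoever sent them the file by way of NETLOG entries, can be sketched as follows. This is an added example, not part of the archived messages; it also covers the case he mentions where a user had suppressed NETLOG, by recovering that hop from the logs of the user's peers. The one-line record layout, the userids, node names and timestamps are all constructed for illustration and are not the real CMS NETLOG format.

```python
from datetime import datetime

# Constructed sample data (hypothetical users and nodes).
# Layout invented for this example: owner | direction | peer | file | time
# BOB@NODEB has NETLOG suppressed, so no record is owned by BOB.
SAMPLE_LOGS = """\
ALICE@NODEA | SENT | BOB@NODEB   | CHRISTMA EXEC | 1987-12-09 13:00
ALICE@NODEA | SENT | CAROL@NODEC | CHRISTMA EXEC | 1987-12-09 13:00
CAROL@NODEC | RECV | ALICE@NODEA | CHRISTMA EXEC | 1987-12-09 13:05
CAROL@NODEC | SENT | ALICE@NODEA | CHRISTMA EXEC | 1987-12-09 14:10
CAROL@NODEC | SENT | DAVE@NODED  | CHRISTMA EXEC | 1987-12-09 14:10
ALICE@NODEA | RECV | CAROL@NODEC | CHRISTMA EXEC | 1987-12-09 14:15
DAVE@NODED  | RECV | BOB@NODEB   | CHRISTMA EXEC | 1987-12-09 13:40
DAVE@NODED  | RECV | CAROL@NODEC | CHRISTMA EXEC | 1987-12-09 14:15
DAVE@NODED  | SENT | ERIN@NODEE  | CHRISTMA EXEC | 1987-12-09 13:50
ERIN@NODEE  | RECV | DAVE@NODED  | CHRISTMA EXEC | 1987-12-09 13:55
ERIN@NODEE  | RECV | FRANK@NODEF | SPACEWAR EXEC | 1987-12-01 09:00
"""


def parse_edges(text, filename="CHRISTMA EXEC"):
    """Merge every user's log into {(sender, recipient): earliest time}.

    A transfer may be recorded by the sender (SENT), by the recipient
    (RECV), or by both.  Using both sides means a hop is still visible
    when one of the two users kept no log at all.
    """
    edges = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        owner, direction, peer, fname, stamp = (
            field.strip() for field in line.split("|")
        )
        if fname != filename:
            continue  # unrelated file transfers are not part of the trace
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        pair = (owner, peer) if direction == "SENT" else (peer, owner)
        if pair not in edges or when < edges[pair]:
            edges[pair] = when
    return edges


def trace_origin(edges, start):
    """Walk back from a known victim; return the chain, origin last.

    Heuristic: a user was infected by the sender of the earliest copy
    that reached them.  A user who sent copies before receiving any
    (or who never received one) is taken to be the starting point.
    """
    path = [start]
    current = start
    while True:
        inbound = [(t, s) for (s, r), t in edges.items() if r == current]
        outbound = [t for (s, r), t in edges.items() if s == current]
        if not inbound:
            return path
        first_in, sender = min(inbound)
        if outbound and min(outbound) < first_in:
            return path  # was sending before any copy arrived
        if sender in path:
            return path  # guard against loops from copies bouncing back
        path.append(sender)
        current = sender


if __name__ == "__main__":
    chain = trace_origin(parse_edges(SAMPLE_LOGS), "ERIN@NODEE")
    print(" <- ".join(chain))
```
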

From:      [email protected]  4-MAR-1988 21:08
To:        [email protected], [email protected]
The police radars that I've played with have had an audio feedback.
With the audio feedback, you hear an obnoxious buzzing and whistling
which represents the doppler shift coming back from the object you
are clocking.  I found that by listening and watching, I could very
accurately determine exactly who I was aiming at, even with 2 or more 
cars coming at me.

I would point the gun at an approaching car and I'd hear a high pitched
whine, point it away and the whine would go away.  Point it at two cars
and I'd hear 2 whines at different pitches.  Moving the gun towards one
car made one whine louder and the other softer.

Of course, I've very rarely seen police officers actually holding the
radar guns.  Most of them I've seen were aimed forward or backwards
attached to the window in the left rear.  I can't imagine that it would
be too easy to figure out who exactly you were aiming at with the gun
in this position.

-Mike Grant
From:      Wes Williams <[email protected]>  5-MAR-1988 10:17
To:        [email protected]
Cc:        [email protected], [email protected]
The procedures vary widely from state to state as well as from the local
municipality and counties. The research you need to do starts on the local
level and will be interesting. I have found that the following can be true:
1. Local police departments may require periodic testing of the units by
an in/outside tech type that will validate the Radar unit for safety (rads)
as well as the degree of accuracy for the unit.
	1a. This may be out of date as well as never done.
	1b. State requirements may be downgraded and be illegal.
	1c. There may be no requirements (state or local).
	1d. The testing (when performed inside) may be done by
	    someone that does not have the qualifications nor the
2. Find out if the locality is a constantly watched spot. A police
eye (ie: trained observer) that is on the scene and is familiar with
the traffic patterns as well as the time involved for a car to pass point
A and get to B is as good (in some cases) as the Radar gun. This is also
subject to state and local laws.

3. Final note..... READ THE TICKET!   In general, a typo or misprint
anywhere on the ticket is the real loophole. You can be away clean.

From:      Douglas Allen Luce <dl2p+%[email protected]>  5-MAR-1988 13:54
To:        [email protected]
Shipping a piece of hardware that must be plugged into the computer before the 
software will run has been tried, with only moderate success.

There are a couple ways to circumvent this scheme, both fairly 
straightforward: copy the piece of hardware or remove or rewrite the piece of 
code in the program that checks to see if the hardware is where it should be.

I've only seen this implemented for very small computers; Atari 8 bit machines 
and Commodore 64 computers.  Basically, a small jumpered plug was inserted 
into the joystick port.  The program then matched out signals through the 
joystick port to see if the plug was there.

Finding the code in the programs wasn't a complex job; one could pull up a 
machine language debugger and monitor the joystick port for accesses.  From 
there, the code could be broken down and the part that controlled access 
replaced with an "ok" code.  One would no longer need a piece of hardware to 
run the program.

Also, these plugs were fairly simple to copy.  All one had to do was to crack 
open the device (I think they called them "dongles," a name I hate for some 
reason), look at the way the inside worked (usually simple, a jumper or two) 
and then make a new one out of a $.75 joystick plug and a few pieces of wire.  
A company would generally have a single "dongle" to run all their programs; 
pirates had only to make one "dongle" to run a whole family of programs.

I haven't seen it implemented for the PC's or anything above, but I would 
think that the same measures could be taken to circumvent copy protection.

Douglas Luce
Carnegie Mellon
From:      [email protected]  7-MAR-1988 14:27
To:        [email protected]
Cc:        [email protected]
In the 4-Mar-88 edition of Security Digest, [email protected] suggests
that "operation of the software to a piece of hardware." Some vendors of
equipment for use on Ethernets (or IEEE 802.3 networks) do just as he suggests.
The software checks the 48-bit source address of the host it is running on. If
the address is different than expected, the software fails to work.

This scheme has failed (i.e., not permitted legal software to function
correctly) when the equipment had a second Ethernet port installed. In this
case, the equipment had two 48-bit source addresses, and the software checked
the "wrong" one. 

Russ Housley <[email protected]> 
Xerox Special Information Systems
Vista Laboratory
From:      "David M. Balenson" <[email protected].edu>  9-MAR-1988 14:26
To:        [email protected]
Can anyone provide any information concerning the use of the AMD DES
chip within the SUN workstations (e.g., 3/50, 3/140, 3/160, 3/180)?

I understand that the CPU boards have an empty socket which will
accommodate the AMD chip (AmZ8068) and that the kernel has to be
reconfigured to make use of the chip.  Is that all there is to it?
Will this permit the 'des' command to use the AMD chip, rather than
use software?  I have also heard that two additional chips may or may
not be necessary -- one is a TTL support chip, the other a PAL.  What
exactly are these chips for?  Are they necessary, or not?

Is anyone out there, in particular anyone at SUN, currently
using the AMD chip?


David M. Balenson ([email protected])
National Bureau of Standards
(301) 975-2910
From:      [email protected]  9-MAR-1988 15:25
To:        [email protected]
Dan Keizer writes:

> security by non-disclosure is no security at all.

I *totally* agree.  If more people believed this, we wouldn't have the problems
we have now with exporting crypt, ...

It seems to me it's a philosophical battle between those who say "we won't tell
you anything about it to make it more secure" and those who say "if we can't
study it, we can't tell if it is secure (and it probably isn't)".  With the
advent of decent public key encryption, one-way encryption of passwords etc it
seems to me a *good thing* that security systems become more understood so that
the state of the art continues to advance.

From:      Will Martin __ AMXAL_RI <[email protected]_1.ARPA>  10-MAR-1988 21:16
To:        [email protected]
Back on 25 Feb., I posted a note about a local (St. Louis) newspaper
advice column which stated baldly that the SSA would give people info
about an individual if you gave them their SSN. Here are the relevant
paragraphs from that original posting:

>If they cannot answer your questions directly, they may be willing to
>give you her Social Security number. You can then trace her whereabouts
>through the Social Security Administration.
>At 63, she may have retired, and if she is receiving Social Security
>payments, you might be able to get her current address. If she is
>deceased, the SSA should be able to tell you that, also.

I promised that, when I had time, I would check with the SSA office here
and let the list know what they said about this -- was it true or not?
Well, I finally had a chance to check today. The word from them is that
the SSA will NOT give an inquirer info about a person just because that
inquirer provides the subject's SSN. What they will do, though, is to take
information from the inquirer, and then write the subject of the inquiry a
letter, saying something like, "John Smith, who claims to be your cousin, is
trying to get in touch with you. His name, address, and phone are: xxxxxx.
You may contact him there if you wish to."

In other words, they will act as a conduit to the party whose SSN is
provided, but will not give out information about that person to another.
(I didn't think to go into detail about just what the SSA would do if
the person was listed as deceased, unfortunately.)

This actually strikes me as being very helpful, and more likely to be
something that the SSA would do theoretically than that they are likely
to do in real life! I was asking this as an hypothetical question,
showing the SSA representative the newspaper column, and wasn't actually
asking them to DO anything. I wouldn't be surprised if this was
something so out-of-the-ordinary, so unlike standard procedure, that it
would be next to impossible to get the SSA to do this in reality. After
all, to do the search and write the letter would take some hours of
time, and, considering SSA employees are rated on how many cases they
can process in a day, it would be a rare find indeed to locate one who
would be willing to delay normal processing, buck the system, and do an
inquiring stranger this favor!

Nonetheless, from a privacy issue standpoint, the info I got was
reassuring. At least the SSA claims it will not wantonly distribute data
about you to anyone who happens to know your SSN. 

Regards, Will Martin
From:      [email protected]  11-MAR-1988 22:42
To:        [email protected]
     The  communications on  exporting the  DES  algorithm which  have
appeared on the net recently are ALL correct.   Huh? What did you just
say?  Read on.

     If something not  subject to  ITAR  regulations is in the  public
domain, or "widely  published"  in the US,  any  citizen has a general
license to export that information.  In fact you  may go  overseas and
speak publicly about what  you know, and  that will create information
subject to license  requirements,  qualify it for general license, and
export it.  In other  words, as  an American citizen,  your freedom of
speech does not end at the water's edge.  (The  country where you give
the  speech might not  like what  you   say, but  that  is a different

     However, if you have information subject  to ITAR regulations (no
matter how you got it), you (or your company) can be prosecuted if you
export it  without  State   Department  approval.   See the  "aid  and
comfort" clause in the constitution. Since  some crypto information is
clearly  protected this way, most  company lawyers "take  the easy way
out" and advise the company not to export any crypto software, without
checking to see if it falls under the ITAR rules.

    (Apply standard disclaimers to what follows at least  twice.) Last
time I checked the "opinion" of State was that  the  DES algorithm was
not subject to ITAR rules,  although  certain implementations (usually
in the  form  of chips)  were  protected.   Note  that  any government
employee must be vague here, either he knows all the (classified) uses
of crypto (and where is YOUR need  to know) but  can't tell you, or he
doesn't know and  can't be    more specific.   Therefore the  standard
procedure is  to    request   an  opinion  before    exporting  crypto
implementations, and if you don't get something on  the order of "your
application does not currently appear to fall under ITAR rules..." you
talked to the wrong person (or  you really are trying to  export a 300
MIP DES chip 8^> ).

     If you do ACCIDENTALLY export  something subject to ITAR rules, you
probably won't  go to jail.    In  any violation,  your rights to free
speech must be shown to conflict with other constitutional powers, and
the balance must tilt strongly against you before the ITAR regulations
have any  standing.  If you   intentionally violate  the   ITAR  regs,
however you might not have any constitutional protection.

     Let me give   you a realistic  example.  You   buy a Zowie   1000
portable computer  and  take it  with  you to England.  Unbeknownst to
you, the Zowie 1000 is  used in a  test system for Stealth  Bomber ECM
equipment.  You  violated the   ITAR regulations, but   in the normal
course of events, you won't even know it, because the DoD  is unlikely
to  tell  the Customs  people which  COTS   (commercial off the shelf)
equipment is used on black projects.  In any case  your  violation was
innocent and is probably protected.

     Second case,  an ATE specialist  on  the Stealth project  buys  a
Zowie 1000 for personal use  because he uses it at  work and likes it.
He takes  it  (and some  of his software)  to England on his vacation.
Dumb, and the  security folk at  the plant may  have a  long talk with
him, but if it was innocent probably  no long term repercussions.  The
third  case of course,  is  he  takes it with him  and  sells it  to a
foreign  agent for $100,000 -- and  twenty years hard labor.  What did
you think the ITAR regulations were for anyway?

     So now you  know  why  all the  weasel words.    If you   take my
(knowingly incorrect) advice (or someone else's) and innocently violate
the ITAR  regs, I'm guilty and  you  are not...   "So  you're going to
Berlin on  your  vacation?  Could you  do   me a favor?   I  have this
package for  my sister,  but the mail takes weeks.   I'll give you ten
bucks for your trouble."  You are only guilty if you think  he's a spy
and do it anyway...  Each case is  different, and an awful lot depends
on intent.

     It would be nice if someone who has  requested and received (from
the government, not from a company lawyer) a recent opinion on the DES
algorithm, would post the opinion here.  If no one out in net land has
a recent opinion,  someone should go  ahead and request one.  The most
recent opinion  I have seen was  two companies back,  and   things can
change in either direction.

					Robert I. Eachus

Disclaimer: Oh boy, do I need one here.  If you  have any intention of
exporting  anything which might  be subject to  ITAR  rules, have your
lawyer check with the State Department and get a written opinion.   If
you decide to create a test case and  take  it  to  the Supreme Court,
I'll be glad to come cheer, but if you expect me to get up  and say it
was all my idea, you didn't read carefully.

Second  Disclaimer: I  didn't ask MITRE,   MITRE's lawyers, or  anyone
else's lawyers  for their opinion of  this message, but if  I  did, I'm
sure that they would waffle at least as well as I did.
From:      Wes Williams <GZT.EWW%[email protected]>  12-MAR-1988 19:19
To:        GZT.EWW%[email protected]
Just by chance, the other day, I tipped over the box that the bookcase
type holder for DbaseIII+ was in, and found a warning from the manufacturer
that this product may be covered by the State Dept. Regs. for exporting.

Thinking about an upcoming trip to a neighboring country, I was aghast
that I may have run afoul of customs (forgetting that I had a copy in
the trunk).   Is this type of program really covered under these laws?
From:      [email protected] (Mitch Che)  13-MAR-1988 19:58
To:        misc-security
>[Moderator note:  *What* is a "dongle"??   _H*]

Every so often I feel like I've just passed through a time-warp.
Unfortunately, it's always backwards.  ADAPSO supported this idea which
died a timely death about a year or so ago.  A "dongle" refers to the
little device which plugged into the back of the PC into the RS-232
port.  A fair amount of research apparently went into these and some
software actually shipped with this protection scheme.  ADAPSO pulled its
support of any kind of standard for use.  Copy protection seems to be
a non-issue.  With the crash of the PC software industry, copy
protection is just what a small company needs to go under.  If your
software is still copy-protected, rest assured your software is not
available in my shop.
Mitch Che   Pacific Bell		 "Fine Corinthian leather?  Of course.
---------------------------------------	  From fine Corinthian cows..."
From:      Jim Duncan <[email protected]>  14-MAR-1988 04:41
To:        [email protected]
Years ago, when I was an avid C-64 user, my favorite word processor was
PaperClip from Batteries Included (in Toronto, I think).  They allowed
(encouraged) copying their software for backup purposes; to use the program,
you had to have an electronic key, called a `dongle', plugged into one of the
joystick ports.  I have seen that word used in other documentation to mean the
same thing.

Of course, versions of PaperClip which didn't need a dongle to operate
proliferated as crackers everywhere found the code which checked for the
dongle and detoured around it.  I didn't care; PaperClip was so good, and the
manual was so well written, that, like Turbo Pascal, it was worth it to me to
have a legitimate version and the support that went with it.  Batteries
Included used the same system with other software they published, like
Delphi's Oracle.

Great word, huh?  I'm surprised that it didn't find its way into a book of
Sniglets.  I'd like to see an etymology.

 Jim Duncan, Computer Science Dept, Old Dominion Univ, Norfolk VA 23529-0162
       (804)440-3915     INET: [email protected]    UUCP: ...!sun!xanth!jim
 ---------- Time flies like the wind, but fruit flies like bananas. ---------
From:      gianni stifano <[email protected]>  18-MAR-1988 03:05
To:        [email protected]
I've just graduated and I'm very interested in security aspects in MHS.
Could anyone give me some information about research on document
concealing or document signing in an X.400 environment?

Thanks in advance.
From:      GREENY <MISS026%[email protected]>  21-MAR-1988 10:12
To:        [email protected]
What with all the viruses running about these days, I was wondering what
sort of protection ATM machines have against such beasties.  Specifically,
I'm concerned about my $$$ in these machines.  It has occurred to me that
the machines which accept charge cards (such as Visa and MC), could not really
verify that the PIN you key in is indeed your PIN.  It takes up to 5 minutes
for an authorization request to come back from a dept. store card reader
when you make a purchase, yet the ATM is instantaneous.....this is weird,
either the PIN is stored on the card (read: very stupid) or the machine just
ignores the PIN of credit cards.....

What's the deal? Does anyone know about what actually goes on with these

bye for now but not for long

[Moderator note: There was a discussion about these things a while back;
however, I think the relevant messages have long since been rolled off to
some dusty tape that I'd be hard put to locate...   _H*]
From:      NMIEP%[email protected]  21-MAR-1988 15:38
To:        [email protected]
Maybe the latest incident on computer embezzlement? Two employees of the
largest Norwegian clearing house, Bankenes Betalingsentral BBS, are charged
with attempted fraud.

The scheme was apparently in accordance to the old dream of redirecting
transactions to other accounts. The particular day of the attempt, there were
to be a large number of social security benefit transfers. The possible
outcome is said to be app. ! 250 million. One of the two had an operator
type job, with access to tapes. However, the whole thing was set up in
such a way that it was easily detected by regular security checks.

This hopefully shows that security does work, and that the notion that
no cases have ever been spotted due to security routines, is not true.

Eirik Kim Pedersen
From:      gianni stifano <[email protected]>  24-MAR-1988 09:49
To:        [email protected]
Does anyone know  TeleTrusT International? It's an international
working group about the security of telematic transactions, with particular
respect to digital signature obtained by RSA Public Key Cryptosystem.
I'd be interested in more deep information about the opportunity to
introduce TeleTrusT concepts in X.400 based MHS.
Thanks in advance and sorry for my bad english.
From:      Steve Bui <KHAAM%[email protected]>  24-MAR-1988 13:04
To:        [email protected]
Dear members:

Arizona State University is in the process of getting a new security
  package for our systems, and would like to have your opinion, as well
  as any inputs on the security software topic.
We would like to know:
1. Do you run both VM and MVS?
2. Which security package do you have on your Vm system (RACF, VmSecure...)?
3. Which security package do you have on your MVS system (RACF, ACF2...)?
4. Does the security package(s) perform to your satisfaction?
5. Any comments on your security hits and misses?

I appreciate your response to my userid, and many thanks for responding.
From:      shafferj%[email protected]  24-MAR-1988 14:51
To:        [email protected]
The following three messages should be of interest to this discussion.
I'm posting them with the assumption that no one else has posted the
information contained within them while the Bitnet distribution of Security
was down.

The last message of the group is particularly scary, because I'm on VMS v4.4
here and I've never heard of the bug. It would appear that our system managers
here haven't heard of it either, because there have apparently been some break-
ins lately. {See disclaimer at end!}

Forwarded messages begin:

From:         "XMRP20000[khw]-g.c.mccoury" <pacbell!att-ih!att-cb!clyde!whuts!
	      [email protected]>
Subject:      Hacker hits VMS

From The Star-Ledger(Newark NJ) 3/17/88


    PARIS(Reuters)- A 19-year-old West German hacker has succeeded
    in breaking into one of the world's top-selling computers,
    Digital Equipment Corp.'s VAX system, in what experts say is a
    new blow to confidence in computer security.
        Computer specialists broke the news yesterday at a computer
    conference already shocked by the arrest on Sunday of West
    German hacker Steffen Wernery, 26, as he arrived to take part
    in a panel debate on system security.
        Wernery is a member of the Hamburg-based Chaos Computer
    Club which caused a storm last year when it revealed it had
    penetrated more than 100 computers around the world, including
    the network of the U.S. space agency NASA.
        French police announced later that Wernery had been charged
    with "theft, destruction and damaging computer goods" and had
    been jailed pending trial.
        West German journalist and computer expert Hans Gliss, who
    was also held briefly by French police when he arrived in Paris
    on Sunday, said the unidentified 19-year-old from Munich had
    worked out how to enter VAX computers made by Digital.
        Gliss said the Munich hacker had breached the VAX system by
    using material openly available from Digital, which is based in
    Maynard, Mass.
        Digital executives were in a meeting and not available for
    comment, a spokeswoman said.
        Rudiger Dierstein, of West Germany's national space foundation
    DFVLR, said the consequences of the Munich hacker's achievement
    were "terrifying."
        "This person has given a full description of how to gain access
    to the system and gain full control. Imagine combining the
    intelligence of this hacker with a definite criminal intention,"
    he said.
        "Someone could take control of a satellite as they are all
    computer-controlled. That is why I tremble when I hear the initials
        SDI stands for President Reagan's proposed Strategic Defense
    Initiative, a space-based computer-guided defense system against
    nuclear missile attack.
        Dierstein said the 19-year-old had privately published his work
    in a pamphlet entitled "Hints on the Use of the VMS Operating System"
    but police had confiscated all the documents.
        The VMS(Virtual Memory System) is the main language used in
    Digital's VAX computers.
        Experts said other major computer manufacturers like IBM could
    not afford to be complacent as it was being shown their systems
    were equally vulnerable.
        Companies targeted by Chaos Computer Club "hackers" were unaware
    their systems had been tampered with until the club informed West
    German authorities.
        Experts at the Paris conference said Wernery had fixed a meeting
    with the French subsidiary of the Phillips electronic group - one
    of the companies penetrated by the hackers - before leaving for France.

                * Grover McCoury             *
                * ATT IS/Communications Laboratories *
                * Middletown NJ                 *


From:         Steve Ward <[email protected]>
Subject:      Re: Hacker hits VMS

Does anyone know if this is a REAL security hole in VMS or just the
1) failure to change default password(s) on sys, maint, user, userp
   accounts as shipped from DEC.
2) autologins left activated by local sys manager.
3) other equivalent act of stupidity.

Often these sensational stories are due to vulnerability caused by
stupidity.  I have never had much trouble in "hacking" a login to a
multiuser system when testing for security, usually by just trying
the time-honored guess-the-password approach.  Of course, hacking to
TEST for security on your own computers is quite different from the
vandalism and criminalism of attacking someone else's machines, whether
one is hacking through cleverness or taking advantage of the lax
management of computer systems on all os's that is out there.  I know of
large numbers of machines that are accessible to the world where the
local users object strongly to being forced to periodically change
passwords or insist on using any password, including very short
passwords, last names, etc.  The ability to "hack" a login is inversely
proportional to the number of login accounts on the system :-)

Of course, all os's exhibit true security hole bugs from time to time.
Is this one?


From:         Tony Li <[email protected]>
Subject:      Re: Hacker hits VMS

Yes, this is the result of a real hole.  Do you recall the V4.4

Tony Li - USC University Computing Services    "Fene mele kiki bobo"
Uucp: oberon!tli                        -- Joe Isuzu

End of forwarded messages

If anything further on this subject should be posted to the VAX discussion,
I'll forward it to the Security discussion.

Jim Shaffer, Jr.
ShafferJ%[email protected]
From:      [email protected]  24-MAR-1988 15:23
To:        [email protected]
> The AT&T UNIX Operating System Release 2.2 and Release 3 license
> agreements state that the "crypt" program, library, and associated
> documentation are not to be distributed with international versions

UNIX can't live without them, so they are not provided as library functions
or user commands in export versions, but the complete source for all those
functions is (of course) included if you buy a source license. Imagine that.
From:      [email protected]  29-MAR-1988 10:14
To:        [email protected]
Hello all,
          glad to see this list is alive again. Thanks to all who
answered my previous query on master keys. The response was great!
       I want to ask a question about computer security. Are there
any legal obligations (British or American) on a computer user
who finds a major flaw within a popular OS? How could a private
individual bring a bug to the attention of a computer manufacturer
given that site computing personnel take a dim view of anybody who
finds these bugs?
These questions are for my own interest and are not meant to
represent any actual situations or occurrences.
From:      [email protected]  29-MAR-1988 13:45
To:        [email protected]
Were yea verily used on PC class machines.  Autodesk used one on their
2.6 release of AutoCad.  Their response when I called them about it was

	1> if it breaks within a year fed ex it back and they will fed
			ex a replacement.
	2> after a year as 1> but with a small charge
	3> if it gets stolen or misplaced you are up the creek.  They
		suggested insuring it.

After many people complained and enough people didn't buy the upgrade they
tossed the idea.

Other software which use dongles are Novell Netware and Banyan Vines.  There
is breaker software for Novell.  I am not sure for Vines.


PS The person I talked to at AutoDesk told me someone had broken the dongle
code within 24 hours and was distributing the fix within 48.

From:      [email protected]  1-APR-1988 06:20
To:        [email protected]
      Technically dongles can be made to work, and a number of vendors
sell them.  See any issue of PC Tech Journal for ads for such gadgets.
But they are very unpopular with users, and you get nasty reviews in Byte
if you put one on your product.

      The most successful dongles do something useful that the program
needs to function.  Some dongles have a CPU in them, typically an 8-bit
microcontroller.  If some obscure but crucial part of the processing is
performed in the dongle itself, it can be very difficult to operate the
program without it.  

      An excellent example is Cubicomp, which sells an animation package
that requires a special graphics board only available through Cubicomp.
There's actually nothing exciting about their graphics board; it's just
a marketing ploy, and one clever enough that few people have figured it
out yet.

      These strategies are generally for high-end software.  At the low
end, games, the future probably lies with compact disk technology.
But that's another story.

					John Nagle
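
The design difference raised in the dongle messages above (a program that only tests for the dongle versus one where part of the processing is performed in the dongle) can be made concrete. The following is an added example, not part of the original posts and not any vendor's scheme; the `Dongle` class, the HMAC-based transform and all sample data are constructed assumptions.

```python
import hashlib
import hmac


class Dongle:
    """Simulated hardware key (hypothetical); the secret never leaves the device."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def present(self) -> bool:
        return True

    def transform(self, block: bytes) -> bytes:
        # Stand-in for the step the dongle's microcontroller performs.
        return hmac.new(self._secret, block, hashlib.sha256).digest()


class StubDongle:
    """What the program sees when the hardware is absent and answers are faked."""
    def present(self) -> bool:
        return True

    def transform(self, block: bytes) -> bytes:
        return bytes(32)


def _keystream(dongle, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += dongle.transform(nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def seal(dongle, nonce: bytes, data: bytes) -> bytes:
    """XOR with a dongle-derived keystream; applying it twice restores data."""
    return bytes(a ^ b for a, b in zip(data, _keystream(dongle, nonce, len(data))))


# Constructed sample data: a table the program needs in order to do its job.
TABLE = bytes([3, 1, 4, 1, 5, 9, 2, 6])
NONCE = b"constructed-nonce"
VENDOR_DONGLE = Dongle(b"constructed-device-secret")
SEALED_TABLE = seal(VENDOR_DONGLE, NONCE, TABLE)  # what design B ships on disk


def checksum(table: bytes, text: bytes) -> int:
    """The program's 'real work': a table-driven checksum."""
    return sum(table[b % len(table)] * (i + 1) for i, b in enumerate(text))


def run_presence_check(dongle, text: bytes, check_enabled: bool = True) -> int:
    """Design A: plaintext table on disk, guarded only by a yes/no test."""
    if check_enabled and not (dongle and dongle.present()):
        raise PermissionError("dongle not found")
    return checksum(TABLE, text)


def run_dongle_dependent(dongle, text: bytes) -> int:
    """Design B: the table exists only sealed; the device must unseal it."""
    return checksum(seal(dongle, NONCE, SEALED_TABLE), text)


EXPECTED = checksum(TABLE, b"hello")
```

In design A everything the program needs is already on disk, so the guard is the only protection; in design B a faked device yields a wrong table, so the program cannot do its work without the hardware's contribution.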