----MESSAGE-BEGIN---- <1988030115200000>
From: NET%"dasys1!rodd@rutgers.edu" 2-MAR-1988 23:00
To: misc-security@RUTGERS.edu
Subj: [908] re: copy protection for micro software

>Tie the operation of the software to a piece of hardware. i.e.,
>send a piece of HW that can be read by the PC. Perhaps it has to
>be inserted in the joystick loop, perhaps it has to be plugged on
>to an RS-232 port, etc.

Not very convenient if your PC is in a cabinet. Also if you're running in a multitasking environment you will either run into dongle conflicts if they don't allow passthru or will wind up with your machine in the middle of the room to be able to plug in three feet worth of dongles :-)

-- Rod
--
Rod Dorman {allegra,philabs,cmcl2}!phri\
Big Electric Cat Public Unix {bellcore,cmcl2}!cucard!dasys1!rodd
New York, NY, USA {sun}!hoptoad/

[Moderator note: *What* is a "dongle"?? _H*]
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030209490000>
From: STGEORGE%unmb.bitnet@rutgers.edu 3-MAR-1988 17:29
To: security@rutgers.edu
Subj: [157] Court Cases?

Do any of you know any court cases, completed or pending, which involve enforcement of the Electronic Communications Privacy Act of 1986?

Thanks in advance.
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030215140000>
From: Larry Hunter 3-MAR-1988 22:54
To: "Robert W. Baldwin"
Subj: [778] Re: police radar
Cc: security@aim.rutgers.edu

Does anyone have information about the capabilities and limitations of police radars for speed checking. I'm looking for both technical limitations of the devices and for procedural limitations that are necessary to make a ticket stand up in court....

Although I've never looked for it in print, I've heard that some states require a radar gun to be calibrated periodically (like hourly). If you challenge a radar ticket in court by asserting that the gun was out of calibration, the prosecutor should have to produce evidence that the gun had been appropriately calibrated.
If the ticketing officer didn't bring his calibration records with him to court that day, you'd probably win.

Larry
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030302250000>
From: williams@nrl_css.arpa 4-MAR-1988 10:05
To: Clement Taylor
Subj: [626] Re: BITNET Security
Cc: security@ARAMIS.rutgers.edu

There has been some discussion of these issues on the RISKS ARPAnet mailing list. I don't know how or if this list can be forwarded into BITNET, but the person to ask is the moderator, Peter Neumann. From the current issue:

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j. Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

Good Luck!

Jim Williams
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030307000000>
From: Clive Dawson 4-MAR-1988 14:40
To: goldstein%star.DEC@SRC.DEC.COM
Subj: [1212] Re: Export of "public domain" crypto software
Cc: SECURITY@aim.rutgers.edu

Andy--

Many thanks for providing that legal analysis regarding export of cryptographic software. It was all most interesting and informative. There's one point at the end which could use some further clarification, however:

If there is any reason to believe or suspect that a non-U.S. or non-Canadian national will gain access to that bulletin board, an export to a third country should be assumed and a license is required..

Let's say that a given bulletin board could somehow be confined within the U.S. borders. It is still the case that a LOT of non-U.S. or non-Canadian nationals will have access to it, be they permanent residents, foreign students, etc. Is it really true that export to a third country must be assumed in this case? I'm guessing that Digital itself has a lot of employees in this category.
Surely they are not barred from looking at cryptographic software, or are they? Even if they sign confidentiality agreements with Digital, I would be surprised if the State department would consider this sufficient for export control purposes in general.

I guess what we need here is a clear definition of what "export" means for the purpose of these statutes.

Clive Dawson
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030311070000>
From: Will Martin __ AMXAL_RI 4-MAR-1988 18:47
To: Clement Taylor
Subj: [40970] Re: BITNET Security

[Moderator note: part 1 of 2. _H*]

Here is a compilation of data on the CHRISTMA EXEC virus which I collected from postings in the RISKS Digest:

Regards,
Will Martin

***Begin Included Messages***

From: minow%thundr.DEC@decwrl.dec.com (Martin Minow ML3-5/U26 223-9922)
Date: 11 Dec 87 11:55
Subject: Yet another virus program announcement

fyi

From CRTNET, number 115.
From T3B%PSUVM.BITNET.
Subject: Christmas Virus Warning

If you are at a CMS site and receive a program called CHRISTMA EXEC, please (a) warn your postmaster and (b) discard the exec (or keep a copy for the postmaster to look at, but DO NOT RUN IT). This exec paints a Christmas tree on your screen and then sends itself to everyone named in either your NAMES or NETLOG files. The result is potentially serious stress on Bitnet and on your local spool system, and possibly a few system crashes here and there as the number of reader files soars and exceeds the maximum. The Christmas tree isn't all that pretty, and the joke is pretty mean.

A word to the wise. Your postmaster will thank you.

Michael Sperberg-McQueen

------------------------------

From: davy@intrepid.ecn.purdue.edu (Dave Curry)
Subject: IBM invaded by a Christmas virus
Date: Sat, 12 Dec 87 10:02:24 EST

(From the Lafayette (Indiana) Journal & Courier, December 12, 1987. Quoted without permission.)

IBM Woes -- Computerized grinch jams the mail

BINGHAMTON, N.Y.- A computerized Grinch invaded IBM's electronic mail Friday.
An illegal software-style so-called Christmas card sent through IBM's electronic mail jammed desk-top computer terminals, spokesman Joseph E. Dahm said.

The so-called virus program forced plant officials to turn off internal links between computer terminals and mainframe systems to purge the message, Dahm said.

IBM sources say the link was off from 45 minutes to 90 minutes depending on the location.

The program is known as a virus because it enters computer programs and replicates itself automatically.

Curious employees who read the message titled "Christmas" in the morning electronic mail discovered an illustration of a Christmas tree with "Holiday Greetings" superimposed on it. A caption advised "Don't browse it, it's more fun to run it."

"That was the hook," an IBM source said. "A lot of people thought they could take a peek and then kill the message, but once opened, it was too late."

The program automatically entered a security log listing contacts made from the individual computer terminal, duplicated and mailed itself to new victims.

Like a Pandora's Box, once opened, the program rarely accepted commands to stop, sources said. Operators who turned off their terminals to stop the Christmas message lost electronic mail or unfinished reports not filed in the computer.

This article seems to have a lot of things in it that the reporter didn't understand. I assume that the "terminals" in question are really PC's connected to the mainframes; for one thing. Plus, I presume the "Don't browse it" refers to the VM/CMS "BROWSE" command used for looking through files, and not just to the regular English word.

Does anyone have any more info from a source which understands all the big words?

--Dave Curry, Purdue University

------------------------------

Date: Mon, 14 Dec 87 09:38:55 est
From: Franklin Davis
Subject: IBM invaded by a Christmas virus

This article seems to have a lot of things in it that the reporter didn't understand.
I assume that the "terminals" in question are really PC's connected to the mainframes; for one thing.

Probably the users were connected by 3270 type terminals (or emulations on a PC) which use a half-duplex block mode protocol. If you turn off such a terminal your session is aborted, and you lose current edits. It is also very difficult to interrupt an executing program, since it "owns" the line. There is a "system-attention" key, but a busy system may take literally minutes to respond.

(I'm glad I don't have to use an IBM mainframe any more!! :-)

--Franklin Davis
Thinking Machines Corp.
fad@think.com

------------------------------

Subject: IBM Xmas Prank
Date: Fri, 18 Dec 87 10:03:57 -0500
From: Fred Baube

From Friday's Washington Post, excerpted without permission.

"The message popped onto desktop screens in IBM offices around the country and even crossed the Atlantic and Pacific oceans, showing up in IBM outposts in West Germany, Italy and Japan."

[as pictured in the article]

[Christmas tree drawn in X characters]

A very happy Christmas and my best wishes for the next year.
Let this run and enjoy yourself.
Browsing this file is no fun at all.
Just type Christmas.
________

"The message that bedeviled IBM was a comparatively benevolent one and did not, as computer tricksters' creations sometimes do, destroy other material in the system .. [although] rapidly producing electronic gridlock."

"The culprit is unknown .. but preliminary investigation suggests that the message originated outside the company. IBM's mail system is attached to those of several other institutions."

"From start to finish, the message survived only hours .."

"Does the world's biggest and most advanced computer company feel embarrassed about its Christmas chain ?
'We didn't want it to happen, but we anticipated something like this might be attempted and we were prepared to deal with it.'"

Questions:

(1) An incoming message can contain an executable program, that can easily be run ?

(2) Such a message can be remailed under its contained program's control, presumably with the name of the last victim in the "From:" field ?

(3) Can IBM trace it to an originator, or was anonymity possible ?

(4) How/where can readers of RISKS submit something similar ? (strictly for professional testing purposes)

(5) Is the Internet similarly vulnerable ?

The prank seems to be benign, and therefore beneficial. IBM seems to have dealt with it effectively (or have they ?).

Browsing this message is no fun at all. Just type Christmas ..

[Bay Area folks can read a long front-page article by John Markoff on viruses in today's SF Chronicle-Examiner. PGN]

------------------------------

Date: Mon, 21 Dec 87 15:22:26 EST
From: Ross Patterson
Subject: Re: IBM Christmas Virus

There have been several messages to RISKS lately about the CHRISTMAs EXEC virus on IBM's network. This was an extension of the same problem on BITNET and its European counterpart, EARN. Since I raised the general alarm about it, I'd like to answer a few questions.

The virus used two standard CMS files, called NAMES and NETLOG, to help it infect other users. The NAMES file contains a list of userids and system names that you correspond with frequently, allowing you to abbreviate them to a mnemonic nickname when sending mail, files, or interactive messages. I composed this mail by sending to "RISKS", which my NAMES file lists as user RISKS on system KL.SRI.COM. You can also list phone numbers, paper addresses, etc. There is a commonly available program that will print off a personal phonebook from your NAMES file ("Traveling Sidekick" from the days BB - Before Borland). The NETLOG file lists all users you've sent mail or files to, or received them from.
It's a very nice audit trail when you're trying to remember where you got that copy of Space Wars.

After typing the Christmas Tree on your terminal, the virus proceeded to read both the NAMES and NETLOG files to get a set of target addresses. It then sent a copy of itself to each of them, and finally deleted itself.

>I assume that the "terminals" in question are really PC's
>connected to the mainframes; for one thing.

The terminals mentioned are generally IBM 3270's, and PC's with IRMA-type cards. The virus ran on the host system, not on the PC.

>Plus, I presume the "Don't
>browse it" refers to the VM/CMS "BROWSE" command used for looking through
>files, and not just to the regular English word.

Both, actually. The intent was obviously to stop the reader from going further down into the file, where the real purpose of the program was quite obvious. The language used (IBM's REXX) is usually interpreted, so the program was sent in source form. Anyone who bothered to read below the second screen-full (like all of us paranoid Systems Programmers) began to see the trouble. It was slightly cloudy, as all the variable names were in German, but seeing was fair to good.

>The culprit is unknown

That is no longer the case. The culprit has been tracked down, and barred from access to his/her system. A note to that effect was broadcast to a number of mailing lists by the General Secretary of EARN. The source system had recently been attached to the West German section of EARN, and the user who started it all only intended to send a greeting to a few friends. To quote a TV commercial, "... and they'll tell two friends, and so on, and so on, ...".

> .. but preliminary investigation suggests
>that the message originated outside the company. IBM's mail
>system is attached to those of several other institutions."

Quite so. No one seems quite sure which of the gateways between BITNET/EARN and IBM's internal network, VNET, passed the first copy of the virus.
It matters very little, since it found the VNET environment even more conducive to reproduction than BITNET/EARN. VNET'ers apparently keep much larger NAMES files than BITNET'ers. It wasn't long before the links were carrying more CHRISTMA EXEC's than anything else.

>"From start to finish, the message survived only hours .."

Per copy, perhaps. The first known instance of infection was at about 1300 GMT on Wednesday, December 9. Within BITNET, it was generally stamped out by the following Monday, December 14. On VNET, it didn't show up until a day later, and was mostly killed in a massive network shutdown on Friday.

>(1) An incoming message can contain an executable program,
> that can easily be run ?

Yes. Please remember that the Internet is not the only network style in the world. In BITNET and VNET, mail is just another case of file transfer. File transfer is performed by the sender, not the receiver. These are store-and-forward networks, so the path from system A to system B need not be intact for the duration of the transfer. The viral program was transferred as a normal file, not as mail.

>(2) Such a message can be remailed under its contained program's
> control, presumably with the name of the last victim in the
> "From:" field ?

It wasn't mailed. Thus, there wasn't any From: field, etc. It did carry the system name and userid of the most recent victim, but not any trace-back information.

>(3) Can IBM trace it to an originator, or was anonymity possible ?

A task force of BITNET and EARN systems programmers traced it back to its source, by the usual disease-control procedures:

Doctor: "Miss X, you've got a nasty case of viral . Who have you had contact with recently?".
Miss X: "Just a moment, I'll check my notebook."

A byproduct of the tool used to transmit the virus is an entry in the NETLOG file listing the userid and system name of anyone it was sent to, making it easier than usual for Miss X to remember.
In some cases, the user had suppressed the NETLOG facility, but that is the exception, not the rule.

>(4) How/where can readers of RISKS submit something similar ?
> (strictly for professional testing purposes)

Noplace safely. Please don't try it on anything but an isolated network, and then coldstart your spool afterwards.

>(5) Is the Internet similarly vulnerable ?

Not to this one. It plays on several things that the Internet doesn't have:

1) A large number of IBM VM/CMS systems. The program would only run in a CMS environment. There is no reason one couldn't write something similar in any other language, though.

2) A suitable file transfer system. FTP doesn't apply. It must provide a way for a user to receive an unsolicited file, in a runnable form.

3) A good method of determining targets. The CMS NAMES and NETLOG files provided an excellent source of information. I suppose in a Unix environment, ".alias" and "/etc/aliases" would be ok, but .alias is comparatively rare, while NAMES files are almost universal in CMS.

>The prank seems to be benign, and therefore beneficial.

That is being debated in several circles. I, for one, agree with you.

>IBM seems to have dealt with it effectively (or have they ?).

Yes, they have.

>Browsing this message is no fun at all. Just type Christmas ..

The lesson of this one is the same as for PC viruses: Never run something you don't recognize. When the virus first appeared, several people suggested that it was the work of students, and that it might be used negatively in an ongoing argument over whether students belong on BITNET. When we heard that "professionals" inside IBM were also running programs they didn't recognize, that particular suggestion vanished. This virus was quite sly, in that by sending itself to people listed in your NAMES and NETLOG files, those people would recognize the source (you) as a friend, and be generally less inquisitive, until things got nasty.

Lesson #2: Even your friends sometimes make mistakes.
Ross Patterson, Rutgers University

[RISKS received an unusually large number of messages on this subject -- from Fred Baube, John Owens (2), Allan Pratt, Anne Louise Gockel, and Bruce O'Neel. I started trying to edit them down, but rapidly gave up that strategy -- inordinate overlap. So, I will take a new tack, which is to put out Ross' message -- which was the most comprehensive -- and then give Fred, John, Allan, Anne and Bruce first priority if THEY wish to comment marginally or additionally thereupon. Please be terse -- and avoid replicating ALL of the foregoing text in your messages, as some of you have been doing. (One of the joys of mailers?) PGN]

------------------------------

Organization: The MITRE Corp., Washington, D.C.
Subject: The Christmas Card Caper, (hopefully) concluded
Date: Mon, 21 Dec 87 11:45:03 EST
From: Joe Morris (jcmorris@mitre.arpa)

The following item was posted on the VMSHARE bulletin board. It describes the origin of the CHRISTMAS EXEC file, and makes valid points about the inability of computer systems to automatically recognize some types of ill-behaved programs quickly enough to prevent damage to a network. (VMSHARE is a closed bulletin board operated for the use of VM installations who are members of SHARE, the large IBM mainframe user group. Shadow copies of the VMSHARE traffic are distributed to many other nets, including VNET and BITNET.)

Joe Morris (jcmorris@mitre)

Append on 12/19/87 at 20:10 by Melinda Varian :

The following statement, from a member of the EARN Board, answers the queries about the origin of the CHRISTMA EXEC. Clausthal-Zellerfeld is quite a new VM installation. When Heinz Haunhorst, of their staff, was notified that the first appearances of the virus on the networks originated at his node, he pursued the matter vigorously and skillfully. Helmut Woehlbier, of the Technical University of Braunschweig, also did an excellent job in helping to determine the originating node.

<> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>

Date: Wed, 16 Dec 87 18:33:58 GMT
Sender: EARN Technical Group
From: Michael Hebgen <$02@DHDURZ1>
Comments: To: EARN Executive , EARN Board of Directors
Comments: cc: German EARN Executive , German EARN node administrators , Heinz Haunhorst , "Dr. Gerald Lange" , Otto Bernd Kirchner
To: Melinda Varian
Subject: CHRISTMAS EXEC

Dear colleagues,

after some very sophisticated detective work it is clear that the origin of the CHRISTMAS EXEC is the EARN node DCZTU1. A student there has written this EXEC to send christmas greetings to his colleagues and another student has used it without knowing what he is doing (as many of our network users) and started the explosion. The node DCZTU1 has already blocked the Userid of the author and done all necessary steps.

Every node in the network can be the next starting point of a similar explosion and distribute virus programs or other bad things. As far as I know the EDP-systems there is no way to prevent users from their own mistakes.

The only solution I can think of for this type of behaviour is to observe "EDP-hygiene":

If you receive an executable file (EXEC, CLIST, program) from another might be unknown user do NOT execute without control because it can result in gross misdemeanour and serious damage. Check all EXECs/CLISTs, what they are doing, before you execute them and check all executable programs, where they come from and what they do.

As in normal life uncontrolled behaviour may result in serious consequences (I am not going to mention AIDS). You as a user are responsible for all what you are doing.
I propose to include such statements (in better English formulation) into the CODE OF CONDUCT and to start an "enlightenment" process for the end-users

Best regards, merry christmas (without tree) and a happy new year

Michael Hebgen
EARN director of Germany and General secretary of EARN

*** APPENDED 12/19/87 20:10:47 BY PU/MELINDA ***

ADDED NOTE FROM JOE MORRIS:

Did any contributor suggest how the message jumped from EARN (or BITNET) into VNET? Supposedly the gateways (one at Yorktown, I believe) are monitored closely so that the ability of a message to cross without supervision is quite limited. I'm told that a few years ago there was something of a major flap when a meeting of relatively high IBM brass was shown a message Melinda Varian (the BITNET source of the EARN message I forwarded) had sent to an IBM'er via VNET (WITH the permission of IBM...upper management in IBM just hadn't been aware of the arrangement). My guess would be that it came through an account on a customer machine but assigned to an IBM'er who could pass mail into the IBM network.

Thought for the week: was this supposed to be a demonstration of a computerized Christmas distribution TREE?

Second thought on the word "tree" (swiped from an undergraduate thesis at MIT from the 60's):

Problems are posed by fools like me,
but only heuristics can search a tree.

Joe Morris
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030313280000>
From: mgrant@cos.com 4-MAR-1988 21:08
To: security@rutgers.edu, BALDWIN@xx.lcs.mit.edu
Subj: [938] Re: police radar

The police radars that I've played with have had an audio feedback. With the audio feed back, you hear an obnoxious buzzing and whistling which represents the doppler shift coming back from the object you are clocking. I found that by listening and watching, I could very accurately determine exactly who I was aiming at, even with 2 or more cars coming at me.
I would point the gun at an approaching car and I'd hear a high pitched whine, point it away and the whine would go away. Point it at two cars and I'd hear 2 whines at different pitches. Moving the gun towards one car made one whine louder and the other softer.

Of course, I've very rarely seen police officers actually holding the radar guns. Most of them I've seen were aimed forward or backwards attached to the window in the left rear. I can't imagine that it would be too easy to figure out who exactly you were aiming at with the gun in this position.

-Mike Grant
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030402370000>
From: Wes Williams 5-MAR-1988 10:17
To: BALDWIN@xx.lcs.mit.edu
Subj: [1188] Re: police radar
Cc: security@rutgers.edu, GZT.EWW@oz.ai.mit.edu

The procedures vary widely from state to state as well as from the local municipality and counties. The research you need to do starts on the local level and will be interesting. I have found that the following can be true:

1. Local police departments may require periodic testing of the units by an in/outside tech type that will validate the Radar unit for safety (rads) as well as the degree of accuracy for the unit.
   1a. This may be out of date as well as never done.
   1b. State requirements may be downgraded and be illegal.
   1c. There may be no requirements (state or local).
   1d. The testing (when performed inside) may be done by someone that does not have the qualifications nor the capabilities.

2. Find out if the locality is a constantly watched spot. A police eye (ie: trained observer) that is on the scene and is familiar with the traffic patterns as well as the time involved for a car to pass point A and get to B is as good (in some cases) as the Radar gun. This is also subject to state and local laws.

3. Final note..... READ THE TICKET! In general, a typo or misprint anywhere on the ticket is the real loophole. You can be away clean.

Luck...
-------
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030406140000>
From: Douglas Allen Luce 5-MAR-1988 13:54
To: sdcsvax!misc-security@rutgers.edu
Subj: [1612] Re: copy protection for micro software

Shipping a piece of hardware that must be plugged into the computer before the software will run has been tried, with only moderate success. There are a couple ways to circumvent this scheme, both fairly straightforward: copy the piece of hardware or remove or rewrite the piece of code in the program that checks to see if the hardware is where it should be.

I've only seen this implemented for very small computers; Atari 8 bit machines and Commodore 64 computers. Basically, a small jumpered plug was inserted into the joystick port. The program then matched out signals through the joystick port to see if the plug was there.

Finding the code in the programs wasn't a complex job; one could pull up a machine language debugger and monitor the joystick port for accesses. From there, the code could be broken down and the part that controlled access replaced with an "ok" code. One would no longer need a piece of hardware to run the program.

Also, these plugs were fairly simple to copy. All one had to do was to crack open the device (I think they called them "dongles," a name I hate for some reason), look at the way the inside worked (usually simple, a jumper or two) and then make a new one out of a $.75 joystick plug and a few pieces of wire. A company would generally have a single "dongle" to run all their programs; pirates had only to make one "dongle" to run a whole family of programs.

I haven't seen it implemented for the PC's or anything above, but I would think that the same measures could be taken to circumvent copy protection.
Douglas Luce
Carnegie Mellon
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030606470000>
From: Russ_Housley.XOSMAR@xerox.com 7-MAR-1988 14:27
To: security@rutgers.edu
Subj: [715] Re: copy protection for micro software
Cc: Housley.XOSMAR@xerox.com

In the 4-Mar-88 edition of Security Digest, hp-sdd!dag@hp-lsd.hp.com suggests that "operation of the software to a piece of hardware."

Some vendors of equipment for use on Ethernets (or IEEE 802.3 networks) do just as he suggests. The software checks the 48-bit source address of the host it is running on. If the address is different than expected, the software fails to work.

This scheme has failed (i.e., not permitted legal software to function correctly) when the equipment had a second Ethernet port installed. In this case, the equipment had two 48-bit source addresses, and the software checked the "wrong" one.

Russ Housley
Xerox Special Information Systems
Vista Laboratory
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030806460000>
From: "David M. Balenson" 9-MAR-1988 14:26
To: misc-security@seismo.css.gov
Subj: [1276] Submission for misc-security

Can anyone provide any information concerning the use of the AMD DES chip within the SUN workstations (e.g., 3/50, 3/140, 3/160, 3/180)? I understand that the CPU boards have an empty socket which will accommodate the AMD chip (AmZ8068) and that the kernel has to be reconfigured to make use of the chip. Is that all there is to it? Will this permit the 'des' command to use the AMD chip, rather than use software?

I have also heard that two additional chips may or may not be necessary -- one is a TTL support chip, the other a PAL. What exactly are these chips for? Are they necessary, or not?

Is anyone out there, in particular anyone at SUN, currently using the AMD chip?

Thanks.

David M.
Balenson (balenson@icst-ssi.arpa)
National Bureau of Standards
(301) 975-2910
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030807450000>
From: tjfs@otter.hple.hp.com 9-MAR-1988 15:25
To: misc-security@ucbvax.berkeley.edu
Subj: [633] RE: Secure labs with PC-LOCK

Dan Keizer writes:

> security by non-disclosure is no security at all.

I *totally* agree. If more people believed this, we wouldn't have the problems we have now with exporting crypt, ...

It seems to me it's a philosophical battle between those who say "we won't tell you anything about it to make it more secure" and those who say "if we can't study it, we can't tell if it is secure (and it probably isn't)".

With the advent of decent public key encryption, one-way encryption of passwords etc it seems to me a *good thing* that security systems become more understood so that the state of the art continues to advance.

Tim
----MESSAGE-END----
----MESSAGE-BEGIN---- <1988030913360000>
From: Will Martin __ AMXAL_RI 10-MAR-1988 21:16
To: security@aim.rutgers.edu
Subj: [2549] Re: SSNs, the SSA, and giving out info

Back on 25 Feb., I posted a note about a local (St. Louis) newspaper advice column which stated baldly that the SSA would give people info about an individual if you gave them their SSN. Here are the relevant paragraphs from that original posting:

>If they cannot answer your questions directly, they may be willing to
>give you her Social Security number. You can then trace her whereabouts
>through the Social Security Administration.
>
>At 63, she may have retired, and if she is receiving Social Security
>payments, you might be able to get her current address. If she is
>deceased, the SSA should be able to tell you that, also.

I promised that, when I had time, I would check with the SSA office here and let the list know what they said about this -- was it true or not? Well, I finally had a chance to check today.
The word from them is that the SSA will NOT give an inquirer info about a person just because that inquirer provides the subject's SSN. What they will do, though, is to take information from the inquirer, and then write the subject of the inquiry a letter, saying something like, "John Smith, who claims to be your cousin, is trying to get in touch with you. His name, address, and phone are: xxxxxx. You may contact him there if you wish to." In other words, they will act as a conduit to the party whose SSN is provided, but will not give out information about that person to another. (I didn't think to go into detail about just what the SSA would do if the person was listed as deceased, unfortunately.)

This actually strikes me as being very helpful, and more likely to be something that the SSA would do theoretically than that they are likely to do in real life! I was asking this as an hypothetical question, showing the SSA representative the newspaper column, and wasn't actually asking them to DO anything. I wouldn't be surprised if this was something so out-of-the-ordinary, so unlike standard procedure, that it would be next to impossible to get the SSA to do this in reality. After all, to do the search and write the letter would take some hours of time, and, considering SSA employees are rated on how many cases they can process in a day, it would be a rare find indeed to locate one who would be willing to delay normal processing, buck the system, and do an inquiring stranger this favor!

Nonetheless, from a privacy issue standpoint, the info I got was reassuring. At least the SSA claims it will not wantonly distribute data about you to anyone who happens to know your SSN.
Regards, Will Martin ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988031015020000> From: eachus@mitre_bedford.arpa 11-MAR-1988 22:42 To: iconsys!bryan@uunet.uu.net Subj: [5022] Re: Question--Exporting the DES Algorithm The communications on exporting the DES algorithm which have appeared on the net recently are ALL correct. Huh? What did you just say? Read on. If something not subject to ITAR regulations is in the public domain, or "widely published" in the US, any citizen has a general license to export that information. In fact you may go overseas and speak publicly about what you know, and that will create information subject to license requirements, qualify it for general license, and export it. In other words, as an American citizen, your freedom of speech does not end at the waters' edge. (The country where you give the speech might not like what you say, but that is a different issue.) However, if you have information subject to ITAR regulations (no matter how you got it), you (or your company) can be prosecuted if you export it without State Department approval. See the "aid and comfort" clause in the constitution. Since some crypto information is clearly protected this way, most company lawyers "take the easy way out" and advise the company not to export any crypto software, without checking to see if it falls under the ITAR rules. (Apply standard disclaimers to what follows at least twice.) Last time I checked the "opinion" of State was that the DES algorithm was not subject to ITAR rules, although certain implementations (usually in the form of chips) were protected. Note that any government employee must be vague here, either he knows all the (classified) uses of crypto (and where is YOUR need to know) but can't tell you, or he doesn't know and can't be more specific. 
Therefore the standard procedure is to request an opinion before exporting crypto implementations, and if you don't get something on the order of "your application does not currently appear to fall under ITAR rules..." you talked to the wrong person (or you really are trying to export a 300 MIP DES chip 8^> ). If you do ACCIDENTALLY export something subject to ITAR rules, you probably won't go to jail. In any violation, your rights to free speech must be shown to conflict with other constitutional powers, and the balance must tilt strongly against you before the ITAR regulations have any standing. If you intentionally violate the ITAR regs, however, you might not have any constitutional protection. Let me give you a realistic example. You buy a Zowie 1000 portable computer and take it with you to England. Unbeknownst to you, the Zowie 1000 is used in a test system for Stealth Bomber ECM equipment. You violated the ITAR regulations, but in the normal course of events, you won't even know it, because the DoD is unlikely to tell the Customs people which COTS (commercial off the shelf) equipment is used on black projects. In any case your violation was innocent and is probably protected. Second case, an ATE specialist on the Stealth project buys a Zowie 1000 for personal use because he uses it at work and likes it. He takes it (and some of his software) to England on his vacation. Dumb, and the security folk at the plant may have a long talk with him, but if it was innocent probably no long term repercussions. The third case of course, is he takes it with him and sells it to a foreign agent for $100,000 -- and twenty years hard labor. What did you think the ITAR regulations were for anyway? So now you know why all the weasel words. If you take my (knowingly incorrect) advice (or someone else's) and innocently violate the ITAR regs, I'm guilty and you are not... "So you're going to Berlin on your vacation? Could you do me a favor? 
I have this package for my sister, but the mail takes weeks. I'll give you ten bucks for your trouble." You are only guilty if you think he's a spy and do it anyway... Each case is different, and an awful lot depends on intent. It would be nice if someone who has requested and received (from the government, not from a company lawyer) a recent opinion on the DES algorithm, would post the opinion here. If no one out in net land has a recent opinion, someone should go ahead and request one. The most recent opinion I have seen was two companies back, and things can change in either direction. Robert I. Eachus Disclaimer: Oh boy, do I need one here. If you have any intention of exporting anything which might be subject to ITAR rules, have your lawyer check with the State Department and get a written opinion. If you decide to create a test case and take it to the Supreme Court, I'll be glad to come cheer, but if you expect me to get up and say it was all my idea, you didn't read carefully. Second Disclaimer: I didn't ask MITRE, MITRE's lawyers, or anyone else's lawyers for their opinion of this message, but if I did, I'm sure that they would waffle at least as well as I did. ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988031111390000> From: Wes Williams 12-MAR-1988 19:19 To: GZT.EWW%OZ.AI.MIT.EDU@MC.LCS.MIT.EDU Subj: Failed mail Just by chance, the other day, I tipped over the box that the bookcase type holder for DbaseIII+ was in, and found a warning from the manufacturer that this product may be covered by the State Dept. Regs. for exporting. Thinking about an upcoming trip to a neighboring country, I was aghast that I may have run afoul of customs (forgetting that I had a copy in the trunk). Is this type of program really covered under these laws? ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988031212180000> From: che@pbhyf.UUCP (Mitch Che) 13-MAR-1988 19:58 To: misc-security Subj: [1665] >[Moderator note: *What* is a "dongle"?? 
_H*] Every so often I feel like I've just passed through a time-warp. Unfortunately, it's always backwards. ADAPSO supported this idea which died a timely death about a year or so ago. A "dongle" refers to the little device which plugged into the back of the PC into the RS-232 port. A fair amount of research apparently went into these and some software actually shipped with this protection scheme. ADAPSO pulled its support of any kind of standard for use. Copy protection seems to be a non-issue. With the crash of the PC software industry, copy protection is just what a small company needs to go under. If your software is still copy-protected, rest assured your software is not available in my shop. -- Mitch Che Pacific Bell "Fine Corinthian leather? Of course. --------------------------------------- From fine Corinthian cows..." ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988031221010000> From: Jim Duncan 14-MAR-1988 04:41 To: security@rutgers.edu Subj: [1196] dongle Years ago, when I was an avid C-64 user, my favorite word processor was PaperClip from Batteries Included (in Toronto, I think). They allowed (encouraged) copying their software for backup purposes; to use the program, you had to have an electronic key, called a `dongle', plugged into one of the joystick ports. I have seen that word used in other documentation to mean the same thing. Of course, versions of PaperClip which didn't need a dongle to operate proliferated as crackers everywhere found the code which checked for the dongle and detoured around it. I didn't care; PaperClip was so good, and the manual was so well written, that, like Turbo Pascal, it was worth it to me to have a legitimate version and the support that went with it. Batteries Included used the same system with other software they published, like Delphi's Oracle. Great word, huh? I'm surprised that it didn't find its way into a book of Sniglets. I'd like to see an etymology. 
Jim Duncan, Computer Science Dept, Old Dominion Univ, Norfolk VA 23529-0162 (804)440-3915 INET: jim@cs.odu.edu UUCP: ...!sun!xanth!jim ---------- Time flies like the wind, but fruit flies like bananas. --------- ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988031619250000> From: gianni stifano 18-MAR-1988 03:05 To: SECURITY@aim.rutgers.edu Subj: [560] File: "SECURITY MAIL" being sent to you I've just graduated and I'm very interested in security aspects in MHS. Could anyone give me some information about research on document concealing or document signing in an X.400 environment? Thanks in advance. ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988032002320000> From: GREENY 21-MAR-1988 10:12 To: security@aim.rutgers.edu Subj: [907] ATM machines What with all the viruses running about these days, I was wondering what sort of protection ATM machines have against such beasties. Specifically, I'm concerned about my $$$ in these machines. It has occurred to me that the machines which accept charge cards (such as Visa and MC), could not really verify that the PIN you key in is indeed your PIN. It takes up to 5 minutes for an authorization request to come back from a dept. store card reader when you make a purchase, yet the ATM is instantaneous.....this is weird, either the PIN is stored on the card (read: very stupid) or the machine just ignores the PIN of credit cards..... What's the deal? Does anyone know about what actually goes on with these machines? bye for now but not for long Greeny [Moderator note: There was a discussion about these things a while back; however, I think the relevant messages have long since been rolled off to some dusty tape that I'd be hard put to locate... _H*] ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988032007580000> From: NMIEP%NOBERGEN.BITNET@CUNYVM.CUNY.EDU 21-MAR-1988 15:38 To: security@aim.rutgers.edu Subj: [772] embezzlement Maybe the latest incident on computer embezzlement? 
Two employees of the largest Norwegian clearing house, Bankenes Betalingsentral BBS, are charged with attempted fraud. The scheme was apparently in accordance to the old dream of redirecting transactions to other accounts. The particular day of the attempt, there were to be a large number of social security benefit transfers. The possible outcome is said to be app. ! 250 million. One of the two had an operator type job, with access to tapes. However, the whole thing was set up in such a way that it was easily detected by regular security checks. This hopefully shows that security does work, and that the notion that no cases have ever been spotted due to security routines, is not true. Eirik Kim Pedersen ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988032302090000> From: gianni stifano 24-MAR-1988 09:49 To: SECURITY@aim.rutgers.edu Subj: [721] File: "SECURITY MAIL" being sent to you Does anyone know TeleTrusT International? It's an international working group about the security of telematic transactions, with particular respect to digital signature obtained by RSA Public Key Cryptosystem. I'd be interested in more deep information about the opportunity to introduce TeleTrusT concepts in X.400 based MHS. Thanks in advance and sorry for my bad English. ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988032305240000> From: Steve Bui 24-MAR-1988 13:04 To: security@aim.rutgers.edu Subj: [589] Security package for MVS and VM systems Dear members: Arizona State University is in the process of getting a new security package for our systems, and would like to have your opinion, as well as any inputs on the security software topic. We would like to know: 1. Do you run both VM and MVS? 2. Which security package do you have on your VM system (RACF, VmSecure...)? 3. Which security package do you have on your MVS system (RACF, ACF2...)? 4. Does the security package(s) perform to your satisfaction? 5. Any comment your security hits and miss? 
I appreciate your response to my userid, and many thanks for responding. ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988032307110000> From: shafferj%BKNLVMS.BITNET@CUNYVM.CUNY.EDU 24-MAR-1988 14:51 To: security@aim.rutgers.edu Subj: [7328] major VMS security problems The following three messages should be of interest to this discussion. I'm posting them with the assumption that no one else has posted the information contained within them while the Bitnet distribution of Security was down. The last message of the group is particularly scary, because I'm on VMS v4.4 here and I've never heard of the bug. It would appear that our system managers here haven't heard of it either, because there have apparently been some break-ins lately. {See disclaimer at end!} **************** Forwarded messages begin: **************** From: "XMRP20000[khw]-g.c.mccoury" Subject: Hacker hits VMS From The Star-Ledger(Newark NJ) 3/17/88 TEEN HACKER 'INVADES' NEW SECURE COMPUTER PARIS(Reuters)- A 19-year-old West German hacker has succeeded in breaking into one of the world's top-selling computers, Digital Equipment Corp.'s VAX system, in what experts say is a new blow to confidence in computer security. Computer specialists broke the news yesterday at a computer conference already shocked by the arrest on Sunday of West German hacker Steffen Wernery, 26, as he arrived to take part in a panel debate on system security. Wernery is a member of the Hamburg-based Chaos Computer Club which caused a storm last year when it revealed it had penetrated more than 100 computers around the world, including the network of the U.S. space agency NASA. French police announced later that Wernery had been charged with "theft, destruction and damaging computer goods" and had been jailed pending trial. 
West German journalist and computer expert Hans Gliss, who was also held briefly by French police when he arrived in Paris on Sunday, said the unidentified 19-year-old from Munich had worked out how to enter VAX computers made by Digital. Gliss said the Munich hacker had breached the VAX system by using material openly available from Digital, which is based in Maynard, Mass. Digital executives were in a meeting and not available for comment, a spokeswoman said. Rudiger Dierstein, of West Germany's national space foundation DFVLR, said the consequences of the Munich hacker's achievement were "terrifying." "This person has given a full description of how to gain access to the system and gain full control. Imagine combining the intelligence of this hacker with a definite criminal intention," he said. "Someone could take control of a satellite as they are all computer-controlled. That is why I tremble when I hear the initials SDI." SDI stands for President Reagan's proposed Strategic Defense Initiative, a space-based computer-guided defense system against nuclear missile attack. Dierstein said the 19-year-old had privately published his work in a pamphlet entitled "Hints on the Use of the VMS Operating System" but police had confiscated all the documents. The VMS(Virtual Memory System) is the main language used in Digital's VAX computers. Experts said other major computer manufacturers like IBM could not afford to be complacent as it was being shown their systems were equally vulnerable. Companies targeted by Chaos Computer Club "hackers" were unaware their systems had been tampered with until the club informed West German authorities. Experts at the Paris conference said Wernery had fixed a meeting with the French subsidiary of the Phillips electronic group - one of the companies penetrated by the hackers - before leaving for France. 
* Grover McCoury * * ATT IS/Communications Laboratories * * Middletown NJ * **************** From: Steve Ward Subject: Re: Hacker hits VMS Does anyone know if this is a REAL security hole in VMS or just the usual 1) failure to change default password(s) on sys, maint, user, userp accounts as shipped from DEC. or 2) autologins left activated by local sys manager. or 3) other equivalent act of stupidity. Often these sensational stories are due to vulnerability caused by stupidity. I have never had much trouble in "hacking" a login to a multiuser system when testing for security, usually by just trying the time-honored guess-the-password approach. Of course, hacking to TEST for security on your own computers is quite different from the vandalism and criminalism of attacking someone else's machines, whether one is hacking through cleverness or taking advantage of the lax management of computer systems on all os's that is out there. I know of large numbers of machines that are accessible to the world where the local users object strongly to being forced to periodically change passwords or insist on using any password, including very short passwords, last names, etc. The ability to "hack" a login is inversely proportional to the number of login accounts on the system :-) Of course, all os's exhibit true security hole bugs from time to time. Is this one? **************** From: Tony Li Subject: Re: Hacker hits VMS Yes, this is the result of a real hole. Do you recall the V4.4 SECURESHR bug? Tony Li - USC University Computing Services "Fene mele kiki bobo" Uucp: oberon!tli -- Joe Isuzu **************** End of forwarded messages **************** If anything further on this subject should be posted to the VAX discussion, I'll forward it to the Security discussion. Jim Shaffer, Jr. 
ShafferJ%Bknlvms.Bitnet@cunyvm.cuny.edu ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988032307430000> From: robert@pvab.pvab.se 24-MAR-1988 15:23 To: misc-security@enea.se Subj: [544] Re: Question--Exporting the DES Algorithm > The AT&T UNIX Operating System Release 2.2 and Release 3 license > agreements state that the "crypt" program, library, and associated > documentation are not to be distributed with international versions UNIX can't live without them, so they are not provided as library functions or user commands in export versions, but the complete source for all those functions is (of course) included if you buy a source license. Imagine that. ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988032802340000> From: ORG5NMC@CMS1.UCS.LEEDS.AC.UK 29-MAR-1988 10:14 To: security@aim.rutgers.edu Subj: [607] Hello all, glad to see this list is alive again. Thanks to all who answered my previous query on master keys. The response was great! I want to ask a question about computer security. Are there any legal obligations (British or American) on a computer user who finds a major flaw within a popular OS? How could a private individual bring a bug to the attention of a computer manufacturer given that site computing personnel take a dim view of anybody who finds these bugs? *NOTE* These questions are for my own interest and are not meant to represent any actual situations or occurrences. ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988032806050000> From: latzko@aramis.rutgers.edu 29-MAR-1988 13:45 To: security@aim.rutgers.edu Subj: [740] dongles Were yea verily used on PC class machines. Autodesk used one on their 2.6 release of AutoCad. Their response when I called them about it was 1> if it breaks within a year fed ex it back and they will fed ex a replacement. 2> after a year as 1> but with a small charge 3> if it gets stolen or misplaced you are up the creek. They suggested insuring it. 
After many people complained and enough people didn't buy the upgrade they tossed the idea. Other software which use dongles are Novell Netware and Banyan Vines. There is breaker software for Novell. I am not sure for Vines. /S* PS The person I talked to at AutoDesk told me someone had broken the dongle code within 24 hours and was distributing the fix within 48. ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1988033022400000> From: jbn@glacier.stanford.edu 1-APR-1988 06:20 To: misc-security@decwrl.dec.com Subj: [1042] Re: copy protection for micro software Technically dongles can be made to work, and a number of vendors sell them. See any issue of PC Tech Journal for ads for such gadgets. But they are very unpopular with users, and you get nasty reviews in Byte if you put one on your product. The most successful dongles do something useful that the program needs to function. Some dongles have a CPU in them, typically an 8-bit microcontroller. If some obscure but crucial part of the processing is performed in the dongle itself, it can be very difficult to operate the program without it. An excellent example is Cubicomp, which sells an animation package that requires a special graphics board only available through Cubicomp. There's actually nothing exciting about their graphics board; it's just a marketing ploy, and one clever enough that few people have figured it out yet. These strategies are generally for high-end software. At the low end, games, the future probably lies with compact disk technology. But that's another story. John Nagle ----MESSAGE-END----
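The design distinction drawn in the dongle messages above (a program that only checks whether the key is plugged in, versus one where part of the processing runs inside the key), as an added illustration that is not part of any original posting. The `Dongle` and `StubDevice` classes, the checksum routine, the secret and the sample records are all hypothetical and constructed for this sketch.

```python
"""Added illustration: presence-check dongle versus a dongle that does part of the work."""
import hashlib
import hmac


class Dongle:
    """Simulated hardware key; the secret never leaves the device (constructed value)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def present(self) -> bool:
        # Design A only ever asks this yes/no question.
        return True

    def mix(self, counter: int) -> int:
        # Design B: one step of the program's own algorithm is computed here.
        tag = hmac.new(self._secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")


class StubDevice:
    """Stands for 'no genuine key attached': answers the query but holds no secret."""

    def present(self) -> bool:
        return True

    def mix(self, counter: int) -> int:
        return 0


def run_presence_check(dongle, records):
    """Design A: a single boolean gate in front of code that needs nothing from the key."""
    if dongle is None or not dongle.present():
        raise PermissionError("dongle not found")
    total = 0
    for i, rec in enumerate(records):
        total = (total * 31 + sum(rec.encode()) + i) & 0xFFFFFFFF
    return total


def run_functional(dongle, records):
    """Design B: every step folds in a value only the genuine key can produce."""
    if dongle is None:
        raise PermissionError("dongle not found")
    total = 0
    for i, rec in enumerate(records):
        total = (total * 31 + sum(rec.encode()) + dongle.mix(i)) & 0xFFFFFFFF
    return total


def compare():
    """Run both designs with the genuine key and with the stub, and compare results."""
    records = ["invoice 1001", "invoice 1002", "invoice 1003"]  # constructed sample input
    real = Dongle(b"constructed-demo-secret")
    stub = StubDevice()
    return {
        # Design A cannot tell the two devices apart: its output is identical.
        "presence_same": run_presence_check(real, records) == run_presence_check(stub, records),
        # Design B yields a different (wrong) result without the genuine key.
        "functional_same": run_functional(real, records) == run_functional(stub, records),
    }


if __name__ == "__main__":
    print(compare())
```

In design A the protection reduces to one yes/no answer, so the output is the same with or without the real device; in design B the program's result is only correct when the step computed inside the key is available.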