The 'Security Digest' Archives (TM)

ARCHIVE: Rutgers 'Security List' (incl. - Archives (1988)
DOCUMENT: Rutgers 'Security List' for June 1988 (8 messages, 7661 bytes)
NOTICE: recognises the rights of all third-party works.


From:      Brint Cooper <abc@BRL.ARPA>  2-JUN-1988 23:27
<ZSYJKAA%WYOCDC1.BITNET@CUNYVM.CUNY.EDU> reports, "Apparently we have a
professor who thought it would be a good experience for his students, as
a project, to write (each) a virus, and demonstrate that it works."

He relates the havoc in the lab that this project created.  Then he/she
asks (paraphrase):

	1. Is "viral education" a good thing?

	2. What are the ethics of such a practice?

	3. Would it be against the spirit or letter of "freedom of
information" to restrict such teaching and the propagation of such

Perhaps the analogy with biological viruses isn't overworked after
all.  In consideration of such analogy, I submit:

	1. "Viral education" is a good thing.  "Know thine enemy" might
be the appropriate commandment.

	2. The ethics of viral education are, in my view, similar in
computer and biological systems.  If there's any doubt about inadvertent
propagation, the viral education should remain at the prospective and
theoretical levels.  I don't believe, for example, that third year
bio or chem students "create" new viruses by DNA/RNA splicing and other
genetic engineering techniques.  The results would be too
unpredictable.  So it is with computer viruses.

	3. The propagation of knowledge is one thing.  But for
permitting the propagation of the virus, the prof should be sentenced to
have to use only the little fingers of each hand on his keyboard for the
next five years!

A better approach would be to assign students to write "virus hunting"
or "interferon" programs.  If a "weakened" computer virus is available,
one whose characteristics are sufficiently well-known as to keep it
well-contained, then the students' anti-viral programs could be tested
against it.

From:  3-JUN-1988 12:54
Andy - Many (most?) of the large vendors are on the internet.  (Look at
the .com domain; even IBM is there!!).  DoD Instruction 5215.2, dated
2 Sept. 1986 establishes the Computer Security Technical Vulnerability
Reporting Program (CSTVRP).  Its purpose is to establish "procedures for
reporting all demonstrable (sic) and repeatable technical vulnerabilities of
Automated Information Systems (AIS)" and establish "methodologies for
dissemination of vulnerability information."  Given 5215.2, one might
successfully disagree with you regarding vendors not being able to use
the internet for reporting.

	I tend to agree with many of your statements, but I hope that
I am slightly more optimistic.

Jeff Edelheit		(
The MITRE Corporation	7525 Colshire Drive
McLean, VA   22102		(703) 883-7586

From:      "Michael J. Chinni, SMCAR_CCS_E" <mchinni@ARDEC.ARPA>  3-JUN-1988 13:57
 > For instance, in American law & philosophy, freedom of information is nearly
 > sacred; is propagation of the knowledge on how to write a virus itself a
 > bad thing, or only the malicious and/or negligent spreading of one and its
 > symptoms/damage?

I think that both the propagation and passing of said knowledge is at least
unethical and possibly illegal.  Illegal because it could be viewed as
conspiring to commit a crime (malicious use of a virus).  I think that this is
analogous to a counterfeiter giving a class in forgery and requiring the class
to forge currency.  If the class had been given to a group of computer security
specialists with the intent of showing the ease of creating a virus, the
possible results of an infection, and possible countermeasures, then I would
see no problem.  But for the class to be given to a "random" group of students
I find reprehensible.

Disclaimer: Opinions expressed are my own and not the official views of my

Mike Chinni
Dover, NJ

From:      Nick Papadakis <>  3-JUN-1988 17:48
	It strikes me as a poor example of pedagogy.  Biology students
do not experiment with tuberculosis (say) when less virulent examples
that serve the purpose exist.  The instructor should not have permitted
the viruses to have destructive side-effects.

	The general precept in law is that *possession* of information is
never illegal, but *utilizing* it may be.  There are exceptions
(pornography, classified information, and doubtless many other well
intentioned attempts by poorly-informed legislators) but the argument
hinges on whether you consider *transferring* information to be
'utilizing' within the context above.

	I sympathize with the DEC employee who recently posted a message
to the effect that people who discover security flaws should just keep
quiet; in the short term this is a reasonable response.  In the longer
term people should keep in mind that these machines have only been
around for fifty years or so - we don't really have the foggiest idea of
what they might ultimately be good for.  The fact that they happen to be
good for something right now shouldn't be allowed to hinder their
further development.

	Just in passing, I wanted to remark on an interesting point: 
viruses are only really a problem for people who don't distribute source.

	Think about it.

		- nick

Does anybody have ideas on where I might acquire an older floor safe
for home use at a reasonable price?  I am hoping to find something about
2x2x2 to 3x3x3 feet or so, and about 1910-1940 or so in appearance so it
won't be so ugly my wife leaves.  I keep checking things like local estate
sales and going-out-of-business sales (lots of those lately) but one
hasn't turned up yet.  I'm certain I need to find one locally (I'm in Laramie
Wyoming; Denver is a 2.5-hour drive away if I could find one there) due to
shipping costs for something that heavy.  Do these things show up in trade
journals or something like that?

I know the older safes are not as secure as some modern designs, but
modern crooks seldom carry explosives and are seldom adequate safe-crackers.

Please bear in mind that I am in *NO* way related to this BBS, I have
merely been in the same room when a friend of mine logged into it and I
thought that the people on this list might be interested in making use
of some of the topics on it.  'nuf with the legal stuff....here's the
vital stats...

The Crypto BBS

  This BBS is centered around a cryptography basis, and has GOBS of
PD programs and source relating to such.....Have fun.  Although most
of it is for PC's :-< -- leaving us Macites out in the cold...

bye for now but not for long...

Bitnet: miss026@ecncdc
Disclaimer: Call it if you want, but don't blame me for problems..

I'd bet that the sonogram equipment and techniques used on people would be
pretty useless on a Medeco-sized lock.  First, the things you're looking at
are much smaller.  Second, the speed of sound in metal is, I believe, much
higher than water (people), meaning the electronics must switch between
pulsing and receiving much faster (definitely not impossible, just the
"baby-watching" stuff probably won't hack it).  Third, you probably only
have access to the front face of the lock (if you have access to the sides
and top, just open it up) and that means you'd be "looking" at the pins
all at once; you'd rather have a side view so as to see them individually.

I sent a long response to the original poster of the question about using
sound waves; I guess I should have kept a copy to send to the group.  My
own speculation of such techniques involves using one of two methods.
First method:  The "time domain reflectometry" type.  Using a key-shaped
holder if possible, hold a transducer against the bottom of a pin.  Repeatedly
(1 kHz?) send a pulse out of it, switch to receive mode, and display the
echoes on a 'scope and time them.

Second method: resonance.  Again hold a transducer against the pin.  Sweep
a range of frequencies (50-250 kHz or so) and look for resonances as
indicated by peaks and dips in the induced voltage (you'd have to play
with the impedances to get the right "Q" for optimum sensing).

Several factors affect how well either method works.  Keep in mind that
round-trip time for a pulse in a .1" pin made of metal with speed of sound
around 3000fps is 5 microseconds; corresponding resonant frequency is 200
kilohertz.  Very thin pins (as used in some mastering methods) would be
even "quicker".  You must (or should) know the pin material, since I would
guess speed of sound is quite different in steel versus brass, and maybe
significantly so in differing types of brass (I don't have the proper
references handy).  Some "pin assemblies" consist of a steel ball contacting
the key followed by a brass pin, so that can be nasty (but easy to discover
with a flashlight); perhaps the ball would yield a distinctive "signature"
on the instrument, or perhaps it would obscure desired signal.  The pins
should ideally be isolated from the lock body but that's impossible, so
I'd guess it would be best to thoroughly clean the lock with a fast-drying
liquid that leaves no residue.  On the other hand, getting some graphite
or teflon particles in there might help "insulate" the pins.  You'd have
to try it and see.  I have no idea how badly misleading or mangled a
signal would be from mushroom pins.  You might get a false sense of a
possible shear line from locks constructed with a second cylinder (a
better mastering technique, as used at least on better Russwins) depending
on how much signal got conducted from the pins into the body.  Such diversion
of signal would also degrade the system's response (e.g. echo strength).
If there are many pins involved, the multiple echoes and/or resonance modes
could be pretty hairy to sort out, except for the first pin or two.

Question: "WHY?"  Sounds a bit like a high-tech B&E tool.  Yeah, but even
a screwdriver can be used for illicit gains.  It is obviously a useful
item to ponder for legitimate locksmith use, such as very secure installations
where the key was lost and no copy existed.  This would be very expensive
to buy if it were available, or non-trivial to build in either case, and
most of the bad guys couldn't cut a key if you handed them the cut numbers
or a blueprint.  Significant skilled "interpretation" might be required
as well, if the methods work at all.

One last thought:  Yes, knowing the pin heights on a Medeco doesn't get you
in.  But there's only three possible rotations for each pin, so heights
gets you a lot farther than knowing nothing.  A neat feat of miniature
machining would be to make a Medeco key (as keys go they're rather big)
with shim-adjustable heights and rotatable "seats" for the pins.  Making one
that could be adjusted while seated in the lock would be even better,
best if you could transmit back some "feel" to the operator.

P.S. I probably have the speed of sound in metal way off.  Air is 1100fps
I think, and I vaguely recall it is 6 times that in steel.  Maybe one
could steal techniques from reflection seismology too.

From:      blblbl!zonker@EDDIE.MIT.EDU  20-JUN-1988 20:09
To:        bloom-beacon!elbows@mit-eddie
  According to the FBI, most modern-day bank robberies are "unsophisticated
and unprofessional crimes," committed by young male repeat offenders who
apparently don't know the first thing about their business.  This information
was included in an interesting, amusing article titled "How Not to Rob a Bank,"
by Tim Clark, which appeared in the 1987 edition of The Old Farmers Almanac.
  Clark reported that in spite of the widespread use of surveillance cameras,
76 percent of bank robbers use no disguise, 86 percent never study the bank
before robbing it, and 95 percent make no long-range plans for concealing the
loot.  Thus, he offered this advice to would-be bank robbers, along with 
examples of what can happen if the rules aren't followed:
  1. Pick the right bank.  Clark advises that you don't follow the lead of the
fellow in Anaheim, Cal., who tried to hold up a bank that was no longer in 
business and had no money.  On the other hand, you don't want to be too 
familiar with the bank.  A California robber ran into his mother while making
his getaway.  She turned him in.
  2. Approach the right teller.  Granted, Clark says, this is harder to plan.
One teller in Springfield, Mass., followed the holdup man out of the bank and
down the street until she saw him go into a restaurant.  She hailed a passing
police car, and the police picked him up.  Another teller was given a holdup
note by a robber, and her father, who was next in line, wrestled the man to the
ground and sat on him until authorities arrived.
  3. Don't sign your demand note.  Demand notes have been written on the back 
of a subpoena issued in the name of a bank robber in Pittsburgh, on an envelope
bearing the name and address of another in Detroit, and in East Hartford,
Conn., on the back of a withdrawal slip giving the robber's signature and
account number.
  4. Beware of dangerous vegetables.  A man in White Plains, N.Y., tried to
hold up a bank with a zucchini.  The police captured him at his house, where he
showed them his "weapon."
  5. Avoid being fussy.  A robber in Panorama City, Cal., gave a teller a note
saying, "I have a gun.  Give me all your twenties in this envelope."  The 
teller said, "All I've got is two twenties."  The robber took them and left.
  6. Don't advertise.  A holdup man thought that if he smeared mercury ointment
on his face, it would make him invisible to the cameras.  Actually, it 
accentuated his features, giving authorities a much clearer picture.  Bank
robbers in Minnesota and California tried to create a diversion by throwing 
stolen money out of the windows of their cars.  They succeeded only in drawing
attention to themselves.
  7. Take right turns only.  Avoid the sad fate of the thieves in Florida who
took a wrong turn and ended up on the Homestead Air Force Base.  They drove up
to a military police guardhouse and, thinking it was a tollbooth, offered the
security men money.
  8. Provide your own transportation.  It is not clever to borrow the teller's
car, which she carefully described to police.  This resulted in the most 
quickly solved bank robbery in the history of Pittsfield, Mass.
  9. Don't be too sensitive.  In these days of exploding dye packs, stuffing 
the cash into your pants can lead to embarrassing stains, Clark points out,
not to mention severe burns in sensitive places--as bandits in San Diego and
Boston painfully discovered.
  10. Consider another line of work.  One nervous Newport, R.I., robber, while 
trying to stuff his ill-gotten gains into his shirt pocket, shot himself in
the head and died instantly.  Then there was the case of the hopeful criminal
in Swansea, Mass., who, when the teller told him she had no money, fainted.
He was still unconscious when the police arrived.
  In view of such ineptitude, it is not surprising that in 1978 and 1979, for
example, federal and state officers made arrests in 69 percent of the bank
holdups reported.