ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1988)
DOCUMENT: Rutgers 'Security List' for June 1988 (8 messages, 7661 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
-----------[next][prev][last][first]---------------------------------------------------- From: Brint Cooper <abc@BRL.ARPA> 2-JUN-1988 23:27 To: email@example.com
<ZSYJKAA%WYOCDC1.BITNET@CUNYVM.CUNY.EDU> reports, "Apparently we have a professor who thought it would be a good experience for his students, as a project, to write (each) a virus, and demonstrate that it works." He relates the havoc in the lab that this project created. Then he/she asks (paraphrase): 1. Is "viral education" a good thing? 2. What are the ethics of such a practice? 3. Would it be against the spirit or letter of "freedom of information" to restrict such teaching and the propagation of such knowledge? Perhaps the analogy with biological viruses isn't overworked after all. In consideration of such analogy, I submit: 1. "Viral education" is a good thing. "Know thine enemy" might be the appropriate commandment. 2. The ethics of viral education are, in my view, similar in computer and biological systems. If there's any doubt about inadvertant propagation, the viral education should remain at the prospective and theoretical levels. I don't believe, for example, that third year bio or chem students "create" new viruses by DNA/RNA splicing and other genetic engineering techniques. The results would be too unpredictable. So it is with computer viruses. 3. The propatation of knowledge is one thing. But for permitting the propagation of the virus, the prof should be sentenced to have to use only the little fingers of each hand on his keyboard for the next five years! A better approach would be to assign students to write "virus hunting" or "interferon" programs. If a "weakened" computer virus is available, one whose characteristics are sufficiently well-known as to keep it well-contained, then the students' anti-viral programs could be tested against it.
-----------[next][prev][last][first]---------------------------------------------------- From: firstname.lastname@example.org 3-JUN-1988 12:54 To: goldstein%star.DEC@decwrl.dec.com Cc: email@example.com
Andy - Many (most?) of the large vendors are on the internet. (Look at the .com domain; even IBM is there!!). DoD Instruction 5215.2, dated 2 Sept. 1986 establishes the Computer Security Technical Vulnerability Reporting Program (CSTVRP). It's purpose is to establish "procedures for reporting all demonstrable (sic) and repeatable technical vunerabilities of Automated Information Systems (AIS)" and establish "methodologies for dissemination of vulnerablility information." Given 5215.2, one might successfully disagree with you regarding vendors not being able to use the internet for reporting. I tend to agree with many of your statements, but I hope that I am slightly more optimistic. Jeff Edelheit (firstname.lastname@example.org) The MITRE Corporation 7525 Colshire Drive McLean, VA 22102 (703) 883-7586
-----------[next][prev][last][first]---------------------------------------------------- From: "Michael J. Chinni, SMCAR_CCS_E" <mchinni@ARDEC.ARPA> 3-JUN-1988 13:57 To: email@example.com
> For instance, in American law & philosophy, freedom of information is nearly > sacred; is propoagation of the knowlege on how to write a virus itself a > bad thing, or only the malicious and/or negligent spreading of one and it's > symptoms/damage? I think that both the propagation and passing of said knowledge is at least unethical and possibly illegal. Illegal because it could be viewed as conspiring to commit a crime (malicious use of a virus). I think that this is analogous to a counterfeiter giving a class in forgery and requiring the class to forge currency. If the class had been given to a group of computer security specialists with the intent of showing the ease of creating a virus, the possible results of an infection, and possible countermeasures, then I would see no problem. But for the class to be given to a "random" group of students I find reprehensible. Disclaimer: Opinions expressed are my own and not the official views of my employer. Mike Chinni <mchinni@ardec> Dover, NJ
-----------[next][prev][last][first]---------------------------------------------------- From: Nick Papadakis <firstname.lastname@example.org> 3-JUN-1988 17:48 To: ZSYJKAA%WYOCDC1.email@example.com Cc: firstname.lastname@example.org
It strikes me as a poor example of pedagogy. Biology students do not experiment with tuberculosis (say) when less virulent examples that serve the purpose exist. The instructor should not have permitted the viruses to have destructive side-effects. The general precept in law is that *posession* of information is never illegal, but *utilizing* it may be. There are exceptions (pornography, classified information, and doubtless many other well intentioned attempts by poorly-informed legislators) but the argument hinges on whether you consider *transferring* information to be 'utilizing' within the context above. I sympathize with the DEC employee who recently posted a message to the effect that people who discover security flaws should just keep quiet; in the short term this is a reasonable response. In the longer term people should keep in mind that these machines have only been around for fifty years or so - we don't really have the foggiest idea of what they might ultimately be good for. The fact that they happen to be good for something right now shouldn't be allowed to hinder their further development. Just in passing, I wanted to remark on an interesting point: viruses are only really a problem for people who don't distribute source. Think about it. - nick
-----------[next][prev][last][first]---------------------------------------------------- From: ZSYJKAA%WYOCDC1.BITNET@CUNYVM.CUNY.EDU 8-JUN-1988 11:05 To: email@example.com
Does anybody have ideas on where I might acquire an older floor safe for home use at a reasonable price? I am hoping to find something about 2x2x2 to 3x3x3 feet or so, and about 1910-1940 or so in appearance so it won't be so ugly my wife leaves. I keep checking things like local estate sales and going-out-of-business sales (lots of those lately) but one hasn't turned up yet. I'm certain I need to find one locally (I'm in Laramie Wyoming; Denver is a 2.5-hour drive away if I could find one there) due to shipping costs for something that heavy. Do these things show up in trade journals or something like that? I know the older safes are not as secure as some modern designs, but modern crooks seldom carry explosives and are seldom adequate safe-crakcers.
-----------[next][prev][last][first]---------------------------------------------------- From: GREENY <MISS026%ECNCDC.BITNET@CORNELLC.CCS.CORNELL.EDU> 10-JUN-1988 19:38 To: firstname.lastname@example.org
Please bear in mind that I am in *NO* way related to this BBS, I have merely been in the same room when a friend of mine logged into it and I thought that the people on this list might be interested in making use of some of the topics on it. 'nuf with the legal stuff....heres the vital stats... The Crypto BBS 1-703-237-4322 This BBS is centered around a cryptography basis, and has GOBS of PD programs and source relating to such.....Have fun. Although most of it is for PC's :-< -- leaving us Macites out in the cold... bye for now but not for long... Greeny Bitnet: miss026@ecncdc Internet: email@example.com Disclaimer: Call it if you want, but don't blame me for problems..
-----------[next][prev][last][first]---------------------------------------------------- From: ZSYJKAA%WYOCDC1.BITNET@CUNYVM.CUNY.EDU 10-JUN-1988 19:56 To: firstname.lastname@example.org
I'd bet that the sonogram equipment and techniques used on people would be pretty useless on a Medeco-sized lock. First, the things you're looking at are much smaller. Second, the speed of sound in metal is, I believe, much higher than water (people), meaning the electronics must switch between pulsing and receiving much faster (definitely not impossible, just the "baby-watching" stuff probably won't hack it). Third, you probably only have access to the front face of the lock (if you have access to the sides and top, just open it up) and that means you'd be "looking" at the pins all at once; you'd rather have a side view so as to see them individually. I sent a long response to the original poster of the question about using sound waves; I guess I should have kept a copy to send to the group. My own speculation of such techniques involves using one of two methods. First method: The "time domain reflectometry" type. Using a key-shaped holder if possible, hold a transducer against the bottom of a pin. Repeatedly (1 kHz?) send a pulse out of it, switch to receive mode, and display the echos on a 'scope and time them. Second method: resonance. Again hold a transducer against the pin. Sweep a range of frequencies (50-250 kHz or so) and look for resonances as indicated by peaks and dips in the induced voltage (you'd have to play with the impedances to get the right "Q" for optimum sensing). Several factors effect how well either method works. Keep in mind that round-trip time for a pulse in a .1" pin made of metal with speed of sound around 3000fps is 5 microseconds; corresponding resonant frequency is 200 kilohertz. Very thin pins (as used in some mastering methods) would be even "quicker". You must (or should) know the pin material, since I would guess speed of sound is quite different in steel versus brass, and maybe significantly so in differing types of brass (I don't have the proper references handy). Some "pin assemblies" consist of a steel ball contacting the key followed by a brass pin, so that can be nasty (but easy to discover with a flashlight); perhaps the ball would yield a distinctive "signature" on the instrument, or perhaps it would obscure desired signal. The pins should ideally be isolated from the lock body but that's impossible, so I'd guess it would be best to thoroughly clean the lock with a fast-drying liquid that leaves no residue. On the other hand, getting some graphite or teflon particles in there might help "insulate" the pins. You'd have to try it and see. I have no idea how badly misleading or mangled a signal would be from mushroom pins. You might get a false sense of a possible shear line from locks constructed with a second cylinder (a better mastering technique, as used at least on better Russwins) depending on how much signal got conducted from the pins into the body. Such diversion of signal would also degrade the system's response (e.g. echo strength). If there are many pins involved, the multiple echos and/or resonance modes could be pretty hairy to sort out, except for the first pin or two. Question: "WHY?" Sounds a bit like a high-tech B&E tool. Yeah, but even a screwdriver can be used for illicit gains. It is obviously a useful item to ponder for legitimate locksmith use, such as very secure installations where the key was lost and no copy existed. This would be very expensive to buy if it were available, or non-trivial to build in either case, and most of the bad guys couldn't cut a key if you handed them the cut numbers or a blueprint. Significant skilled "interpretation" might be required as well, if the methods work at all. One last thought: Yes, knowing the pin heights on a Medeco doesn't get you in. But there's only three possible rotations for each pin, so heights gets you a lot farther than knowing nothing. A neat feat of miniature machining would be to make a Medeco key (as keys go they're rather big) with shim-adjustable heights and rotatable "seats" for the pins. Making one that could be adjusted while seated in the lock would be even better, best if you could transmit back some "feel" to the operator. P.S. I probably have the speed of sound in metal way off. Air is 1100fps I think, and I vaguely recall it is 6 times that in steel. Maybe one could steal techniques from reflection seismology too.
-----------[next][prev][last][first]---------------------------------------------------- From: blblbl!zonker@EDDIE.MIT.EDU 20-JUN-1988 20:09 To: bloom-beacon!elbows@mit-eddie
RULES FOR BANK ROBBERS According to the FBI, most modern-day bank robberies are "unsophisticated and unprofessional crimes," comitted by young male repeat offenders who apparently don't know the first thing about their business. This information was included in an interesting, amusing article titles "How Not to Rob a Bank," by Tim Clark, which appeared in the 1987 edition of The Old Farmers Almanac. Clark reported that in spite of the widespread use of surveillance cameras, 76 percent of bank robbers use no disquise, 86 percent never study the bank before robbing it, and 95 percent make no long-range plans for concealing the loot. Thus, he offered this advice to would-be bank robbers, along with examples of what can happen if the rules aren't followed: 1. Pick the right bank. Clark advises that you don't follow the lead of the fellow in Anaheim, Cal., who tried to hold up a bank that was no longer in business and had no money. On the other hand, you don't want to be too familiar with the bank. A California robber ran into his mother while making his getaway. She turned him in. 2. Approach the right teller. Granted, Clark says, this is harder to plan. One teller in Springfield, Mass., followed the holdup man out of the bank and down the street until she saw him go into a restaurant. She hailed a passing police car, and the police picked him up. Another teller was given a holdup note by a robber, and her father, who was next in line, wrestled the man to the ground and sat on him until authorities arrived. 3. Don't sign your demand note. Demand notes have been written on the back of a subpoena issued in the name of a bank robber in Pittsburgh, on an envelope bearing the name and address of another in Detriot, and in East Hartford, Conn., on the back of a withdrawal slip giving the robber's signature and account number. 4. Beware of dangerous vegetables. A man in White Plains, N.Y., tried to hold up a bank with a zucchini. The police captured him at his house, where he showed them his "weapon." 5. Avoid being fussy. A robber in Panorama City, Cal., gave a teller a note saying, "I have a gun. Give me all your twenties in this envelope." The teller said, "All I've got is two twenties." The robber took them and left. 6. Don't advertise. A holdup man thought that if he smeared mercury ointment on his face, it would make him invisible to the cameras. Actually, it accentuated his features, giving authorities a much clearer picture. Bank robbers in Minnesota and California tried to create a diversion by throwing stolen money out of the windows of their cars. They succeeded only in drawing attention to themselves. 7. Take right turns only. Avoid the sad fate of the thieves in Florida who took a wrong turn and ended up on the Homestead Air Force Base. They drove up to a military police guardhouse and, thinking it was a toolbooth, offered the security men money. 8. Provide your own transportation. It is not clever to borrow the teller's car, which she carefully described to police. This resulted in the most quickly solved bank robbery in the history of Pittsfield, Mass. 9. Don't be too sensitive. In these days of exploding dye packs, stuffing the cash into your pants can lead to embarrassing stains, Clark points out, not to mention severe burns in sensitive places--as bandits in San Diego and Boston painfully discovered. 10. Consider another line of work. One nervous Newport, R.I., robber, while trying to stuff his ill-gotten gains into his shirt pocket, shot himself in the head and died instantly. Then there was the case of the hopeful criminal in Swansea, Mass., who, when the teller told him she had no money, fainted. He was still unconscious when the police arrived. In view of such ineptitude, it is not surprising that in 1978 and 1979, for example, federal and state officers made arrests in 69 percent of the bank holdups reported.
END OF DOCUMENT
|ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.|