The 'Security Digest' Archives (TM)


ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1989)
DOCUMENT: Rutgers 'Security List' for June 1989 (87 messages, 38192 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1989/06.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

-----------[000000][next][prev][last][first]----------------------------------------------------
From:      ron@ron.rutgers.edu (Ron Natalie)  2-JUN-1989 22:15:23
To:        misc-security@rutgers.edu
UNICOS, at least as I saw it two years ago, had no
pretense at security.  It was quite easy to do things that
would crash the machine, and only moderately more difficult
to get unauthorized access to root.

You might ring up your colleagues at NASA-AMES, who certainly
have much more experience with UNICOS that I do.  They're also
pretty sharp on the security scene.

-Ron
-----------[000001][next][prev][last][first]----------------------------------------------------
From:      zeleznik@cs.utah.edu (Mike Zeleznik)  2-JUN-1989 22:39:25
To:        security@rutgers.edu
> Could anyone give me a list of well known and
> not so well known security holes for 4.2 and 4.3 BSD and System V (UNICOS).

You might check out Bob Baldwin's stuff (MIT) for rule-based analysis of
UNIX system security.  He had a paper in CompCon Spring 87.

Also, "UNIX System Security" by Wood and Kochan, Hayden Books.

  Michael Zeleznik              Computer Science Dept.
                                University of Utah
  zeleznik@cs.utah.edu          Salt Lake City, UT  84112
                                (801) 581-5617
-----------[000002][next][prev][last][first]----------------------------------------------------
Date:      2 Jun 89 13:33:37 GMT
From:      simsong@idr.cambridge.ma.us (Simson L. Garfinkel)
To:        misc.security
Subject:   ISDN

I am doing an article on ISDN for The Boston Globe.  The article would like
to write about all of the problems with ISDN, all of the advantages, what
people's experiences have been (both positive and negative), and where things
are going.

If anybody would like to give me a call or email, and flame, this is your
chance!!!

		Simson L. Garfinkel
		409 Washington Street
		Cambridge, MA 02139
		617-876-6111

		simsong@idr.cambridge.ma

-----------[000003][next][prev][last][first]----------------------------------------------------
From:      andrews@apple.com (Richard Andrews)  6-JUN-1989  7:00:54
To:        misc-security@ucbvax.berkeley.edu
 From my own experience, it seems to me that DES per se is not excluded from
export.  It just depends on how you use it.  I worked on a product, the
AppleShare File Server, that uses DES to encrypt passwords, and that was
granted a Commerce Jurisdiction (meaning Apple is free to export it).
Clearly, we would not have been able to export it if we used DES for file
encryption.
-----------[000004][next][prev][last][first]----------------------------------------------------
From:      cme@cloud9.stratus.com (Carl Ellison)  6-JUN-1989  7:34:57
To:        linus!misc-security@ursa-major.spdcc.com
This is getting out of hand....

If it weren't so silly, I'd rant and rave for pages about it.

What makes DES written here so secret when the one written in Finland
(acc. a recent posting) isn't??????

We're locking the barn door -- with the horse inside -- but after the
back wall fell down.

--Carl Ellison                      UUCP::  cme@cloud9.Stratus.COM
SNail:: Stratus Computer; 55 Fairbanks Blvd.; Marlborough MA 01752
Disclaimer::  (of course)
-----------[000005][next][prev][last][first]----------------------------------------------------
From:      alo@kampi.hut.fi (Antti Louko)  6-JUN-1989  7:53:02
To:        misc-security@cwi.nl
> Thus, a copy of Dbase III labelled 
> "Not for export" cannot be used in an open lab here.

Software vendors could do the following:

Take their software product without any non-export stuff to some of
their labs outside US. At that site, include some outside-US
DES-package into their product, or even better, ship their product in
relocatable form, so customer can link any encryption package with it.

My DES-package can be used freely for non-commercial purposes. If a
vendor ships my DES-package in source code (and optionally in
relocatable code) with their product so that customer can link it
together himself, I consider this as non-commercial use. The idea is
that the customer could do the same even if the vendor wouldn't
provide the DES-package.

If the vendor packages their product and DES together (eg. linking
them into an executable) I consider this as a commercial use.

In my opinion:

Software vendors should ship all their software also in relocatable
form!!

My DES-package is available by ftp at kampi.hut.fi (128.214.3.9) at
directory /alo/

------------------
 alo@santra.UUCP (mcvax!santra!alo)       Antti Louko
 alo@hut.fi                               Helsinki University of Technology
 alo@fingate.bitnet                       Computing Centre
 alo%fingate.bitnet@cunyvm.cuny.edu       SF-02150, Espoo
                                          FINLAND
                                          tel. +358 0 4514314
------------------
-----------[000006][next][prev][last][first]----------------------------------------------------
From:      Doug Claar <dclaar%hpmpec1e@hplabs.hp.com>  6-JUN-1989 23:14:43
To:        security@pyrite.rutgers.edu
> I'm always amused by the notion of "tamper-resistant" envelopes.  I

Yes, what about the 'see-thru' spray being sold by Sharper Image, or
some such company. "Makes envelopes transparent without leaving a trace!"

The post office is not amused, but I don't think they can do much about
it, since there is (in tiny type, at least in the ad), a warning that
using the spray on U.S. Mail is against the law.

Doug Claar
HP Computer Systems Division
UUCP: mcvax!decvax!hplabs!hpda!dclaar -or- ucbvax!hpda!dclaar
ARPA: dclaar%hpda@hplabs.HP.COM
-----------[000007][next][prev][last][first]----------------------------------------------------
From:      "MOG::REX"@isdmnl.menlo.usgs.gov   (Rex Sanders)  6-JUN-1989 23:54:59
To:        security@pyrite.rutgers.edu
On our 4.3 BSD Unix system, we have three people that need
root permissions.  We used to all know the root password.
Then, a security directive came around: one account, only one
person knows the password.

We set up three accounts, with names other than "root", and
uid 0, gid 1.  Each account has its own password, and I
changed the "root" password to something I've already forgotten.
We put hooks in /.login and /.cshrc to source files of our own.
This scheme has worked fine for several years now.

To help other users identify "root" users when logged in, we
named the other accounts with root vegetable names - mine is
"radish".

-- Rex
   rex@isdmnl.menlo.usgs.gov
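With several uid-0 logins on one machine, the thing worth checking periodically is exactly which accounts are uid 0 and whether any of them can be used without a password. The script below is an added example, not part of the post above: it reads a passwd(5)-format file (name:password:uid:gid:gecos:home:shell, as on 4.3 BSD) and prints every uid-0 login, then flags any uid-0 entry whose password field is empty. The sample file is constructed for the example; the login names, hashes and the "*" used to lock "root" are assumptions, not taken from the poster's system.

```sh
#!/bin/sh
# Added example (not from the original post): audit the uid-0 accounts in
# a passwd(5)-format file.  Under the scheme described above, every
# administrator has a personal uid-0 login, so the audit lists every uid-0
# entry and flags any whose password field is empty (no password is then
# required to become root).

# uid0_accounts FILE: print the login name of every entry whose uid is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# empty_password_uid0 FILE: print uid-0 entries with an empty password
# field.  Such an account gives root with no password at all.
empty_password_uid0() {
    awk -F: '$3 == 0 && $2 == "" { print $1 }' "$1"
}

# Constructed sample passwd file: the names, hashes and the "*" locking
# "root" are made up for this example, not copied from any real system.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:1:Operator:/:/bin/csh
daemon:*:1:1:The devil himself:/:/bin/sh
radish:ab3Kq7xP9mZcE:0:1:First admin:/:/bin/csh
turnip:cd9LmP2qRs4Tu:0:1:Second admin:/:/bin/csh
parsnip::0:1:Third admin:/:/bin/csh
guest:ef5NpQ8rTv1Wx:100:20:Guest:/usr/guest:/bin/sh
EOF

echo "uid-0 accounts:"
uid0_accounts "$SAMPLE_PASSWD"
echo "uid-0 accounts with an empty password field:"
empty_password_uid0 "$SAMPLE_PASSWD"
```

Run it against /etc/passwd instead of the sample file to audit a real system; an unexpected name in the first list, or anything at all in the second, is worth investigating.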
-----------[000008][next][prev][last][first]----------------------------------------------------
From:      deh@eng.umd.edu  7-JUN-1989  0:31:42
To:        AI.CLIVE@mcc.com
Cc:        security@pyrite.rutgers.edu
there are envelopes that close with a holographic foil that is 
then embossed. The image is somewhat unique in that it has a 
serial number on(in?) it, visible. Since they are serial numbered, 
you can't just replace it, and they seem to be very fragile in
that you cannot peel them off without a lot of visible and 
obvious damage. Of course, they are most likely VERY expansive,
(yow! I think I meant expensive!) since I only know of one place
that uses them at all, and only then for very sensitive things, 
and they DON'T like it when people take them home for their
kids to play with ! 
Doug
-----------[000009][next][prev][last][first]----------------------------------------------------
Date:      5 Jun 89 18:38:24 GMT
From:      lekash@ORVILLE.NAS.NASA.GOV (John Lekashman)
To:        misc.security
Subject:   System Security


     UNICOS, at least as I saw it two years ago, had no
     pretense at security.

Things are getting better.  They now very quickly get bug repairs
in, at least in the networking area.  In fact, CRI is the
fastest vendor we have at applying and releasing discovered security
bug repairs.  (Except vaxes running BSD, but thats a special case.)
So, if you find something, tell them.  If its real,
and gets back to Minnesota, it gets fixed.

						john

-----------[000010][next][prev][last][first]----------------------------------------------------
Date:      5 Jun 89 21:20:32 GMT
From:      faigin@AEROSPACE.AERO.ORG
To:        misc.security
Subject:   Looking for Conferences or Seminars on Security

Someone in our company asked me for information on conferences or 
seminars that might provide somebody with background on DoD regulations
and requirements for computer security, including regulations about
TEMPEST. As I am more involved with multi-level computer security
(as opposed to the DoD side of things), I thought I might toss out the
request. Does anyone know of conferences or seminars which might fit the 
bill?

Daniel
Work :The Aerospace Corp M8/055 * POB 92957 * LA, CA 90009-2957 * 213/336-3149
Home :8333 Columbus Avenue #17  * Sepulveda CA 91343            * 818/892-8555
Email:faigin@aerospace.aero.org (or) Faigin@dockmaster.ncsc.mil               
Voicemail: 213/336-5454 Box#3149 * "Take what you like, and leave the rest"   

-----------[000011][next][prev][last][first]----------------------------------------------------
Date:      6 Jun 89 11:52:19 GMT
From:      peter%ficc@UUNET.UU.NET (Peter da Silva)
To:        misc.security
Subject:   Re: GNU, security, and RMS

> No security on the computer is similar to allowing anyone to come into
> your office and look at anything they please, and also to allow them to
> change anything they please. I doubt if many people would like this.

I think you have this backwards. In no place I have worked has there been any
security protecting the contents of people's offices from such intrusion, at
least below management levels. In school, however, personal security is taken
much more seriously. Every TA and advisor has a lock on their door, lockers
for students are available in most buildings, etc...

Security in computer systems at the typical commercial/industry site is mainly
to (1) keep intruders out, and (2) keep people from accidentally damaging each
others files. And both of these are useful features.
-- 
Peter da Silva, Xenix Support, Ferranti International Controls Corporation.

Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180.
Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.

-----------[000012][next][prev][last][first]----------------------------------------------------
From:      "John Schlosser" <URSJ@MARISTC>  7-JUN-1989 22:32:29
To:        "Security List" <SECURITY@MARIST>
  From what I've seen, the "club" only blocks the steering wheel
from turning more than a few degrees any way because of the way the
club is attached.  This works great if a would-be thief has the
intention of driving away with your car, but what if he/she/it
just wants to strip it bare of anything that's in it?
  A large metal pole that's attached to the steering wheel isn't
going to do much good then, will it?

John P. Schlosser (URSJ@MARISTC)
Student Staff Programmer
Marist College Computer Center
.Nothing I say in any way reflects anyone's opinion other than my own.
.I am not affiliated with THE CLUB's makers, distributors, advertisers
 or anyone else.
-----------[000013][next][prev][last][first]----------------------------------------------------
From:      barnett@unclejack.crd.ge.com (Bruce Barnett)  7-JUN-1989 23:03:16
To:        security@pyrite.rutgers.edu
>On the other hand, picking a Medeco lock is again, significantly more
>difficult than other locks.

I was talking to someone selling home security units.
He laughed at a Medeco lock, saying someone invented a device that lets
you pick/defeat it in minutes.

Of course he wanted to sell me HIS security system.
-- 
Bruce G. Barnett	<barnett@crdgw1.ge.com>  a.k.a. <barnett@[192.35.44.4]>
			uunet!crdgw1.ge.com!barnett

[Moderator tack-on:  He was probably talking about the various Medeco
"mapping" devices, that were actually patented at one point.  I doubt if
these tools were ever marketed to locksmiths; they utilized some weaknesses
of the cylinder in really bizarre twisted ways, such as shoving a small wire
up the twist-limiting guide slot to feel where the top of the pin was.  You
would still have to cut a key based on what the tool told you.  You might
ask this fellow if he ever *saw* these tools being used...

_H*]
-----------[000014][next][prev][last][first]----------------------------------------------------
From:      hollombe@ttidca.tti.com (The Polymath)  8-JUN-1989  2:49:37
To:        misc-security@sdcsvax.ucsd.edu
} hi, have you heard of the latest lock for vehicles ... called the "Club".

Probably a little less secure than with the type of lock that runs from
the steering wheel to the brake or clutch pedal. (The "Club" just locks on
the steering wheel, making it difficult or impossible to turn completely
around).

I'd guess a large pair of bolt-cutters would get either one off in a few
seconds. (If they won't cut the lock, cut the steering wheel.  Car thieves
aren't known for finesse).

-- 
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Illegitimati Nil
Citicorp(+)TTI                                                 Carborundum
3100 Ocean Park Blvd.   (213) 452-9191, x2483
Santa Monica, CA  90405 {csun|philabs|psivax}!ttidca!hollombe
-----------[000015][next][prev][last][first]----------------------------------------------------
From:      Jeff Makey <Makey@logicon.arpa>  8-JUN-1989  3:22:18
To:        security@rutgers.edu
I carry an ordinary Boy Scout knife in my pocket the same as I carry
my wallet and keys.  When I fly, I usually just put the knife and
other metal objects I have into my briefcase to be x-rayed and I have
never had any problems.

About a month ago I went through airport security (in San Diego)
without anything to be put on the x-ray belt, so I just pulled the
knife out of my pocket and placed it on one of those little trays they
have for change and stuff.  As I walked through the metal detector the
guard picked up my knife and looked at it.  He opened the blade
part-way (perhaps to see if it was a switch-blade? or to check the
size of the blade?), closed it, and gave it back to me without
comment.

A similar thing happened about 9 years ago in Chicago, except the
guard told me, "just don't kill anybody."  Seriously!

It sounds as if the airline security folks are fairly sensible about
the types of things you can and can't take on an airline with you.  I
would be shocked if they tried to prevent me from taking on board my
mechanical pencil, which is a pointed metal object about the same
length as my open Boy Scout knife.

                        :: Jeff Makey
                           Makey@LOGICON.ARPA
-----------[000016][next][prev][last][first]----------------------------------------------------
Date:      6 Jun 89 19:50:38 GMT
From:      pyron@lvvax1.csc.ti.com (Who remembers 8USER.PAR?)
To:        misc.security
Subject:   DECUS Security SIG

Is there anyone on this list who took part in any of the sessions at the
Spring DECUS (Atlanta) on forming a Security SIG?  I haven't heard from
anyone since then, and my management wants to know where it is going.

Please reply directly to me.

Dillon Pyron                         | The opinions are mine, the facts 
TI/DSEG Lewisville Computer Services | probably belong to the company.
pyron@lvvax1.csc.ti.com              |
(214)462-5449                        | We try, we learn, sometimes we die.
                                     | We sit on our butts, learn nothing,
                                     | and we still die.

-----------[000017][next][prev][last][first]----------------------------------------------------
From:      lamaster@ames.arc.nasa.gov (Hugh LaMaster)  8-JUN-1989  3:35:18
To:        misc-security@ames.arc.nasa.gov
I have seen many postings on a variety of problems with so-called high
security standard-cylinder-type locks.  While no such lock is perfect,
it would seem that there might be a consensus that some particular
product line is the least likely to be easily picked or forced by garden-
variety burglars, and may even slow down an expert.  If there is such
a consensus on a company/product line, I would appreciate knowing what it is.

A sort of related question is:  I have seen locks with automatic "dead bolts"
 - meaning, locks in which opening the door with a key from the outside
(not in the handle) pulls back a full-sized spring loaded bolt, which closes
when the door is closed.  The obvious idea is to prevent "loiding" (I think
this is the term...), and also to provide more resistance to forcing than
the relatively narrow bars which are used on some locks for the same purpose.
Does anyone know the availability of these locks and whether they have any
advantage over the standard narrow bar type?  (I am no lock expert, in case
it isn't obvious :-)     ).  I assume that such a lock would have to be well
lubricated to allow the torque of a key to open a large bolt, but what other
disadvantages are there?

  Hugh LaMaster, m/s 233-9,  UUCP ames!lamaster
  NASA Ames Research Center  ARPA lamaster@ames.arc.nasa.gov
  Moffett Field, CA 94035     
  Phone:  (415)694-6117       

[Moderator toss-in:  The usual way manufacturers of spring-loaded latches
prevent carding, loiding, sliding, whatever you want to call it, is to provide
an extra latch piece that is pushed into the mortise edge when the door is
closed, and engages a catch that prevents the main latch from being pushed
in.  These are well-known to, um, not work in many installations.  The sure-
fire way to lock the door is a dead bolt or better, but you can't just slam
the door closed.  If you're a chronic loser of keys, this could be good!   _H*]
-----------[000018][next][prev][last][first]----------------------------------------------------
From:      Stephen Wadlow <sw0y+@andrew.cmu.edu>  8-JUN-1989 10:24:41
To:        biocca@bevb.bev.lbl.gov (Alan Biocca), misc-security@ucbvax.berkeley.edu
Rekeying is feasible depending on the availability of pins.  Many
cylinders use a fairly standard pin (.115 in diameter, frequently in
.003 or .005 increments).  Medeco and a few other companies (Best
comes to mind) use different size pins that aren't as easily
available.  Medeco also requires very specific types of pins if they
are addressing the sidebar, otherwise, other pins are useless.

What I would really like to see is more vendors going to the hex-nut
caps that medeco uses.  It would make re-keying much easier and
quicker.

			steve

======================================================================
Stephen G. Wadlow               Internet: stephen.wadlow@andrew.cmu.edu
				Bitnet:   wadlow@drycas
"Hey Man, A ship in harbor is safe, but that ain't what ships are for"
-----------[000019][next][prev][last][first]----------------------------------------------------
Date:      7 Jun 89 04:39:11 GMT
From:      svh@XAIT.XEROX.COM (Susan Hammond)
To:        misc.security
Subject:   Re: Security Digest

There are cheap low-tech ways to make an envelope really tamper-resistant--
or to make tampering obvious.  Easiest is to enclose the item in question in
aluminum foil before you put it into the envelope.  

Also, you can enclose the whole envelope in two clear sheets of contact
paper.  For a #10 envelope, cut two sheets about 4" by 10", peel the
backing off, place the envelope on one, cover with the other, and leaving
about 1/2 to 1" of contact paper around the edges of the envelope, trim the
contact paper edges to be even to make it difficult to get a grip on a single
sheet.  If someone tries to remove it it is pretty obvious.  Putting a
signature on the envelope (as suggested in an earlier posting?) helps you
detect an attempt to substitute a new envelope for the damaged one.

-- 
------------------------------------------------------------------
Susan Hammond/CCA
svh@XAIT.Xerox.COM
{decvax,linus,mirror}!xait!svh

-----------[000020][next][prev][last][first]----------------------------------------------------
From:      hal@gateway.mitre.org (Hal Feinstein)  8-JUN-1989 17:10:38
To:        -v@gateway.mitre.org, security@pyrite.rutgers.edu
Cc:        infsecur@smiley.mitre.org
I've just gotten the word that a substantially reworked version of
DES will soon become public.  The version eliminates the pipeline
structure of FIPS 46 and replaces much of the bit picking that slows
most computer implementations.  I haven't been told how much of a
speed up this will have over the FIPS 46 version of the algorithm.
The new version has eliminated some of the "rounds" structure
of the current algorithm and still computes the same DES process.  
Speculation is that it will make file and bulk based DES faster and 
less expensive and will provide a base for faster IC implementations. 
More as I find it out.
-----------[000021][next][prev][last][first]----------------------------------------------------
From:      "David D. Grisham" <DAVE@UNMB>  8-JUN-1989 17:20:53
To:        security@ubvm
   Has anyone had experience with fileserver security?  I am reviewing
our new fileserver proposed setups.  Novell SFT 2.15 and AppleShare
2.0 in a 50 station pod.  What safeguards are you all using?
Any hacker or virus problems?  General and specific information
would be appreciated.  Also, we are going to keep stats
on use (Saber on Novell).  What menu/usage tracking software are you using
and is it safe and effective?
  In return I can help with Mac specific viruses with policies and
tools.   On the DOS side we have been using notchless disks
in our remote pods- Novell looks like a potential problem- yes or no?
We have been running an Appleshare for a year
and have it up, running, and safe 99% of the time in a small lab.

  Dave Grisham, Senior Consultant/Virus Security  Phone (505) 277-8148
  Computer & Information Resources & Technology
  University of New Mexico                        USENET DAVE@UNMA.UNM.EDU
  Albuquerque, New Mexico  87131                  BITNET DAVE@UNMB
-----------[000022][next][prev][last][first]----------------------------------------------------
From:      viusys!rwb@daitc.mil (Rick Butland)  8-JUN-1989 22:11:48
To:        security@rutgers.edu
As the subject says, is anyone aware of a software package that will encrypt
files on DOS?  Actually, what's desired is the ability to compose a msg
on a PC, encrypt it, and mail it to another PC user, where both PC's are
attached to a Unix host.  Most likely, though, rather than mail, the messages
will just be uploaded/downloaded.

Thanks in advance,

Rick Butland (rwb@viusys)
-----------[000023][next][prev][last][first]----------------------------------------------------
From:      SIANI@nssdca.gsfc.nasa.gov  8-JUN-1989 22:28:01
To:        security@rutgers.edu
>Attorneys said yesterday they are negotiating a second plea
>bargain for computer hacker Kevin Mitnick

   Kevin Mitnick, the hacker "so dangerous that he can't even be allowed to use
a phone". "He could ruin your life with his keyboard". "Armed with a keyboard
and considered dangerous."

   These are some of the things that have been said about this person. All
of this media hype would be fine if it just sold news papers. But it has done
much more than just sell a few papers. It has influenced those that will
ultimately decide his fate. I myself don't know the man, but I have talked to
others that do. Including one of the persons that investigated Mitnick.  From
all I have heard about him, I think he is a slime ball!
But even a slime ball should not be railroaded into a prison sentence that
others of equal or greater guilt have avoided. 

I personally feel the man is just a criminal, like the guy that robs a 7/11,
no better but certainly not any worse. 
Unfortunately he is thought of as some kind of a "SUPER HACKER".
The head of LA Police Dept's Computer Crime Unit is quoted as saying
"Mitnick is several levels above what you would characterize as a computer
hacker".                                                           

   No disrespect intended, but a statement like this from the head of a
computer crime unit indicates his ignorance on the ability of hackers
and phone phreaks. Sure he did things like access and perhaps even altered 
Police Dept. criminal records, credit records at TRW Corp, and Pacific
Telephone, disconnecting phones of people he didn't like etc.
But what is not understood by most people outside of the hack/phreak world is
that these things are VERY EASY TO DO AND ARE DONE ALL THE TIME.
In the hack/phreak community such manipulation of computer and phone systems
is all too easy. I see nothing special about his ability to do this.
The only thing special about Kevin Mitnick is that he is not a "novice" hacker
like most of the thirteen year old kids that get busted for hacking/phreaking.
It has been a number of years since an "advanced" hacker has been arrested.
Not since the days of the Inner Circle gang have law enforcement authorities
had to deal with a hacker working at this level of ability. As a general
rule, advanced hackers do not get caught because of their activity but rather
it is almost always others that turn them in. 
It is therefore easy to understand why his abilities are perceived as being
extraordinary when in fact they are not. 

Because of all the media hype this case has received I'm afraid that: 

1.) He will not be treated fairly. He will be judged as a much greater threat
to society than others that have committed similar crimes.

2.) He will become some kind of folk hero. A Jesse James with a keyboard.
    This will only cause others to follow in his footsteps. 

I'm not defending him or the things he has done in any sense. All I'm saying
is let's be fair. Judge the man by the facts, not the headlines.

Disclaimer: The views expressed here are my own. 
                                                     

                                                     Kenneth Siani 
                                                     Sr. Security Specialist
                                                     Information Systems Div.
                                                     NYMA Inc.
                                                     Internet Mail:
                                                     siani@nssdca.gsfc.nasa.gov
-----------[000024][next][prev][last][first]----------------------------------------------------
Date:      7 Jun 89 21:35:00 GMT
From:      WMURRAY@dcm1wm.das.net
To:        misc.security
Subject:   Export of the DES

>Not long ago I got inside word that AT&T had asked for a determination
>of the export status of their UNIX crypt routines, the outcome of which
>was essentially that individual approval would have been readily obtained,
>but not blanket "warehouse" approval.  This seems pretty silly to me..
 
It is not silly if you believe yourself to be required by law to
keep track of every instance.
 
>From my own experience, it seems to me that DES per se is not excluded from
>export.  It just depends on how you use it.  
 
DES is not excluded from export.  However, it must be licensed.  It
is easy to get a license for DES in hardware.  It is easy to get a
license for a one-way implementation of DES in software.  It may be
possible to get a license to export a reversible version of the DES
in software provided that it is so embedded in an application that it
cannot be used to encrypt an arbitrary file or message.  It is
practically impossible to get a license to export a software
implementation of a general purpose and reversible version of DES (or
indeed any other algorithm for that matter.)
 
Such implementations have the potential for turning any mini or micro
into a crypto engine.  This might fill the ether with traffic that
cannot be readily recognized, raising the cost of signals
intelligence gathering.
 
>What makes DES written here so secret when the one written in Finland
>(acc. a recent posting) isn't??????
 
The issue is not secrecy; it is replicability.  Note that hardware
implementations cannot be easily copied or modified.  If you can keep
track of the incidents of hardware, but would have more difficulty in
keeping track of copies of software, then you might be interested in
discouraging software.  If the work factor for reading the DES was N,
but that of reading a variant is >N then one might be motivated to
discourage variants.
 
>We're locking the barn door -- with the horse inside -- but after the
>back wall fell down.
 
One does what one can do.  This is particularly true if one believes
oneself to be mandated by law to do so.
 
These observations are based upon many years of observing this issue.
While I have often discussed them in front of officers of the NSA,
they have never commented on them.  Neither have they ever attempted
in any way to influence me.  I suspect that the area is classified
and that they are unable to confirm or deny.
 
I am not now, have never been, and do not ever expect to be an agent
of the NSA.  While I am a guest on DOCKMASTER, this message
originates on MCI Mail.
 
____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-964-7348 (CELLULAR)
                                        ARPA: WHMurray@DOCKMASTER
Ernst & Whinney                         MCI-Mail: 315-8580
2000 National City Center               TELEX: 6503158580
Cleveland, Ohio 44114                   FAX: 203-966-8612
                                        Compu-Serve: 75126,1722
                                        INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D              DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840           PRODIGY: DXBM57A
--------------------------------------------------------------------

-----------[000025][next][prev][last][first]----------------------------------------------------
Date:      8 Jun 89 16:12:26 GMT
From:      strauss@AEROSPACE.AERO.ORG (Daryll Strauss)
To:        misc.security
Subject:   Re: High-Tech Knife

I carry my Swiss Army knife with me all the time, and my usual routine
is to hand it to the security guard on my way through the metal
detector. They usually don't bother to open it, but when they do, they
are checking that the blade is less than 3 and 1/2 inches long. I
believe that is the current FAA limit. The security people are
reasonable, and some of them even have a sense of humour! I got quite a
chuckle when I was returning from a trip to Mexico. I was 18 (and looked
younger), and I was carrying 2 liters of Tequila. The security guard
X-ray'd my bag and just laughed. It wasn't his job to stop minors from
drinking! 

The thing that is much more scary is when I was leaving Pittsburgh on
one trip and forgot to remove my knife and the metal detector did NOT go
off! That really made me worry.

-------------------------------------------------------------------------------
Daryll Strauss          			f	The Aerospace Corp.
strauss@aerospace.aero.org      		n	Mail Stop: M1-102
..!uunet!aero.org!strauss			o	P.O. Box 92957

-----------[000026][next][prev][last][first]----------------------------------------------------
From:      simsong@idr.cambridge.ma.us (Simson L. Garfinkel)  10-JUN-1989 22:29:59
To:        elbows@bloom-beacon.mit.edu, security@rutgers.edu
I am doing an article on ISDN for The Boston Globe.  The article would like
to write about all of the problems with ISDN, all of the advantages, what
people's experiences have been (both positive and negative), and where things
are going.

If anybody would like to give me a call or email, and flame, this is your
chance!!!

		Simson L. Garfinkel
		409 Washington Street
		Cambridge, MA 02139
		617-876-6111

		simsong@idr.cambridge.ma
-----------[000027][next][prev][last][first]----------------------------------------------------
From:      leichter@cs.yale.edu (Jerry Leichter (LEICHTER_JERRY@CS.YALE.EDU))  10-JUN-1989 22:55:17
To:        misc-security@uunet.uu.net
Try substituting "tanks" for "DES implementations".  There are many
manufacturers of tanks in the world; their products are not subject to US control.
Should the US therefore be willing to export tanks to anyone who wants them?

One can certainly criticise the export controls that now exist for being
poorly stated, or ineffective, or any of a variety of other things.  Certainly
the way they ARE stated can make them look very silly.  But it bothers me to
see a complete unwillingness to understand that there is a real, underlying
issue here.

Suppose the US manufactured military radios containing very strong encryption
technology.  Should we be willing to sell those to anyone who wanted them?

Suppose the basic technology for the radios was readily available, but the
encryption chips that made the radios used secret technology.  Should we sell
the encryption chips to anyone who asks?  If your answer to this question
is different from the previous one, can you explain why?

Now suppose the algorithms of the encryption chips were public knowledge, but
actually implementing them as chips with sufficient speed, reliability, low
power consumption, whatever, was very hard.  Does your answer change?

Lines are hard to draw.  But laws require them to be drawn.

							-- Jerry
-----------[000028][next][prev][last][first]----------------------------------------------------
From:      WMURRAY@dcm1wm.das.net  10-JUN-1989 23:08:04
To:        security@rutgers.edu
>Not long ago I got inside word that AT&T had asked for a determination
>of the export status of their UNIX crypt routines, the outcome of which
>was essentially that individual approval would have been readily obtained,
>but not blanket "warehouse" approval.  This seems pretty silly to me..
 
It is not silly if you believe yourself to be required by law to
keep track of every instance.
 
>From my own experience, it seems to me that DES per se is not excluded from
>export.  It just depends on how you use it.  
 
DES is not excluded from export.  However, it must be licensed.  It
is easy to get a license for DES in hardware.  It is easy to get a
license for a one-way implementation of DES in software.  It may be
possible to get a license to export a reversible version of the DES
in software provided that it is so embedded in an application that it
cannot be used to encrypt an arbitrary file or message.  It is
practically impossible to get a license to export a software
implementation of a general purpose and reversible version of DES (or
indeed any other algorithm for that matter.)
 
Such implementations have the potential for turning any mini or micro
into a crypto engine.  This might fill the ether with traffic that
cannot be readily recognized, raising the cost of signals
intelligence gathering.
 
>What makes DES written here so secret when the one written in Finland
>(acc. a recent posting) isn't??????
 
The issue is not secrecy; it is replicability.  Note that hardware
implementations cannot be easily copied or modified.  If you can keep
track of the incidents of hardware, but would have more difficulty in
keeping track of copies of software, then you might be interested in
discouraging software.  If the work factor for reading the DES was N,
but that of reading a variant is >N then one might be motivated to
discourage variants.
 
>We're locking the barn door -- with the horse inside -- but after the
>back wall fell down.
 
One does what one can do.  This is particularly true if one believes
oneself to be mandated by law to do so.
 
These observations are based upon many years of observing this issue.
While I have often discussed them in front of officers of the NSA,
they have never commented on them.  Neither have they ever attempted
in any way to influence me.  I suspect that the area is classified
and that they are unable to confirm or deny.
 
I am not now, have never been, and do not ever expect to be an agent
of the NSA.  While I am a guest on DOCKMASTER, this message
originates on MCI Mail.
 
____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-964-7348 (CELLULAR)
                                        ARPA: WHMurray@DOCKMASTER
Ernst & Whinney                         MCI-Mail: 315-8580
2000 National City Center               TELEX: 6503158580
Cleveland, Ohio 44114                   FAX: 203-966-8612
                                        Compu-Serve: 75126,1722
                                        INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D              DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840           PRODIGY: DXBM57A
--------------------------------------------------------------------
-----------[000029][next][prev][last][first]----------------------------------------------------
Date:      10 Jun 89 16:35:06 GMT
From:      ijk@cbnewsh.att.com (ihor.j.kinal)
To:        misc.security
Subject:   Re: car locks

Wandering thru the local car parts store, I came across a device to
make your steering wheel DETACHABLE!!!

REMOVE THE WHEEL WHEN YOU LEAVE - That should deter most thieves.

Cost - around $80.

If I owned a Ferrari, I might get one - but I'd check first
that it did not release TOO easily - might be a bit disconcerting
if you reach out to adjust the tilt, and instead wind up disconnecting!!!

Ihor Kinal
cbnewsh!ijk
[standard disclaimer applies]

-----------[000030][next][prev][last][first]----------------------------------------------------
From:      gwyn@brl.mil  12-JUN-1989  1:59:37
To:        security@rutgers.edu
>But what if the new version of crypt is not public ... ?

One of the first rules of cryptography is to assume that the "opposition"
knows all about the general system and is deprived only of the specific
keys used for encryption.  Experience has shown this to be a good
approximation to reality.
-----------[000031][next][prev][last][first]----------------------------------------------------
From:      Fred Blonder <fred@dtix.arpa>  12-JUN-1989  2:24:12
To:        cme@cloud9.stratus.com (Carl Ellison)
Cc:        linus!misc-security@ursa-major.spdcc.com
	You don't have to erase old encrypted passwords when
	you change algorithms -- just be prepared to accept
	either, for a while --
	
Or just silently store the new encryption. In fact, changing the
encryption algorithm on a regular basis, combined with accepting
either the current or previous encryptions, would be one way of
implementing password aging, assuming you really want to do that.
----
					Fred Blonder <fred@dtix.arpa>
					David Taylor Research Center
					(202) 227-1428
-----------[000032][next][prev][last][first]----------------------------------------------------
From:      gregm@csd4.milw.wisc.edu (Greg Mumm)  12-JUN-1989  2:35:07
To:        misc-security@uunet.uu.net
I have noticed that reporters and local security officials have
the ability to trace auto license plates. Does anyone know how this
is done? Seems unlikely that they call up the local police department and
ask because anyone could do that! What is the probability that a common
citizen could find out the address of the person who cuts us off on the
freeway via his license number and then proceed to visit him (or her) in
person? :-) Any suggestions?

Internet: gregm@csd4.milw.wisc.edu / arpa!gregm@csd4.milw.wisc.edu  
Uucp: uwvax!uwmcsd1!uwmcsd4!gregm    Csnet: gregm%uwmcsd4@uwm  Greg Mumm 
-----------[000033][next][prev][last][first]----------------------------------------------------
Date:      11 Jun 89 05:22:33 GMT
From:      gwyn@BRL.ARPA (Doug Gwyn)
To:        misc.security
Subject:   Re: DES export laws

>Try substituting "tanks" for "DES implementations".

There is a fundamental difference.  Tanks can obviously be used to
assault you, to violate rights of individuals on a large scale.
Effective encryption technology could be used to prevent your
eavesdropping, to protect the rights of persons communicating.
I see no way to claim that NSA or anyone else has a "right" to
be able to snoop on other people's conversations.  I don't dispute
that such snooping can produce useful information, but it is not
information to which we are in principle entitled.

As much as I love cryptanalysis, I would welcome a world in which
people can be sure their communications are secure against snoops.

-----------[000034][next][prev][last][first]----------------------------------------------------
From:      Mr. Stanley Cup <gretzky@unison.larc.nasa.gov>  12-JUN-1989 22:03:04
To:        @uxv.larc.nasa.gov:security@pyrite.rutgers.edu
> You don't have to erase old encrypted passwords when you change
> algorithms -- just be prepared to accept either, for a while --

How about having both algorithms available for a "real short" time and do
this with them:

	if (strcmp(new_crypt(reply ,salt),pass) == 0) {
		/* all is ok, let 'em in */
	}
	else if (strcmp(crypt(reply, salt), pass) == 0) {
		new_version_pass = new_crypt(reply,salt);
		/* update the passwd file */
		/* let 'em in */
	}
	else {
		/* password was no good, do whatever */
	}

After all of your users have logged in at least once, you then have all of
their passwords converted to the new algorithm without ever knowing what
their password is/was and the user will not know that anything was done
to the encryption algorithm for logging in.

			-=>gretzky<=-
.mitch
-----------[000035][next][prev][last][first]----------------------------------------------------
From:      zeleznik@cs.utah.edu (Mike Zeleznik)  12-JUN-1989 22:17:54
To:        security@pyrite.rutgers.edu
Assuming you could keep the binary secure, isn't there always the old
argument that you should not base the security of a crypto system on the
secrecy of the algorithm, in general?

"GOOD" ciphers are hard to design; the average person doesn't just come
up with a new one overnight.  Once you figure yours has sufficiently
leaked out, you'll have to design another one; EACH time.  

The NSA seems willing to do this (with the new crypto systems), but
I would think the algorithm secrecy exists more as an added nuisance
than a requirement.  They must figure it can't stay secret for very
long.

What about sticking with the current crypt, but just change the
constant.  Now you only have to keep a single number secret, and you can
afford to change it very often.

Further, using the scheme mentioned earlier, the login could recognize
both the old and new crypt constant.  Couldn't it then simply generate
the new crypt'd password when it needs to (or is this too dangerous?)?

Mike

  Michael Zeleznik              Computer Science Dept.
                                University of Utah
  zeleznik@cs.utah.edu          Salt Lake City, UT  84112
                                (801) 581-5617
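A worked version of the login-time migration described in the two posts above, added here as an example and not code from either poster: it covers gretzky's "try the new algorithm, fall back to the old one, re-store on success" flow and Zeleznik's suggestion of changing a single secret constant, by tagging each record with its scheme so only one hash is computed per attempt. All scheme parameters, the PEPPER_V3 constant and the sample users are constructed for this example.

```python
import hashlib
import hmac
import os

# Hash "versions". v1 stands in for the old crypt(), v2 for new_crypt();
# v3 keys the result with a site-secret constant (Zeleznik's "change the
# constant" idea). All parameters and the pepper are constructed examples.
PEPPER_V3 = b"constructed-site-secret-rotate-me"


def _pbkdf2(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def hash_v1(password: str, salt: bytes) -> bytes:
    return _pbkdf2(password, salt, 1_000)          # legacy: low work factor


def hash_v2(password: str, salt: bytes) -> bytes:
    return _pbkdf2(password, salt, 100_000)        # higher work factor


def hash_v3(password: str, salt: bytes) -> bytes:
    # Same work factor as v2, but keyed with a secret that lives outside the
    # password file; rotating the secret simply becomes the next version.
    return hmac.new(PEPPER_V3, _pbkdf2(password, salt, 100_000), "sha256").digest()


# Schemes still accepted at login. To retire one "after a while", delete it
# here; unconverted() lists who would then need a forced password reset.
SCHEMES = {"v1": hash_v1, "v2": hash_v2, "v3": hash_v3}
CURRENT = "v3"


def new_record(password: str, scheme: str = CURRENT) -> dict:
    """Build a password-file record under the given scheme with a fresh salt."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": SCHEMES[scheme](password, salt)}


def login(db: dict, user: str, reply: str) -> bool:
    """Return True if reply is user's password.

    A record stored under an older scheme is verified with that scheme and,
    on success, silently re-stored under CURRENT, so the user never learns
    that the algorithm changed.
    """
    rec = db.get(user)
    if rec is None:
        # Burn comparable work so unknown users are not faster to reject.
        SCHEMES[CURRENT](reply, bytes(16))
        return False
    scheme = SCHEMES.get(rec["scheme"])
    if scheme is None:
        return False                               # retired scheme: reset needed
    candidate = scheme(reply, rec["salt"])
    if not hmac.compare_digest(candidate, rec["hash"]):
        return False
    if rec["scheme"] != CURRENT:
        db[user] = new_record(reply, CURRENT)      # upgrade with a fresh salt
    return True


def unconverted(db: dict) -> list:
    """Users whose records are not yet under CURRENT (still awaiting a login)."""
    return sorted(u for u, r in db.items() if r["scheme"] != CURRENT)


if __name__ == "__main__":
    users = {"alice": new_record("correct horse", "v1"),
             "bob": new_record("hunter2", "v1")}
    print(login(users, "alice", "correct horse"), users["alice"]["scheme"])
    print(unconverted(users))
```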
-----------[000036][next][prev][last][first]----------------------------------------------------
Date:      12 Jun 89 03:04:07 GMT
From:      G.D.Shaw@DURHAM.AC.UK
To:        misc.security
Subject:   Re: DES Export Laws

> Try substituting "tanks" for "DES implementations".

    This is not a valid analogy.  Once you have one copy of a DES algorithm,
then it is easy to create as many as you like; the same is not true of
military hardware.  Therefore, even if your enemy has a given number of
tanks, or of guns or whatever, it is still in your interest not to give him
any more.  With software, he only needs to buy or steal one, so if you are
going to try to prevent the DES falling into the 'wrong hands', that
security must be complete:

1.  If the software is on open sale in the US, then you may as well sell
it in Moscow too - at least that way, they might pay for it instead of
buying one copy in the US and pirating the rest.  There is certainly no
point in banning it from NATO or neutral countries.

2.  If you really want to stop the Russians getting hold of it, then you
need strict regulations in the US as well - but if this was effective you
would probably have had to prevent any commercial use of the product and
restrict it to government agencies only.

3.  Even if you did this, it would only be a matter of time before any
hostile government was able to steal a copy; indeed, I would be surprised
if the Russians are not capable of writing their own DES code.

    Fast DES chips are a very different matter: though it can undoubtedly
be done, copying chips is not a trivial undertaking.  The issues at stake
are therefore essentially identical to those governing the sale of CPUs
or complete computers.  Software and hardware pose very different problems,
and just because they both relate to the DES they should not be confused.

+----------------------------------------------------------------+
| Graham Shaw, Collingwood College, South Road, Durham, ENGLAND  |
| JANET       : G.D.Shaw @ UK.AC.DUR.MTS                         |
| Internet    : G.D.Shaw%MTS.DUR.AC.UK@cunyvm.cuny.edu           |
| EARN/BITNET : G.D.Shaw%MTS.DUR.AC.UK@UKACRL                    |
 +----------------------------------------------------------------+
| "I always said there was something fundamentally wrong with    |
|  the Universe" - Arthur Dent                                   |
+----------------------------------------------------------------+

-----------[000037][next][prev][last][first]----------------------------------------------------
From:      John Lekashman <lekash@orville.nas.nasa.gov>  14-JUN-1989  0:06:44
To:        ron@ron.rutgers.edu
Cc:        misc-security@rutgers.edu
     UNICOS, at least as I saw it two years ago, had no
     pretense at security.

Things are getting better.  They now very quickly get bug repairs
in, at least in the networking area.  In fact, CRI is the
fastest vendor we have at applying and releasing discovered security
bug repairs.  (Except vaxes running BSD, but that's a special case.)
So, if you find something, tell them.  If it's real,
and gets back to Minnesota, it gets fixed.

						john
-----------[000038][next][prev][last][first]----------------------------------------------------
From:      _David C. Kovar <daedalus!corwin@talcott.harvard.edu>  14-JUN-1989  0:34:23
To:        security@rutgers.edu
>You might check out Bob Baldwin's stuff (MIT) for rule-based analysis of
>UNIX system security.  He had a paper in CompCon Spring 87.

  This sounds like a program called 'kuang' that I've been looking for,
on and off, since a network security conference in Boston a few months
back. If anyone knows where one can acquire a copy of it I would be most
appreciative.

-David C. Kovar
	Technical Consultant			ARPA: kovar@husc4.harvard.edu
	Office of Information Technology	BITNET: corwin@harvarda.bitnet
	Harvard University			MacNET: DKovar
						Ma Bell: 617-495-5947

"It is easier to get forgiveness than permission."
-----------[000039][next][prev][last][first]----------------------------------------------------
From:      svh@xait.xerox.com (Susan Hammond)  14-JUN-1989  0:44:18
To:        misc-security@linus.mitre.org
There are cheap low-tech ways to make an envelope really tamper-resistant--
or to make tampering obvious.  Easiest is to enclose the item in question in
aluminum foil before you put it into the envelope.  

Also, you can enclose the whole envelope in two clear sheets of contact
paper.  For a #10 envelope, cut two sheets about 4" by 10", peel the
backing off, place the envelope on one, cover with the other, and leaving
about 1/2 to 1" of contact paper around the edges of the envelope, trim the
contact paper edges to be even to make it difficult to get a grip on a single
sheet.  If someone tries to remove it it is pretty obvious.  Putting a
signature on the envelope (as suggested in an earlier posting?) helps you
detect an attempt to substitute a new envelope for the damaged one.

-- 
------------------------------------------------------------------
Susan Hammond/CCA
svh@XAIT.Xerox.COM
{decvax,linus,mirror}!xait!svh
-----------[000040][next][prev][last][first]----------------------------------------------------
Date:      12 Jun 89 17:23:25 GMT
From:      cep@APPLE.COM (Christopher Pettus)
To:        misc.security
Subject:   Re: Tracing license numbers

In California, at least, automobile registration records are public 
information.  You just go down to the local DMV, fill out a form (stating 
why you want the information), pay an exceptionally nominal fee that 
depends on how much information you gave them to do the search, and they 
send you the registration information.  They also let the registered owner 
know that you did the request, however; I suppose one could use an assumed 
name (which, I'm quite sure, would be illegal).

-- Christopher Pettus                   | "Ganesha Said: 'Done!  The very 
   Network Systems Development          | day I was born I made my first
   Apple Computer, Inc.                 | mistake, and by that path have
   cep@apple.com   {nsc, sun}!apple!cep | I sought wisdom ever since.'"
   AppleLink: PETTUS.C                  | - The Mahabharata
   (408) 974-0004                       |   I: A Mine of Jewels and Gems

-----------[000041][next][prev][last][first]----------------------------------------------------
From:      mrc@tomobiki_cho.cac.washington.edu (Mark Crispin)  14-JUN-1989  7:14:31
To:        misc-security@ames.arc.nasa.gov
Auto registration and driver's license information is public information,
available to anyone.  All you have to do is go to the local licensing
agency for your state, plunk down a few dollars, and you'll receive a
printout.

A few states, such as California, will make you give some reason for
asking for the information, and will notify that person that so-and-so
looked up your record.  However, they don't verify the reason or
so-and-so's address, etc.

Mark Crispin / 6158 Lariat Loop NE / Bainbridge Island, WA 98110-2020
mrc@CAC.Washington.EDU / MRC@WSMR-SIMTEL20.Army.Mil / (206) 842-2385

[Moderator tack-on:  Thanks also to the *numerous* others who have so
far responded with nearly identical information...    _H*]
-----------[000043][next][prev][last][first]----------------------------------------------------
Date:      13 Jun 89 19:35:58 GMT
From:      hollombe@ttidca.tti.com (The Polymath)
To:        misc.security
Subject:   Re: Kevin Mitnick

}I personally feel the man is just a criminal, like the guy that robs a 7/11,
}no better but certainly not any worse. 

A number of people have been killed in 7/11 robberies.  How bad is that?

}... Sure he did things like access and perhaps even altered
}Police Dept. criminal records, credit records at TRW Corp, and Pacific
}Telephone, disconnecting phones of people he didn't like etc.
}But what is not understood by most people outside of the hack/phreak world is
}that these things are VERY EASY TO DO AND ARE DONE ALL THE TIME.

Therefore Mitnick's guilt is less?  More appropriately, we should throw the
book at him and go after similar criminals/sociopaths just as aggressively.

}1.) He will not be treated fairly. He will be judged as a much greater threat
}to society than others that have committed similar crimes.

That's his lawyer's problem.

}2.) He will become some kind of folk hero. A Jesse James with a keyboard.

Not if he's found guilty and harshly sentenced.  There's little glory in
20 years behind bars with no access to his favorite toys.

}I'm not defending him or the things he has done in any sense. All I'm saying
}is lets be fair. Judge the man by the facts, not the headlines.

Let's trust the jury to do just that.  Despite the image of a chaotic
court system, created by the same media hype of a few odd cases, juries,
by and large, have been shown to be fairly efficient at fact finding and
interpretation and ignoring media bull.

BTW, my impression from the news media is that Mitnick isn't a super
hacker, or even much of a hacker, at all.  He's more a classic, textbook
sociopath.  Most of the times he gained access to systems he did so not
with computer expertise, but by conning the owners into giving him the
needed passwords.  That ability to inspire trust, combined with the
conscienceless willingness to abuse it, is a classic symptom of
sociopathy.  It has nothing to do with computer expertise.

If he didn't know anything about computers Mitnick would probably be an
embezzler or a used car salescritter.  I suspect society will be much
better off with him isolated and neutralized (and that should keep me
off the jury, at least).

-- 
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Illegitimati Nil
Citicorp(+)TTI                                                 Carborundum
3100 Ocean Park Blvd.   (213) 452-9191, x2483
Santa Monica, CA  90405 {csun|philabs|psivax}!ttidca!hollombe

-----------[000044][next][prev][last][first]----------------------------------------------------
Date:      14 Jun 89 20:28:57 GMT
From:      kiravuo@KAMPI.HUT.FI (Timo Kiravuo)
To:        misc.security
Subject:   Re: Consensus on locks?

>A sort of related question is:  I have seen locks with automatic "dead bolts"
> - meaning, locks in which opening the door with a key from the outside
>(not in the handle) pulls back a full-sized spring loaded bolt, which closes
>when the door is closed.

I'm not sure I understood this right, but in Finland we have
ABLOY locks with a keyhole on the outside and a small flat knob
(not the round American type) on the outside. Towards the frame
there is a small triangular piece that is pressed in by the frame
and a larger (1 x 3 x 1,5 cm) rectangular piece that locks the
door. You open the door from outside by twisting the key 180
degrees and pulling and lock it by pushing the door closed. 

When the larger piece is out, you can pull it back in by twisting
the knob or the key, but not by pushing it. 

There are some variations of the theme, but basically you can not
open a lock of this type in the traditional "movie style", with a
credit card or something like that.

In Finland ABLOY has a major share of the lock market, and they
are considered to be most secure. They are not completely secure,
apparently somebody has found a way to open one. There was
something about it in the papers some time ago.

In the door of my apartment I have two locks.  For normal use I
have an ABLOY so that I can just push the door shut when I leave.
When I am away for a longer time I use a German Zeiss Icon
security lock that has to be shut with a key.  This is a rather
common practice in Finland.

One thing that I have always wondered about in the States is the
practice of having _round_ knobs on doors. If the lock is tight,
they are really awful to turn. In Finland we usually have decent
handles, that you can turn. Much easier.

--
Timo  Kiravuo
Helsinki University of Technology, Computing Center
kiravuo@hut.fi   kiravuo@fingate.bitnet   sorvi::kiravuo
work: 90-451 4328   home: 90-676 076

-----------[000045][next][prev][last][first]----------------------------------------------------
From:      ddefend@mcdurb.Urbana.Gould.COM  20-JUN-1989  9:38:44
To:        misc-security@uxc.cso.uiuc.edu
I'm looking for a modem which is capable of dial-back and is advertised
as being somewhat secure.  I would appreciate hearing from anyone who
has experience with any modem of this type.

-----
Dan Defend
Motorola Microcomputer Division
ARPA: ddefend@urbana.mcd.mot.com
UUCP: uunet!uiucdcs!mcdurb!ddefend
-----------[000046][next][prev][last][first]----------------------------------------------------
From:      spaf@cs.purdue.edu (Gene Spafford)  20-JUN-1989 10:04:24
To:        misc-security@gatech.edu
For purposes of checking for weak passwords, I'd like to obtain a
list of common names (Al, Fred, George... Alice, Kathy, Susan...)
Does anybody have such a list online they'd be willing to share with
me?

Please e-mail -- don't post.

Thanks in advance!
-- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf
-----------[000047][next][prev][last][first]----------------------------------------------------
From:      faigin@aerospace.aero.org  20-JUN-1989 10:13:58
To:        security@rutgers.edu
Someone in our company asked me for information on conferences or 
seminars that might provide somebody with background on DoD regulations
and requirements for computer security, including regulations about
TEMPEST. As I am more involved with multi-level computer security
(as opposed to the DoD side of things), I thought I might toss out the
request. Does anyone know of conferences or seminars which might fit the 
bill?

Daniel
Work :The Aerospace Corp M8/055 * POB 92957 * LA, CA 90009-2957 * 213/336-3149
Home :8333 Columbus Avenue #17  * Sepulveda CA 91343            * 818/892-8555
Email:faigin@aerospace.aero.org (or) Faigin@dockmaster.ncsc.mil               
Voicemail: 213/336-5454 Box#3149 * "Take what you like, and leave the rest"   
-----------[000048][next][prev][last][first]----------------------------------------------------
From:      Reality is not an Industry Standard <PETERSON@LIUVAX>  20-JUN-1989 20:36:03
To:        security@marist
A site I worked at used tyvek (tm?) envelopes and sealed them with a few
drops of an epoxy.  It was very difficult to spray them with
"see-through" stuff (I prefer DEC tape unit cleaning fluid) and the epoxy
drops ripped off fibers if they were forced.

I prefer to leave the pager or phone number of two people who know
system access passwords since a problem and security breach are known
in real-time.  Unfortunately this is not always possible.

J. Peterson/Sys Eng
LIU/South
PETERSON@LIUVAX.BITNET
-----------[000049][next][prev][last][first]----------------------------------------------------
From:      peter%ficc@uunet.uu.net (Peter da Silva)  20-JUN-1989 20:49:25
To:        misc-security@uunet.uu.net
> No security on the computer is similar to allowing anyone to come into
> your office and look at anything they please, and also to allow them to
> change anything they please. I doubt if many people would like this.

I think you have this backwards. In no place I have worked has there been any
security protecting the contents of people's offices from such intrusion, at
least below management levels. In school, however, personal security is taken
much more seriously. Every TA and advisor has a lock on their door, lockers
for students are available in most buildings, etc...

Security in computer systems at the typical commercial/industry site is mainly
to (1) keep intruders out, and (2) keep people from accidentally damaging each
others files. And both of these are useful features.
-- 
Peter da Silva, Xenix Support, Ferranti International Controls Corporation.

Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180.
Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
-----------[000050][next][prev][last][first]----------------------------------------------------
From:      guy@ksr.com  21-JUN-1989  0:06:29
To:        security@rutgers.edu
Well, I once had a pair of scissors confiscated by airline security
before they would let me board a low-risk, Memphis-to-Boston flight.
It sounds like you just happened to encounter a fairly sensible airline
security character; they're not all like that.

					-- Guy Hillyer
					ksr!guy@harvard.harvard.edu
-----------[000051][next][prev][last][first]----------------------------------------------------
Date:      19 Jun 89 16:27:58 GMT
From:      TS0404@OHSTVMA.Berkeley.EDU (Pat Ratz)
To:        misc.security
Subject:   MIS Training Inst. Conference

I'm new to this list.

Has anyone attended MIS Training Institute's conference on Control, Audit,
and Security of IBM Systems?  I sent for some info on it and I'd like to
know if it would be worth attending.  Also any comparison info relative to
Computer Security Institute's conference.  We are in the midst of installing
Top Secret on our MVS system on an IBM 3081D.  We have lots of other hardware
and software here at OSU including VM, DEC, UNIX.  It's all networked together
using TCP/IP.

I would also be interested in hearing from any other university people who
are using Top Secret.

-----------[000052][next][prev][last][first]----------------------------------------------------
From:      rjg@sialis.mn.org (Robert J. Granvin)  21-JUN-1989  0:34:47
To:        misc-security@uunet.uu.net
>We set up three accounts, with names other than "root", and
>uid 0, gid 1.  Each account has its own password, and I
>changed the "root" password to something I've already forgotten.

However, you have effectively quadrupled your chances for an
unauthorized entry, assuming that someone out there knows the 
other names of the "root users".

> mine is "radish".

At this point, you've already given one away.  Now the world knows
that the account "radish" is a root account.  One can also assume that
"root" still exists.  Knowing that "root vegetables" were used to name
the other accounts, guesses can be made as to the other account
names.  Even if they weren't root accounts, it's still a basis to
start from...

While it may have improved internal security a bit (though I can't
actually see how), you've statistically increased your opportunities
for a damaging forced entry.  Four accounts with four passwords
doesn't really do anything to improve your security.  Without knowing
anything about your internal specifics, I'd personally say you've
damaged it...

-- 
________Robert J. Granvin________   INTERNET: rjg@sialis.mn.org
____National Computer Systems____   CONFUSED: rjg%sialis.mn.org@shamash.cdc.com
__National Information Services__       UUCP: ...uunet!rosevax!sialis!rjg
                 "Exxon: Our gasoline contains no sea water"
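The exposure described in the reply above is easy to audit mechanically: every uid 0 entry in the password file is a root login, whatever its name. The checker below is an added example, not code from the poster; the password-file lines it reads are constructed for the example (the names are the vegetable theme the reply guesses at, and the password fields are placeholders).

```python
# Constructed /etc/passwd sample: three extra uid-0 logins besides root,
# plus an account with an empty password field. Not a real system's file.
SAMPLE_PASSWD = """\
root:PLACEHOLDER:0:1:Superuser:/:/bin/sh
radish:PLACEHOLDER:0:1:Root login 1:/:/bin/sh
turnip:PLACEHOLDER:0:1:Root login 2:/:/bin/sh
carrot:PLACEHOLDER:0:1:Root login 3:/:/bin/sh
rjg:PLACEHOLDER:104:20:Robert J. Granvin:/u/rjg:/bin/csh
guest::200:20:Guest account:/tmp:/bin/sh
"""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> list:
    """Parse passwd-format lines into dicts; uid and gid become ints."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entry = dict(zip(FIELDS, fields))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def uid0_accounts(entries: list) -> list:
    """Every login that resolves to the superuser, in file order."""
    return [e["name"] for e in entries if e["uid"] == 0]


def audit(entries: list) -> list:
    """Return human-readable findings about extra root logins and weak entries."""
    findings = []
    superusers = uid0_accounts(entries)
    for name in superusers:
        if name != "root":
            findings.append(f"{name}: uid 0 under a non-root name (extra root login)")
    if len(superusers) > 1:
        findings.append(f"{len(superusers)} uid-0 accounts: {', '.join(superusers)}")
    for e in entries:
        if e["pw"] == "":
            findings.append(f"{e['name']}: empty password field")
    seen = set()
    for e in entries:
        if e["name"] in seen:
            findings.append(f"{e['name']}: duplicate login name")
        seen.add(e["name"])
    return findings


if __name__ == "__main__":
    for finding in audit(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```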
-----------[000053][next][prev][last][first]----------------------------------------------------
Date:      20 Jun 89 14:35:00 GMT
From:      ELTRUT@MSSTATE.BITNET (Michael K. Blackstock)
To:        misc.security
Subject:   Re: auto-call-back modems

Here is an ad taken from "computer shopper" Mar. 89.

"FINAL CLOSEOUT/PRICE SLASHED!

Lockheed-Getex modems now priced below our cost!
..300/1200-baud
..Choice of security levels including selective and nonselective
callback
..Non-hayes compatible and any computer...that has industry
standard RS-232C port " can use it
"... NOW $29 + $4 S/H

Item #  H-4206-7344-195

COMB
1-800-328-0609

I have got two of them.  I am using one of them right now, with a
Lear Siegler Terminal.   The other one is for my PC.

BITNET:  ELTRUT@MSSTATE              -Michael

-----------[000054][next][prev][last][first]----------------------------------------------------
From:      strauss@aerospace.aero.org (Daryll Strauss)  22-JUN-1989  1:39:24
To:        misc-security@rutgers.edu
I carry my Swiss Army knife with me all the time, and my usual routine
is to hand it to the security guard on my way through the metal
detector. They usually don't bother to open it, but when they do, they
are checking that the blade is less than 3 and 1/2 inches long. I
believe that is the current FAA limit. The security people are
reasonable, and some of them even have a sense of humour! I got quite a
chuckle when I was returning from a trip to Mexico. I was 18 (and looked
younger), and I was carrying 2 liters of Tequila. The security guard
X-ray'd my bag and just laughed. It wasn't his job to stop minors from
drinking! 

The thing that is much more scary is when I was leaving Pittsburgh on
one trip and forgot to remove my knife and the metal detector did NOT go
off! That really made me worry.

-------------------------------------------------------------------------------
Daryll Strauss          			f	The Aerospace Corp.
strauss@aerospace.aero.org      		n	Mail Stop: M1-102
..!uunet!aero.org!strauss			o	P.O. Box 92957
-----------[000055][next][prev][last][first]----------------------------------------------------
From:      deh@eng.umd.edu  22-JUN-1989  2:14:47
To:        Makey@logicon.arpa
Cc:        security@pyrite.rutgers.edu
The airline security people are in general pretty reasonable, once they
understand what something is, and can make a judgement on letting it
through or not.  A lot of people flame them for asking a lot of 
questions about things that are strange to them, but they are just 
trying to understand what the item is and how it fits into their 
mission.  I used to lug a TI Silent 725 around airports a lot, in the 
US and internationally, and most of them needed to see the insides 
of it, since the X-rays did nothing to help my case (the damned things
look so much like a bomb when you X-ray them it is not funny). From the
viewpoint of the security people this thing was:

  1. a large container with lights and switches that could hold enough 
     explosives to blow the whole airport up.

[after x-ray]
  2. a large container with lights and switches that contains battery 
     looking things, wires, explosive looking things, more wires, etc.

[after I take off the inner cover]
  3. a large frame with lights, switches, capacitors, wires, a roll of 
     paper, circuit cards, more wires, but no sign of anything that 
     might be a problem for their security rules...

Of course, technology has progressed, but a Compaq 386 portable does
not look a lot better under x-ray, and is a whole lot harder to open...

Doug
-----------[000056][next][prev][last][first]----------------------------------------------------
From:      GREENY <MISS026@ECNCDC.BITNET>  22-JUN-1989  2:50:54
To:        <security@pyrite.rutgers.edu>
> this could be good if you are a chronic loser of keys...

Well if that is the case, then investigate the Schlage Key-n-Keyless entry
deadbolt/doorknob combination.  Basically this is a set up that uses an
electronic circuit to allow you to unlock the deadbolt AND the doorknob locks
without a key, or with the key if you have it.

When you leave the room/apt/whatever, you press a button, open the door and
after closing the door, you turn what is normally the security sheath (rim)
around the deadbolt cylinder to the right....this locks the deadbolt, and away
you walk.

upon returning, you turn the door knob until the led display (just one 1/4"
number only) lights up.  Then via a combination of left and right turns of
the door knob you enter the combination.  If you do it right, a "U" shows
up in the display, the thing beeps, and you can turn the security sheath
of the deadbolt to the left, thereby unlocking the deadbolt.  Then you use
the door knob normally and enter in.

Several problems with this lock are:
   1) the whole thing is made of that crappy cheapo metallic ABS plastic and
       one good whack with a sledgehammer would take it right off the door.
       (although the deadbolt cylinder, door knob appear to be normal metal)

    2) If the batteries die, and you don't have the key, then you have to
       either call a locksmith to pick it open for you or you have to do it...

    3) I don't like the idea of having to push a button when I leave a room
       this should be automatic...

Basically this lock would be good for closets, storerooms, etc., where one
wants something flashier than a sentex pushbutton lock...

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: Greeny
-----------[000057][next][prev][last][first]----------------------------------------------------
Date:      21 Jun 89 21:38:26 GMT
From:      gwyn@BRL.MIL
To:        misc.security
Subject:   Re: Envelopes

>A site I worked at used tyvek (tm?) envelopes and sealed them with a few
>drops of an epoxy.

This is probably beyond the bounds of reasonable paranoia, but you should
be aware that the standard technique for removing a document from a sealed
envelope is to insert a slotted rod at the corner, roll the contents onto
the rod, and slip it out as a thin tube.  Of course it's reinserted by
reversing the process.  Thus, the corners of the envelope need special
attention.

-----------[000058][next][prev][last][first]----------------------------------------------------
From:      ijk@cbnewsh.att.com (ihor.j.kinal)  23-JUN-1989 18:15:21
To:        misc-security@att.att.com
Wandering through the local car parts store, I came across a device to
make your steering wheel DETACHABLE!!!

REMOVE THE WHEEL WHEN YOU LEAVE - That should deter most thieves.

Cost - around $80.

If I owned a Ferrari, I might get one - but I'd check first
that it did not release TOO easily - might be a bit disconcerting
if you reach out to adjust the tilt, and instead wind up disconnecting!!!

Ihor Kinal
cbnewsh!ijk
[standard disclaimer applies]
-----------[000059][next][prev][last][first]----------------------------------------------------
From:      nanovx!msa3b!kevin@gatech.edu (Kevin P. Kleinfelter)  23-JUN-1989 18:28:44
To:        nanovx!misc-security@gatech.edu
I don't know about a consensus on pick-proof, but I've been burglarized
3 times in 3 different locations.  In 2 cases the door was jimmied; in the
3rd, the door and the jamb were found in toto on my living room rug.

I strongly believe in a "jimmy-proof" lock, which usually has several pins
on one side, which slide into holes on the other.  I've NEVER had a lock picked
or credit-carded, but at least 2 were simply crow-barred.

(I don't have a jimmy-proof lock now; I've decided "what's the use")
-- 
Kevin Kleinfelter @ Management Science America, Inc (404) 239-2347
gatech!nanovx!msa3b!kevin
-----------[000060][next][prev][last][first]----------------------------------------------------
Date:      22 Jun 89 11:51:19 GMT
From:      oster@DEWEY.SOE.BERKELEY.EDU (David Phillip Oster)
To:        misc.security
Subject:   IBM Mainframe rs232 call-back software=Defender interface?

I'm looking for information about a software package named "Defender" that
runs on IBM mainframes.

It provides 3270 emulation over rs232 lines connected to inexpensive modems.
It uses a hang up and call-back approach.

My questions:

What kind of terminal does it expect to see at the remote end? Does the
3270 emulation require a terminal that accepts ANSI control commands or
something weirder?  Does it provide any file transfer protocols, and if so,
which ones?

--- David Phillip Oster            --"Unix Version 7 was an improvement not
Arpa: oster@dewey.soe.berkeley.edu --only over its predecessors, but also its
Uucp: {uwvax,decvax}!ucbvax!oster%dewey.soe.berkeley.edu --successors."

-----------[000061][next][prev][last][first]----------------------------------------------------
Date:      23 Jun 89 19:32:00 GMT
From:      ACEH0@ais.ucla.edu (Elie Harel)
To:        misc.security
Subject:   Thumb scanning devices

Does anyone have experience with door locking devices that incorporate
thumb scanning techniques instead of magnetic cards?

It would be nice to eliminate the need for carrying magnetic cards for
secure areas but in the same time maintain or improve the security level
that these techniques provide.

Any information on issues such as vendors, costs, characteristics,
technical problems, administrative problems, security levels, and
especially your own experience will be greatly appreciated.  Thanks.

-----------[000062][next][prev][last][first]----------------------------------------------------
Date:      25 Jun 89 18:27:59 GMT
From:      MOG::REX@ISDMNL.MENLO.USGS.GOV (Rex Sanders)
To:        misc.security
Subject:   Re: passwords

>Knowing that "root vegetables" were used to name
>the other accounts, guesses can be made as to the other account names.

Note the explanation in the original article for choosing "root
vegetable" names - this was done to let insiders know when root
users were logged in.

>While it may have improved internal security a bit (though I can't
>actually see how), you've statistically increased your opportunities
>for a damaging forced entry.  Four accounts with four passwords
>doesn't really do anything to improve your security.

I agree that we have increased the chances for outside entry into our
system.  However, most of the "experts" I've heard from or read about
state the biggest danger is from inside jobs.  We have improved
internal security by providing more accountability for actions taken
with root permissions e.g. "Who modified that system file?".

Also, as stated in the original article, the "one account,
one-person-knows-password" rule was passed down from Higher
Authorities.  Perhaps this last point illustrates an old idea -
set up a rule (law), and someone will comply with the letter of the
rule while violating the objective (spirit).

-- Rex Sanders, rex@isdmnl.menlo.usgs.gov

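The two posts above disagree about whether several uid-0 logins are a net loss; either way an administrator should know exactly how many logins grant uid 0 and whether each carries its own, non-empty password. This is an added example, not code from either poster: it audits a constructed passwd file in which "radish" is the one account name the thread gives, while "turnip", "parsnip" and the hash placeholders are made up for illustration.

```python
"""Audit a passwd file for extra uid-0 (superuser) logins and weak password fields."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    pw_hash: str   # second field of /etc/passwd (1989 systems stored the hash here)
    uid: int
    gid: int
    shell: str


# Constructed sample in /etc/passwd format: "root" plus three root-vegetable
# superuser accounts. "radish" comes from the thread; the other names and the
# CONSTRUCTED-HASH-* placeholders are hypothetical.
SAMPLE_PASSWD = """\
root:CONSTRUCTED-HASH-1:0:1:Superuser:/:/bin/sh
radish:CONSTRUCTED-HASH-2:0:1:Root account (Rex):/:/bin/sh
turnip:CONSTRUCTED-HASH-2:0:1:Root account (ops):/:/bin/sh
parsnip::0:1:Root account (backup):/:/bin/sh
daemon:*:1:1:System daemon:/:/bin/false
rex:CONSTRUCTED-HASH-3:201:20:Rex Sanders:/u/rex:/bin/csh
"""


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse the seven-field passwd format; reject malformed lines instead of guessing."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw_hash, uid, gid, _gecos, _home, shell = fields
        entries.append(PasswdEntry(name, pw_hash, int(uid), int(gid), shell))
    return entries


def superuser_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Every login name that maps to uid 0, in file order."""
    return [e.name for e in entries if e.uid == 0]


def extra_superusers(entries: List[PasswdEntry]) -> List[str]:
    """uid-0 logins other than 'root'; each one is an additional password an outsider can attack."""
    return [n for n in superuser_accounts(entries) if n != "root"]


def empty_superuser_passwords(entries: List[PasswdEntry]) -> List[str]:
    """uid-0 logins whose password field is empty, i.e. no password at all."""
    return [e.name for e in entries if e.uid == 0 and e.pw_hash == ""]


def shared_superuser_hashes(entries: List[PasswdEntry]) -> Dict[str, List[str]]:
    """uid-0 logins that share an identical hash field: the 'one password per person'
    accountability argument collapses if two superuser logins open with the same password."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.uid == 0 and e.pw_hash:
            by_hash[e.pw_hash].append(e.name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def audit(text: str) -> List[str]:
    """Human-readable findings for the whole file."""
    entries = parse_passwd(text)
    findings = [f"{len(superuser_accounts(entries))} login name(s) grant uid 0: "
                + ", ".join(superuser_accounts(entries))]
    for name in empty_superuser_passwords(entries):
        findings.append(f"uid-0 login '{name}' has an empty password field")
    for names in shared_superuser_hashes(entries).values():
        findings.append("uid-0 logins share one password hash: " + ", ".join(names))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PASSWD):
        print(line)
```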
-----------[000063][next][prev][last][first]----------------------------------------------------
From:      pyron@lvvax1.csc.ti.com (Who remembers 8USER.PAR?)  28-JUN-1989 21:02:03
To:        security@pyrite.rutgers.edu, pyron@tilde.csc.ti.com
Is there anyone on this list who took part in any of the sessions at the
Spring DECUS (Atlanta) on forming a Security SIG?  I haven't heard from
anyone since then, and my management wants to know where it is going.

Please reply directly to me.

Dillon Pyron                         | The opinions are mine, the facts 
TI/DSEG Lewisville Computer Services | probably belong to the company.
pyron@lvvax1.csc.ti.com              |
(214)462-5449                        | We try, we learn, sometimes we die.
                                     | We sit on our butts, learn nothing,
                                     | and we still die.
-----------[000064][next][prev][last][first]----------------------------------------------------
From:      gwyn@brl.arpa (Doug Gwyn)  29-JUN-1989  1:19:22
To:        security@rutgers.edu
>Try substituting "tanks" for "DES implementations".

There is a fundamental difference.  Tanks can obviously be used to
assault you, to violate rights of individuals on a large scale.
Effective encryption technology could be used to prevent your
eavesdropping, to protect the rights of persons communicating.
I see no way to claim that NSA or anyone else has a "right" to
be able to snoop on other people's conversations.  I don't dispute
that such snooping can produce useful information, but it is not
information to which we are in principle entitled.

As much as I love cryptanalysis, I would welcome a world in which
people can be sure their communications are secure against snoops.
-----------[000065][next][prev][last][first]----------------------------------------------------
Date:      27 Jun 89 18:04:44 GMT
From:      janw@janus.UUCP (Jan Wortelboer)
To:        misc.security
Subject:   Multipurpose Security System (for) Users

Is there anybody who knows about a General Purpose Security System,
for a computer system (UNIX) with inventive Users? 
I am using Convergent's with informix and would like to make
the system secure, (as far as it goes).
If there is, I would like to know about it.

Thanks for any help.

	Jan
-- 
Usenet:	janw@janus.fwi.uva.nl, Uucp: {uunet,...}!hp4nl!janus!janw 
Jan Wortelboer,Tel.Prive 020-913169,TOPDATA / Compact Informaticadiensten nv
Kantoorgebouw "Oosterpoort" Pegasusweg 18 3067 KX Rotterdam
Tel: {+31|0}10-4552644 Telefax {+31|0}10-4554682 Telex: 26727 .. NL

-----------[000066][next][prev][last][first]----------------------------------------------------
From:      cme@cloud9.stratus.com (Carl Ellison)  29-JUN-1989  2:54:52
To:        linus!misc-security@ursa-major.spdcc.com
> Should the US therefore be willing to export tanks to anyone who wants them?
> Suppose the US manufactured military radios containing very strong encryption
> technology.  Should we be willing to sell those to anyone who wanted them?

Sorry -- this argument doesn't wash.

Weapons and weapons systems, like tanks, derive military value from things
like the materials with which they're made, the workmanship used, ....
Sometimes there's value added in the add-on electronic packages.  In all of
these cases, possession of the physical object implies military value.
Therefore, sale and delivery of the object constitutes increasing the military
strength of the recipient.

An encryption device has only a trivial value by way of its parts.  (e.g.,
there was a sliding alphabet device during WW-II which had particular value
because it was made of materials which didn't warp aboard ship in the
South Pacific.)

The real military value of an encryption device -- that which kills people
or saves them from being killed -- is the algorithm itself and devices or
algorithms for breaking it.

In the case of DES, the algorithm is already known.  No one is trying to sell
machinery for breaking it.  It's possible to buy implementations from overseas
so there's no secrecy to protect, either with the algorithm or with how to
implement it.

So, what does the Government gain by interfering with its export?

All I can see being accomplished is the inhibition of a small piece of
potential export trade which could have been working against the trade
deficit.

--Carl Ellison                      UUCP::  cme@cloud9.Stratus.COM
SNail:: Stratus Computer; 55 Fairbanks Blvd.; Marlborough MA 01752
Disclaimer::  (this is STRICTLY my own opinion)
-----------[000067][next][prev][last][first]----------------------------------------------------
From:      G.D.Shaw@DURHAM.AC.UK  29-JUN-1989  3:34:26
To:        SECURITY@pyrite.rutgers.edu
> Try substituting "tanks" for "DES implementations".

    This is not a valid analogy.  Once you have one copy of a DES algorithm,
then it is easy to create as many as you like; the same is not true of
military hardware.  Therefore, even if your enemy has a given number of
tanks, or of guns or whatever, it is still in your interest not to give him
any more.  With software, he only needs to buy or steal one, so if you are
going to try to prevent the DES falling into the 'wrong hands', that
security must be complete:

1.  If the software is on open sale in the US, then you may as well sell
it in Moscow too - at least that way, they might pay for it instead of
buying one copy in the US and pirating the rest.  There is certainly no
point in banning it from NATO or neutral countries.

2.  If you really want to stop the Russians getting hold of it, then you
need strict regulations in the US as well - but if this was effective you
would probably have had to prevent any commercial use of the product and
restrict it to government agencies only.

3.  Even if you did this, it would only be a matter of time before any
hostile government was able to steal a copy; indeed, I would be surprised
if the Russians are not capable of writing their own DES code.

    Fast DES chips are a very different matter: though it can undoubtedly
be done, copying chips is not a trivial undertaking.  The issues at stake
are therefore essentially identical to those governing the sale of CPUs
or complete computers.  Software and hardware pose very different problems,
and just because they both relate to the DES they should not be confused.

+----------------------------------------------------------------+
| Graham Shaw, Collingwood College, South Road, Durham, ENGLAND  |
| JANET       : G.D.Shaw @ UK.AC.DUR.MTS                         |
| Internet    : G.D.Shaw%MTS.DUR.AC.UK@cunyvm.cuny.edu           |
| EARN/BITNET : G.D.Shaw%MTS.DUR.AC.UK@UKACRL                    |
+----------------------------------------------------------------+
| "I always said there was something fundamentally wrong with    |
|  the Universe" - Arthur Dent                                   |
+----------------------------------------------------------------+
-----------[000068][next][prev][last][first]----------------------------------------------------
From:      cme@cloud9.stratus.com (Carl Ellison)  29-JUN-1989  3:58:45
To:        linus!misc-security@ursa-major.spdcc.com
> Now suppose the algorithms of the encryption chips were public knowledge, but
> actually implementing them as chips with sufficient speed, reliability, low
> power consumption, whatever, was very hard.  Does your answer change?

I say that in that case, if the implementation was done at the Government's
request (e.g., as part of a defense contract), then they can legitimately lay
claim to rights over that implementation.  However, if the implementation was
done by a private firm strictly on its own money and for the intention of
shipping product overseas, then it's none of the Government's business!
This is a free market economy we keep bragging about, right?

Let's make it stickier.

Suppose the algorithm is not in a chip.  It's software on a plain vanilla
computer.

Let's pretend that it's MY software -- and let's also pretend that I'm the
best programmer in the world.  Therefore, even though this is just software
and anyone could have written it, I happen to be the person who wrote it
the best.

I want to profit from my ability.  I want to sell copies of this superior
software.

I'm not picky.  If the U.S.Government wants to buy some copies, I'll sell them
some copies.  However, I won't sell them exclusive rights to this software
unless they're willing to pay a VERY high price -- to compensate me for
the profit I won't be able to make from other customers.

Will they sign an exclusive contract and pay that very high price?

(I'll wait while you stop laughing.)

Well, no, not exactly.  What they'll do is make it illegal for me to sell
this software outside the U.S. and although they'll allow me to sell and
ship it within the U.S., they won't buy any copies from me for themselves.

--- and I repeat -- with encryption algorithms, the quality of the
implementation doesn't add to the quality of the secrecy (and therefore
the military value), but it might add to the satisfaction of the user
and therefore to the financial incentive for me to do a good job in the
implementation.  Killing that financial incentive has only one logical
justification -- to keep me out of the business and therefore keep a
near monopoly in the hands of the NSA and select defense contractors.

--Carl Ellison                      UUCP::  cme@cloud9.Stratus.COM
SNail:: Stratus Computer; 55 Fairbanks Blvd.; Marlborough MA 01752
Disclaimer::  (of course)
-----------[000069][next][prev][last][first]----------------------------------------------------
From:      /* Purple Haze */ <NCASTELLANO@eagle.wesleyan.edu>  29-JUN-1989 22:47:41
To:        security@pyrite.rutgers.edu
There's been some discussion of software packages labelled "not for export"
because they contain DES.  Are there any other widely used programs that have
this same "not for export" status?  I have seen a "not for export" sticker on a
box for Turbo Pascal, anyone know why?
-----------[000070][next][prev][last][first]----------------------------------------------------
From:      MJB8949@RITVAX.BITNET  29-JUN-1989 23:22:32
To:        SECURITY@pyrite.rutgers.edu
        I'm presently researching the market for software designed to
interface a personal computer with a SESCOA 3000 alarm receiver.  This is
for a 'medium-to-large' size college campus which has been using the SESCOA
for several years.
        If anyone could pass on information about companies with such
products, or personal experience with various programs 'in the field',
your help would be greatly appreciated.
        Please note that I'd need to receive any info before July 6 (I
know it's not that far away), since I will be on the other side of the
country after that.
        E-Mail would probably be the best, then I can try to summarize
for everyone else if it seems others are interested.
        Thanks.
Mike Bunnell                    716-475-4263
30 Lowenthal Dr., Box 2767                       ('till July 6)
Rochester, NY  14623            MJB8949@RITVAX
-----------[000071][next][prev][last][first]----------------------------------------------------
From:      Mr. James Crooks <JIM@iss.nus.ac.sg>  29-JUN-1989 23:56:41
To:        security@pyrite.rutgers.edu
>Such implementations have the potential for turning any mini or micro
>into a crypto engine.  This might fill the ether with traffic that
>cannot be readily recognized, raising the cost of signals
>intelligence gathering.

Don't lose sight of the fact that DES represents ONLY commercial level
crypto. Anybody sending something REALLY important wouldn't use DES
anyway (gov't/mil). The fact that it is illegal won't stop the bad
guys from smuggling out almost anything they want. In fact it mostly
stops the law abiding citizens of the world from getting the protection
they need to run their businesses (or at least getting it from the USA -
but then NSA doesn't care about the balance of payments gap).

>The issue is not secrecy; it is replicability. ...
>If the work factor for reading the DES was N, but that of reading a
>variant is >N then one might be motivated to discourage variants.

But given the fact that in an open marketplace with published algorithms,
one finds that other solutions will be provided sooner or later. If NSA
was really smart, they might have written public domain standard code
then freely distributed it in object form to cut down on the variants -
by all means protect the source code with export controls.

>>We're locking the barn door -- with the horse inside -- but after the
>>back wall fell down.
>One does what one can do.  This is particularly true if one believes
>oneself to be mandated by law to do so.

I agree that the law is there, but SHOULD it be there?  I really think
it boils down to pig-headedness in the security services. At least the
US delegation to the ISO Crypto standards stuff abstained rather than
vetoing DES (as NSA and the White House wanted them to, or at least
that is what I heard...).

At least NSA got smarter with the newer algorithms - and kept them
classified. Then they were looking for something a bit better than
commercial level protection.

James W. Crooks
Member, Advanced Technology Application Staff
BITNET:           JIM@ISS.NUS.AC.SG
BIX:              jw.crooks     DASnet:           DW1JW|JCROOKS
Compuserve:       72611,162     Envoy 100:        jw.crooks
Institute of Systems Science, National University of Singapore
Heng Mui Keng Terrace, Kent Ridge, Singapore 0511
-----------[000072][next][prev][last][first]----------------------------------------------------
From:      hwchoy@zpovc.enet.dec.com (Life, The Universe and Everything.)  30-JUN-1989 12:08:58
To:        DECWRL"".."security@pyrite.rutgers.edu"@zpovc.enet.dec.com
Can anyone give me information regarding Ethernet Encryption devices, 
prices, features and contact address/tel/fax would be welcomed. Thanx.
-----------[000073][next][prev][last][first]----------------------------------------------------
From:      gwyn@brl.mil  30-JUN-1989 13:11:42
To:        security@rutgers.edu
>A site I worked at used tyvek (tm?) envelopes and sealed them with a few
>drops of an epoxy.

This is probably beyond the bounds of reasonable paranoia, but you should
be aware that the standard technique for removing a document from a sealed
envelope is to insert a slotted rod at the corner, roll the contents onto
the rod, and slip it out as a thin tube.  Of course it's reinserted by
reversing the process.  Thus, the corners of the envelope need special
attention.
-----------[000074][next][prev][last][first]----------------------------------------------------
Date:      Tue Jun 20 08:59:24 1989
From:      monster!paul@csc-lons.af.mil   30-JUN-1989 13:43:00, monster!paul@csc-lons.af.mil
To:        security@csc-lons.uucp, security@csc-lons.uucp
I have had experience with Anderson-Jacobson (sp?) 2400 baud security modems.
I did several weeks of testing on them and I believe they will fit what you
are looking for.  I also had hardware problems with one modem and A-J sent
a tech over to my location to help test it, and swap out the bad modem on the
spot.  It was real nice.  The modem offers callback and multilevel security.
Take a look, you might like it.

				Paul Fischer
				paul%monster@csc-lons.csc.com
				1-800-234-6668
				Bohdan Associates Inc.
		"Smile! ... It makes people wonder what you're thinking."
-----------[000075][next][prev][last][first]----------------------------------------------------
From:      Michael K. Blackstock <ELTRUT@MSSTATE.BITNET>  30-JUN-1989 14:39:43
To:        <security@pyrite.rutgers.edu>
Here is an ad taken from "computer shopper" Mar. 89.

"FINAL CLOSEOUT/PRICE SLASHED!

Lockheed-Getex modems now priced below our cost!
..300/1200-baud
..Choice of security levels including selective and nonselective
callback
..Non-hayes compatible and any computer...that has industry
standard RS-232C port " can use it
"... NOW $29 + $4 S/H

Item #  H-4206-7344-195

COMB
1-800-328-0609

I have got two of them.  I am using one of them right now, with a
Lear Siegler Terminal.   The other one is for my PC.

BITNET:  ELTRUT@MSSTATE              -Michael
-----------[000076][next][prev][last][first]----------------------------------------------------
From:      tsibouris@vms.macc.wisc.edu (GEORGE TSIBOURIS)  30-JUN-1989 15:24:23
To:        misc-security@uunet.uu.net
I am not certain that this is the right forum but here it goes
anyways.

Does anyone know how to distinguish a system that spits out a sequence
of "truly" random numbers (neutron decay of some radioactive material)
from a system that has a complex (non-linear) but deterministic
structure?

A similar question is: how can you distinguish a good random
number generator from a great one?  What tests are used?

I am rather new to this area but I am familiar with correlation 
integrals and the correlation dimension.

Any references on the above topic would be greatly appreciated.

Thank you,

George Tsibouris

tsibouris@vms.macc.wisc.edu     (Internet)
tsibouris@wiscmacc              (Bitnet)
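The standard answer to "what tests are used?" is a battery of statistical tests, two of which (the frequency and runs tests of the later NIST SP 800-22 suite) are implemented here as an added example, not part of the original post. The constructed inputs show the limit the question is really about: a stuck or alternating source fails at once, but a seeded software generator passes exactly as the operating system's entropy source does, so passing such tests says the output looks random, not that it came from a physical process.

```python
"""Frequency (monobit) and runs tests over byte strings, with constructed inputs."""
import os
import random
from math import erfc, sqrt
from typing import Dict, List


def bits_from_bytes(data: bytes) -> List[int]:
    """Unpack bytes into a bit list, least-significant bit of each byte first."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def monobit_p_value(bits: List[int]) -> float:
    """Frequency test: S_n = sum of (2b - 1); p = erfc(|S_n| / sqrt(2n)).
    Small p means the ones/zeros balance is far from what a fair source gives."""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)
    return erfc(abs(s_n) / sqrt(2 * n))


def runs_p_value(bits: List[int]) -> float:
    """Runs test: compares the count of maximal same-bit runs V_n with the
    2*n*pi*(1-pi) expected from a memoryless source of bias pi.
    Returns 0.0 when pi is too far from 1/2 for the test's approximation to apply."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / sqrt(n):      # prerequisite given in SP 800-22, section 2.3
        return 0.0
    v_n = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    numerator = abs(v_n - 2 * n * pi * (1 - pi))
    denominator = 2 * sqrt(2 * n) * pi * (1 - pi)
    return erfc(numerator / denominator)


def evaluate(data: bytes, alpha: float = 0.01) -> Dict[str, object]:
    """Run both tests and give a verdict at significance level alpha."""
    bits = bits_from_bytes(data)
    p_mono = monobit_p_value(bits)
    p_runs = runs_p_value(bits)
    return {"monobit": p_mono, "runs": p_runs, "ok": p_mono >= alpha and p_runs >= alpha}


# Constructed inputs (4096 bytes = 32768 bits each).
N_BYTES = 4096
STUCK = bytes(N_BYTES)                       # a dead source: all zero bits
ALTERNATING = bytes([0x55]) * N_BYTES        # perfectly balanced, yet 1,0,1,0,...
_rng = random.Random(1989)                   # deterministic Mersenne Twister stream
SEEDED_PRNG = bytes(_rng.getrandbits(8) for _ in range(N_BYTES))


def os_entropy(n_bytes: int = N_BYTES) -> bytes:
    """Bytes from the operating system's entropy pool, for comparison."""
    return os.urandom(n_bytes)


if __name__ == "__main__":
    for label, data in (("stuck", STUCK), ("alternating", ALTERNATING),
                        ("seeded PRNG", SEEDED_PRNG), ("os.urandom", os_entropy())):
        print(f"{label:12s} {evaluate(data)}")
```

The alternating stream has a monobit p-value of exactly 1.0 and a runs p-value of 0.0, which is why a single test is never enough; the seeded generator and os.urandom are indistinguishable to both tests.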
-----------[000077][next][prev][last][first]----------------------------------------------------
From:      hollombe@ttidca.tti.com (The Polymath)  30-JUN-1989 16:08:57
To:        misc-security@sdcsvax.ucsd.edu
}I personally feel the man is just a criminal, like the guy that robs a 7/11,
}no better but certainly not any worse. 

A number of people have been killed in 7/11 robberies.  How bad is that?

}... Sure he did things like access and perhaps even altered
}Police Dept. criminal records, credit records at TRW Corp, and Pacific
}Telephone, disconnecting phones of people he didn't like etc.
}But what is not understood by most people outside of the hack/phreak world is
}that these things are VERY EASY TO DO AND ARE DONE ALL THE TIME.

Therefore Mitnick's guilt is less?  More appropriately, we should throw the
book at him and go after similar criminals/sociopaths just as aggressively.

}1.) He will not be treated fairly. He will be judged as a much greater threat
}to society than others that have committed similar crimes.

That's his lawyer's problem.

}2.) He will become some kind of folk hero. A Jesse James with a keyboard.

Not if he's found guilty and harshly sentenced.  There's little glory in
20 years behind bars with no access to his favorite toys.

}I'm not defending him or the things he has done in any sense. All I'm saying
}is lets be fair. Judge the man by the facts, not the headlines.

Let's trust the jury to do just that.  Despite the image of a chaotic
court system, created by the same media hype of a few odd cases, juries,
by and large, have been shown to be fairly efficient at fact finding and
interpretation and ignoring media bull.

BTW, my impression from the news media is that Mitnick isn't a super
hacker, or even much of a hacker, at all.  He's more a classic, textbook
sociopath.  Most of the times he gained access to systems he did so not
with computer expertise, but by conning the owners into giving him the
needed passwords.  That ability to inspire trust, combined with the
conscienceless willingness to abuse it, is a classic symptom of
sociopathy.  It has nothing to do with computer expertise.

If he didn't know anything about computers Mitnick would probably be an
embezzler or a used car salescritter.  I suspect society will be much
better off with him isolated and neutralized (and that should keep me
off the jury, at least).

-- 
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Illegitimati Nil
Citicorp(+)TTI                                                 Carborundum
3100 Ocean Park Blvd.   (213) 452-9191, x2483
Santa Monica, CA  90405 {csun|philabs|psivax}!ttidca!hollombe
-----------[000078][next][prev][last][first]----------------------------------------------------
From:      "Daniel L. Laser" <DLASER@TRINITY>  30-JUN-1989 21:26:34
To:        security@tcsvm
We are in the process of trying to formulate an INFORMATION SECURITY
POLICY for our campus.  This policy as we envision it would be
campus wide and would serve as the foundation for other more specific
information related security policies concerning electronic data systems,
reports, departmental p.c. systems, etc.   I would appreciate samples
of the information security policies that you are using on your
campuses.   Thanks,
==========================>>> Daniel L. Laser - Associate Director
==========================>>> Trinity University Computing Center

Acknowledge-To: <DLASER@TRINITY>
-----------[000079][next][prev][last][first]----------------------------------------------------
From:      oster@dewey.soe.berkeley.edu (David Phillip Oster)  30-JUN-1989 22:04:50
To:        misc-security@ucbvax.berkeley.edu
I'm looking for information about a software package named "Defender" that
runs on IBM mainframes.

It provides 3270 emulation over rs232 lines connected to inexpensive modems.
It uses a hang up and call-back approach.

My questions:

What kind of terminal does it expect to see at the remote end? Does the
3270 emulation require a terminal that accepts ANSI control commands or
something weirder?  Does it provide any file transfer protocols, and if so,
which ones?

--- David Phillip Oster            --"Unix Version 7 was an improvement not
Arpa: oster@dewey.soe.berkeley.edu --only over its predecessors, but also its
Uucp: {uwvax,decvax}!ucbvax!oster%dewey.soe.berkeley.edu --successors."
-----------[000080][next][prev][last][first]----------------------------------------------------
From:      nevin1@cbnewsc.att.com (nevin.j.liber)  30-JUN-1989 22:37:36
To:        misc-security@att.att.com
[from Doron Zifrony in comp.misc.  He does not get misc.security;
please respond directly to Doron (and not ME) via email.]

Hello people!

  I hope this is the right newsgroup to post it.  I am interested in starting
a PhD in computer science or a related area.  I am interested in the field
of "computer security".

  Unfortunately, I have no knowledge of universities anywhere around the
globe which include people researching in this area, who may advise me
on my thesis.

  I would welcome any information which will allow me to get in touch with
such people for further discussion.

  I prefer an English-speaking country, or a Hebrew-speaking country, as I
do not master any other language (I stutter a bit in French, but I do not
master it).  However, I'll be willing to learn other languages if the need
arises.

  Please E-mail me responses, as I do not check this newsgroup often.

Thanks

--
Doron Zifrony   E-mail:    BITNET:    zifrony@taurus.bitnet
Msc.  Student              INTERNET:  zifrony@Math.Tau.Ac.IL
Dept. of   CS              ARPA:      zifrony%taurus.bitnet@cunyvm.cuny.edu
Tel Aviv Univ.             UUCP:      ...!uunet!mcvax!humus!taurus!zifrony
Israel                     CSNET:     zifrony%taurus.bitnet%cunyvm.cuny.edu@
                                        csnet-relay
--
Disclaimer: I DON'T represent Tel Aviv University.  The opinions hereby
            expressed are solely my own.
-----------[000081][next][prev][last][first]----------------------------------------------------
Date:      29 Jun 89 21:33:20 GMT
From:      SUSAN@YALEVM.BITNET (Susan Bramhall)
To:        misc.security
Subject:   Encryption hardware/software available?

Please excuse me if you receive multiple copies of this note.  I am sending it
to several lists which may have a subscriber who has relevant information.

We are interested in providing an encrypting gateway for our campus network.
The idea is that users on certain LANs considered secure wish to send data
across an unsecured ethernet spine and eventually into another secure LAN or
host. We have several ideas for the gateway (based on previous software
developed at Yale) but would like to acquire a software or, preferably
hardware, encryptor.  Ideally, it would be a card with the ability to
encrypt/decrypt on its own chip rather than taking up workstation CPU cycles.
We would pass it data and a key and it would return encrypted data.  The
gateway is being built on an IBM PS/2.  Any leads would be very much
appreciated.

I also wonder if other sites are thinking about this problem and, if so, what
sort of solution are you looking at?  All of the security discussions which I
have seen are concerned with authorization and access control (such as dial
back) rather than encryption of data.  Does anyone know of a forum where this
has been discussed?  Note, by the way, that we are not planning to do any
research into encryption algorithms, a subject I am happy to leave to the
mathematicians.

Since I do not subscribe to ANY of the lists, please send replies directly to
me (as well as the list if you like).  Thanks in advance for your help.

              Susan Bramhall
              Senior Research Programmer

-----------[000082][next][prev][last][first]----------------------------------------------------
Date:      29 Jun 89 23:16:09 GMT
From:      NCASTELLANO@EAGLE.WESLEYAN.EDU (/* Purple Haze */)
To:        misc.security
Subject:   "not for export"

There's been some discussion of software packages labelled "not for export"
because they contain DES.  Are there any other widely used programs that have
this same "not for export" status?  I have seen a "not for export" sticker on a
box for Turbo Pascal, anyone know why?

-----------[000083][next][prev][last][first]----------------------------------------------------
Date:      30 Jun 89 00:22:18 GMT
From:      JIM@iss.nus.ac.sg (Mr. James Crooks)
To:        misc.security
Subject:   re: EXPORT OF THE DES

>Such implementations have the potential for turning any mini or micro
>into a crypto engine.  This might fill the ether with traffic that
>cannot be readily recognized, raising the cost of signals
>intelligence gathering.

Don't lose sight of the fact that DES represents ONLY commercial level
crypto. Anybody sending something REALLY important wouldn't use DES
anyway (gov't/mil). The fact that it is illegal won't stop the bad
guys from smuggling out almost anything they want. In fact it mostly
stops the law abiding citizens of the world from getting the protection
they need to run their businesses (or at least getting it from the USA -
but then NSA doesn't care about the balance of payments gap).

>The issue is not secrecy; it is replicability. ...
>If the work factor for reading the DES was N, but that of reading a
>variant is >N then one might be motivated to discourage variants.

But given the fact that in an open marketplace with published algorithms,
one finds that other solutions will be provided sooner or later. If NSA
was really smart, they might have written public domain standard code
then freely distributed it in object form to cut down on the variants -
by all means protect the source code with export controls.

>>We're locking the barn door -- with the horse inside -- but after the
>>back wall fell down.
>One does what one can do.  This is particularly true if one believes
>oneself to be mandated by law to do so.

I agree that the law is there, but SHOULD it be there?  I really think
it boils down to pig-headedness in the security services. At least the
US delegation to the ISO Crypto standards stuff abstained rather than
vetoing DES (as NSA and the White House wanted them to, or at least
that is what I heard...).

At least NSA got smarter with the newer algorithms - and kept them
classified. Then they were looking for something a bit better than
commercial level protection.

James W. Crooks
Member, Advanced Technology Application Staff
BITNET:           JIM@ISS.NUS.AC.SG
BIX:              jw.crooks     DASnet:           DW1JW|JCROOKS
Compuserve:       72611,162     Envoy 100:        jw.crooks
Institute of Systems Science, National University of Singapore
Heng Mui Keng Terrace, Kent Ridge, Singapore 0511

-----------[000084][next][prev][last][first]----------------------------------------------------
Date:      30 Jun 89 18:58:33 GMT
From:      edb@sequent.UUCP (Edward Bunch)
To:        misc.security
Subject:   Home Security/Control Systems.

I am interested in finding out more about Home Security/Control Systems.
You know, the ones that not only tell you if someone is breaking in but
control lights while you're out and make coffee for you in the morning.
Please Email me direct.

Thanks,

                                  -----------
Edward A. Bunch                   |      |/ |     UUCP: {sun,fai,uunet}!
Sequent Computer Systems, Inc.    |     /|/ |           sequent!edb     
Network Manager                   |     /|  |     DOMAIN: not yet ;-)
                                  |         |                               
                                  -----------                           

-----------[000085][next][prev][last][first]----------------------------------------------------
Date:      30 Jun 89 20:30:47 GMT
From:      SYKLB@NASAGISS.BITNET (Ken Bell)
To:        misc.security
Subject:   Re: DES export laws

> >Try substituting "tanks" for "DES implementations".
> There is a fundamental difference.  Tanks can obviously be used to assault

There's another difference.  You can't carry tanks over in your
briefcase or buy the plans for them at B. Dalton's.  There's an
awful lot of published DES code, and various PC utilities (PCTOOLS,
for example) contain DES.  The only ones who are being deprived of
DES are the non-security risks - the spies/terrorists already have it.

-----------[000086][next][prev][last][first]----------------------------------------------------
Date:      30 Jun 89 22:21:00 GMT
From:      PETERSEN@CTRVX1.VANDERBILT.EDU (Chris Petersen - VUCC)
To:        misc.security
Subject:   Re: DES Export Laws

> indeed, I would be surprised
> if the Russians are not capable of writing their own DES code.

    I could have sworn I saw a posting about an article in a Soviet computer
science journal that gave an algorithm for breaking badly chosen keys for 
DES.  I may have even seen it [the reference] here...

-Chris Petersen
Vanderbilt University
petersen@ctrvax.vanderbilt.edu

Disclaimer:  If I say anything at all, it is strictly off the record and 
should in no way be construed as legal or binding or even authoritative or 
responsible... :-)

END OF DOCUMENT