|
|
ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1989)
DOCUMENT: Rutgers 'Security List' for June 1989 (87 messages, 38192 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1989/06.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
-----------[000000][next][prev][last][first]---------------------------------------------------- From: ron@ron.rutgers.edu (Ron Natalie) 2-JUN-1989 22:15:23 To: misc-security@rutgers.edu
UNICOS, at least as I saw it two years ago, had no pretense at security. It was quite easy to do things that would crash the machine, and only moderately more difficult to get unauthorized access to root. You might ring up your colleagues at NASA-AMES, who certainly have much more experience with UNICOS that I do. They're also pretty sharp on the security scene. -Ron
-----------[000001][next][prev][last][first]---------------------------------------------------- From: zeleznik@cs.utah.edu (Mike Zeleznik) 2-JUN-1989 22:39:25 To: security@rutgers.edu
> Could anyone give me a list of well known and
> not so well known security holes for 4.2 and 4.3 BSD and System V (UNICOS).
You might check out Bob Baldwin's stuff (MIT) for rule-based analysis of
UNIX system security. He had a paper in CompCon Spring 87.
Also, "UNIX System Security" by Wood and Kochan, Hayden Books.
Michael Zeleznik Computer Science Dept.
University of Utah
zeleznik@cs.utah.edu Salt Lake City, UT 84112
(801) 581-5617
-----------[000002][next][prev][last][first]---------------------------------------------------- Date: 2 Jun 89 13:33:37 GMT From: simsong@idr.cambridge.ma.us (Simson L. Garfinkel) To: misc.security Subject: ISDN
I am doing an article on ISDN for The Boston Globe. The artice would like to write about all of the problems with ISDN, all of the advantages, what people's experience have been (both positive and negative), and where things are going. If anybody would like to give me a call or email, and flame, this is your chance!!! Simson L. Garfinkel 409 Washington Street Cambridge, MA 02139 617-876-6111 simsong@idr.cambridge.ma
-----------[000003][next][prev][last][first]---------------------------------------------------- From: andrews@apple.com (Richard Andrews) 6-JUN-1989 7:00:54 To: misc-security@ucbvax.berkeley.edu
From my own experience, it seems to me that DES per se is not excluded from export. It just depends on how you use it. I worked on a product, the AppleShare File Server, that uses DES to encrypt passwords, and that was granted a Commerce Jurisdiction (meaning Apple is free to export it). Clearly, we would not have been able to export it if we used DES for file encryption.
-----------[000004][next][prev][last][first]---------------------------------------------------- From: cme@cloud9.stratus.com (Carl Ellison) 6-JUN-1989 7:34:57 To: linus!misc-security@ursa-major.spdcc.com
This is getting out of hand.... If it weren't so silly, I'd rant and rave for pages about it. What makes DES written here so secret when the one written in Finland (acc. a recent posting) isn't?????? We're locking the barn door -- with the horse inside -- but after the back wall fell down. --Carl Ellison UUCP:: cme@cloud9.Stratus.COM SNail:: Stratus Computer; 55 Fairbanks Blvd.; Marlborough MA 01752 Disclaimer:: (of course)
-----------[000005][next][prev][last][first]---------------------------------------------------- From: alo@kampi.hut.fi (Antti Louko) 6-JUN-1989 7:53:02 To: misc-security@cwi.nl
> Thus, a copy of Dbase III labelled
> "Not for export" cannot be used in an open lab here.
Software vendors could do the following:
Take their software product without any non-export stuff to some of
their labs outside US. At that site, include some outside-US
DES-package into their product, or even better, ship their product in
relocatable form, so customer can link any encryption package with it.
My DES-package can be used freely for non-commercial purposes. If a
vendor ships my DES-package in source code (and optionally in
relocatable code) with their product so that customer can link it
together himself, I consider this as non-commercial use. The idea is
that the customer could do the same even if the vendor wouldn'n
provide the DES-package.
If the vendor packages their product and DES together (eg. linking
them into an executable) I consider this as a commercial use.
In my opinion:
Software vendors should ship all their software also in reloacatable
form!!
My DES-package is available by ftp at kampi.hut.fi (128.214.3.9) at
directory /alo/
------------------
alo@santra.UUCP (mcvax!santra!alo) Antti Louko
alo@hut.fi Helsinki University of Technology
alo@fingate.bitnet Computing Centre
alo%fingate.bitnet@cunyvm.cuny.edu SF-02150, Espoo
FINLAND
tel. +358 0 4514314
------------------
-----------[000006][next][prev][last][first]---------------------------------------------------- From: Doug Claar <dclaar%hpmpec1e@hplabs.hp.com> 6-JUN-1989 23:14:43 To: security@pyrite.rutgers.edu
> I'm always amused by the notion of "tamper-resistant" envelopes. I Yes, what about the 'see-thru' spray being sold by Sharper Image, or some such company. "Makes envelopes transparent without leaving a trace!" The post office is not amused, but I don't think they can do much about it, since there is (in tiny type, at least in the ad), a warning that using the spray on U.S. Mail is against the law. Doug Claar HP Computer Systems Division UUCP: mcvax!decvax!hplabs!hpda!dclaar -or- ucbvax!hpda!dclaar ARPA: dclaar%hpda@hplabs.HP.COM
-----------[000007][next][prev][last][first]---------------------------------------------------- From: "MOG::REX"@isdmnl.menlo.usgs.gov (Rex Sanders) 6-JUN-1989 23:54:59 To: security@pyrite.rutgers.edu
On our 4.3 BSD Unix system, we have three people that need root permissions. We used to all know the root password. Then, a security directive came around: one account, only one person knows the password. We set up three accounts, with names other than "root", and uid 0, gid 1. Each account has it's own password, and I changed the "root" password to something I've already forgotten. We put hooks in /.login and /.cshrc to source files of our own. This scheme has worked fine for several years now. To help other users identify "root" users when logged in, we named the other accounts with root vegetable names - mine is "radish". -- Rex rex@isdmnl.menlo.usgs.gov
-----------[000008][next][prev][last][first]---------------------------------------------------- From: deh@eng.umd.edu 7-JUN-1989 0:31:42 To: AI.CLIVE@mcc.com Cc: security@pyrite.rutgers.edu
there are envelopes that close with a holographic foil that is then embossed. The image is somewhat unique in that it has a serial number on(in?) it, visible. Since they are serial numbered, you can't just replace it, and they seem to be very fragile in that you can not peal them off without a lot of visible and obvious damage. Of course, they are most likely VERY expansive, (yow! I think I meant expensive!) since I only know of one place that uses them at all, and only then for very sensitive things, and they DON'T like it when people take them home for their kids to play with ! Doug
-----------[000009][next][prev][last][first]---------------------------------------------------- Date: 5 Jun 89 18:38:24 GMT From: lekash@ORVILLE.NAS.NASA.GOV (John Lekashman) To: misc.security Subject: System Security
UNICOS, at least as I saw it two years ago, had no
pretense at security.
Things are getting better. They now very quickly get bug repairs
in, at least in the networking area. In fact, CRI is the
fastest vendor we have at applying and releasing discovered security
bug repairs. (Except vaxes running BSD, but thats a special case.)
So, if you find something, tell them. If its real,
and gets back to Minnesota, it gets fixed.
john
-----------[000010][next][prev][last][first]---------------------------------------------------- Date: 5 Jun 89 21:20:32 GMT From: faigin@AEROSPACE.AERO.ORG To: misc.security Subject: Looking for Conferences or Seminars on Security
Someone in our company asked me for information on conferences or seminars that might provide somebody with background on DoD regulations and requirements for computer security, including regulations about TEMPEST. As I am more involved with multi-level computer security (as opposed to the DoD side of things), I though I might toss out the request. Does anyone know of conferences or seminars which might fit the bill? Daniel Work :The Aerospace Corp M8/055 * POB 92957 * LA, CA 90009-2957 * 213/336-3149 Home :8333 Columbus Avenue #17 * Sepulveda CA 91343 * 818/892-8555 Email:faigin@aerospace.aero.org (or) Faigin@dockmaster.ncsc.mil Voicemail: 213/336-5454 Box#3149 * "Take what you like, and leave the rest"
-----------[000011][next][prev][last][first]---------------------------------------------------- Date: 6 Jun 89 11:52:19 GMT From: peter%ficc@UUNET.UU.NET (Peter da Silva) To: misc.security Subject: Re: GNU, security, and RMS
> No security on the computer is similar to allowing anyone to come into > your office and look at anything they please, and also to allow them to > change anything they please. I doubt if many people would like this. I think you have this backwards. In no place I have worked has there been any security protecting the contents of people's offices from such intrusion, at least below management levels. In school, however, personal security is taken much more seriously. Every TA and advisor has a lock on their door, lockers for students are available in most buildings, etc... Security in computer systems at the typical commercial/industry site is mainly to (1) keep intruders out, and (2) keep people from accidentally damaging each others files. And both of these are useful features. -- Peter da Silva, Xenix Support, Ferranti International Controls Corporation. Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
-----------[000012][next][prev][last][first]---------------------------------------------------- From: "John Schlosser" <URSJ@MARISTC> 7-JUN-1989 22:32:29 To: "Security List" <SECURITY@MARIST>
From what I've seen, the "club" only blocks the steering wheel from turning more than a few degrees any way because of the way the club is attached. This works great if a would-be thief has the intention of driving away with your car, but what if he/she/it just wants to strip it bare of anything that's in it? A large metal pole that's attached to the steering wheel isn't going to do much good then, will it? John P. Schlosser (URSJ@MARISTC) Student Staff Programmer Marist College Computer Center .Nothing I say in any way reflects anyone's opinion other than my own. .I am not affiliated with THE CLUB's makers, distributors, advertisers or anyone else.
-----------[000013][next][prev][last][first]---------------------------------------------------- From: barnett@unclejack.crd.ge.com (Bruce Barnett) 7-JUN-1989 23:03:16 To: security@pyrite.rutgers.edu
>On the other hand, picking a Medeco lock is again, significantly more >difficult than other locks. I was talking to someone selling home security units. He laughed at a Medeco lock, saying someone invented a device that lets you pick/defeat it in minutes. Of course he wanted to sell me HIS security system. -- Bruce G. Barnett <barnett@crdgw1.ge.com> a.k.a. <barnett@[192.35.44.4]> uunet!crdgw1.ge.com!barnett [Moderator tack-on: He was probably talking about the various Medeco "mapping" devices, that were actually patented at one point. I doubt if these tools were ever marketed to locksmiths; they utilized some weaknesses of the cylinder in really bizarre twisted ways, such as shoving a small wire up the twist-limiting guide slot to feel where the top of the pin was.You would still have to cut a key based on what the tool told you. You might ask this fellow if he ever *saw* these tools being used... _H*]
-----------[000014][next][prev][last][first]---------------------------------------------------- From: hollombe@ttidca.tti.com (The Polymath) 8-JUN-1989 2:49:37 To: misc-security@sdcsvax.ucsd.edu
} hi, have you heard of the latest lock for vehicles ... called the "Club".
Probably a little less secure than with the type of lock that runs from
the steering wheel to the brake or clutch pedal. (The "Club" just locks on
the steering wheel, making it difficult or impossible to turn completely
around).
I'd guess a large pair of bolt-cutters would get either one off in a few
seconds. (If they won't cut the lock, cut the steering wheel. Car thieves
aren't known for finesse).
--
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimati Nil
Citicorp(+)TTI Carborundum
3100 Ocean Park Blvd. (213) 452-9191, x2483
Santa Monica, CA 90405 {csun|philabs|psivax}!ttidca!hollombe
-----------[000015][next][prev][last][first]---------------------------------------------------- From: Jeff Makey <Makey@logicon.arpa> 8-JUN-1989 3:22:18 To: security@rutgers.edu
I carry an ordinary Boy Scout knife in my pocket the same as I carry
my wallet and keys. When I fly, I usually just put the knife and
other metal objects I have into my briefcase to be x-rayed and I have
never had any problems.
About a month ago I went through airport security (in San Diego)
without anything to be put on the x-ray belt, so I just pulled the
knife out of my pocket and placed it on one of those little trays they
have for change and stuff. As I walked through the metal detector the
guard picked up my knife and looked at it. He opened the blade
part-way (perhaps to see if it was a switch-blade? or to check the
size of the blade?), closed it, and gave it back to me without
comment.
A similar thing happened about 9 years ago in Chicago, except the
guard told me, "just don't kill anybody." Seriously!
It sounds as if the airline security folks are fairly sensible about
the types of things you can and can't take on an airline with you. I
would be shocked if they tried to prevent me from taking on board my
mechanical pencil, which is a pointed metal object about the same
length as my open Boy Scout knife.
:: Jeff Makey
Makey@LOGICON.ARPA
-----------[000016][next][prev][last][first]---------------------------------------------------- Date: 6 Jun 89 19:50:38 GMT From: pyron@lvvax1.csc.ti.com (Who remembers 8USER.PAR?) To: misc.security Subject: DECUS Security SIG
Is there anyone on this list who took part in any of the sessions at the
Spring DECUS (Atlanta) on forming a Security SIG? I haven't heard from
anyone since then, and my management wants to know where it is going.
Please reply directly to me.
Dillon Pyron | The opinions are mine, the facts
TI/DSEG Lewisville Computer Services | probably belong to the company.
pyron@lvvax1.csc.ti.com |
(214)462-5449 | We try, we learn, sometimes we die.
| We sit on our butts, learn nothing,
| and we still die.
-----------[000017][next][prev][last][first]---------------------------------------------------- From: lamaster@ames.arc.nasa.gov (Hugh LaMaster) 8-JUN-1989 3:35:18 To: misc-security@ames.arc.nasa.gov
I have seen many postings on a variety of problems with so-called high security standard-cylinder-type locks. While no such lock is perfect, it would seem that there might be a consensus that some particular product line is the least likely to be easily picked or forced by garden- variety burglars, and may even slow down an expert. If there is such a consensus on a company/product line, I would appreciate knowing what it is. A sort of related question is: I have seen locks with automatic "dead bolts" - meaning, locks in which opening the door with a key from the outside (not in the handle) pulls back a full-sized spring loaded bolt, which closes when the door is closed. The obvious idea is to prevent "loiding" (I think this is the term...), and also to provide more resistance to forcing than the relatively narrow bars which are used on some locks for the same purpose. Does anyone know the availability of these locks and whether they have any advantage over the standard narrow bar type? (I am no lock expert, in case it isn't obvious :-) ). I assume that such a lock would have to be well lubricated to allow the torque of a key to open a large bolt, but what other disadvantages are there? Hugh LaMaster, m/s 233-9, UUCP ames!lamaster NASA Ames Research Center ARPA lamaster@ames.arc.nasa.gov Moffett Field, CA 94035 Phone: (415)694-6117 [Moderator toss-in: The usual way manufacturers of spring-loaded latches prevent carding, loiding, sliding, whatever you want to call it, is to provide an extra latch piece that is pushed into the mortise edge when the door is closed, and engages a catch that prevents the main latch from being pushed in. These are well-known to, um, not work in many installations. The sure- fire way to lock the door is a dead bolt or better, but you can't just slam the door closed. If you're a chronic loser of keys, this could be good! _H*]
-----------[000018][next][prev][last][first]---------------------------------------------------- From: Stephen Wadlow <sw0y+@andrew.cmu.edu> 8-JUN-1989 10:24:41 To: biocca@bevb.bev.lbl.gov (Alan Biocca), misc-security@ucbvax.berkeley.edu
Rekeying is feasible depending on the availability of pins. Many cylinders use a fairly standard pin (.115 in diameter, frequently in .003 or .005 increments). Medeco and a few other companies (Best comes to mind) use different size pins that aren't as easily available. Medeco also requires very specific types of pins if they are addressing the sidebar, otherwise, other pins are useless. What I would really like to see is more venders going to the hex-nut caps that medeco uses. It would make re-keying much easier and quicker. steve ====================================================================== Stephen G. Wadlow Internet: stephen.wadlow@andrew.cmu.edu Bitnet: wadlow@drycas "Hey Man, A ship in harbor is safe, but that ain't what ships are for"
-----------[000019][next][prev][last][first]---------------------------------------------------- Date: 7 Jun 89 04:39:11 GMT From: svh@XAIT.XEROX.COM (Susan Hammond) To: misc.security Subject: Re: Security Digest
There are cheap low-tech ways to make an envelope really tamper-resistant--
or to make tampering obvious. Easiest is to enclose the item in question in
aluminum foil before you put it into the envelope.
Also, you can enclose the whole envelope in two clear sheets of contact
paper. For a #10 envelope, cut two sheets about 4" by 10", peel the
backing off, place the envelope on one, cover with the other, and leaving
about 1/2 to 1" of contact paper around the edges of the envelope, trim the
contact paper edges to be even to make it difficult to get a grip on a single
sheet. If someone tries to remove it it is pretty obvious. Putting a
signature on the envelope (as suggested in an earlier posting?) helps you
detect an attempt to substitue a new envelope for the damaged one.
--
------------------------------------------------------------------
Susan Hammond/CCA
svh@XAIT.Xerox.COM
{decvax,linus,mirror}!xait!svh
-----------[000020][next][prev][last][first]---------------------------------------------------- From: hal@gateway.mitre.org (Hal Feinstein) 8-JUN-1989 17:10:38 To: -v@gateway.mitre.org, security@pyrite.rutgers.edu Cc: infsecur@smiley.mitre.org
I've just gotten the word that a substantially reworked version of DES will soon become public. The version eliminates the piple-line structure of FIPS 46 and replaces many of the bit picking that slows most computer implementations. I havn't been told how much of a speed up this will have over the FIPS 46 version of the algorithm. The new version has eliminated some of the "rounds" structure of the current algorithm and still computes the same DES process. Speculation is that it will make file and bulk based DES faster and less expensive and will provide a base for faster IC implementations. More as I find it out.
-----------[000021][next][prev][last][first]---------------------------------------------------- From: "David D. Grisham" <DAVE@UNMB> 8-JUN-1989 17:20:53 To: security@ubvm
Has anyone had experience with fileserver security? I am reviewing our new fileserver proposed setups. Novel SFT 2.15 and Appleshare 2.0 in a 50 station pod. What safeguards are you all using? Any hacker or virus problems? General and specific information would be appreciated. Also, we are going to keep stats on use (Saber on Novel). What menu/usage tracking software are you using and is it safe and effective? In return I can help with Mac specific viruses with policies and tools. On the DOS side we have been using notchless disks in our remote pods- Novel looks like a potential problem- yes or no? We have been running an Appleshare for a year and have it up, running, and safe 99% of the time in a small lab. Dave Grisham, Senior Consultant/Virus Security Phone (505) 277-8148 Computer & Information Resources & Technology University of New Mexico USENET DAVE@UNMA.UNM.EDU Albuquerque, New Mexico 87131 BITNET DAVE@UNMB
-----------[000022][next][prev][last][first]---------------------------------------------------- From: viusys!rwb@daitc.mil (Rick Butland) 8-JUN-1989 22:11:48 To: security@rutgers.edu
As the subject says, is anyone aware of a software package that will encrypt files on DOS? Actually, what's desired is the ability to compose a msg on a PC, encrypt it, and mail it to another PC user, where both PC's are attached to a Unix host. Most likely, though, rather than mail, the messages will just be uploaded/downloaded. Thanks in advance, Rick Butland (rwb@viusys)
-----------[000023][next][prev][last][first]---------------------------------------------------- From: SIANI@nssdca.gsfc.nasa.gov 8-JUN-1989 22:28:01 To: security@rutgers.edu
>Attorneys said yesterday they are negotiating a second plea
>bargain for computer hacker Kevin Mitnick
Kevin Mitnick, the hacker "so dangerous that he can't even be allowed to use
a phone". "He could ruin your life with his keyboard". "Armed with a keyboard
and considered dangerous."
These are some of the things that have been said about this person. All
of this media hype would be fine if it just sold news papers. But it has done
much more then just sell a few papers. It has influenced those that will
ultimately decide his fate. I myself don't know the man, but I have talked to
others that do. Including one of the persons that investigated Mitnick. From
all I have heard about him, I think he is a slime ball!
But even a slime ball should not be railroaded into a prison sentence that
others of equal or greater guilt have avoided.
I personally feel the man is just a criminal, like the guy that robs a 7/11,
no better but certainly not any worse.
Unfortunately he is thought of as some kind of a "SUPER HACKER".
The head of LA Police Dept's Computer Crime Unit is quoted as saying
"Mitnick is several levels above what you would characterize as a computer
hacker".
No disrespect intended, but a statement like this from the head of a
computer crime unit indicates his ignorance on the ability of hackers
and phone phreaks. Sure he did things like access and perhaps even altered
Police Dept. criminal records, credit records at TRW Corp, and Pacific
Telephone, disconnecting phones of people he didn't like etc.
But what is not understood by most people outside of the hack/phreak world is
that these things are VERY EASY TO DO AND ARE DONE ALL THE TIME.
In the hack/phreak community such manipulation of computer and phone systems
is all to easy. I see nothing special about his ability to do this.
The only thing special about Kevin Mitnick is that he is not a "novice" hacker
like most of the thirteen year old kids that get busted for hacking/phreaking.
It has been a number of years since an "advanced" hacker has been arrested.
Not since the days of the Inner Circle gang have law enforcement authorities
had to deal with a hacker working at this level of ability. As a general
rule, advanced hackers do not get caught because of there activity but rather
it is almost always others that turn them in.
It is therefore easy to understand why his abilities are perceived as being
extraordinary when in fact they are not.
Because of all the media hype this case has received I'm afraid that:
1.) He will not be treated fairly. He will be judged as a much greater threat
to society then others that have committed simular crimes.
2.) He will become some kind of folk hero. A Jesse James with a keyboard.
This will only cause other to follow in his footsteps.
I'm not defending him or the things he has done in any sense. All I'm saying
is lets be fair. Judge the man by the facts, not the headlines.
Disclaimer: The views expressed here are my own.
Kenneth Siani
Sr. Security Specialist
Information Systems Div.
NYMA Inc.
Internet Mail:
siani@nssdca.gsfc.nasa.gov
-----------[000024][next][prev][last][first]---------------------------------------------------- Date: 7 Jun 89 21:35:00 GMT From: WMURRAY@dcm1wm.das.net To: misc.security Subject: Export of the DES
>Not long ago I got inside word that AT&T had asked for a determination
>of the export status of their UNIX crypt routines, the outcome of which
>was essentially that individual approval would have been readily obtained,
>but not blanket "warehouse" approval. This seems pretty silly to me..
It is not silly if you believe your self to be required by law to
keep track of every instance.
>From my own experience, it seems to me that DES per se is not excluded from
>export. It just depends on how you use it.
DES is not excluded from export. However, it must be licensed. It
is easy to get a license for DES in hardware. It is easy to get a
license for a one-way implementation of DES in software. It may be
possible to get a license to export a reversible version of the DES
in software provided that it is so embedded in an application that it
cannot be used to encrypt an arbitrary file or msessage. It is
practically impossible to get a license to export a software
implementation of a general purpose and revesible verion of DES (or
indeed any other algorithm for that matter.)
Such implementations have the potential for turning any mini or micro
into a crypto engine. This might fill the ether with traffic that
cannot be readily recognized, raising the cost of signals
intelligence gathering.
>What makes DES written here so secret when the one written in Finland
>(acc. a recent posting) isn't??????
The issue is not secrecy; it is replicability. Note that hardware
implementations cannot be easily copied or modified. If you can keep
track of the incidents of hardware, but would have more difficulty in
keeping track of copies of software, then you might be interested in
discouraging software. If the work factor for reading the DES was N,
but that of reading a variant is >N then one might be motivated to
discourage variants.
>We're locking the barn door -- with the horse inside -- but after the
>back wall fell down.
One does what one can do. This is particularly true if one believes
oneself to be mandated by law to do so.
These observations are based upon many years of observing this issue.
While I have often discussed them in front of officers of the NSA,
they have never commented on them. Neither have they ever attempted
in any way to influence me. I suspect that the area is classified
and that they are unable to confirm or deny.
I am not now, have never been, and do not ever expect to be an agent
of the NSA. While I am a guest on DOCKMASTER, this message
originates on MCI Mail.
____________________________________________________________________
William Hugh Murray 216-861-5000
Fellow, 203-966-4769
Information System Security 203-964-7348 (CELLULAR)
ARPA: WHMurray@DOCKMASTER
Ernst & Whinney MCI-Mail: 315-8580
2000 National City Center TELEX: 6503158580
Cleveland, Ohio 44114 FAX: 203-966-8612
Compu-Serve: 75126,1722
INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840 PRODIGY: DXBM57A
--------------------------------------------------------------------
-----------[000025][next][prev][last][first]---------------------------------------------------- Date: 8 Jun 89 16:12:26 GMT From: strauss@AEROSPACE.AERO.ORG (Daryll Strauss) To: misc.security Subject: Re: High-Tech Knife
I carry my Swiss Army knife with me all the time, and my usual routine is to hand it to the security gaurd on my way through the metal detector. They usually don't bother to open it, but when they do, they are checking that the blade is less than 3 and 1/2 inches long. I believe that is the current FAA limit. The security people are reasonable, and some of them even have a sense of humour! I got quite a chuckle when I was returning from a trip to Mexico. I was 18 (and looked younger), and I was carrying 2 liters of Tequila. The security gaurd X-ray'd my bag and just laughed. It wasn't his job to stop minors from drinking! The thing that is much more scarey is when I was leaving Pittsburgh on one trip and forgot to remove my knife and the metal detector did NOT go off! That really made me worry. ------------------------------------------------------------------------------- Daryll Strauss f The Aerospace Corp. strauss@aerospace.aero.org n Mail Stop: M1-102 ..!uunet!aero.org!strauss o P.O. Box 92957
-----------[000026][next][prev][last][first]---------------------------------------------------- From: simsong@idr.cambridge.ma.us (Simson L. Garfinkel) 10-JUN-1989 22:29:59 To: elbows@bloom-beacon.mit.edu, security@rutgers.edu
I am doing an article on ISDN for The Boston Globe. The artice would like to write about all of the problems with ISDN, all of the advantages, what people's experience have been (both positive and negative), and where things are going. If anybody would like to give me a call or email, and flame, this is your chance!!! Simson L. Garfinkel 409 Washington Street Cambridge, MA 02139 617-876-6111 simsong@idr.cambridge.ma
-----------[000027][next][prev][last][first]---------------------------------------------------- From: leichter@cs.yale.edu (Jerry Leichter (LEICHTER_JERRY@CS.YALE.EDU)) 10-JUN-1989 22:55:17 To: misc-security@uunet.uu.net
Try substituting "tanks" for "DES implementations". There are many manufac- turers of tanks in the world; their products are not subject to US control. Should the US therefore be willing to export tanks to anyone who wants them? One can certainly criticise the export controls that now exist for being poorly stated, or ineffective, or any of a variety of other things. Certainly the way they ARE stated can make them look very silly. But it bothers me to see a complete unwillingness to understand that there is a real, underlying issue here. Suppose the US manufactured military radios containing very strong encryption technology. Should we be willing to sell those to anyone who wanted them? Suppose the basic technology for the radios was readily available, but the encryption chips that made the radios used secret technology. Should we sell the encryption chips to anyone who asks? If your answer to this question is different from the previous one, can you explain why? Now suppose the algorithms of the encryption chips were public knowledge, but actually implementating them as chips with sufficient speed, reliability, low power consumption, whatever, was very hard. Does your answer change? Lines are hard to draw. But laws require them to be drawn. -- Jerry
-----------[000028][next][prev][last][first]---------------------------------------------------- From: WMURRAY@dcm1wm.das.net 10-JUN-1989 23:08:04 To: security@rutgers.edu
>Not long ago I got inside word that AT&T had asked for a determination
>of the export status of their UNIX crypt routines, the outcome of which
>was essentially that individual approval would have been readily obtained,
>but not blanket "warehouse" approval. This seems pretty silly to me..
It is not silly if you believe your self to be required by law to
keep track of every instance.
>From my own experience, it seems to me that DES per se is not excluded from
>export. It just depends on how you use it.
DES is not excluded from export. However, it must be licensed. It
is easy to get a license for DES in hardware. It is easy to get a
license for a one-way implementation of DES in software. It may be
possible to get a license to export a reversible version of the DES
in software provided that it is so embedded in an application that it
cannot be used to encrypt an arbitrary file or msessage. It is
practically impossible to get a license to export a software
implementation of a general purpose and revesible verion of DES (or
indeed any other algorithm for that matter.)
Such implementations have the potential for turning any mini or micro
into a crypto engine. This might fill the ether with traffic that
cannot be readily recognized, raising the cost of signals
intelligence gathering.
>What makes DES written here so secret when the one written in Finland
>(acc. a recent posting) isn't??????
The issue is not secrecy; it is replicability. Note that hardware
implementations cannot be easily copied or modified. If you can keep
track of the incidents of hardware, but would have more difficulty in
keeping track of copies of software, then you might be interested in
discouraging software. If the work factor for reading the DES was N,
but that of reading a variant is >N then one might be motivated to
discourage variants.
>We're locking the barn door -- with the horse inside -- but after the
>back wall fell down.
One does what one can do. This is particularly true if one believes
oneself to be mandated by law to do so.
These observations are based upon many years of observing this issue.
While I have often discussed them in front of officers of the NSA,
they have never commented on them. Neither have they ever attempted
in any way to influence me. I suspect that the area is classified
and that they are unable to confirm or deny.
I am not now, have never been, and do not ever expect to be an agent
of the NSA. While I am a guest on DOCKMASTER, this message
originates on MCI Mail.
____________________________________________________________________
William Hugh Murray 216-861-5000
Fellow, 203-966-4769
Information System Security 203-964-7348 (CELLULAR)
ARPA: WHMurray@DOCKMASTER
Ernst & Whinney MCI-Mail: 315-8580
2000 National City Center TELEX: 6503158580
Cleveland, Ohio 44114 FAX: 203-966-8612
Compu-Serve: 75126,1722
INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840 PRODIGY: DXBM57A
--------------------------------------------------------------------
-----------[000029][next][prev][last][first]---------------------------------------------------- Date: 10 Jun 89 16:35:06 GMT From: ijk@cbnewsh.att.com (ihor.j.kinal) To: misc.security Subject: Re: car locks
Wondering thru the local car parts store, I came across a device to make your steering wheel DETACHABLE!!! REMOVE THE WHEEL WHEN YOU LEAVE - That should deter most thieves. Cost - around $80. If I owned a Ferrari, I might get one - but I'd check first that it did not release TOO easily - might be a bit disconcerting if you reach out to adjust the tilt, and instead wind up disconnecting!!! Ihor Kinal cbnewsh!ijk [standard disclaimer applies]
-----------[000030][next][prev][last][first]---------------------------------------------------- From: gwyn@brl.mil 12-JUN-1989 1:59:37 To: security@rutgers.edu
>But what if the new version of crypt is not public ... ? One of the first rules of cryptography is to assume that the "opposition" knows all about the general system and is deprived only of the specific keys used for encryption. Experience has shown this to be a good approximation to reality.
-----------[000031][next][prev][last][first]---------------------------------------------------- From: Fred Blonder <fred@dtix.arpa> 12-JUN-1989 2:24:12 To: cme@cloud9.stratus.com (Carl Ellison) Cc: linus!misc-security@ursa-major.spdcc.com
You don't have to erase old encrypted passwords when you change algorithms -- just be prepared to accept either, for a while -- Or just silently store the new encryption. In fact, changing the encryption algorithm on a regular basis, combined with accepting either the current or previous encryptions, would be one way of implementing password aging, assuming you really want to do that. ---- Fred Blonder <fred@dtix.arpa> David Taylor Research Center (202) 227-1428
-----------[000032][next][prev][last][first]---------------------------------------------------- From: gregm@csd4.milw.wisc.edu (Greg Mumm) 12-JUN-1989 2:35:07 To: misc-security@uunet.uu.net
I have noticed that reporters and local security officials have the ability to trace auto license plates. Does anyone know how this is done? Seems unlikely that they call up the local police department and ask because anyone could do that! What is the probability that a common citizen could find out the address of the person who cuts us off on the freeway via his license number and then proceed to visit him (or her) in person? :-) Any suggestions? Internet: gregm@csd4.milw.wisc.edu / arpa!gregm@csd4.milw.wisc.edu Uucp: uwvax!uwmcsd1!uwmcsd4!gregm Csnet: gregm%uwmcsd4@uwm Greg Mumm
-----------[000033][next][prev][last][first]---------------------------------------------------- Date: 11 Jun 89 05:22:33 GMT From: gwyn@BRL.ARPA (Doug Gwyn) To: misc.security Subject: Re: DES export laws
>Try substituting "tanks" for "DES implementations". There is a fundamental difference. Tanks can obviously be used to assault you, to violate rights of individuals on a large scale. Effective encryption technology could be used to prevent your eavesdropping, to protect the rights of persons communicating. I see no way to claim that NSA or anyone else has a "right" to be able to snoop on other people's conversations. I don't dispute that such snooping can produce useful information, but it is not information to which we are in principle entitled. As much as I love cryptanalysis, I would welcome a world in which people can be sure their communications are secure against snoops.
-----------[000034][next][prev][last][first]---------------------------------------------------- From: Mr. Stanley Cup <gretzky@unison.larc.nasa.gov> 12-JUN-1989 22:03:04 To: @uxv.larc.nasa.gov:security@pyrite.rutgers.edu
> You don't have to erase old encrypted passwords when you change
> algorithms -- just be prepared to accept either, for a while --
How about having both algorithms available for a "real short" time and do
this with them:
if (strcmp(new_crypt(reply ,salt),pass) == 0) {
/* all is ok, let 'em in */
}
else if (strcmp(crypt(reply, salt), pass) == 0) {
new_version_pass = new_crypt(reply,salt);
/* update the passwd file */
/* let 'em in */
}
else {
/* password was no good, do whatever */
}
After all of your users have logged in at least once, you then have all of
their passwords converted to the new algorithm without ever knowing what
their password is/was and the user will not know that anything was done
to the encryption algorithm for logging in.
-=>gretzky<=-
.mitch
-----------[000035][next][prev][last][first]---------------------------------------------------- From: zeleznik@cs.utah.edu (Mike Zeleznik) 12-JUN-1989 22:17:54 To: security@pyrite.rutgers.edu
Assuming you could keep the binary secure, isn't there always the old
argument that you should not base the security of a crypto system on the
secrecy of the algorithm, in general?
"GOOD" ciphers are hard to design; the average person doesn't just come
up with a new one overnight. Once you figure yours has sufficiently
leaked out, you'll have to design another one; EACH time.
The NSA seems willing to do this (with the new crypto systems), but
I would think the algorithm secrecy exists more as an added nuisance
than a requirement. They must figure it can't stay secret for very
long.
What about sticking with the current crypt, but just change the
constant. Now you only have to keep a single number secret, and you can
afford to change it very often.
Further, using the scheme mentioned earlier, the login could recognize
both the old and new crypt constant. Couldn't it then simply generate
the new crypt'd password when it needs to (or is this too dangerous?)?
Mike
Michael Zeleznik Computer Science Dept.
University of Utah
zeleznik@cs.utah.edu Salt Lake City, UT 84112
(801) 581-5617
-----------[000036][next][prev][last][first]---------------------------------------------------- Date: 12 Jun 89 03:04:07 GMT From: G.D.Shaw@DURHAM.AC.UK To: misc.security Subject: Re: DES Export Laws
> Try substituting "tanks" for "DES implementations".
This is not a valid analogy. Once you have one copy of a DES algorithm,
then it is easy to create as many as you like; the same is not true of
military hardware. Therefore, even if your enemy has a given number of
tanks, or of guns or whatever, it is still in your interest not to give him
any more. With software, he only needs to buy or steal one, so if you are
going to try to prevent the DES falling into the 'wrong hands', that
security must be complete:
1. If the software is on open sale in the US, then you may as well sell
it in Moscow too - at least that way, they might pay for it instead of
buying one copy in the US and pirating the rest. There is certainly no
point in banning it from NATO or neutral countries.
2. If you really want to stop the Russians getting hold of it, then you
need strict regulations in the US as well - but if this was effective you
would probably have had to prevent any commercial use of the product and
restrict it to government agencies only.
3. Even if you did this, it would only be a matter of time before any
hostile government was able to steal a copy; indeed, I would be surprised
if the Russians are not capable of writing their own DES code.
Fast DES chips are a very different matter: though it can undoubtedly
be done, copying chips is not a trivial undertaking. The issues at stake
are therefore essentially identical to those governing the sale of CPUs
or complete computers. Software and hardware pose very different problems,
and just because they both relate to the DES they should not be confused.
+----------------------------------------------------------------+
| Graham Shaw, Collingwood College, South Road, Durham, ENGLAND |
| JANET : G.D.Shaw @ UK.AC.DUR.MTS |
| Internet : G.D.Shaw%MTS.DUR.AC.UK@cunyvm.cuny.edu |
| EARN/BITNET : G.D.Shaw%MTS.DUR.AC.UK@UKACRL |
+----------------------------------------------------------------+
| "I always said there was something fundamentally wrong with |
| the Universe" - Arthur Dent |
+----------------------------------------------------------------+
-----------[000037][next][prev][last][first]---------------------------------------------------- From: John Lekashman <lekash@orville.nas.nasa.gov> 14-JUN-1989 0:06:44 To: ron@ron.rutgers.edu Cc: misc-security@rutgers.edu
UNICOS, at least as I saw it two years ago, had no
pretense at security.
Things are getting better. They now very quickly get bug repairs
in, at least in the networking area. In fact, CRI is the
fastest vendor we have at applying and releasing discovered security
bug repairs. (Except vaxes running BSD, but thats a special case.)
So, if you find something, tell them. If its real,
and gets back to Minnesota, it gets fixed.
john
-----------[000038][next][prev][last][first]---------------------------------------------------- From: _David C. Kovar <daedalus!corwin@talcott.harvard.edu> 14-JUN-1989 0:34:23 To: security@rutgers.edu
>You might check out Bob Baldwin's stuff (MIT) for rule-based analysis of >UNIX system security. He had a paper in CompCon Spring 87. This sounds like a program called 'kuang' that I've been looking for, on and off, since a network security conference in Boston a few months back. If anyone knows where one can aquire a copy of it I would be most appreciative. -David C. Kovar Technical Consultant ARPA: kovar@husc4.harvard.edu Office of Information Technology BITNET: corwin@harvarda.bitnet Harvard University MacNET: DKovar Ma Bell: 617-495-5947 "It is easier to get forgiveness than permission."
-----------[000039][next][prev][last][first]---------------------------------------------------- From: svh@xait.xerox.com (Susan Hammond) 14-JUN-1989 0:44:18 To: misc-security@linus.mitre.org
There are cheap low-tech ways to make an envelope really tamper-resistant--
or to make tampering obvious. Easiest is to enclose the item in question in
aluminum foil before you put it into the envelope.
Also, you can enclose the whole envelope in two clear sheets of contact
paper. For a #10 envelope, cut two sheets about 4" by 10", peel the
backing off, place the envelope on one, cover with the other, and leaving
about 1/2 to 1" of contact paper around the edges of the envelope, trim the
contact paper edges to be even to make it difficult to get a grip on a single
sheet. If someone tries to remove it it is pretty obvious. Putting a
signature on the envelope (as suggested in an earlier posting?) helps you
detect an attempt to substitue a new envelope for the damaged one.
--
------------------------------------------------------------------
Susan Hammond/CCA
svh@XAIT.Xerox.COM
{decvax,linus,mirror}!xait!svh
-----------[000040][next][prev][last][first]---------------------------------------------------- Date: 12 Jun 89 17:23:25 GMT From: cep@APPLE.COM (Christopher Pettus) To: misc.security Subject: Re: Tracing license numbers
In California, at least, automobile registration records are public
information. You just go down to the local DMV, fill out a form (stating
why you want the information), pay an exceptionally nominal fee that
depends on how much information you gave them to do the search, and they
send you the registration information. They also let the registered owner
know that you did the request, however; I suppose one could use an assumed
name (which, I'm quite sure, would be illegal).
-- Christopher Pettus | "Ganesha Said: 'Done! The very
Network Systems Development | day I was born I made my first
Apple Computer, Inc. | mistake, and by that path have
cep@apple.com {nsc, sun}!apple!cep | I sought wisdom ever since.'"
AppleLink: PETTUS.C | - The Mahabharata
(408) 974-0004 | I: A Mine of Jewels and Gems
-----------[000041][next][prev][last][first]---------------------------------------------------- From: mrc@tomobiki_cho.cac.washington.edu (Mark Crispin) 14-JUN-1989 7:14:31 To: misc-security@ames.arc.nasa.gov
Auto registration and driver's license information is public information, available to anyone. All you have to do is go to the local licensing agency for your state, plunk down a few dollars, and you'll receive a printout. A few states, such as California, will make you give some reason for asking for the information, and will notify that person that so-and-so looked up your record. However, they don't verify the reason or so-and-so's address, etc. Mark Crispin / 6158 Lariat Loop NE / Bainbridge Island, WA 98110-2020 mrc@CAC.Washington.EDU / MRC@WSMR-SIMTEL20.Army.Mil / (206) 842-2385 [Moderator tack-on: Thanks also to the *numerous* others who have so far responded with nearly identical information... _H*]
-----------[000042][next][prev][last][first]---------------------------------------------------- From: cep@apple.com (Christopher Pettus) 14-JUN-1989 7:21:41 To: misc-security@goofy.apple.com
In California, at least, automobile registration records are public
information. You just go down to the local DMV, fill out a form (stating
why you want the information), pay an exceptionally nominal fee that
depends on how much information you gave them to do the search, and they
send you the registration information. They also let the registered owner
know that you did the request, however; I suppose one could use an assumed
name (which, I'm quite sure, would be illegal).
-- Christopher Pettus | "Ganesha Said: 'Done! The very
Network Systems Development | day I was born I made my first
Apple Computer, Inc. | mistake, and by that path have
cep@apple.com {nsc, sun}!apple!cep | I sought wisdom ever since.'"
AppleLink: PETTUS.C | - The Mahabharata
(408) 974-0004 | I: A Mine of Jewels and Gems
-----------[000043][next][prev][last][first]---------------------------------------------------- Date: 13 Jun 89 19:35:58 GMT From: hollombe@ttidca.tti.com (The Polymath) To: misc.security Subject: Re: Kevin Mitnick
}I personally feel the man is just a criminal, like the guy that robs a 7/11,
}no better but certainly not any worse.
A number of people have been killed in 7/11 robberies. How bad is that?
}... Sure he did things like access and perhaps even altered
}Police Dept. criminal records, credit records at TRW Corp, and Pacific
}Telephone, disconnecting phones of people he didn't like etc.
}But what is not understood by most people outside of the hack/phreak world is
}that these things are VERY EASY TO DO AND ARE DONE ALL THE TIME.
Therefore Mitnick's guilt is less? More appropriately, we should throw the
book at him and go after similar criminals/sociopaths just as aggressively.
}1.) He will not be treated fairly. He will be judged as a much greater threat
}to society then others that have committed simular crimes.
That's his lawyer's problem.
}2.) He will become some kind of folk hero. A Jesse James with a keyboard.
Not if he's found guilty and harshly sentenced. There's little glory in
20 years behind bars with no access to his favorite toys.
}I'm not defending him or the things he has done in any sense. All I'm saying
}is lets be fair. Judge the man by the facts, not the headlines.
Let's trust the jury to do just that. Despite the image of a chaotic
court system, created by the same media hype of a few odd cases, juries,
by and large, have been shown to be fairly efficient at fact finding and
interpretation and ignoring media bull.
BTW, my impression from the news media is that Mitnick isn't a super
hacker, or even much of a hacker, at all. He's more a classic, textbook
sociopath. Most of the times he gained access to systems he did so not
with computer expertise, but by conning the owners into giving him the
needed passwords. That ability to inspire trust, combined with the
conscienceless willingness to abuse it, is a classic symptom of
sociopathy. It has nothing to do with computer expertise.
If he didn't know anything about computers Mitnick would probably be an
embezzler or a used car salescritter. I suspect society will be much
better off with him isolated and neutralized (and that should keep me
off the jury, at least).
--
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimati Nil
Citicorp(+)TTI Carborundum
3100 Ocean Park Blvd. (213) 452-9191, x2483
Santa Monica, CA 90405 {csun|philabs|psivax}!ttidca!hollombe
-----------[000044][next][prev][last][first]---------------------------------------------------- Date: 14 Jun 89 20:28:57 GMT From: kiravuo@KAMPI.HUT.FI (Timo Kiravuo) To: misc.security Subject: Re: Consensus on locks?
>A sort of related question is: I have seen locks with automatic "dead bolts" > - meaning, locks in which opening the door with a key from the outside >(not in the handle) pulls back a full-sized spring loaded bolt, which closes >when the door is closed. I'm not sure I understood this right, but in Finland we have ABLOY locks with a keyhole on the outside and a small flat knob (not the round American type) on the outside. Towards the frame there is a small triangular piece that is pressed in by the frame and a larger (1 x 3 x 1,5 cm) rectangular piece that locks the door. You open the door from outside by twisting the key 180 degrees and pulling and lock it by pushing the door close. When the larger piece is out, you can pull it back in by twisting the knob or the key, but not by pushing it. There are some variations of the theme, but basically you can not open a lock of this type in the traditional "movie style", with a credit card or something like that. In Finland ABLOY has a major share of the lock market, and they are considered to be most secure. They are not completely secure, apparently somebody has found a way to open one. There was something about it in the papers some time ago. In the door of my apartment I have two locks. For normal use I have an ABLOY so that I can just push the door shut when I leave. When I am away for a longer time I use a German Zeiss Icon security lock that has to be shut with a key. This is a rather common practice in Finland. One thing that I always have wonderer in the states is the practice of having _round_ knobs on doors. If the lock is tight, they are really awful to turn. In Finlad we have usually decent handles, that you can turn. Much more easier. -- Timo Kiravuo Helsinki University of Technology, Computing Center kiravuo@hut.fi kiravuo@fingate.bitnet sorvi::kiravuo work: 90-451 4328 home: 90-676 076
-----------[000045][next][prev][last][first]---------------------------------------------------- From: ddefend@mcdurb.Urbana.Gould.COM 20-JUN-1989 9:38:44 To: misc-security@uxc.cso.uiuc.edu
I'm looking for a modem which is capable of dial-back and is advertised as being somewhat secure. I would appreciate hearing from anyone who has experience with any modem of this type. ----- Dan Defend Motorola Microcomputer Division ARPA: ddefend@urbana.mcd.mot.com UUCP: uunet!uiucdcs!mcdurb!ddefend
-----------[000046][next][prev][last][first]---------------------------------------------------- From: spaf@cs.purdue.edu (Gene Spafford) 20-JUN-1989 10:04:24 To: misc-security@gatech.edu
For purposes of checking for weak passwords, I'de like to obtain a
list of common names (Al, Fred, George... Alice, Kathy, Susan...)
Does anybody have such a list online they'd be willing to share with
me?
Please e-mail -- don't post.
Thanks in advance!
--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
-----------[000047][next][prev][last][first]---------------------------------------------------- From: faigin@aerospace.aero.org 20-JUN-1989 10:13:58 To: security@rutgers.edu
Someone in our company asked me for information on conferences or seminars that might provide somebody with background on DoD regulations and requirements for computer security, including regulations about TEMPEST. As I am more involved with multi-level computer security (as opposed to the DoD side of things), I though I might toss out the request. Does anyone know of conferences or seminars which might fit the bill? Daniel Work :The Aerospace Corp M8/055 * POB 92957 * LA, CA 90009-2957 * 213/336-3149 Home :8333 Columbus Avenue #17 * Sepulveda CA 91343 * 818/892-8555 Email:faigin@aerospace.aero.org (or) Faigin@dockmaster.ncsc.mil Voicemail: 213/336-5454 Box#3149 * "Take what you like, and leave the rest"
-----------[000048][next][prev][last][first]---------------------------------------------------- From: Reality is not an Industry Standard <PETERSON@LIUVAX> 20-JUN-1989 20:36:03 To: security@marist
A site I worked at used tyvek (tm?) envelopes and sealed them with a few drops of an epoxy. It was very difficult to spray them with "see- through" stuff (I prefer DEC tape unit cleaning fluid) and the epoxy drops ripped off fibers of they were forced. I prefer to leave the pager or phone number of two people who know system access passwords since a problem and security breach are known in real-time. Unfortunately this is not always possible. J. Peterson/Sys Eng LIU/South PETERSON@LIUVAX.BITNET
-----------[000049][next][prev][last][first]---------------------------------------------------- From: peter%ficc@uunet.uu.net (Peter da Silva) 20-JUN-1989 20:49:25 To: misc-security@uunet.uu.net
> No security on the computer is similar to allowing anyone to come into > your office and look at anything they please, and also to allow them to > change anything they please. I doubt if many people would like this. I think you have this backwards. In no place I have worked has there been any security protecting the contents of people's offices from such intrusion, at least below management levels. In school, however, personal security is taken much more seriously. Every TA and advisor has a lock on their door, lockers for students are available in most buildings, etc... Security in computer systems at the typical commercial/industry site is mainly to (1) keep intruders out, and (2) keep people from accidentally damaging each others files. And both of these are useful features. -- Peter da Silva, Xenix Support, Ferranti International Controls Corporation. Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
-----------[000050][next][prev][last][first]---------------------------------------------------- From: guy@ksr.com 21-JUN-1989 0:06:29 To: security@rutgers.edu
Well, I once had a pair of scissors confiscated by airline security before they would let me board a low-risk, Memphis-to-Boston flight. It sounds like you just happened to encounter a fairly sensible airline security character; they're not all like that. -- Guy Hillyer ksr!guy@harvard.harvard.edu
-----------[000051][next][prev][last][first]---------------------------------------------------- Date: 19 Jun 89 16:27:58 GMT From: TS0404@OHSTVMA.Berkeley.EDU (Pat Ratz) To: misc.security Subject: MIS Training Inst. Conference
I'm new to this list. Has anyone attended MIS Training Institute's conference on Control, Audit, and Security of IBM Systems? I sent for some info on it and I'd like to know if it would be worth attending. Also any comparison info relative to Computer Security Institute's conference. We are in the midst of installing Top Secret on our MVS system on an IBM 3081D. We have lots of other hardware and software here at OSU including VM, DEC, UNIX. Its all networked together using TCP/IP. I would also be interested in hearing from any other university people who using Top Secret.
-----------[000052][next][prev][last][first]---------------------------------------------------- From: rjg@sialis.mn.org (Robert J. Granvin) 21-JUN-1989 0:34:47 To: misc-security@uunet.uu.net
>We set up three accounts, with names other than "root", and
>uid 0, gid 1. Each account has it's own password, and I
>changed the "root" password to something I've already forgotten.
However, you have effectively quadrupled your chances for an
unauthorized entry, assuming that someone out there knows the
other names of the "root users".
> mine is "radish".
At this point, you've already given one away. Now the world knows
that the account "radish" is a root account. One can also assume that
"root" still exists. Knowing that "root vegetables" were used to name
the other accounts, guesses can be made as to the other account
names. Even if they weren't root accounts, it's still a basis to
start from...
While it may have improved internal security a bit (though I can't
actually see how), you've statistically increased your opportunities
for a damaging forced entry. Four accounts with four passwords
doesn't really do anything to improve your security. Without knowing
anything about your internal specifics, I'd personally say you've
damaged it...
--
________Robert J. Granvin________ INTERNET: rjg@sialis.mn.org
____National Computer Systems____ CONFUSED: rjg%sialis.mn.org@shamash.cdc.com
__National Information Services__ UUCP: ...uunet!rosevax!sialis!rjg
"Exxon: Our gasoline contains no sea water"
-----------[000053][next][prev][last][first]---------------------------------------------------- Date: 20 Jun 89 14:35:00 GMT From: ELTRUT@MSSTATE.BITNET (Michael K. Blackstock) To: misc.security Subject: Re: auto-call-back modems
Here is an ad taken from "computer shopper" Mar. 89. "FINAL CLOSEOUT/SRICE SLASHED! Lockheed-Getex modems now priced below our cost! ..300/1200-baud ..Choice of security levels including selective and nonselective callback ..Non-hayes compatible and any computer...that has industry standard RS-232C port " can use it "... NOW $29 + $4 S/H Item # H-4206-7344-195 COMB 1-800-328-0609 I have got two of them. I am using one of them right now, with a Lear Siegler Terminal. The other one is for my PC. BITNET: ELTRUT@MSSTATE -Michael
-----------[000054][next][prev][last][first]---------------------------------------------------- From: strauss@aerospace.aero.org (Daryll Strauss) 22-JUN-1989 1:39:24 To: misc-security@rutgers.edu
I carry my Swiss Army knife with me all the time, and my usual routine is to hand it to the security gaurd on my way through the metal detector. They usually don't bother to open it, but when they do, they are checking that the blade is less than 3 and 1/2 inches long. I believe that is the current FAA limit. The security people are reasonable, and some of them even have a sense of humour! I got quite a chuckle when I was returning from a trip to Mexico. I was 18 (and looked younger), and I was carrying 2 liters of Tequila. The security gaurd X-ray'd my bag and just laughed. It wasn't his job to stop minors from drinking! The thing that is much more scarey is when I was leaving Pittsburgh on one trip and forgot to remove my knife and the metal detector did NOT go off! That really made me worry. ------------------------------------------------------------------------------- Daryll Strauss f The Aerospace Corp. strauss@aerospace.aero.org n Mail Stop: M1-102 ..!uunet!aero.org!strauss o P.O. Box 92957
-----------[000055][next][prev][last][first]---------------------------------------------------- From: deh@eng.umd.edu 22-JUN-1989 2:14:47 To: Makey@logicon.arpa Cc: security@pyrite.rutgers.edu
The airline security people are in general pretty reasonable, once they
understand what something is, and can make a jungement on letting it
through or not. A lot of people flame them for asking a lot of
questions about things that are strange to them, but they are just
trying to understand what the item is and how it fits into their
mission. I used to lug a TI Silent 725 around airports a lot, in the
US and internationally, and most of them needed to see the insides
of it, since the X-rays did nothing to help my case (the damned things
look so much like a bomb when you X-ray them it is not funny). From the
viewpoint of the security people this thing was:
1. a large container with lights and switches that could hold enough
explosives to blow the whole airport up.
[after x-ray]
2. a large container with lights and switches that contains battery
looking things, wires, explosive looking things, more wires, etc.
[after I take off the inner cover]
3. a large frame with lights, switches, capacitors, wires, a roll of
paper, circut cards, more waires, but no sign of anything that
might be a problem for their security rules...
Of course, technology has progressed, but a Compaq 386 portable does
not look a lot better under x-ray, and is a whole lot harder to open...
Doug
-----------[000056][next][prev][last][first]---------------------------------------------------- From: GREENY <MISS026@ECNCDC.BITNET> 22-JUN-1989 2:50:54 To: <security@pyrite.rutgers.edu>
> this could be good if you are a chronic loser of keys...
Well if that is the case, then investigate the Schlage Key-n-Keyless entry
deadbolt/doorknob combination. Basically this is a set up that uses an
electronic circuit to all you to unlock the deadbolt AND the doorknob locks
without a key, or with the key if you have it.
When you leave the room/apt/whatever, you press a button, open the door and
after closing the door, you turn what is normally the security sheath (rim)
around the deadbolt cylinder to the right....this locks the deadbolt, and away
you walk.
upon returning, you turn the door knob until the led display (just one 1/4"
number only) lights up. Then via a combination of left and right turns of
the door knob you enter the combination. If you do it right, a "U" shows
up in the display, the thing beeps, and you can turn the security sheath
of the deadbolt to the left, thereby unlocking the deadbolt. Then you use
the door knob normally and enter in.
Several problems with this lock are:
1) the whole thing is made of that crappy cheapo metalic ABS plastic and
one good whack with a sledgehammer would take it right off the door.
(although the deadbolt cylinder, door knob appear to be normal metal)
2) If the batteries die, and you dont have the key, then you have to
either call a locksmith to pick it open for you or you have to do it...
3) I dont like the idea of having to push a button when I leave a room
this should be automatic...
Basically this lock would be good for closets, storerooms, etc,, where what's
wants something flashier than a sentex pushbutton lock...
Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: Greeny
-----------[000057][next][prev][last][first]---------------------------------------------------- Date: 21 Jun 89 21:38:26 GMT From: gwyn@BRL.MIL To: misc.security Subject: Re: Envelopes
>A site I worked at used tyvek (tm?) envelopes and sealed them with a few >drops of an epoxy. This is probably beyond the bounds of reasonable paranoia, but you should be aware that the standard technique for removing a document from a sealed envelope is to insert a slotted rod at the corner, roll the contents onto the rod, and slip it out as a thin tube. Of course it's reinserted by reversing the process. Thus, the corners of the envelope need special attention.
-----------[000058][next][prev][last][first]---------------------------------------------------- From: ijk@cbnewsh.att.com (ihor.j.kinal) 23-JUN-1989 18:15:21 To: misc-security@att.att.com
Wondering thru the local car parts store, I came across a device to make your steering wheel DETACHABLE!!! REMOVE THE WHEEL WHEN YOU LEAVE - That should deter most thieves. Cost - around $80. If I owned a Ferrari, I might get one - but I'd check first that it did not release TOO easily - might be a bit disconcerting if you reach out to adjust the tilt, and instead wind up disconnecting!!! Ihor Kinal cbnewsh!ijk [standard disclaimer applies]
-----------[000059][next][prev][last][first]---------------------------------------------------- From: nanovx!msa3b!kevin@gatech.edu (Kevin P. Kleinfelter) 23-JUN-1989 18:28:44 To: nanovx!misc-security@gatech.edu
I don't know about a consensus on pick-proof, but I've been burglarized 3 times in 3 different locations. In 2 cases the door was jimmied; in the 3rd, the door and the jamb were found in toto on my living room rug. I strongly believe in a "jimmy-proof" lock, which usually has several pins on one side, which slide into holes on the other. I've NEVER had a lock picked or credit-carded, but at least 2 were simply crow-barred. (I don't have a jimmy-proof lock now; I've decided "what's the use") -- Kevin Kleinfelter @ Management Science America, Inc (404) 239-2347 gatech!nanovx!msa3b!kevin
-----------[000060][next][prev][last][first]---------------------------------------------------- Date: 22 Jun 89 11:51:19 GMT From: oster@DEWEY.SOE.BERKELEY.EDU (David Phillip Oster) To: misc.security Subject: IBM Mainframe rs232 call-back software=Defender interface?
I'm looking for information about a software package named "Defender" that
runs on IBM mainframes.
It provides 3270 emulation over rs232 lines connected to inexpensive modems.
It uses a hang up and call-back approach.
My questions:
What kind of terminal does it expect to see at the remote end? Does the
3270 emulation require a terminal that accepts ANSI control commands or
something wierder? Does it provide any file transfer protocols, and if so,
which ones?
--- David Phillip Oster --"Unix Version 7 was an improvement not
Arpa: oster@dewey.soe.berkeley.edu --only over its predeccessors, but also its
Uucp: {uwvax,decvax}!ucbvax!oster%dewey.soe.berkeley.edu --successors."
-----------[000061][next][prev][last][first]---------------------------------------------------- Date: 23 Jun 89 19:32:00 GMT From: ACEH0@ais.ucla.edu (Elie Harel) To: misc.security Subject: Thumb scanning devices
Does anyone have experience with door locking devices that incorporate thumb scanning techniques instead of magnetic cards? It would be nice to eliminate the need for carrying magnetic cards for secure areas but in the same time maintain or improve the security level that these techniques provide. Any information on issues such as vendors, costs, characteristics, technical problems, administrative problems, security levels, and especially your own experience will be greatly appreciated. Thanks.
-----------[000062][next][prev][last][first]---------------------------------------------------- Date: 25 Jun 89 18:27:59 GMT From: MOG::REX@ISDMNL.MENLO.USGS.GOV (Rex Sanders) To: misc.security Subject: Re: passwords
>Knowing that "root vegetables" were used to name >the other accounts, guesses can be made as to the other account names. Note the explanation in the original article for choosing "root vegetable" names - this was done to let insiders know when root users were logged in. >While it may have improved internal security a bit (though I can't >actually see how), you've statistically increased your opportunities >for a damaging forced entry. Four accounts with four passwords >doesn't really do anything to improve your security. I agree that we have increased the chances for outside entry into our system. However, most of the "experts" I've heard from or read about state the biggest danger is from inside jobs. We have improved internal security by providing more accountability for actions taken with root permissions e.g. "Who modified that system file?". Also, as stated in the original article, the "one account, one-person-knows-password" rule was passed down from Higher Authorities. Perhaps this last point illustrates an old idea - set up a rule (law), and someone will comply with the letter of the rule while violating the objective (spirit). -- Rex Sanders, rex@isdmnl.menlo.usgs.gov
-----------[000063][next][prev][last][first]---------------------------------------------------- From: pyron@lvvax1.csc.ti.com (Who remembers 8USER.PAR?) 28-JUN-1989 21:02:03 To: security@pyrite.rutgers.edu, pyron@tilde.csc.ti.com
Is there anyone on this list who took part in any of the sessions at the
Spring DECUS (Atlanta) on forming a Security SIG? I haven't heard from
anyone since then, and my management wants to know where it is going.
Please reply directly to me.
Dillon Pyron | The opinions are mine, the facts
TI/DSEG Lewisville Computer Services | probably belong to the company.
pyron@lvvax1.csc.ti.com |
(214)462-5449 | We try, we learn, sometimes we die.
| We sit on our butts, learn nothing,
| and we still die.
-----------[000064][next][prev][last][first]---------------------------------------------------- From: gwyn@brl.arpa (Doug Gwyn) 29-JUN-1989 1:19:22 To: security@rutgers.edu
>Try substituting "tanks" for "DES implementations". There is a fundamental difference. Tanks can obviously be used to assault you, to violate rights of individuals on a large scale. Effective encryption technology could be used to prevent your eavesdropping, to protect the rights of persons communicating. I see no way to claim that NSA or anyone else has a "right" to be able to snoop on other people's conversations. I don't dispute that such snooping can produce useful information, but it is not information to which we are in principle entitled. As much as I love cryptanalysis, I would welcome a world in which people can be sure their communications are secure against snoops.
-----------[000065][next][prev][last][first]---------------------------------------------------- Date: 27 Jun 89 18:04:44 GMT From: janw@janus.UUCP (Jan Wortelboer) To: misc.security Subject: Multipurpose Security System (for) Users
Is there anybody who knows about a General Purpuse Security System,
for a computer system(UNIX) with inventive Users?
I am using Convergent's with informix and would like to make
the system secure, (as far as it goes).
If there is, i would like to know about it.
Thanks for any help.
Jan
--
Usenet: janw@janus.fwi.uva.nl, Uucp: {uunet,...}!hp4nl!janus!janw
Jan Wortelboer,Tel.Prive 020-913169,TOPDATA / Compact Informaticadiensten nv
Kantoorgebouw "Oosterpoort" Pegasusweg 18 3067 KX Rotterdam
Tel: {+31|0}10-4552644 Telefax {+31|0}10-4554682 Telex: 26727 .. NL
-----------[000066][next][prev][last][first]---------------------------------------------------- From: cme@cloud9.stratus.com (Carl Ellison) 29-JUN-1989 2:54:52 To: linus!misc-security@ursa-major.spdcc.com
> Should the US therefore be willing to export tanks to anyone who wants them? > Suppose the US manufactured military radios containing very strong encryption > technology. Should we be willing to sell those to anyone who wanted them? Sorry -- this argument doesn't wash. Weapons and weapons systems, like tanks, derive military value from things like the materials with which they're made, the workmanship used, .... Sometimes there's value added in the add-on electronic packages. In all of these cases, posession of the physical object implies military value. Therefore, sale and delivery of the object constitutes increasing the military strength of the recipient. An encryption device has only a trivial value by way of its parts. (eg., there was a sliding alphabet device during WW-II which had particular value because it was made of materials which didn't warp aboard ship in the South Pacific.) The real military value of an encryption device -- that which kills people or saves them from being killed -- is the algorithm itself and devices or algorithms for breaking it. In the case of DES, the algorithm is already known. No one is trying to sell machinery for breaking it. It's possible to buy implementations from overseas so there's no secrecy to protect, either with the algorithm or with how to implement it. So, what does the Government gain by interfering with its export? All I can see being accomplished is the inhibition of a small piece of potential export trade which could have been working against the trade deficit. --Carl Ellison UUCP:: cme@cloud9.Stratus.COM SNail:: Stratus Computer; 55 Fairbanks Blvd.; Marlborough MA 01752 Disclaimer:: (this is STRICTLY my own opinion)
-----------[000067][next][prev][last][first]---------------------------------------------------- From: G.D.Shaw@DURHAM.AC.UK 29-JUN-1989 3:34:26 To: SECURITY@pyrite.rutgers.edu
> Try substituting "tanks" for "DES implementations".
This is not a valid analogy. Once you have one copy of a DES algorithm,
then it is easy to create as many as you like; the same is not true of
military hardware. Therefore, even if your enemy has a given number of
tanks, or of guns or whatever, it is still in your interest not to give him
any more. With software, he only needs to buy or steal one, so if you are
going to try to prevent the DES falling into the 'wrong hands', that
security must be complete:
1. If the software is on open sale in the US, then you may as well sell
it in Moscow too - at least that way, they might pay for it instead of
buying one copy in the US and pirating the rest. There is certainly no
point in banning it from NATO or neutral countries.
2. If you really want to stop the Russians getting hold of it, then you
need strict regulations in the US as well - but if this was effective you
would probably have had to prevent any commercial use of the product and
restrict it to government agencies only.
3. Even if you did this, it would only be a matter of time before any
hostile government was able to steal a copy; indeed, I would be surprised
if the Russians are not capable of writing their own DES code.
Fast DES chips are a very different matter: though it can undoubtedly
be done, copying chips is not a trivial undertaking. The issues at stake
are therefore essentially identical to those governing the sale of CPUs
or complete computers. Software and hardware pose very different problems,
and just because they both relate to the DES they should not be confused.
+----------------------------------------------------------------+
| Graham Shaw, Collingwood College, South Road, Durham, ENGLAND |
| JANET : G.D.Shaw @ UK.AC.DUR.MTS |
| Internet : G.D.Shaw%MTS.DUR.AC.UK@cunyvm.cuny.edu |
| EARN/BITNET : G.D.Shaw%MTS.DUR.AC.UK@UKACRL |
+----------------------------------------------------------------+
| "I always said there was something fundamentally wrong with |
| the Universe" - Arthur Dent |
+----------------------------------------------------------------+
-----------[000068][next][prev][last][first]---------------------------------------------------- From: cme@cloud9.stratus.com (Carl Ellison) 29-JUN-1989 3:58:45 To: linus!misc-security@ursa-major.spdcc.com
> Now suppose the algorithms of the encryption chips were public knowledge, but > actually implementating them as chips with sufficient speed, reliability, low > power consumption, whatever, was very hard. Does your answer change? I say that in that case, if the implementation was done at the Government's request (eg., as part of a defense contract), then they can legitimately lay claim to rights over that implementation. However, if the implementation was done by a private firm strictly on its own money and for the intention of shipping product overseas, then it's none of the Government's business! This is a free market economy we keep bragging about, right? Let's make it stickier. Suppose the algorithm is not in a chip. It's software on a plain vanilla computer. Let's pretend that it's MY software -- and let's also pretend that I'm the best programmer in the world. Therefore, even though this is just software and anyone could have written it, I happen to be the person who wrote it the best. I want to profit from my ability. I want to sell copies of this superior software. I'm not picky. If the U.S.Government wants to buy some copies, I'll sell them some copies. However, I won't sell them exclusive rights to ths software unless they're willing to pay a VERY high price -- to compensate me for the profit I won't be able to make from other customers. Will they sign an exclusive contract and pay that very high price? (I'll wait while you stop laughing.) Well, no, not exactly. What they'll do is make it illegal for me to sell this software outside the U.S. and although they'll allow me to sell and ship it within the U.S., they won't buy any copies from me for themselves. --- and I repeat -- with encryption algorithms, the quality of the implementation doesn't add to the quality of the secrecy (and therefore the military value), but it might add to the satisfaction of the user and therefore to the financial incentive for me to do a good job in the implementation. Killing that financial incentive has only one logical justification -- to keep me out of the business and therefore keep a near monopoly in the hands of the NSA and select defense contractors. --Carl Ellison UUCP:: cme@cloud9.Stratus.COM SNail:: Stratus Computer; 55 Fairbanks Blvd.; Marlborough MA 01752 Disclaimer:: (of course)
-----------[000069][next][prev][last][first]---------------------------------------------------- From: /* Purple Haze */ <NCASTELLANO@eagle.wesleyan.edu> 29-JUN-1989 22:47:41 To: security@pyrite.rutgers.edu
There's been some discussion of software packages labelled "not for export" because they contain DES. Are there any other widely used programs that have this same "not for export" status? I have seen a "not for export" sticker on a box for Turbo Pascal, anyone know why?
-----------[000070][next][prev][last][first]---------------------------------------------------- From: MJB8949@RITVAX.BITNET 29-JUN-1989 23:22:32 To: SECURITY@pyrite.rutgers.edu
I'm presently researching the market for software designed to
interface a personal computer with a SESCOA 3000 alarm receiver. This is
for a 'medium-to-large' size college campus which has been using the SESCOA
for several years.
If anyone could pass on information about companies with such
products, or personal experience with various programs 'in the field',
your help would be greatly appreciated.
Please note that I'd need to receive any info before July 6 (I
know it's not that far away), since I will be on the other side of the
country after that.
E-Mail would probably be the best, then I can try to summarize
for everyone else if it seems others are interested.
Thanks.
Mike Bunnell 716-475-4263
30 Lowenthal Dr., Box 2767 ('till July 6)
Rochester, NY 14623 MJB8949@RITVAX
-----------[000071][next][prev][last][first]---------------------------------------------------- From: Mr. James Crooks <JIM@iss.nus.ac.sg> 29-JUN-1989 23:56:41 To: security@pyrite.rutgers.edu