The 'Security Digest' Archives (TM)


ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1989)
DOCUMENT: Rutgers 'Security List' for July 1989 (73 messages, 32960 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1989/07.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

-----------[000000]----------------------------------------------------------------------
Date:      1 Jul 89 22:09:57 GMT
From:      KFL@ai.ai.mit.edu ("Keith F. Lynch")
To:        misc.security
Subject:   RANDOM vs DETERMINISTIC systems

> Does anyone know to distinguish a system that spits out a sequence
> of "truly" random numbers ...  that has a complex (non-linear) but
> deterministic structure?

I don't think there is any way, other than to try and see a pattern.
If you don't find one, that doesn't mean there isn't one.  It might
just be too subtle for you to have noticed.

> A similar question is: how can you distinguish a good random
> number generator from a great one?  What tests are used?

A good answer would take many k.  Most of the poor generators flunk
autocorrelation statistics, though.  That doesn't mean one that passes
is good.  How good is good enough, and what tests are necessary,
largely depend on what you intend to use it for.
								...Keith

-----------[000001]----------------------------------------------------------------------
Date:      2 Jul 89 04:21:49 GMT
From:      gwyn@BRL.MIL
To:        misc.security
Subject:   Re: RANDOM vs DETERMINISTIC systems

>A similar question is: how can you distinguish a good random
>number generator from a great one?  What tests are used?

A good start on this would be to read Donald Knuth's "The Art of
Computer Programming -- Volume 2: Seminumerical Algorithms", which
explains many of the standard statistical tests for "randomness"
as well as the tricky question of how to define "random".
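
Keith's remark that poor generators tend to flunk autocorrelation statistics, and that passing a test proves little, can be seen with two of the tests Knuth describes in Volume 2: the chi-square frequency (equidistribution) test and the serial correlation test. The following is an added example written for this archive page, not code from either message or from Knuth: it runs both tests over one full period of a deliberately weak linear congruential generator (multiplier 5, for which Knuth's analysis predicts a lag-1 serial correlation near 1/a = 0.2) and over Python's Mersenne Twister. The generator parameters, the seed and the sample size are my choices.

```python
import random

M = 2 ** 16  # modulus of the toy generator (chosen for this example)


def lcg_sequence(a, c, m, seed, n):
    """Return n outputs of the linear congruential generator x <- (a*x + c) mod m."""
    out = []
    x = seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def chi_square_frequency(xs, m, bins=16):
    """Knuth's frequency test: chi-square statistic over `bins` equal-width
    buckets of [0, m).  A uniform source scores roughly bins-1 = 15 on average;
    exactly 0.0 means every bucket was hit equally often."""
    counts = [0] * bins
    for x in xs:
        counts[x * bins // m] += 1
    expected = len(xs) / bins
    return sum((c - expected) ** 2 / expected for c in counts)


def serial_correlation(xs):
    """Knuth's serial correlation test: lag-1 correlation between consecutive
    outputs, taken cyclically so that a full period is measured exactly.
    Independent uniform values give a result near 0; a value near 0.2 says each
    output carries a great deal of information about the next one."""
    n = len(xs)
    mean = sum(xs) / n
    cov = sum((xs[i] - mean) * (xs[(i + 1) % n] - mean) for i in range(n))
    var = sum((x - mean) ** 2 for x in xs)
    return cov / var


def compare_generators(n=M):
    """Run both tests on the weak LCG and on Python's Mersenne Twister."""
    # a=5, c=1, m=2**16 meets the Hull-Dobell full-period conditions, so every
    # value in [0, m) appears exactly once per period: the frequency test cannot
    # distinguish this generator from a perfect source, yet the small multiplier
    # leaves strong lag-1 correlation (Knuth's approximation C ~ 1/a).
    weak = lcg_sequence(5, 1, M, 0, n)
    rng = random.Random(1989)  # fixed seed so the example is reproducible
    mt = [rng.getrandbits(16) for _ in range(n)]
    return {
        "weak_chi_square": chi_square_frequency(weak, M),
        "weak_serial_corr": serial_correlation(weak),
        "mt_chi_square": chi_square_frequency(mt, M),
        "mt_serial_corr": serial_correlation(mt),
    }


if __name__ == "__main__":
    for name, value in compare_generators().items():
        print(f"{name:18s} {value: .4f}")
```

The weak generator passes the frequency test perfectly (statistic 0.0) while failing the serial correlation test badly, which is exactly why a single passed test says nothing about fitness for a given use; which tests matter depends on what the numbers are for.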

-----------[000002]----------------------------------------------------------------------
From:      Pat Ratz <TS0404@OHSTVMA>  4-JUL-1989 22:55:37
To:        security@OHSTVMA
I'm new to this list.

Has anyone attended MIS Training Institute's conference on Control, Audit,
and Security of IBM Systems?  I sent for some info on it and I'd like to
know if it would be worth attending.  Also any comparison info relative to
Computer Security Institute's conference.  We are in the midst of installing
Top Secret on our MVS system on an IBM 3081D.  We have lots of other hardware
and software here at OSU including VM, DEC, UNIX.  It's all networked together
using TCP/IP.

I would also be interested in hearing from any other university people who
are using Top Secret.
-----------[000003]----------------------------------------------------------------------
From:      Victoria Landgraf <VLANDGRAF@eagle.wesleyan.edu>  4-JUL-1989 23:25:15
To:        SECURITY@pyrite.rutgers.edu
Usually, when going through airport security, I toss my metal pocket items
(keys, lighter, Swiss, often another small knife) into the basket that goes
around the metal detector.  However, on the occasions I have not done this,
the metal detector has still not gone off.  Most of them don't seem to be
incredibly sensitive, except to uncovered items ("Why don't you try walking
through again with your hand over your belt buckle?  [No beep]  OK, go ahead.")
No security guard has ever opened my knife to check the blade length.  I
think they're a lot more worried about guns and bombs, really -- and even
though the stuff in my pockets can feel like a lot, it probably doesn't contain
as much metal as even a small pistol would... and none of it looks particularly
explosive.

                                                               Victoria
-----------[000004]----------------------------------------------------------------------
From:      kiravuo@kampi.hut.fi (Timo Kiravuo)  6-JUL-1989  3:31:09
To:        misc-security@cwi.nl
>A sort of related question is:  I have seen locks with automatic "dead bolts"
> - meaning, locks in which opening the door with a key from the outside
>(not in the handle) pulls back a full-sized spring loaded bolt, which closes
>when the door is closed.

I'm not sure I understood this right, but in Finland we have
ABLOY locks with a keyhole on the outside and a small flat knob
(not the round American type) on the outside. Towards the frame
there is a small triangular piece that is pressed in by the frame
and a larger (1 x 3 x 1,5 cm) rectangular piece that locks the
door. You open the door from outside by twisting the key 180
degrees and pulling and lock it by pushing the door closed.

When the larger piece is out, you can pull it back in by twisting
the knob or the key, but not by pushing it. 

There are some variations of the theme, but basically you can not
open a lock of this type in the traditional "movie style", with a
credit card or something like that.

In Finland ABLOY has a major share of the lock market, and they
are considered to be most secure. They are not completely secure,
apparently somebody has found a way to open one. There was
something about it in the papers some time ago.

In the door of my apartment I have two locks.  For normal use I
have an ABLOY so that I can just push the door shut when I leave.
When I am away for a longer time I use a German Zeiss Icon
security lock that has to be shut with a key.  This is a rather
common practice in Finland.

One thing that I have always wondered about in the States is the
practice of having _round_ knobs on doors. If the lock is tight,
they are really awful to turn. In Finland we usually have decent
handles that you can turn. Much easier.

--
Timo  Kiravuo
Helsinki University of Technology, Computing Center
kiravuo@hut.fi   kiravuo@fingate.bitnet   sorvi::kiravuo
work: 90-451 4328   home: 90-676 076
-----------[000005]----------------------------------------------------------------------
From:      Reality is not an Industry Standard <PETERSON@LIUVAX>  6-JUL-1989  7:47:43
To:        security@marist
In the US I often go through the detectors with my pager and I have never
had the units go off.  The guard at O'Hare wanted to look at it AFTER I went
through once.

The units at Glasgow [Scotland] were set off by dog tags in my pocket.

Makes you wonder what you really could get past with.

PETERSON@LIUVAX, NY
-----------[000006]----------------------------------------------------------------------
Date:      6 Jul 89 16:58:05 GMT
From:      lamaster@AMES.ARC.NASA.GOV (Hugh LaMaster)
To:        misc.security
Subject:   Re: Consensus on locks?

(Thanks for the information about Abloy locks - I have received a number of
recommendations for them.  If there is a consensus, Abloy seems to be it.)

>In Finland we have usually decent
>handles, that you can turn. Much easier.

This is strictly a safety issue.  Handles have been denigrated as a safety 
hazard to children.  Knobs are sized such that it is almost impossible
to injure an eye on them. 

I do not know whether it materially increases safety, but I am sure someone
must keep statistics on such things...  Anyway, with more lawyers than
engineers in the US, we can't afford to take chances with things like that :-)

  Hugh LaMaster, m/s 233-9,  UUCP ames!lamaster
  NASA Ames Research Center  ARPA lamaster@ames.arc.nasa.gov
  Moffett Field, CA 94035     
  Phone:  (415)694-6117       

-----------[000007]----------------------------------------------------------------------
From:      Elie Harel                           <ACEH0@ais.ucla.edu>  11-JUL-1989  2:39:34
To:        security@pyrite.rutgers.edu
Does anyone have experience with door locking devices that incorporate
thumb scanning techniques instead of magnetic cards?

It would be nice to eliminate the need for carrying magnetic cards for
secure areas but in the same time maintain or improve the security level
that these techniques provide.

Any information on issues such as vendors, costs, characteristics,
technical problems, administrative problems, security levels, and
especially your own experience will be greatly appreciated.  Thanks.
-----------[000008]----------------------------------------------------------------------
From:      simsong@idr.cambridge.ma.us (Simson L. Garfinkel)  11-JUL-1989  3:45:16
To:        security@rutgers.edu
The very best kind of lock you can get is a Warehouse lock.  I'm sure you've
seen these before --- the one example in a movie I can think of was in the 
movie FX (the stuntman had one on his front door).

Basically, it's a cylinder in the middle of the door, which turns a disc, which
throws two deadbolts, one on either side of the door.  Some variants throw
four deadbolts, one up and one down.  You can't jimmy this, obviously.

On the other hand, I have friends who had very good burglar alarms on their
house.  Doors, windows.  Didn't matter.  The thieves came in through the
walls.  Like, with chain saws.  (They were after the art and jewelry; looked
like an inside job.)

-simson
-----------[000009]----------------------------------------------------------------------
From:      janw@janus.UUCP (Jan Wortelboer)  11-JUL-1989  5:04:03
To:        misc-security@hp4nl.nluug.nl
Is there anybody who knows about a General Purpose Security System,
for a computer system(UNIX) with inventive Users? 
I am using Convergent's with informix and would like to make
the system secure, (as far as it goes).
If there is, I would like to know about it.

Thanks for any help.

	Jan
-- 
Usenet:	janw@janus.fwi.uva.nl, Uucp: {uunet,...}!hp4nl!janus!janw 
Jan Wortelboer,Tel.Prive 020-913169,TOPDATA / Compact Informaticadiensten nv
Kantoorgebouw "Oosterpoort" Pegasusweg 18 3067 KX Rotterdam
Tel: {+31|0}10-4552644 Telefax {+31|0}10-4554682 Telex: 26727 .. NL
-----------[000010]----------------------------------------------------------------------
Date:      Thu, 29 Jun 89 09:28 MDT
From:      <STGEORGE@UNMB.BITNET>   11-JUL-1989  5:27:04
To:        security@pyrite.rutgers.edu
After several years of stagnation, we have again become interested
in hiring a person in charge of security. Since we will only be
hiring one person, this person will (gasp) have to handle ALL aspects
of security at all levels, from micros to mainframes. My question is
not with how to accomplish this, but one of where to place such a
person organizationally. I've read the textbooks, but I'd like to
hear from any of you who have a person in charge of security - to
whom does he/she report and what are the goods and bads of your
reporting line of authority? Thanks.
-----------[000011]----------------------------------------------------------------------
From:      "MOG::REX"@isdmnl.menlo.usgs.gov   (Rex Sanders)  11-JUL-1989  6:36:23
To:        security@pyrite.rutgers.edu
>Knowing that "root vegetables" were used to name
>the other accounts, guesses can be made as to the other account names.

Note the explanation in the original article for choosing "root
vegetable" names - this was done to let insiders know when root
users were logged in.

>While it may have improved internal security a bit (though I can't
>actually see how), you've statistically increased your opportunities
>for a damaging forced entry.  Four accounts with four passwords
>doesn't really do anything to improve your security.

I agree that we have increased the chances for outside entry into our
system.  However, most of the "experts" I've heard from or read about
state the biggest danger is from inside jobs.  We have improved
internal security by providing more accountability for actions taken
with root permissions e.g. "Who modified that system file?".

Also, as stated in the original article, the "one account,
one-person-knows-password" rule was passed down from Higher
Authorities.  Perhaps this last point illustrates an old idea -
set up a rule (law), and someone will comply with the letter of the
rule while violating the objective (spirit).

-- Rex Sanders, rex@isdmnl.menlo.usgs.gov
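
Rex's trade-off, several UID-0 accounts with one person per password so that a privileged login names an individual, is something an administrator can audit rather than argue about. The following added example (written for this page, not code from the original article or from Rex's site) enumerates every UID-0 account in a passwd file and then attributes privileged logins to people. Both the passwd entries and the login records are constructed for the example, the log layout is invented rather than any particular login program's real format, and the set of "shared" accounts is an assumption.

```python
import re

# Constructed sample /etc/passwd entries (not from the original post): the
# shared "root" account plus two per-person "root vegetable" aliases, all UID 0.
PASSWD_SAMPLE = """\
root:x:0:0:Superuser:/:/bin/sh
turnip:x:0:0:Rex Sanders (root alias):/:/bin/sh
carrot:x:0:0:Second admin (root alias):/:/bin/sh
daemon:x:1:1:System daemons:/:/bin/sh
rex:x:101:20:Rex Sanders:/usr/rex:/bin/csh
"""

# Constructed login records in an invented syslog-like layout, for illustration only.
AUTHLOG_SAMPLE = """\
Jul 11 09:02:11 host login: LOGIN ON tty02 BY turnip
Jul 11 09:15:40 host login: LOGIN ON tty03 BY rex
Jul 11 09:40:02 host login: LOGIN ON ttyp1 BY carrot
Jul 11 10:05:59 host login: LOGIN ON tty02 BY root
"""

# Accounts whose password more than one person knows (assumed for the example).
SHARED_ACCOUNTS = {"root"}

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login: LOGIN ON (?P<tty>\S+) BY (?P<user>\S+)$"
)


def uid0_accounts(passwd_text):
    """Map login -> GECOS name for every passwd entry with UID 0.
    Every entry other than root itself is root-equivalent and belongs on the
    administrator's list of deliberately created aliases; anything not on that
    list is a finding."""
    accounts = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 5 and fields[2] == "0":
            accounts[fields[0]] = fields[4]
    return accounts


def privileged_logins(log_text, uid0):
    """Return UID-0 login events in log order, each tagged with the person the
    account belongs to, or None when the account is shared and names nobody."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m["user"] not in uid0:
            continue  # ordinary user, or a line in some other format
        user = m["user"]
        person = None if user in SHARED_ACCOUNTS else uid0[user]
        events.append({"ts": m["ts"], "tty": m["tty"], "user": user, "person": person})
    return events


def unattributable(events):
    """Privileged sessions that cannot be tied to an individual: the cost of a
    shared root password that the per-person aliases are meant to avoid."""
    return [e for e in events if e["person"] is None]


if __name__ == "__main__":
    uid0 = uid0_accounts(PASSWD_SAMPLE)
    print("UID-0 accounts:", sorted(uid0))
    for e in privileged_logins(AUTHLOG_SAMPLE, uid0):
        who = e["person"] or "<shared account: nobody in particular>"
        print(f'{e["ts"]}  {e["user"]:8s} on {e["tty"]:6s} -> {who}')
```

The same enumeration also quantifies the other side of the trade-off that the earlier poster raised: every extra UID-0 entry is one more password that an outsider could guess, so the list should be short, known, and reviewed.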
-----------[000012]----------------------------------------------------------------------
From:      swartz@eniac.seas.upenn.edu (Peter M Swartz)  11-JUL-1989  7:31:41
To:        misc-security@rutgers.edu
At one time, I recall seeing paper that would not make legible copies.  I 
think the paper was a special shade of red;  any writing on this paper
would not show up when copied.  Essentially the copy would be a sheet of
black paper.

Does this stuff exist?  If so, who makes it?  Any other suggestions on
preventing copies from being made on a copy machine?

thanks

peter
(swartz@eniac.seas.upenn.edu)
-----------[000013]----------------------------------------------------------------------
From:      gwyn@brl.mil  11-JUL-1989  8:01:08
To:        security@rutgers.edu
>A similar question is: how can you distinguish a good random
>number generator from a great one?  What tests are used?

A good start on this would be to read Donald Knuth's "The Art of
Computer Programming -- Volume 2: Seminumerical Algorithms", which
explains many of the standard statistical tests for "randomness"
as well as the tricky question of how to define "random".
-----------[000014]----------------------------------------------------------------------
From:      ghoti <KRAINIER@eagle.wesleyan.edu>  11-JUL-1989  8:32:29
To:        security@pyrite.rutgers.edu
Folks:

  A consensus on locks?  Doubt it.  The locksmith I deal with likes Medecos
best.  He also deals in Abloy, but not Sargent KESO or any other high
security locks.

  He claimed that for virtually all applications, Medeco was superior to Abloy.
Abloy is harder to pick.  However, according to this one locksmith, Abloy locks
don't wear well.  If they are not treated gently, they will begin to jam.  Have
people discovered this to be true?  (Note: Abloy is more expensive than Medeco,
but Abloy keys cannot be duplicated at the shop as a standard Medeco can.  The
"Platinum," or biaxial, Medecos are in the same boat as the Abloy.)

  As an earlier posting noted, a great cylinder isn't worth much if attached to
a bad lock.  And a great lock won't help if attached to a cheap frame.  Our
company is installing a Medeco D10 (7.5 lbs. of nasty looking metal) drop bolt
onto a steel door inside a steel frame held up by steel reinforced studs.  That
should keep all but a few determined hacks out.

                                       ghoti

-----------------------------------------------------------------------------
Kevin M. Rainier                                      * -- *
krainier@eagle.wesleyan.edu                      Geek |    | Pride
krainier@eagle.wesleyan.bitnet                        * -- *
-----------[000015]----------------------------------------------------------------------
From:      sequent!edb@cse.ogc.edu (Edward Bunch)  11-JUL-1989  9:01:29
To:        security@pyrite.rutgers.edu
I am interested in finding out more about Home Security/Control Systems.
You know, the ones that not only tell you if someone is breaking in but
control lights while you're out and make coffee for you in the morning.
Please Email me direct.

Thanks,

                                  -----------
Edward A. Bunch                   |      |/ |     UUCP: {sun,fai,uunet}!
Sequent Computer Systems, Inc.    |     /|/ |           sequent!edb     
Network Manager                   |     /|  |     DOMAIN: not yet ;-)
                                  |         |                               
                                  -----------                           
-----------[000016]----------------------------------------------------------------------
Date:      Mon, 26 Jun 89 10:44 PST
From:      Where Y'at??? <8840488@wwu.edu>   11-JUL-1989  9:47:05
To:        security@pyrite.rutgers.edu
*I don't know about a consensus on pick-proof, but I've been burglarized
*3 times in 3 different locations.  In 2 cases the door was jimmied; in the
*3rd, the door and the jamb were found in toto on my living room rug.

Kevin -

Speaking as one who has been in the fields of both security and law
enforcement, I would say that you are one individual in sore need of a 
strange electrical device called a burglar alarm.  Most models work with
*any* type of lock on the door.

I'm not trying to be sarcastic, but I used to live in the "big city" (New
Orleans, to be exact), and I know what it's like to be a crime victim.
The only advice I have for you is to "up the ante" - try new security methods
out, like an alarm.

Here are some other things that may work.  If you don't have any small children
around, get a dog.  Pit bulls are still the rage, but I prefer rottweilers
myself.  Also, check your local laws to see if there are any homemade
"passive" booby traps you can lay out to surprise the unexpected visitor.
Many of these will deter them from returning.

Of course, no method of security will work unless you use it properly.  The
last time my house in N.O. was burglarized was in broad daylight, while I was
in court.  I came home to find that the alarm had not been set, and that the
kitchen window had been left open.  My ex-wife left it that way because she
"thought that no one could get through that 'tiny' opening".  They got away
with a TV, stereo, and my service revolver.

If the city still gets to be too much for you, look around for a small town
nearby where you feel comfortable and from which you can commute, and by all
means, move!  I now live in a small town in the northwest.  My door is
unlocked at night, and I usually leave my keys in the car when I get home.
I've been there three years, and have yet to be mugged, burglarized, or
threatened in any manner.

Above all, DON'T GIVE UP!  As they say, no one can walk over you without
your permission.  In the meantime, pray for peace of mind - you need some.

Paul Simmons
8840488%wwu.edu@RELAY.CS.NET
"These are my own opinions.  I am not affiliated with anyone who would
 have me."
-----------[000017]----------------------------------------------------------------------
From:      Frank Simon <151133@DOLUNI1.BITNET>  11-JUL-1989 10:17:58
To:        security@pyrite.rutgers.edu
Hello Simson !

>I am doing an article on ISDN for The Boston Globe.  The article would like
>to write about all of the problems with ISDN, all of the advantages, what
>people's experience have been (both positive and negative), and where things
>are going.

Ok. First: Excuse my bad English, but I have problems with natural languages
like English and Spanish. Could we speak in Assembler or C ? :-)

Let's start: My name is Frank Simon (called Terra), student of computer
science in Oldenburg (West Germany), I am running a BBS (Chaos Mailbox System)
on Bitnet (107633@DOLUNI1), and I am one of the seven ppl who build the
leading/council/presidium (oh I don't know the word ...) of the Chaos
Computer Club in Hamburg (West Germany).

The German PTT (Deutsche Bundespost (short: DBP)) started experiments with
ISDN several years ago. Now it will be installed in Germany in the next years.
We have thought about the possibilities and the dangers of ISDN. Our
opinion is: We are against ISDN in this form in West Germany, because
 1) the DBP will save all communication data (who called whom, on which
    service (phone, etc), how long, how much it cost, etc) for 80 days
    in 12 central computer centers in Germany. We and the German Data
    Security People (I don't know the right word ... in Germany we have
    for every country and for the state Data Security People. They are
    called by the state to work.) are against the saving of these (most
    of which the DBP doesn't need for their work) because it's against the Data
    Security Law.
 2) The DBP will integrate all services until 1992 in one network -
    IBFN - that means ... TV, radio, phoning, computer networks, a.s.o.
    are on ONE network. Many security problems must be solved by the DBP
    for this, for example the central computer system which will manage all these
    functions. We don't have a good opinion of the DBP. They don't have
    Data Security and System Security in first place in their concepts.
 3) The function of ISDN gives a government now and in future the possibility
    to control their citizens. The government (or the secret services)
    can check every citizen, whom he contacts, what he reads in information
    retrieval systems, which channel he looks at on TV, and so on.
    The Solution is a complete Communication Picture of a group of citizens
    or especially one citizen.

*horrible_english_i_know* :-)

Feel free to ask for details of our opinion or what the words of my
mail mean.

greets Terra

-----------------------------------------------------------------
| Name: Frank Simon                Bitnet:  151133@DOLUNI1      |
| Nickname: Terra                  UUCP: simon@uniol%unido      |
| Position: Oldenburg,Westgermany  Voice: 0441/592607           |
|          WYGWYH - What you get , is what you hack             |
-----------------------------------------------------------------
-----------[000018]----------------------------------------------------------------------
From:      "Jerry Leichter _ LEICHTER_JERRY@CS.YALE.EDU"  11-JUL-1989 10:54:49
To:        security@rutgers.edu
(The long turn-around for messages on the security list makes this response a
pain to write.  I got several personal messages from people shortly after my
message appeared, and got involved in a couple of conversations.  Coming back
to all this two weeks later, repeating many of the same things, is a bit of a
bother.  Oh, well.)

[Moderator injection: Sorry, Jerry.  I do my best with the backlog *and* all
  the other real-life things I keep track of too.  But have you considered that
  you're feeling the need to repeat yourself because some readers didn't bother
  to absorb your original points in the first place?  Does that necessarily
  imply that restatement will change that?

  Further, I believe you're giving the readership less credit than they
  deserve for being able to restore the context of a discussion in their own
  minds.  If, of course, they were interested in the first place.  If they
  couldn't care less, they've probably already skipped this entire msg.
  There's a large, diverse audience out there...  _H*]

In the interests of keeping things to a reasonable length, I'm going to
summarize the comments I'm responding to.  If my summaries lose what the
writers were trying to get across, my apologies.  I'm sure they will speak
for themselves again....

Carl Ellison raises two distinct points:

	a)  The value of something like a tank is in the material, workman-
		ship, and so on.  Preventing physical export of such objects
		"keeps the value at home."  The value of an encryption algo-
		rithm is in the algorithm itself, and possibly in means of
		breaking it; an implementation is a minor gloss.

	b)  If he invents the algorithm, he claims that he has the right to
		sell it as he wishes - the government doesn't own it, and
		should have no say in what he chooses to do with it.  While
		he discusses the invention of an algorithm, presumably he
		intends the same argument to apply to a privately-developed
		implementation of a public algorithm.

I contest both points.  Point (a), a point several of my correspondents
raised as well, reveals a certain naivete concerning the ease or difficulty
of implementing software, and about what constitutes value in software.  The
fact of the matter is, people are willing to pay many thousands of dollars for
well-written, efficient software.  They are willing to do this because it is
NOT easy to produce such software.

Yes, it is quite true that having an efficient algorithm provides no addi-
tional security, in the sense that the output of the encryption is as secure
if it was done in a millisecond as if it was done in 10 seconds.  But that's
not the point:  Military (or commercial) usefulness of an encryption algo-
rithm requires a fairly high level of performance.

To pick current "bad boys", how many people in all of Libya or Iran do you
think there are who can implement a useful version of DES?

Remember, too, that I'm NOT arguing that the particular restrictions the US
has chosen to impose are "right".  All I'm arguing is that the PRINCIPLE that
it may be reasonable to restrict distribution of software makes perfect sense,
even software for algorithms that are public.  The fact that one can get DES
implementations from elsewhere is exactly equivalent to the fact that one can
get tanks from elsewhere:  It means that our restrictions may not end up being
very effective, but it doesn't mean that we should necessarily eliminate them.

There has been much written about how we are entering the "information age",
where value inheres in information, rather than in goods alone.  Here we have
a prime example!

At one time, it was easy to distinguish "military" from "civilian" items.  In
today's world, things are not so simple.  High-technology "goods" (which in-
cludes information and software) are usually capable of "dual use".  Is it
a pharmaceutical plant or a poison gas plant?  The machinery is identical in
both cases....

BTW, tanks these days contain a LOT of software in things like targeting
systems.  The underlying algorithms are pretty "public" - basic physics - but
the software itself is neither straightforward nor public.  You can't buy that
software on the open market either - even in the US....

As for (b):  Under US law, there are exactly two classes of things which are
"born classified":  Information about nuclear weapons, and information about
cryptography.  The US legal system has chosen to say that you do NOT have a
property right for this kind of information - it is considered too important
to national security.  You are, of course, free to disagree.  So far, the
courts have backed the government position, though the issue is pretty messy.

In any case, on this issue you don't even need to go nearly that far.  If I
independently develop the necessary technology for making nerve gas, without
any reference to government work on the matter, I STILL can't sell the stuff.
I can't sell drugs I invent without a license.  I can't sell guns.  I can't
even sell cars without meeting all sorts of government regulations first.

If you want to argue that the government should stay entirely out of trade,
you can certainly find some respectable economists and philosophers on your
side.  But the fact of the matter is that the US does not today have, and
never has had, complete "freedom of trade", whether national or internation-
ally.  Trying to use this non-existent freedom to justify a particular posi-
tion is is pointless.

Graham Shaw argues that there is no point restricting export of DES implemen-
tations because the Russians will have little trouble getting hold of an
implementation in the domestic market if they really want it.  Again, this
argument simply proves that it's difficult to enforce the restrictions; it
doesn't say that attempting to maintain them is wrong in principle.  Again,
it's quite clear that the NSA understands this:  First off, DES was deliber-
ately made hard to implement efficiently in software (that's the only con-
ceivable purpose for the initial and final permutations - they add no strength
to the algorithm); second, they saw to it that only a hardware implementation
could be certified; and finally for the "next generation" of encryption
algorithms they intend to provide ONLY tamper-proof hardware, with secret
algorithms.

Doug Gwyn distinguishes tanks from DES implementations by pointing out - with
images of Tiananmen Square clearly in front of him - that tanks, unlike cryp-
tographic technology, can be used to violate individual rights on a large
scale.  This is an interesting distinction, but let's see where it goes.  If
the Chinese democracy demonstrators had also had tanks, they might have been
able to defend themselves.  Absurd position?  A similar position is taken by
the NRA concerning gun regulation:  They love to point out that the first
thing a dictatorship does is seize all the weapons in the people's hands.  If
people are armed, it's not so easy to violate their rights.

Still find the argument silly?  Do you think an Afghan would agree with you on
that point?

Looking at the other side:  It's clear from information that makes it into the
public eye that much data about future terrorist plans is derived from inter-
cepted communication.  Does Abu Nidal have a right to secure communications
channels?  Gwyn's argument that information gained by "snooping", while valu-
able, "is not information to which we are in principle entitled", is remini-
scent of the line attributed to Stimson that "Gentlemen don't read other gen-
tlemen's mail".  Gentlemen also don't hijack airliners or blow up civilians.
I, too, would prefer to live in a world of "gentlemen", but this world isn't
like that.  The rabbis had a saying:  Those who start out by being kind to the
cruel, end up being cruel to the kind.

							-- Jerry
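
Jerry's aside that the initial and final permutations add no strength to DES is easy to check: they are fixed, public, key-independent bit shuffles, so anyone who knows the algorithm undoes them for free, and whatever security DES has must come from the keyed rounds in between. The following added example (not from the message, nor from any DES library) implements the standard initial permutation table IP from FIPS 46 the slow, one-bit-at-a-time way that a straightforward software implementation would, derives the inverse table FP from it, and checks that FP(IP(x)) == x for every block. The test values are my own apart from the well-known worked-example plaintext 0123456789ABCDEF.

```python
# Standard DES initial permutation (FIPS 46, table IP).  Output bit i, with
# bit 1 the most significant, is taken from input bit IP[i-1].  No key appears
# anywhere in this table or in the code below.
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]


def invert_permutation(table):
    """Given a 1-based permutation table, return its inverse.  Applied to IP
    this reproduces the standard final permutation table FP (40 8 48 16 ...)."""
    inv = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inv[in_pos - 1] = out_pos
    return inv


FP = invert_permutation(IP)


def permute(block, table, width=64):
    """Apply a DES-style bit permutation to an integer block of `width` bits.
    Each output bit is extracted and placed individually: 64 shift/mask/or steps
    per permutation, which is the software cost Jerry refers to.  A hardware
    implementation does the same job with wiring alone."""
    out = 0
    for out_pos, in_pos in enumerate(table, start=1):
        bit = (block >> (width - in_pos)) & 1
        out |= bit << (width - out_pos)
    return out


def initial_permutation(block):
    return permute(block, IP)


def final_permutation(block):
    return permute(block, FP)


def is_key_independent_bijection(samples):
    """FP undoes IP for every sample block, and no key was needed to do so:
    the two permutations cannot hide anything from someone who has the tables."""
    return all(final_permutation(initial_permutation(b)) == b for b in samples)


if __name__ == "__main__":
    plaintext = 0x0123456789ABCDEF  # the block used in many DES walk-throughs
    print(f"IP({plaintext:016X}) = {initial_permutation(plaintext):016X}")
    print("FP table starts:", FP[:8])
    print("round trip ok:", is_key_independent_bijection([0, 1, plaintext, 2**64 - 1]))
```

Because both tables are public constants and the round trip needs no secret, a cryptanalyst simply applies FP to the ciphertext and IP to the plaintext and attacks the rounds directly; the permutations cost the implementer time without costing the attacker anything.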
-----------[000019]----------------------------------------------------------------------
Date:      10 Jul 89 07:26:47 GMT
From:      palm@DUVAN.NADA.KTH.SE (Christer Palm)
To:        misc.security
Subject:   Re: Consensus on locks?

ABLOY makes motor locks (the bolt is operated by a motor) and they can thus be controlled
in numerous ways.
One way is to open up the door from outside with a key and let the door lock
itself directly when it's closed. This is done with a standard sensor in the
lock.

-----------[000020]----------------------------------------------------------------------
Date:      11 Jul 89 10:39:51 GMT
From:      151133@DOLUNI1.BITNET (Frank Simon)
To:        misc.security
Subject:   Re: ISDN

Hello Simson !

>I am doing an article on ISDN for The Boston Globe.  The article would like
>to write about all of the problems with ISDN, all of the advantages, what
>people's experience have been (both positive and negative), and where things
>are going.

Ok. First: Excuse mz bad english, but i have problems with natural languages
like English and Spanish. Could we speak in Assembler or C ? :-)

Let's start: My name is Frank Simon (called Terra), student of computer
science in Oldenburg(West Germany), i am running a BBS (Chaos Mailbox System)
on Bitnet (107633@DOLUNI1), and i am one of the seven ppl who build the
leading/council/presidium (oh i don't know the word ...) of the Chaos
Computer Club in Hamburg (West-Germany).

The German PTT (Deutsche Bundespost (short: DBP)) started experimenting with
ISDN several years ago. Now it will be installed in Germany in the next years.
We have thought about the possibilities and the dangers of ISDN. Our
opinion is: We are against ISDN in this form in West Germany, because
 1) the DBP will save all communication data (who called whom, on which
    service (phone, etc.), how long, how much it cost, etc.) for 80 days
    in 12 central computer centers in Germany. We and the German Data
    Security People (I don't know the right word ... in Germany we have
    for every country and for the state Data Security People. They are
    called by the state to work.) are against the saving of this data (most
    of it the DBP doesn't need for its work) because it's against the Data
    Security Law.
 2) The DBP will integrate all services until 1992 in one network -
    IBFN - that means ... TV, radio, phoning, computer networks, a.s.o.
    are on ONE network. Many security problems must be solved by the DBP
    for this, for example the central computer system which will manage all these
    functions. We don't have a good opinion of the DBP. They don't have
    data security and system security in first place in their concepts.
 3) The function of ISDN gives a government now and in the future the possibility
    to control its citizens. The government (or the secret services)
    can check every citizen: whom he contacts, what he reads in information
    retrieval systems, which channel he looks at on TV, and so on.
    The result is a complete communication picture of a group of citizens
    or especially one citizen.

*horrible_english_i_know* :-)

Feel free to ask for details of our opinion or what the words of my
mail mean.

greets Terra

-----------------------------------------------------------------
| Name: Frank Simon                Bitnet:  151133@DOLUNI1      |
| Nickname: Terra                  UUCP: simon@uniol%unido      |
| Position: Oldenburg,Westgermany  Voice: 0441/592607           |
|          WYGWYH - What you get , is what you hack             |
-----------------------------------------------------------------

-----------[000021][next][prev][last][first]----------------------------------------------------
Date:      11 Jul 89 14:17:15 GMT
From:      silber@TCGOULD.TN.CORNELL.EDU (Jeffrey Silber)
To:        misc.security
Subject:   Re: "copy proof paper" - does such a thing exist?

Light blue (also called non-reproducible blue) is difficult to copy.  It
is frequently used in graphic arts applications for outlines, etc.

Another method of identifying (but not preventing) copies is to do a half-tone
of the background color saying "COPY," which only appears when the item is
copied in black and white.  This is usually found on checks and other
negotiable documents.

-- 
"A billion here, a billion there, and pretty soon you're talking real money."
                                                      --Sen. Everett Dirksen
Jeffrey A. Silber/silber@tcgould.tn.cornell.edu
Business Manager/Cornell Center for Theory & Simulation in Science & Engineering

-----------[000022][next][prev][last][first]----------------------------------------------------
Date:      11 Jul 89 16:17:05 GMT
From:      german@UXH.CSO.UIUC.EDU (Gregory German)
To:        misc.security
Subject:   TCP/IP encryption

What is the status of encryption of the data stream in a protocol like
TELNET?  I would like to have a version of TELNET that would optionally
encrypt the data stream to keep the casual curious net sniffer from
reading data off the network.  I have source for both ends of the connection
I am concerned about, but would rather not totally re-invent the wheel if
there has been some work done in this area.

         Greg German (german@sonne.CSO.UIUC.EDU) (217-333-8293)
US Mail: Univ of Illinois, CSO, 1304 W Springfield Ave, Urbana, IL  61801
Office:  129 Digital Computer Lab., Network Design Office

-----------[000023][next][prev][last][first]----------------------------------------------------
Date:      11 Jul 89 19:09:47 GMT
From:      phil@diablo.amd.com (Phil Ngai)
To:        misc.security
Subject:   Re: locks

|On the other hand, I have friends who had very good burglar alarms on their
|house.  Doors, windows.  Didn't matter.  The thieves came in through the
|walls.

This is why I have always felt that a home security system is
incomplete without a motion detector inside the house. Preferably at
least two, so that they can cover each other. 

By the way, does anyone know if there are any prohibitions on a home
security system releasing tear gas if an intruder enters your house?
What about painfully loud sirens? 

--
Phil Ngai, phil@diablo.amd.com		{uunet,decwrl,ucbvax}!amdcad!phil
"The government is not your mother."

-----------[000024][next][prev][last][first]----------------------------------------------------
Date:      13 Jul 89 08:18:26 GMT
From:      clive@ixi.UUCP
To:        misc.security
Subject:   Re: (none)

Notice to UK readers - every police division (i.e. every reasonable town) has
an officer called a Crime Prevention Officer. His/her duty is to offer *free*
advice to anyone who wants it on home/business security.

>I now live in a small town in the northwest.
>I've been there three years, and have yet to be mugged, burglarized, or
>threatened in any manner.

Very true. My parents live in a large town (pop. 150 000) - there have been 4
burglaries this year in the 80 properties in their street. I live in a
village (pop. 5 000). There have been 4 burglaries in the entire village in the
last *fifteen years*.
-- 
Clive D.W. Feather
IXI Limited
clive@ixi.uucp
...!uunet!ukc!ixi!clive (riskier)

-----------[000025][next][prev][last][first]----------------------------------------------------
Date:      13 Jul 89 19:18:51 GMT
From:      fin@UF.MSC.UMN.EDU ("Craig Finseth")
To:        misc.security
Subject:   (none)


   Since we will only be
   hiring one person, this person will (gasp) have to handle ALL aspects
   of security at all levels, from micros to mainframes. My question is
   not with how to accomplish this, but one of where to place such a
   person organizationally.

Consider for a moment the range of tasks that a security officer
performs.  In general, their duties cover host security (with account
management figuring heavily), communications, building security,
personnel (most breaches are inside jobs after all), and just about
everything under the sun.  It therefore makes sense to place them in
some sort of "general administrative" group.

Unfortunately, the person in charge of that group probably does not
understand security.  Cheer up, no one else does, either (:-).

For confirmation, look to other organizations where security figures
prominently (e.g., banks).  I think you will find that they put
security in just such a general, but centrally-run division.

Craig A. Finseth			fin@msc.umn.edu [CAF13]
Minnesota Supercomputer Center, Inc.	(612) 624-3375

-----------[000026][next][prev][last][first]----------------------------------------------------
Date:      15 Jul 89 04:54:43 GMT
From:      mason@EDDIE.MIT.EDU (Nark Mason)
To:        misc.security
Subject:   thumb scan devices


  I have seen a thumbscan in the kilobuck range made by, I believe,
ThumbScan Inc, probably in Cambridge, Ma. The version I saw was
attached to a PC.
  They make a couple of other interesting security devices, one I
thought to be really clever is called the Gordian Knot. It is an
epoxy potted "thing" about the size of the average electronic
stopwatch with a photodetector and an LCD readout, and it self
destructs when it thinks someone is tampering with it.
  The idea was that the software would flash a spot on the screen
in a certain pattern, you would hold the device to the screen, it
would read the pattern being flashed, hash, trash, encrypt and
discombobulate it and hand back a number that the software would
already be expecting. Quite a bit more versatile than the IBM
label Medeco locks on the 3270 and infinitely more clever. (I seem
to think they were about $14 in small quantity). They could also
be programmed (only once) to self destruct at a given time or just
expire.
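The flashing-screen device Mason describes is a challenge-response token: the host shows an unpredictable challenge, the sealed device computes a keyed function of it with a secret that never leaves the potting, and the host checks the short answer it was "already expecting". The Python below is an added illustration and not code from ThumbScan or the Gordian Knot; the shared secret, the one-shot expiry time and the tamper handling are assumptions, and HMAC-SHA256 stands in for whatever the real device did to "hash, trash, encrypt and discombobulate" the pattern.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed sample secret; a real token would have one burned in at manufacture.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
RESPONSE_DIGITS = 6


def keyed_response(secret: bytes, challenge: bytes, digits: int = RESPONSE_DIGITS) -> str:
    """Derive the short numeric answer from the challenge with a keyed hash.

    HMAC-SHA256 is an assumption here (the post does not name the function).
    The digits are taken from the MAC, so an observer who sees both the
    challenge and the answer learns nothing about the secret.
    """
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


class SealedToken:
    """The potted device: holds the secret, answers challenges, self-destructs."""

    def __init__(self, secret: bytes, expires_at: Optional[float] = None):
        self._secret = bytearray(secret)
        self._expires_at = expires_at   # assumed once-programmable expiry (seconds since epoch)

    def self_destruct(self) -> None:
        # Zeroise the secret so no later challenge can ever be answered.
        for i in range(len(self._secret)):
            self._secret[i] = 0
        self._secret = bytearray()

    def respond(self, challenge: bytes, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        if self._expires_at is not None and now >= self._expires_at:
            self.self_destruct()
        if not self._secret:
            return None                    # destroyed or expired: nothing to show on the LCD
        return keyed_response(bytes(self._secret), challenge)


class HostSoftware:
    """The program that flashes the pattern and already knows the expected answer."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding: Optional[bytes] = None

    def flash_challenge(self) -> bytes:
        # Fresh random bits every time, so a recorded answer is useless later.
        self._outstanding = secrets.token_bytes(16)
        return self._outstanding

    def verify(self, answer: Optional[str]) -> bool:
        if self._outstanding is None or answer is None:
            return False
        expected = keyed_response(self._secret, self._outstanding)
        self._outstanding = None           # each challenge is answered at most once
        return hmac.compare_digest(expected, answer)


def run_session() -> Tuple[bool, bool, bool]:
    """Fresh answer accepted; replayed answer rejected; destroyed token rejected."""
    host = HostSoftware(TOKEN_SECRET)
    token = SealedToken(TOKEN_SECRET)
    answer = token.respond(host.flash_challenge())
    fresh_ok = host.verify(answer)
    replay_ok = host.verify(answer)        # same digits again: challenge already consumed
    token.self_destruct()                  # tamper detected by the potting
    tampered_ok = host.verify(token.respond(host.flash_challenge()))
    return fresh_ok, replay_ok, tampered_ok


if __name__ == "__main__":
    print(run_session())
```

The two properties that make such a device better than a key or a fixed password are visible in the code: the secret is never transmitted (only a MAC-derived number is), and every challenge is random and single-use, so recording the screen and the LCD gives an observer nothing to replay.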

-----------[000027][next][prev][last][first]----------------------------------------------------
From:      Susan Bramhall <SUSAN%YALEVM.BITNET@DEVVAX.TN.CORNELL.EDU>  18-JUL-1989 13:35:59
To:        Multiple recipients of list IBM-NETS <IBM-NETS@BITNIC.BITNET>
Please excuse me if you receive multiple copies of this note.  I am sending it
to several lists which may have a subscriber who has relevant information.

We are interested in providing an encrypting gateway for our campus network.
The idea is that users on certain LANs considered secure wish to send data
across an unsecured ethernet spine and eventually into another secure LAN or
host. We have several ideas for the gateway (based on previous software
developed at Yale) but would like to acquire a software or, preferably
hardware, encryptor.  Ideally, it would be a card with the ability to
encrypt/decrypt on its own chip rather than taking up workstation CPU cycles.
We would pass it data and a key and it would return encrypted data.  The
gateway is being built on an IBM PS/2.  Any leads would be very much
appreciated.

I also wonder if other sites are thinking about this problem and, if so, what
sort of solution are you looking at?  All of the security discussions which I
have seen are concerned with authorization and access control (such as dial
back) rather than encryption of data.  Does anyone know of a forum where this
has been discussed?  Note, by the way, that we are not planning to do any
research into encryption algorithms, a subject I am happy to leave to the
mathematicians.

Since I do not subscribe to ANY of the lists, please send replies directly to
me (as well as the list if you like).  Thanks in advance for your help.

              Susan Bramhall
              Senior Research Programmer
-----------[000028][next][prev][last][first]----------------------------------------------------
From:      simsong@idr.cambridge.ma.us (Simson L. Garfinkel)  18-JUL-1989 16:04:52
To:        security@rutgers.edu
I'm thinking about writing an article on this for The Monitor (are people
getting tired of these messages?)  If anybody has any thoughts on the issue
and would like to be quoted in a national newspaper, please send them to
me, along with your title, company, and a phone number where I can reach you.

-simson
-----------[000029][next][prev][last][first]----------------------------------------------------
Date:      18 Jul 89 01:10:52 GMT
From:      zeleznik@CS.UTAH.EDU (Mike Zeleznik)
To:        misc.security
Subject:   Re: Thumb scanning devices

As for explicit thumb print authentication, you might check out the
ThumbScan Fingerprint System:

  ThumbScan, Inc.
  Two Mid-America Plaza, Suite 800
  Oakbrook Terrace, IL  60181
  312-954-2336

Another approach which avoids the need to carry something with you is
the real-time analysis of typing keystroke characteristics, like in the
Electronic Signature Lock (if it is still around):

  Electronic Signature Lock Corp.
  1311 Ulloa St.
  San Francisco, CA  94116
  415 558-9133 / 681-7325

I have NO personal experience with either of these; have only seen their
literature and talked with them.

  Michael Zeleznik              Computer Science Dept.
                                University of Utah
  zeleznik@cs.utah.edu          Salt Lake City, UT  84112
                                (801) 581-5617

-----------[000030][next][prev][last][first]----------------------------------------------------
From:      Ken Bell <SYKLB@NASAGISS.BITNET>  19-JUL-1989 18:52:34
To:        security@pyrite.rutgers.edu
> >Try substituting "tanks" for "DES implementations".
> There is a fundamental difference.  Tanks can obviously be used to assault

There's another difference.  You can't carry tanks over in your
briefcase or buy the plans for them at B. Dalton's.  There's an
awful lot of published DES code, and various PC utilities (PCTOOLS,
for example) contain DES.  The only ones who are being deprived of
DES are the non-security risks - the spies/terrorists already have it.
-----------[000031][next][prev][last][first]----------------------------------------------------
From:      jimkirk@UWYO.BITNET (Jim Kirkpatrick)  19-JUL-1989 19:34:37
To:        security@ubvm
Does anybody have pointers to good DES implementations for the PC/AT type
system (Zenith 248 in this case)?  I'm interested in either software or
hardware implementations.  Quite a while ago there was mention of a board
by Winterhalter but I can't seem to find the company.  Any reviews in the
trade magazines I (probably) missed?

Please reply directly to me, and I'll summarize later.  Thanks.
-----------[000032][next][prev][last][first]----------------------------------------------------
From:      Chris Petersen _ VUCC <PETERSEN@ctrvx1.vanderbilt.edu>  19-JUL-1989 20:14:56
To:        security@pyrite.rutgers.edu
> indeed, I would be surprised
> if the Russians are not capable of writing their own DES code.

    I could have sworn I saw a posting about an article in a Soviet computer
science journal that gave an algorithm for breaking badly chosen keys for 
DES.  I may have even seen it [the reference] here...

-Chris Petersen
Vanderbilt University
petersen@ctrvax.vanderbilt.edu

Disclaimer:  If I say anything at all, it is strictly off the record and 
should in no way be construed as legal or binding or even authoritative or 
responsible... :-)
-----------[000033][next][prev][last][first]----------------------------------------------------
From:      "PRL::BICKER" <bicker%prl.decnet@nwc.navy.mil>  19-JUL-1989 21:00:28
To:        "security" <security@pyrite.rutgers.edu>
Hi
I'm looking for a Fortran source code to do encryption of
Ascii files before transfer over networks.  The code will
have to run on several different types of machines including
Vax, Convex, Cray and PCs.  It isn't necessary that it be the
ultimate in encryption techniques but should be at least secure
from less than major attacks.   I checked the archives and found
several requests for such codes but couldn't find any source codes.

Thanks for the help

Cliff Bicker   BICKER%PRL.DECNET@NWC.ARPA
-----------[000034][next][prev][last][first]----------------------------------------------------
From:      "Keith F. Lynch" <KFL@ai.ai.mit.edu>  19-JUL-1989 21:33:28
To:        tsibouris@vms.macc.wisc.edu
Cc:        KFL@ai.ai.mit.edu, misc-security@uunet.uu.net
> Does anyone know to distinguish a system that spits out a sequence
> of "truly" random numbers ...  that has a complex (non-linear) but
> deterministic structure?

I don't think there is any way, other than to try and see a pattern.
If you don't find one, that doesn't mean there isn't one.  It might
just be too subtle for you to have noticed.

> A similar question is: how can you distinguish a good random
> number generator from a great one?  What tests are used?

A good answer would take many k.  Most of the poor generators flunk
autocorrelation statistics, though.  That doesn't mean one that passes
is good.  How good is good enough, and what tests are necessary,
largely depend on what you intend to use it for.
								...Keith
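Lynch's two points, that poor generators tend to flunk autocorrelation statistics and that passing such a test does not make a generator good, can both be shown with a few lines. The Python below is an added example, not anything from the original thread: it computes the sample lag-k autocorrelation, runs it over a deliberately poor counter generator, a linear congruential generator with Numerical Recipes constants, and Python's Mersenne Twister, and then shows that the LCG, which passes the statistic, is still fully predictable from a single output. The seeds and sample sizes are constructed values.

```python
import random
from typing import Dict, List


def lag_autocorrelation(xs: List[float], k: int = 1) -> float:
    """Sample autocorrelation at lag k, in [-1, 1]; near 0 for an ideal generator."""
    n = len(xs)
    mean = sum(xs) / n
    var = sum((x - mean) ** 2 for x in xs)
    if var == 0.0:
        return 0.0
    cov = sum((xs[i] - mean) * (xs[i + k] - mean) for i in range(n - k))
    return cov / var


def sawtooth(n: int, period: int = 16) -> List[float]:
    """A deliberately poor 'generator': counts 0..period-1 and wraps."""
    return [float(i % period) for i in range(n)]


# Constants of the well-known Numerical Recipes LCG (an assumption for this demo).
LCG_A, LCG_C, LCG_M = 1664525, 1013904223, 2 ** 32


def lcg(n: int, seed: int = 12345) -> List[float]:
    """Linear congruential generator, outputs scaled into [0, 1)."""
    out, x = [], seed
    for _ in range(n):
        x = (LCG_A * x + LCG_C) % LCG_M
        out.append(x / LCG_M)
    return out


def mersenne(n: int, seed: int = 12345) -> List[float]:
    """Python's default generator (Mersenne Twister), seeded for reproducibility."""
    rng = random.Random(seed)
    return [rng.random() for _ in range(n)]


def predict_next_lcg(previous: float) -> float:
    """Recover the LCG state from one output and compute the next output exactly.

    Passing a statistical test says nothing about this: the sequence is still
    a deterministic function of its state, and here the state is the output.
    """
    x = round(previous * LCG_M)            # exact: every output is x / 2**32
    return ((LCG_A * x + LCG_C) % LCG_M) / LCG_M


def report(n: int = 10000) -> Dict[str, float]:
    """Lag-1 autocorrelation for each generator over n samples."""
    return {
        "sawtooth": lag_autocorrelation(sawtooth(n), 1),
        "lcg": lag_autocorrelation(lcg(n), 1),
        "mersenne": lag_autocorrelation(mersenne(n), 1),
    }


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:9s} lag-1 autocorrelation = {r:+.4f}")
    seq = lcg(5)
    print("LCG next output predicted from previous:", predict_next_lcg(seq[3]) == seq[4])
```

For the counter the statistic is about +0.65, for the other two it is within sampling noise of zero (roughly 1/sqrt(n)). That is exactly Lynch's caveat: the LCG looks as good as the Mersenne Twister on this one test, yet `predict_next_lcg` reproduces its next value from any single output, which rules it out for anything security-related.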
-----------[000035][next][prev][last][first]----------------------------------------------------
Date:      18 Jul 89 19:53:07 GMT
From:      makela@JYU.FI (Otto J. Makela)
To:        misc.security
Subject:   Re: consensus on locks

About Abloy locks not wearing down well:
As is known, Abloys (originally) come from Finland.  Here they are the most
common type of locks.  I just recently had to have my apartment lock replaced
because it was so worn-out it was hard to get it to stay unlocked !  It had
been originally installed when the house was built, in 1962.  The lock still
opened the door very nicely, though.
Also, I personally changed the lock for my parent's front door - their house
was built circa 1955... the lock was still quite operational, but had the same
problem of not properly latching to the "unlocked" position.
How long do apartment locks (used several times daily) last, in general ?

Otto J. Makela, University of Jyvaskyla
InterNet: makela@tukki.jyu.fi, BitNet: MAKELA_OTTO_@FINJYU.BITNET
BBS: +358 41 211 562 (V.22bis/V.22/V.21, 24h/d), Phone: +358 41 613 847
Mail: Kauppakatu 1 B 18, SF-40100 Jyvaskyla, Finland, EUROPE

"In the week before their departure to Arrakis, when all the final scurrying
about had reached a nearly unbelievable frenzy, an old crone came to visit the
mother of the boy, Paul." - Frank Herbert, Dune

-----------[000036][next][prev][last][first]----------------------------------------------------
Date:      19 Jul 89 15:21:00 GMT
From:      ishikawa@ultra.enet.dec.com (Jim Ishikawa, DTN-293-5054)
To:        misc.security
Subject:   RE:      Encryption hardware/software available?

There are some DEC products that might be useful to you.  Digital's Ethernet
Enhanced-Security System (EESS) products sound most applicable, though I'd have
to hear a bit more about what gateway functionality is required to be sure. 

There are two EESS products:

    The DESNC secure network controller
    The VAX KDC security management software

The EESS provides a number of security features for Ethernet/802.3 networks
including transmission of encrypted data between Ethernet devices over
unprotected segments.

We also have some software encryption products, but none run on OS/2.  If you
could use a VMS or Ultrix workstation (e.g., VAXstation 3100 or DECstation
2100) you might consider Digital's DES software products.

There will be a case study article on using EESS products to enhance the
security of university campus backbones in the next revision to the Auerbach
"Handbook on LANs."  I'll also forward your message to some people who have
been dealing with various security problems on campus networks.

If you have any questions or would like some additional assistance please feel
free to contact me.

    Jim Ishikawa
    Product Manager

    ishikawa@ultra.enet.dec.com
    decwrl!ultra.dec.com!ishikawa
    508-264-5054 

-----------[000037][next][prev][last][first]----------------------------------------------------
Date:      20 Jul 89 12:29:13 GMT
From:      DIXON@ohstvma.BITNET (Bob Dixon)
To:        misc.security
Subject:   Re: encryption source code in Fortran

We have Fortran source code for DES as part of our larger system of
across-platform encryption software. But it is all tied up in the legalese
problems now.

                          Bob Dixon
                          Ohio State University

-----------[000038][next][prev][last][first]----------------------------------------------------
Date:      20 Jul 89 16:33:51 GMT
From:      mk59200@FUNET.FI (Kolkka Markku Olavi)
To:        misc.security
Subject:   Re: consensus on locks

> ...  However, according to this one locksmith, Abloy locks
> don't wear well.  If they are not treated gently, they will begin to jam.

Several millions of Abloys are in use here in Finland, many of them decades
old. The weather conditions aren't exactly 'gentle' here.  The Abloy has a
very simple but efficient design with a minimal number of moving parts. The
manufacturer recommends lubrication with thin oil now and then (just a few
drops into the keyhole), and that should keep it working.

> Abloy keys cannot be duplicated at the shop as a standard Medeco can.  The
> "Platinum," or biaxial, Medecos are in the same boat as the Abloy.)

There are also several variants of Abloy, with different levels of availability
of key blanks and duplication service.

Disclaimer: I have nothing to do with Wartsila Oy (manufacturer of Abloy
locks), except that I have been using Abloys all my life. (well, almost)
--
	Markku Kolkka
	mk59200@tut.fi

-----------[000039][next][prev][last][first]----------------------------------------------------
From:      Ken  De Cruyenaere <KDC@UOFMCC> 204_474_8340  22-JUL-1989  3:09:24
To:        Security@ohstvma
I have not attended any MIS conferences but a colleague has and he did not
like it much.  Not much substance, I believe, was the gist of his complaints.
I have attended Computer Security Inst. annual conf. for the last 2 yrs and
hope to go again this year.   CSI annual conf. include a trade show which is
quite interesting and informative as well as a variety of sessions, videos, etc.

I have also attended a TOPIC conf (1987). TOPIC is/was CA's Top Secret users
conference.  We have TSS installed on our Amdahl (running MVS).
I don't think CA calls it TOPIC any more but they still have an annual conf.

p.s. where/what is OSU  ?
---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator
Computer Services - University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: KDC@CCM.UManitoba.CA               (204)474-8340
-----------[000040][next][prev][last][first]----------------------------------------------------
From:      sph@apss.ab.ca (Shaun Hammond)  22-JUL-1989  3:53:02
To:        misc-security@uunet.uu.net
> I toss my metal pocket items into the basket that goes
> around the metal detector.  However, on the occasions I have not done this,
> the metal detector has still not gone off.

The sensitivity of the detectors seems to vary dependent on the 
whim of the aviation authority.  I would be willing to bet that were you 
to NOT deposit ALL metal articles in the basket when travelling
from an airport up here in W. Canada, 
the bells and whistles would go nuts. I have noticed a difference on the
last two trips I made recently to the US, in that what  sets the alarms off
at the Edmonton International, goes merrily undetected by the systems
in Washington, Minneapolis and Chicago.

It would seem that Transport Canada  perhaps requires a more sensitive setting
than the FAA in the US. examples : I have been asked to remove my wallet with
credit cards and try again; the foil in cigarette packages is enough to trigger
a response.

[Moderator tack-on: Someone also pointed out that any packaging foil, such
as that around Lifesavers, can trigger them.   _H*]
-----------[000041][next][prev][last][first]----------------------------------------------------
From:      Joe McMahon <XRJDM@SCFVM.BITNET>  22-JUL-1989  4:30:29
To:        security@pyrite.rutgers.edu
>I'm looking for information about a software package named "Defender" that
>runs on IBM mainframes.
Ooog.

>It provides 3270 emulation over rs232 lines connected to inexpensive modems.
>It uses a hang up and call-back approach.
Yes, it does. Barely.

>What kind of terminal does it expect to see at the remote end?
It supports a lot of different terminals. The only one I've actually used with
it is a Data General Dasher 200. It *may* be able to use ANSI control. The only
file xfer protocol it supports is a proprietary one (can you say "big bucks"?
I knew you could), which only runs on IBM PCs (what, there are OTHER machines?)

It is not too great an emulator. You MIGHT be able to run RELAY through it, but
I don't think it supports Kermit. It runs in "half-ASCII duplex", meaning that
it does the character echoing, but doesn't allow type ahead, and locks you out
when it is repainting the screen. Its repainting is very poor; usually it
resends the whole blasted screen when you are using SPF. Don't know how well
it works with VM.

Summary recommendation: Security will love it. Your users will hate it (speaking
as a user).

 --- Joe M.
-----------[000042][next][prev][last][first]----------------------------------------------------
Date:      21 Jul 89 21:54:03 GMT
From:      ECULHAM@ualtavm.BITNET (Earl Culham)
To:        misc.security
Subject:   Re: Encryption hardware/software available?

>We are interested in providing an encrypting gateway for our campus network.
>...  Ideally, it would be a card with the ability to
>encrypt/decrypt on its own chip rather than taking up workstation CPU cycles.

I've recently run across a device which suits this purpose well.

The FasTok box is a combination encryptor/compressor.

Its normal configuration is as an active modem cable, plugging in
between the computer and the modem, at both ends. It is transparent
to both the computer, and the modem.

It both encrypts and compresses. The quoted compression ratios were
in the 2 to 5 times range.

I have no connection with the manufacturer, other than friendship.
However, I will relay questions to and from the net if there is an
interest.

-----------[000043][next][prev][last][first]----------------------------------------------------
Date:      22 Jul 89 11:53:01 GMT
From:      scott@heim.UUCP
To:        misc.security
Subject:   Re: airport metal detectors

>I would be willing to bet that were you 
>to NOT deposit ALL metal articles in the basket when travelling
>from an airport up here in W. Canada, the bells and whistles would go nuts.

No kidding! I was working for a computer game manufacturer a year or so ago,
and we had a game called "Airborne Ranger" - a nice trench warfare simulation.
Well, as a promotional gift, we had some practice HAND GRENADES stenciled w/
the games logo (they made good paperweights, if you go for that kind of
thing).  I have one of those metal briefcases (Zero Halliburton I think), which
may have helped obscure things... but a friend tossed one of our little
"promotions" into my briefcase without my knowing! This was not done
maliciously, I had asked for one.... To continue, I traveled from Baltimore
Int'l to John Wayne Int'l (Orange Co. CA.) with a plane change in between with
my mock explosive briefcase as carry on! This meant two different scannings
that failed to turn up something which should have a pretty blatant signature.
The next day when I noticed what I had gotten away with, I was pleased that I
hadn't been pulled aside for questioning, or inadvertently shot for someone
too nasty to be dealt with nicely, but it didn't take too long for me to
realize that I might feel a little safer in the future if I had been stopped.

True Story - no joke.

-- 
Scott Watson - "Inane little message goes here" 
    uucp: {rutgers,ames}!elroy!grian!heim!scott
Internet: scott@heim.UUCP

-----------[000044][next][prev][last][first]----------------------------------------------------
Date:      23 Jul 89 11:37:29 GMT
From:      jimkirk@OUTLAW.UWYO.EDU (Jim Kirkpatrick)
To:        misc.security
Subject:   DES on PC -- summary

I recently asked about DES on PC-type computers, promising a summary of
responses.  Here's what I got --
  1.  A request for a copy of what I get.
  2.  A reminiscence about a fairly old DES from another list
  3.  An address in West Germany that sells a software implementation.
  4.  A nice list of various manufacturers, complete with address.
Thanks to those who responded.  If anybody wants a copy of the responses,
E-mail me and I'll forward.

-----------[000045][next][prev][last][first]----------------------------------------------------
From:      mfidelma@bbn.com (Miles Fidelman)  25-JUL-1989  0:02:07
To:        misc-security@uunet.uu.net
Does anybody out there know of a strong password program for the (Sun) Unix
environment? In particular, one that generates pronounceable but meaningless
passwords, forces periodic password change, limits retries, etc (like
Multics).

Please reply by email.

Thanks much,

Miles Fidelman
mfidelman@bbn.com
-----------[000046][next][prev][last][first]----------------------------------------------------
From:      palm@duvan.nada.kth.se (Christer Palm)  25-JUL-1989  0:39:17
To:        misc-security@uunet.uu.net
ABLOY makes Motorlocks (bolt is operated by a motor) and can thus be controlled
in numerous ways.
One way is to open up the door from outside with a key and let the door lock
itself directly when it's closed. This is done with a standard sensor in the
lock.
-----------[000047][next][prev][last][first]----------------------------------------------------
From:      Barry Johnson                        <CYCLIST@clemson.bitnet>  25-JUL-1989  1:20:29
To:        security@pyrite.rutgers.edu
Here at Clemson we have similar paper that transcripts are printed
on.  If you try to copy it, the copy is legible but has the words
UNOFFICIAL COPY in big letters diagonally across the page.  The paper
is a reddish/orange color.  Hope this helps.  Thanks...

Barry Johnson                                  CYCLIST@CLEMSON.BITNET
Information Systems Development
Clemson University.
Clemson S.C. 29631
-----------[000048][next][prev][last][first]----------------------------------------------------
From:      lamaster@ames.arc.nasa.gov (Hugh LaMaster)  25-JUL-1989  1:56:56
To:        misc-security@ames.arc.nasa.gov
(Thanks for the information about Abloy locks - I have received a number of
recommendations for them.  If there is a consensus, Abloy seems to be it.)

>In Finland we have usually decent
>handles, that you can turn. Much easier.

This is strictly a safety issue.  Handles have been denigrated as a safety 
hazard to children.  Knobs are sized such that it is almost impossible
to injure an eye on them. 

I do not know whether it materially increases safety, but I am sure someone
must keep statistics on such things...  Anyway, with more lawyers than
engineers in the US, we can't afford to take chances with things like that :-)

  Hugh LaMaster, m/s 233-9,  UUCP ames!lamaster
  NASA Ames Research Center  ARPA lamaster@ames.arc.nasa.gov
  Moffett Field, CA 94035     
  Phone:  (415)694-6117       
-----------[000049][next][prev][last][first]----------------------------------------------------
From:      cheetah@blake.acs.washington.edu (       )  25-JUL-1989  2:27:20
To:        misc-security@ames.arc.nasa.gov
I will be bringing a new UUCP site on-line within the next 60 days.
In preparation, I am trying to learn as much as possible about
information system security. The main emphasis is on the UNIX 
and VAX/VMS operating systems.

If you are aware of any mailing lists, publications, texts, or other
sources of information on these subjects, please drop me a note.

In an attempt to conserve bandwidth, as well as other obvious reasons, 
please Email me directly. 

Thank you for your assistance in this matter.

					- Steve 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"There are two major products that come out of Berkeley: LSD and UNIX. We
 don't believe this to be a coincidence." ||   - Jeremy S. Anderson 

#include <disclaimer.h>                   cheetah@blake.acs.wahington.edu
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----------[000050][next][prev][last][first]----------------------------------------------------
Date:      Tue, 11 Jul 89 13:21:04 EET
From:      "Kees de Groot (DEGROOT@HWALHW50)" <DEGROOT@RCL.WAU.NL>   25-JUL-1989  2:54:59
To:        security@finhutc.BITNET
Automated fingerprint identification system
-------------------------------------------

        These systems are sold by:

        FINGERMATRIX Inc.
        30 Virginia Road, North White Plains, NY 10603
        (914) 428-5441 * Telex: 131236 * Fax: (914) 4280971
        Washington, DC Office: (703) 893-3880

        I have seen such a system in Katwijk, Holland.
        The Dutch security-firm 'Bavak en Jung' delivers
        those systems in Holland. It's a box with a keyboard
        and a sensor on which you place one of your fingers.
        Identification costs only a few seconds. To enhance
        performance PIN-codes can be used. In that case the
        system only compares fingerprints with the same
        PIN-code.

        After the security-operator has identified themselves
        new persons can be registered by the system. To
        improve false rejection more fingers can be shown to
        the system. So if you lose one finger you can still
        enter your office to get your spare finger!

        The system does not store a complete image of your
        fingerprints. It only stores certain unique points
        where fingerprint ridges end or divide, which are
        unique to each individual.

        Policemen have tried to fool the system with various
        artificial fingers made of rubber and plastic. They
        even tried to make the temperature and conduction
        equal to a human finger but no success! They are
        still looking for volunteers who want to donate a
        real fresh cutoff finger..

        I have no affiliation whatsoever with Fingerprint.
        I just happened to have this info for a talk about
        security-devices a few months ago.

Tel. +31-8370-  .KeesdeGroot   (DEGROOT@HWALHW50.BITNET)  o\/o  THERE AINT NO
     (8)3557/   'Computer security'                        []   SUCH THING AS
        4030    Wageningen Agricultural University        .==.  A FREE LUNCH!
                Computer-centre, the Netherlands
                X25:    PSI%(+204)18370060638::DEGROOT
disclaimer:     I always speak for myself
- if you go too far to the east, you find yourself in the west ..  -
-----------[000051][next][prev][last][first]----------------------------------------------------
Date:      24 Jul 89 21:12:26 GMT
From:      tower@BU-CS.BU.EDU (Leonard H. Tower Jr.)
To:        misc.security
Subject:   ??: Are modems harmed by airport X-rays?

Has anyone had problems with modems after they have gone through the
X-Ray machines used by airport security guards?  

Have to do this soon, and wanted to check.

thanx -len 

-----------[000052][next][prev][last][first]----------------------------------------------------
From:      silber@tcgould.tn.cornell.edu (Jeffrey Silber)  26-JUL-1989  9:35:45
To:        misc-security@rutgers.edu
Light blue (also called non-reproducible blue) is difficult to copy.  It
is frequently used in graphic arts applications for outlines, etc.

Another method of identifying (but not preventing) copies is to do a half-tone
of the background color saying "COPY," which only appears when the item is
copied in black and white.  This is usually found on checks and other
negotiable documents.

-- 
"A billion here, a billion there, and pretty soon you're talking real money."
                                                      --Sen. Everett Dirksen
Jeffrey A. Silber/silber@tcgould.tn.cornell.edu
Business Manager/Cornell Center for Theory & Simulation in Science & Engineering
-----------[000053][next][prev][last][first]----------------------------------------------------
From:      hplabs!walden@hpdml93.hp.com (Bob Walden)  26-JUL-1989 14:36:59
To:        misc-security@rutgers.edu
Does anyone know of any professional periodicals available regarding electronic
surveillance and/or use of electronics in law enforcement and security work?
Or any good reference material on the subject?  Thanks in advance!
-----------[000054][next][prev][last][first]----------------------------------------------------
From:      german@uxh.cso.uiuc.edu (Gregory German)  26-JUL-1989 15:17:14
To:        security@pyrite.rutgers.edu
What is the status of encryption of the data stream in a protocol like
TELNET?  I would like to have a version of TELNET that would optionally
encrypt the data stream to keep the casual curious net sniffer from
reading data off the network.  I have source for both ends of the connection
I am concerned about, but would rather not totally re-invent the wheel if
there has been some work done in this area.

         Greg German (german@sonne.CSO.UIUC.EDU) (217-333-8293)
US Mail: Univ of Illinois, CSO, 1304 W Springfield Ave, Urbana, IL  61801
Office:  129 Digital Computer Lab., Network Design Office
-----------[000055][next][prev][last][first]----------------------------------------------------
From:      gwyn@brl.mil  26-JUL-1989 15:59:12
To:        security@rutgers.edu
>I think the paper was a special shade of red; any writing on this paper
>would not show up when copied. ...

Yes, it's a dark red and light black printing on it is almost illegible
unless you view it under a STRONG light.  The computer game "Werdna's
Revenge" (Wizardry IV) uses a booklet of code numbers printed on the
stuff as a form of software piracy protection.  It sucks.

I don't know where you get such paper, presumably from a paper mill.
-----------[000056][next][prev][last][first]----------------------------------------------------
From:      phil@diablo.amd.com (Phil Ngai)  26-JUL-1989 16:37:22
To:        misc-security@ames.arc.nasa.gov
|On the other hand, I have friends who had very good burglar alarms on their
|house.  Doors, windows.  Didn't matter.  The thieves came in through the
|walls.

This is why I have always felt that a home security system is
incomplete without a motion detector inside the house. Preferably at
least two, so that they can cover each other. 

By the way, does anyone know if there are any prohibitions on a home
security system releasing tear gas if an intruder enters your house?
What about painfully loud sirens? 

--
Phil Ngai, phil@diablo.amd.com		{uunet,decwrl,ucbvax}!amdcad!phil
"The government is not your mother."
-----------[000057][next][prev][last][first]----------------------------------------------------
From:      wrf@ecse.rpi.edu (Wm. Randolph Franklin)  26-JUL-1989 17:30:15
To:        security@pyrite.rutgers.edu
Another principle (I think) is a transparent spray coating that
fluoresces when exposed to the UV in the xerox lamp.  So the whole page
copies as white.  It's possible that Xerox sells it.

I once saw an overpriced newsletter printed in light blue ink on white
paper with yellow polka dots.  However, it was illegible in the
original, before being copied.  I also get a laugh from local road maps
that print in blue ink.  They become MORE legible after copying on the
right machine.
                                     --------
						   Wm. Randolph Franklin
Internet: wrf@ecse.rpi.edu (or @cs.rpi.edu)    Bitnet: Wrfrankl@Rpitsmts
Telephone: (518) 276-6077;  Telex: 6716050 RPI TROU; Fax:     on request
Paper: ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180
-----------[000058][next][prev][last][first]----------------------------------------------------
Date:      Thu, 13 Jul 89 14:18:51 CDT
From:      "Craig Finseth" <fin@uf.msc.umn.edu>   26-JUL-1989 18:12:00
To:        STGEORGE@unmb.bitnet
Cc:        security@pyrite.rutgers.edu
   Since we will only be
   hiring one person, this person will (gasp) have to handle ALL aspects
   of security at all levels, from micros to mainframes. My question is
   not with how to accomplish this, but one of where to place such a
   person organizationally.

Consider for a moment the range of tasks that a security officer
performs.  In general, their duties cover host security (with account
management figuring heavily), communications, building security,
personnel (most breaches are inside jobs after all), and just about
everything under the sun.  It therefore makes sense to place them in
some sort of "general administrative" group.

Unfortunately, the person in charge of that group probably does not
understand security.  Cheer up, no one else does, either (:-).

For confirmation, look to other organizations where security figures
prominently (e.g., banks).  I think you will find that they put
security in just such a general, but centrally-run division.

Craig A. Finseth			fin@msc.umn.edu [CAF13]
Minnesota Supercomputer Center, Inc.	(612) 624-3375
-----------[000059][next][prev][last][first]----------------------------------------------------
From:      "John_Hodges.XSIS"@xerox.com  28-JUL-1989 13:24:11
To:        hwchoy@zpovc.enet.dec.com
Cc:        "Frank_Presson.McLeanCSD"@xerox.com, Hodges.XSIS@xerox.com, security
The Xerox Corporation is nearing endorsement for the Xerox Encryption
Unit (XEU). The XEU is a stand-alone device, providing Type I encryption
service, which is installed in the drop cable between the processor and
transceiver. It can be used on most LANs and with most equipment which
conforms to the IEEE 802.3 10BASE5 or Xerox Ethernet Version 1 or Version 2
local area network standard. IEEE 802.2 requirements are not specifically
supported. The Xerox marketing manager is Frank Presson (703) 442-6777. 
-----------[000060][next][prev][last][first]----------------------------------------------------
From:      ixi!clive@britain.eu.net  28-JUL-1989 14:27:36
To:        security@ukc.ac.uk
Notice to UK readers - every police division (i.e. every reasonable town) has
an officer called a Crime Prevention Officer. His/her duty is to offer *free*
advice to anyone who wants it on home/business security.

>I now live in a small town in the northwest.
>I've been there three years, and have yet to be mugged, burglarized, or
>threatened in any manner.

Very true. My parents live in a large town (pop. 150 000) - there have been 4
burglaries this year in the 80 properties in their street. I live in a
village (pop. 5 000). There have been 4 burglaries in the entire village in the
last *fifteen years*.
-- 
Clive D.W. Feather
IXI Limited
clive@ixi.uucp
...!uunet!ukc!ixi!clive (riskier)
-----------[000061][next][prev][last][first]----------------------------------------------------
From:      jad@dayton.dhdsc.mn.org (J. Deters)  28-JUL-1989 15:09:01
To:        security@rutgers.edu
There are a few different things you can use to slow down enterprising
xerographers.  Red appears black to the black and white imaging systems
of most copying machines, so red paper makes it more difficult to copy.

Light blue does not copy well, so you could write with a light blue
felt tip.

If you are more concerned about the legitimacy of the document (as in
a check) as opposed to the value of the information on it, you could
take the same approach that the check vendors use.  It amounts to the
words VOID-COPY written in a half-tone screen of a solid color being
superimposed on a pastel background equating to the same color.
(Tough to explain, but easy to see with an example.)  Let's say
you have a check in front of you that has soft yellow stripes
running through it.  If you look closely, you will see bright yellow
dots (with white space) spelling out the word VOID.  Normally it
doesn't show, but the copying machine sees the bright yellow letters
and reproduces them, ignoring the pastel areas.  Examine some of
the checks and/or official documents you run into in the next
few weeks.

-j

-- 
"Captain's log:  Stardate 2734.3.  'I am nailed to the hull.'"
-----------[000062][next][prev][last][first]----------------------------------------------------
From:      ishikawa@ultra.enet.dec.com (Jim Ishikawa, DTN_293_5054)  28-JUL-1989 15:48:25
To:        susan@yalevm.bitnet
There are some DEC products that might be useful to you.  Digital's Ethernet
Enhanced-Security System (EESS) products sound most applicable, though I'd have
to hear a bit more about what gateway functionality is required to be sure. 

There are two EESS products:

    The DESNC secure network controller
    The VAX KDC security management software

The EESS provides a number of security features for Ethernet/802.3 networks
including transmission of encrypted data between Ethernet devices over
unprotected segments.

We also have some software encryption products, but none run on OS/2.  If you
could use a VMS or Ultrix workstation (e.g., VAXstation 3100 or DECstation
2100) you might consider Digital's DES software products.

There will be a case study article on using EESS products to enhance the
security of university campus backbones in the next revision to the Auerbach
"Handbook on LANs."  I'll also forward your message to some people who have
been dealing with various security problems on campus networks.

If you have any questions or would like some additional assistance please feel
free to contact me.

    Jim Ishikawa
    Product Manager

    ishikawa@ultra.enet.dec.com
    decwrl!ultra.dec.com!ishikawa
    508-264-5054 
-----------[000063][next][prev][last][first]----------------------------------------------------
Date:      27 Jul 89 10:38:40 GMT
From:      tanner@ki4pv.UUCP (Dr. T. Andrews)
To:        misc.security
Subject:   Re: "copy proof paper" - does such a thing exist?

) I think the paper was a special shade of red; any writing on this
) paper would not show up when copied. ...
This reminds me that I have never found a check printer who will
provide checks on such red paper.  The banks are reputed to use
a variety of film for their copies on which such checks will not
be legible.

Does anyone know of a source for such checks?
-- 
...!bikini.cis.ufl.edu!ki4pv!tanner  ...!bpa!cdin-1!ki4pv!tanner
or...  {allegra attctc gatech!uflorida uunet!cdin-1}!ki4pv!tanner

-----------[000064][next][prev][last][first]----------------------------------------------------
Date:      27 Jul 89 19:29:06 GMT
From:      USERDJMA@UALTAMTS.BITNET (Douglas James Martin)
To:        misc.security
Subject:   Re: "copy proof paper" - does such a thing exist?

Light blue is also often used in some vital parts of the docs of computer
games rather than copy-protection of the disk; you can copy the game disk
fine but the game is unplayable without tedious manual copying of the
non-photocopyable stuff.

This was a long time ago, so I can't give sources, but I'm sure I read
somewhere of the use of dyes that are highly fluorescent under the lights
used by copiers (something about there being lots of UV in them) used to
screw up copying.

-----------[000065][next][prev][last][first]----------------------------------------------------
Date:      28 Jul 89 20:45:55 GMT
From:      DIXON@ohstvma.BITNET (Bob Dixon)
To:        misc.security
Subject:   RE:      Encryption hardware/software available?

The DEC encryption approach was described to me to have 2 significant defects:
1. You have to have a VAX to use it.
2. Too much of the packet is encrypted, such that the packets can only pass
   thru bridges, and not routers.

Can someone who really knows verify this?

We would be very interested in ethernet encryption hardware that was
vendor-independent and encrypted ONLY the innermost "text" portion of the
packets.

                              Bob Dixon
                              Ohio State University

-----------[000066][next][prev][last][first]----------------------------------------------------
From:      hughes@ns.network.com (Jim Hughes x1676)  30-JUL-1989  5:55:33
To:        misc-security@rutgers.edu
A while ago there was a question about dial back modems.

I stated that there was a "defender" modem, but that I did not know
of the company name.  They have just sent me some mail.

The company name is:

	Digital Pathways Inc.
	201 Ravendale Drive
	Mountain View, CA, USA
	94043-5216

	(415)964-0707

jim
hughes@network.com
-----------[000067][next][prev][last][first]----------------------------------------------------
From:      zeleznik@cs.utah.edu (Mike Zeleznik)  30-JUL-1989  7:14:20
To:        security@pyrite.rutgers.edu
As for explicit thumb print authentication, you might check out the
ThumbScan Fingerprint System:

  ThumbScan, Inc.
  Two Mid-America Plaza, Suite 800
  Oakbrook Terrace, IL  60181
  312-954-2336

Another approach which avoids the need to carry something with you is
the real-time analysis of typing keystroke characteristics, like in the
Electronic Signature Lock (if it is still around):

  Electronic Signature Lock Corp.
  1311 Ulloa St.
  San Francisco, CA  94116
  415 558-9133 / 681-7325

I have NO personal experience with either of these; have only seen their
literature and talked with them.

  Michael Zeleznik              Computer Science Dept.
                                University of Utah
  zeleznik@cs.utah.edu          Salt Lake City, UT  84112
                                (801) 581-5617
-----------[000068][next][prev][last][first]----------------------------------------------------
From:      Margie Rogis <MDR100T@oduvm.cc.odu.edu>  30-JUL-1989  8:36:39
To:        security@rutgers.edu
This is addressed to any site running RACF -

I have a user who has only READ access to data sets under a generic profile
'ADMI.P.*'.  This user was able to create (and therefore later delete) a
data set falling under that profile's protection.  No other more specific
profile applied.

I have read the Administrator's Guide, and I don't understand why she was
able to do this.  According to page 4-4, a user can create a new user data
set ONLY if he/she has ALTER authority to the data set via the generic
profile or global access checking; neither is true in this case.

Additional info:  We have always-call, the users do not have ADSP, and
PROTECT-ALL is not in effect.

Am I missing something?  I'd appreciate any insight from someone who
knows RACF better than I.

Thanks in advance...

[Moderator reminder: Replies to him, please..   _H*]
-----------[000069][next][prev][last][first]----------------------------------------------------
From:      mason@eddie.mit.edu (Nark Mason)  30-JUL-1989 10:15:24
To:        security@pyrite.rutgers.edu
  I have seen a thumbscan in the kilobuck range made by, I believe,
ThumbScan Inc, probably in Cambridge, Ma. The version I saw was
attached to a PC.
  They make a couple of other interesting security devices, one I
thought to be really clever is called the Gordian Knot. It is an
epoxy potted "thing" about the size of the average electronic
stopwatch with a photodetector and an LCD readout, and it self
destructs when it thinks someone is tampering with it.
  The idea was that the software would flash a spot on the screen
in a certain pattern, you would hold the device to the screen, it
would read the pattern being flashed, hash, trash, encrypt and
discombobulate it and hand back a number that the software would
already be expecting. Quite a bit more versatile than the IBM
label Medeco locks on the 3270 and infinitely more clever. (I seem
to think they were about $14 in small quantity). They could also
be programmed (only once) to self destruct at a given time or just
expire.
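The screen-flash token described in the post above is a challenge/response scheme: the host shows a fresh challenge, the device keys it with a secret and returns a short code the host already knows to expect. The following is an added example, not ThumbScan's code (its real algorithm is not described on this list); it models the exchange with an HMAC, a one-time challenge set to defeat replay, a constant-time comparison on the host side, and the expiry behaviour the post mentions. The `Token`, `Host`, `pattern_from_bytes` and `demo` names and all secrets are constructed for the illustration.

```python
"""Added example: a screen-flash challenge/response token modelled with HMAC.

Illustrative stand-in for the device described above; the real token's
algorithm is not public and all secrets here are constructed values.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def pattern_from_bytes(challenge: bytes) -> str:
    """The host 'flashes' the challenge as a string of 0/1 frames."""
    return "".join(f"{b:08b}" for b in challenge)


def bytes_from_pattern(pattern: str) -> bytes:
    """The token's photodetector reads the flashed frames back into bytes."""
    return bytes(int(pattern[i:i + 8], 2) for i in range(0, len(pattern), 8))


class Token:
    """Potted device: holds a secret, answers challenges, refuses after expiry."""

    def __init__(self, secret: bytes, expires_at: Optional[int] = None):
        self._secret = secret
        self._expires_at = expires_at       # programmed once, like the real unit

    def respond(self, pattern: str, now: int) -> Optional[str]:
        if self._expires_at is not None and now >= self._expires_at:
            return None                     # token has expired: no answer
        challenge = bytes_from_pattern(pattern)
        mac = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # 8-digit code for an LCD readout, derived from the first 4 MAC bytes
        return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


class Host:
    """Software side: issues one-time challenges and verifies the responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()

    def issue_challenge(self) -> str:
        challenge = secrets.token_bytes(8)  # fresh, unpredictable per login
        self._outstanding.add(challenge)
        return pattern_from_bytes(challenge)

    def verify(self, pattern: str, response: Optional[str]) -> bool:
        challenge = bytes_from_pattern(pattern)
        if response is None or challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)  # each challenge is usable once
        expected = Token(self._secret).respond(pattern, now=0)
        return hmac.compare_digest(expected, response)


def demo():
    """Accepted once, rejected on replay, rejected with a wrong secret or when expired."""
    secret = secrets.token_bytes(32)        # constructed per-copy secret
    host = Host(secret)
    token = Token(secret, expires_at=100)
    wrong_token = Token(b"constructed wrong secret")

    p1 = host.issue_challenge()
    r1 = token.respond(p1, now=10)
    accepted = host.verify(p1, r1)
    replayed = host.verify(p1, r1)          # same challenge/response again
    p2 = host.issue_challenge()
    wrong_key = host.verify(p2, wrong_token.respond(p2, now=10))
    p3 = host.issue_challenge()
    expired = host.verify(p3, token.respond(p3, now=200))
    return accepted, replayed, wrong_key, expired


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is that a recorded screen pattern and its code are useless later: the host only honours a challenge it issued and has not yet consumed, so observing one login does not yield a reusable credential.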
-----------[000070][next][prev][last][first]----------------------------------------------------
From:      NESCC@nervm.nerdc.ufl.edu (Scott C. Crumpton)  30-JUL-1989 11:37:17
To:        SECURITY@pyrite.rutgers.edu
I have a need to keep some of my PC (IBM clone) data encrypted.
However, none of the encryption programs that I have tested to date
do what I want.  They all take an input file and encrypt it to
produce an output file.  All fine and good for the occasional file or
two. What I want to do is declare entire directories as encrypted and
have the encryption package automatically encrypt/decrypt any data in
these directories.

I know there are some full blown security packages that will do this,
along with multiple users/passwords, protected directories/files,
etc. But I'm not really interested in all of that and the associated
overhead. Simple physical security is good enough in this case, the
encryption is desired to protect only a small subset of the data in
the event the PC is stolen.

So, my question: Does anyone know of a package that will do what I
need? A full blown system that can be selectively installed would be
acceptable. (Note: This must be a software solution, there are no
expansion slots on the PC in question.)

Thanks in advance.

---Scott.
-----------[000071][next][prev][last][first]----------------------------------------------------
From:      makela@jyu.fi (Otto J. Makela)  30-JUL-1989 12:36:28
To:        misc-security@cwi.nl
About Abloy locks not wearing down well:
As is known, Abloys (originally) come from Finland.  Here they are the most
common type of locks.  I just recently had to have my apartment lock replaced
because it was so worn-out it was hard to get it to stay unlocked!  It had
been originally installed when the house was built, in 1962.  The lock still
opened the door very nicely, though.
Also, I personally changed the lock for my parent's front door - their house
was built circa 1955... the lock was still quite operational, but had the same
problem of not properly latching to the "unlocked" position.
How long do apartment locks (used several times daily) last, in general?

Otto J. Makela, University of Jyvaskyla
InterNet: makela@tukki.jyu.fi, BitNet: MAKELA_OTTO_@FINJYU.BITNET
BBS: +358 41 211 562 (V.22bis/V.22/V.21, 24h/d), Phone: +358 41 613 847
Mail: Kauppakatu 1 B 18, SF-40100 Jyvaskyla, Finland, EUROPE

"In the week before their departure to Arrakis, when all the final scurrying
about had reached a nearly unbelievable frenzy, an old crone came to visit the
mother of the boy, Paul." - Frank Herbert, Dune
-----------[000072][next][prev][last][first]----------------------------------------------------
Date:      31 Jul 89 12:40:58 GMT
From:      DIXON@ohstvma.BITNET (Bob Dixon)
To:        misc.security
Subject:   Re: Ethernet Encryption Device

How much of the packet does the Xerox device encrypt? Can the packet pass thru
a router after being encrypted?

                               Bob Dixon
                               Ohio State University
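The two messages from Bob Dixon above turn on one question: how much of the frame a link encryptor hides. A bridge forwards on the Ethernet destination address alone, while a router has to read the IP header, so encrypting everything behind the Ethernet header keeps packets on the bridged segment and encrypting only the transport payload lets them cross routers. The block below is an added illustration of that trade-off, not code from DEC, Xerox or this list; the frame layout, addresses and key are constructed sample values, and the HMAC-SHA256 keystream stands in for whatever cipher a real unit uses.

```python
"""Added example: encryption scope versus who can still forward the frame.

A bridge needs only the destination MAC; a router needs a readable IPv4
header. The keystream below is HMAC-SHA256 used as a PRF (illustrative;
a real device would use an authenticated cipher), and every address and
key is a constructed sample value.
"""
import hashlib
import hmac
import struct

ETH_HDR_LEN = 14   # dst MAC(6) + src MAC(6) + EtherType(2)
IP_HDR_LEN = 20    # minimal IPv4 header, no options


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || 32-bit block counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload):
    """Constructed sample frame: Ethernet II + IPv4 (protocol 17) + payload."""
    eth = dst_mac + src_mac + struct.pack(">H", 0x0800)
    ip = struct.pack(">BBHHHBBH4s4s",
                     0x45, 0, IP_HDR_LEN + len(payload),  # version/IHL, TOS, total length
                     0, 0,                                 # identification, flags/fragment
                     64, 17, 0,                            # TTL, protocol, checksum (omitted)
                     src_ip, dst_ip)
    return eth + ip + payload


def encrypt_frame(frame, key, nonce, clear_len):
    """Leave the first clear_len bytes readable, encrypt everything after them."""
    return frame[:clear_len] + crypt(frame[clear_len:], key, nonce)


def bridge_forward(frame, mac_table):
    """Layer-2 bridge: consults only the destination MAC."""
    return mac_table.get(frame[:6])


def router_forward(frame, routes):
    """Layer-3 router: needs a sane IPv4 header to pick an outgoing interface.
    Returns the interface name, or None when the header is unreadable."""
    ip = frame[ETH_HDR_LEN:ETH_HDR_LEN + IP_HDR_LEN]
    if len(ip) < IP_HDR_LEN or ip[0] >> 4 != 4 or (ip[0] & 0x0F) * 4 != IP_HDR_LEN:
        return None
    return routes.get(ip[16:20])


def compare_modes():
    """Push both encryption scopes through a bridge and a router."""
    key, nonce = b"\x11" * 32, b"\x00" * 8            # constructed demo key/nonce
    dst_mac, src_mac = b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01"
    src_ip, dst_ip = bytes([10, 0, 1, 5]), bytes([10, 0, 2, 9])
    payload = b"login: alice"
    frame = build_frame(dst_mac, src_mac, src_ip, dst_ip, payload)
    mac_table, routes = {dst_mac: "port2"}, {dst_ip: "eth1"}

    whole = encrypt_frame(frame, key, nonce, ETH_HDR_LEN)                  # IP header hidden
    payload_only = encrypt_frame(frame, key, nonce, ETH_HDR_LEN + IP_HDR_LEN)
    off = ETH_HDR_LEN + IP_HDR_LEN
    return {
        "bridge_whole": bridge_forward(whole, mac_table),
        "router_whole": router_forward(whole, routes),
        "bridge_payload": bridge_forward(payload_only, mac_table),
        "router_payload": router_forward(payload_only, routes),
        "payload_recovered": crypt(payload_only[off:], key, nonce),
        "payload_hidden": whole[off:] != payload and payload_only[off:] != payload,
    }


if __name__ == "__main__":
    for k, v in compare_modes().items():
        print(f"{k}: {v!r}")
```

Encrypting behind the IP header is exactly the "innermost text only" option the second message asks for, and the cost is visible in the same run: the IP addresses stay in clear on the wire, so the traffic pattern is exposed even though the contents are not.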

END OF DOCUMENT