The 'Security Digest' Archives (TM)

ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1989)
DOCUMENT: Rutgers 'Security List' for August 1989 (35 messages, 15405 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1989/08.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

-----------[000000][next][prev][last][first]----------------------------------------------------
From:      bcn@june.cs.washington.edu (Clifford Neuman)  2-AUG-1989 19:34:31
To:        misc-security@beaver.cs.washington.edu
The Kerberos system available from MIT's Project Athena comes with a
version of rlogin that will optionally encrypt the data stream.

	~ Cliff
-----------[000001][next][prev][last][first]----------------------------------------------------
From:      tower@bu_cs.bu.edu (Leonard H. Tower Jr.)  2-AUG-1989 20:19:56
To:        misc-security@husc6.harvard.edu
Has anyone had problems with modems after they have gone through the
X-Ray machines used by airport security guards?  

Have to do this soon, and wanted to check.

thanx -len 
-----------[000002][next][prev][last][first]----------------------------------------------------
From:      "Alejandro Kurczyn S." <499229@VMTECMEX>  2-AUG-1989 21:01:31
To:        SECURITY@UGA
 Hi, I'm not a member of this list, and perhaps this isn't the right place
to post this but...

  Can anyone tell me what is the latest technique to copy-protect a PC
diskette? How can I do the protection? Please mail me directly, this is
really urgent..

-Alejandro
System operator
ITESM CEM
*
-----------[000003][next][prev][last][first]----------------------------------------------------
From:      jimkirk@outlaw.uwyo.edu (Jim Kirkpatrick)  2-AUG-1989 21:44:20
To:        security@pyrite.rutgers.edu
I recently asked about DES on PC-type computers, promising a summary of
responses.  Here's what I got --
  1.  A request for a copy of what I get.
  2.  A reminiscence about a fairly old DES from another list
  3.  An address in West Germany that sells a software implementation.
  4.  A nice list of various manufacturers, complete with address.
Thanks to those who responded.  If anybody wants a copy of the responses,
E-mail me and I'll forward.
-----------[000004][next][prev][last][first]----------------------------------------------------
From:      EVERHART%ARISIA.decnet@crdgw1.ge.com  2-AUG-1989 22:21:31
To:        SECURITY@pyrite.rutgers.edu
Defeating a "copy proof" paper based on paper color only is fairly
straightforward. You get a sheet of colored celluloid or the like and
place it in front of the item being copied. Look through the celluloid
and if you can't SEE the lettering, the copier generally won't either.
Our copier (one of the newer Xerox models) has sufficient contrast
adjustments that the quality of the copy can nevertheless be made most
adequate. The same trick can be used if you want to duplicate the
red "proof" photos some photographers use. A useful fact is that a
CuSO4 solution (copper sulphate) of reasonable density will filter
out ALL red light (down to the sub 1 photon level; it's used to
filter lasers and select second harmonic radiation!). Use a small
bit as a filter & contact print the pic onto roll film...voila!
Your very own negative! (This is a major pain in the neck to do and
should not become a habit...the poor photog. has to make a living,
after all. The filtering technique is occasionally useful though.)
Glenn Everhart
-----------[000005][next][prev][last][first]----------------------------------------------------
From:      mk59200@funet.fi (Kolkka Markku Olavi)  2-AUG-1989 23:07:13
To:        misc-security@cwi.nl
> ...  However, according to this one locksmith, Abloy locks
> don't wear well.  If they are not treated gently, they will begin to jam.

Several millions of Abloys are in use here in Finland, many of them decades
old. The weather conditions aren't exactly 'gentle' here.  The Abloy has a
very simple but efficient design with a minimal number of moving parts. The
manufacturer recommends lubrication with thin oil now and then (just a few
drops into the keyhole), and that should keep it working.

> Abloy keys cannot be duplicated at the shop as a standard Medeco can.  The
> "Platinum," or biaxial, Medecos are in the same boat as the Abloy.)

There are also several variants of Abloy, with different levels of availability
of key blanks and duplication service.

Disclaimer: I have nothing to do with Wartsila Oy (manufacturer of Abloy
locks), except that I have been using Abloys all my life. (well, almost)
--
	Markku Kolkka
	mk59200@tut.fi
-----------[000006][next][prev][last][first]----------------------------------------------------
Date:      3 Aug 89 05:05:00 GMT
From:      DLV@cunyvms1.BITNET
To:        misc.security
Subject:   Brand new DES?

>  2.  A reminiscence about a fairly old DES from another list

I guess this refers to my message. I said that John Gilmore posted a C source
to DES on netnews a while ago, which I got to work on PC with minimal effort.
I wonder if Jim is using the attribute 'fairly old' to put down
this implementation. DES itself is fairly old, and probably not very secure;
there seem to be better codes around, but if one wants DES, then it should
not probably matter how old the implementation is, as long as it's DES. S in
DES is for Standard. A 'brand new DES' probably should not be called DES
anymore. Is Jim using 'DES' as a generic term? I'm all confused.

Dimitri Vulis
Department of Mathematics
CUNY GC

-----------[000007][next][prev][last][first]----------------------------------------------------
From:      melling@gateway.mitre.org (Phil Mellinger)  6-AUG-1989 18:27:41
To:        security@pyrite.rutgers.edu
Something interesting occurred to me concerning the transfer of
encryption programs over networks that have international connectivity.
Can you ship such encryption programs (which may be export sensitive)
over international networks or is this a violation of export laws?
This sounds silly but I am curious...

                     Phil Mellinger
-----------[000008][next][prev][last][first]----------------------------------------------------
From:      Bob Dixon <DIXON@ohstvma.bitnet>  6-AUG-1989 19:10:09
To:        security@pyrite.rutgers.edu
We have Fortran source code for DES as part of our larger system of
across-platform encryption software. But it is all tied up in the legalese
problems now.

                          Bob Dixon
                          Ohio State University
-----------[000009][next][prev][last][first]----------------------------------------------------
From:      gwyn@brl.mil  6-AUG-1989 19:42:45
To:        security@rutgers.edu
>I'm looking for a Fortran source code to do encryption of Ascii files ...

See section 7.5, "The Data Encryption Standard", of "Numerical Recipes --
The Art of Scientific Computing" by William H. Press, Brian P. Flannery,
Saul A. Teukolsky, and William T. Vetterling (1986, Cambridge University
Press), ISBN 0-521-30811-9 (book), ISBN 0-521-30957-3 (FORTRAN diskette).
-----------[000010][next][prev][last][first]----------------------------------------------------
From:      Earl Culham <ECULHAM@ualtavm.bitnet>  6-AUG-1989 20:23:55
To:        misc-security@watmath.waterloo.edu
>We are interested in providing an encrypting gateway for our campus network.
>...  Ideally, it would be a card with the ability to
>encrypt/decrypt on its own chip rather than taking up workstation CPU cycles.

I've recently run across a device which suits this purpose well.

The FasTok box is a combination encryptor/compressor.

Its normal configuration is as an active modem cable, plugging in
between the computer and the modem, at both ends. It is transparent
to both the computer, and the modem.

It both encrypts and compresses. The quoted compression ratios were
in the 2 to 5 times range.

I have no connection with the manufacturer, other than friendship.
However, I will relay questions to and from the net if there is an
interest.
-----------[000011][next][prev][last][first]----------------------------------------------------
From:      smb@ulysses.homer.nj.att.com (Steven M. Bellovin)  6-AUG-1989 20:54:59
To:        att!misc-security
>     I could have sworn I saw a posting about an article in a Soviet computer
> science journal that gave an algorithm for breaking badly chosen keys for 
> DES.  I may have even seen it [the reference] here...

There's been a rumor floating around on the net that the Soviets have
cracked DES, and published that fact in one of their academic journals.
Apart from the implausibility of that, Don Mitchell did a fairly thorough
literature search, with the aid of a Russian-speaking reference librarian,
and found nothing.

Now -- for certain badly-chosen keys, that isn't out of the question.
There are 4 "weak keys" -- 01010101 01010101, FEFEFEFE FEFEFEFE,
1F1F1F1F 0E0E0E0E, E0E0E0E0 F1F1F1F1 -- which should be avoided.
There are also a set of "semi-weak keys" which present a smaller
security risk.  All of these should be avoided in critical situations,
i.e., master keys used to encrypt session keys.  See Davies and Price,
"Security for Computer Networks", for details.

		--Steve Bellovin
		smb@ulysses.att.com
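
Added example, not part of Steve Bellovin's message: a Python check that derives the 16 DES round keys and flags a key as weak when they are all identical, which is why such keys are unsuitable as master keys. The DES tables are the standard ones; the semi-weak and ordinary sample keys and all function names are assumptions introduced here.

```python
# Added illustration: classify a DES key by the round keys it produces.
# PC1, PC2 and SHIFTS are the standard DES key-schedule tables.
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

# The four weak keys exactly as listed in the message above.
WEAK_KEYS_FROM_POST = ["0101010101010101", "FEFEFEFEFEFEFEFE",
                       "1F1F1F1F0E0E0E0E", "E0E0E0E0F1F1F1F1"]


def permute(bits, table):
    """Select bits by 1-based position, as the DES tables are written."""
    return [bits[i - 1] for i in table]


def round_keys(key: bytes):
    """Return the 16 48-bit round keys (as bit tuples) for an 8-byte key."""
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes (56 key bits + 8 parity bits)")
    bits = [(byte >> (7 - i)) & 1 for byte in key for i in range(8)]
    cd = permute(bits, PC1)          # PC-1 drops the parity bits
    c, d = cd[:28], cd[28:]
    keys = []
    for s in SHIFTS:
        c = c[s:] + c[:s]            # rotate each 28-bit half left
        d = d[s:] + d[:s]
        keys.append(tuple(permute(c + d, PC2)))
    return keys


def classify(key: bytes) -> str:
    """'weak' if every round uses the same subkey, 'semi-weak' if only two
    distinct subkeys occur, otherwise 'ok'."""
    distinct = len(set(round_keys(key)))
    if distinct == 1:
        return "weak"        # encrypting twice returns the plaintext
    if distinct == 2:
        return "semi-weak"   # another key's encryption undoes this one
    return "ok"


def check_master_key(key: bytes) -> bytes:
    """Reject keys that should not protect session keys; return the key."""
    verdict = classify(key)
    if verdict != "ok":
        raise ValueError(f"refusing {verdict} DES key")
    return key


if __name__ == "__main__":
    for hexkey in WEAK_KEYS_FROM_POST:
        print(hexkey, classify(bytes.fromhex(hexkey)))
    # Constructed inputs, not from the message:
    print("0000000000000000", classify(bytes(8)))  # parity bits differ only
    print("01FE01FE01FE01FE", classify(bytes.fromhex("01FE01FE01FE01FE")))
    print("133457799BBCDFF1", classify(bytes.fromhex("133457799BBCDFF1")))
```

Because the check works on the derived schedule rather than comparing raw bytes, it also catches a weak key whose parity bits were set differently, such as the all-zero key.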
-----------[000012][next][prev][last][first]----------------------------------------------------
From:      Roy Stehle <stehle@tsca.istc.sri.com>  6-AUG-1989 21:28:39
To:        Security@pyrite.rutgers.edu
Cc:        stehle@tsca.istc.sri.com
The following appeared in Denise Caruso's column in the 23 July 89 issue
of the San Francisco Examiner:

"Speaking of proprietary vs. public information, I'd like to personally
 thank NoCopi International of Montreal, makers of the uncopyable,
 unfaxable paper used by Apple Computer inc., Broderbund Software, Sierra
 On-Line and others to stem the flow of proprietary data.  NoCopi's got a
 new product combo that's going to make my job a lot more creative.

"Norm Gardner, president and CEO of NoCopi, says the two products are the
 first to come out of its new Canadian research center - a clear-ink
 highlighter and a white, chemically treated paper.  You can type or print
 onto the paper with plain old ink, just like usual.  But if you highlight
 text on the paper using the marker and try to photocopy or fax the page,
 the highlighted material is blocked out as completely as if you used a
 black marker.

"He says the products will be ready to ship by year end, ..."

This is provided for your information and further investigation.  I have no
experience with NoCopi.

Roy Stehle
SRI International
-----------[000013][next][prev][last][first]----------------------------------------------------
From:      "Quick, VT_180, to the VAXmobile." <JMS@ARIZMIS>  6-AUG-1989 22:04:06
To:        security@marist
I have seen a reference to a Soviet article about DES, but
no one has ever been able to provide me with enough information
to track the article down.  I am prepared to dismiss it as
a myth, until someone puts a real reference here.

While the question of export control (of DES, and of other things)
is certainly of great interest, the issues are wildly complex
and not going to be solved here.  However, here are some comments
on some stuff people have said:

Just because something appears on Usenet doesn't mean that it
has made it to the USSR.  And just because it has made it to one
or two folks there, doesn't mean that there is broad distribution.
The USSR is just like the US.  A piece of technology may be well
embedded in a particular department or office, or even a whole
building, but it is unlikely to spread quickly around the country,
or even across the hall.  Communications are heavily stifled.
There is no concept of BBS/Usenet in the Soviet Union---the
people who have access to Western databases number less than 100.
I'm not saying that DES restriction is bad/good; what I am saying
is that Dr. Dobbs is not widely read in the Soviet Union.  A $40
subscription to Dr. Dobbs is 80 days pay for the average Soviet
(because Dr. Dobbs doesn't take Rubles).  The argument that ``this
is everywhere in the US public domain'' has no relevance when
extended to the USSR.

When the argument is made that ``the spies/terrorists have whatever
they want,'' that is also not very valid.  This argument is used
quite often by Soviet academics we meet to explain why the US should
sell computers to the Soviets.  In fact, the unstated policy of US
export controls is to keep the Enemy (you know, the dark empire)
in bare feet and technological illiteracy.  What do you think the
military industrial complex depends on?  Answer: the research done
everywhere else in the country.  Whether we admit it or not, the
policies that DoD promotes through Commerce (note that DoD, Commerce,
and the Businesses-that-want-to-make-a-profit form three legs of
a triangle that is in eternal conflict.  DoD would have them in
the stone age, while Business wants to increase exports and make our
economy stronger) are aimed at restricting technology EVERYWHERE
in the country.

So, you can fight that particular policy, but you can't use a rational
argument, since the policy isn't there for rational reasons (well,
let's just say not for reasons that are entirely above board).

jms

Joel M Snyder, U Arizona MIS Dep't, Tucson, AZ, 85721  Phone: 602.621.2748
BITNET: jms@arizmis  Internet: jms@mis.arizona.edu  SPAN: 47541::uamis::jms
SM-1700 -  A small VAX that's *all* VAX (except it's made in the USSR)
-----------[000014][next][prev][last][first]----------------------------------------------------
Date:      6 Aug 89 20:44:25 GMT
From:      jik@ATHENA.MIT.EDU (Jonathan I. Kamens)
To:        misc.security
Subject:   exporting encryption software

>Can you ship such encryption programs (which may be export sensitive)
>over international networks or is this a violation of export laws?
>This sounds silly but I am curious...

  It is not silly at all.  Project Athena has been extremely hindered
in our attempts to export Kerberos (an authentication protocol based
on DES encryption) outside the United States.

  The state department does not allow the export from the United
States of encryption software unless that software is "mass market"
(which means, for all intents and purposes, that it runs on a PC :-).
They will not allow the export of Kerberos, despite the fact that it
is easy to get software implementations of the DES library outside of
the United States.

  In fact, somebody in Finland wrote and released a version of DES
that was specifically designed to fit into the Kerberos code and to
replace the Kerberos encryption routines.  The problem with that is
that the government even has problems with the export of code that
*references* encryption code.  In other words, in order to export
Kerberos we have to take out all references to encryption in the
source code.

  Recently, a large portion of the Project Athena environment was
installed at Bond University, a new University in Australia.  We had
to install the encryption-free version, affectionately called "bones",
on the computers there.

  Although Kerberos is available for anonymous ftp from anywhere on
the Internet, and it is also available from an archive server, the
instructions for getting the files cannot be obtained without
obtaining along with them a warning which says that if you are trying
to get the code from outside the United States, you need to get
permission from the U.S. government before it is legal for you to do
so.

  I seem to recall that Unix systems exported from the United States
have a weaker form of crypt(), because the Unix crypt uses a modified
DES algorithm.  Isn't this correct?

Jonathan Kamens			              USnail:
MIT Project Athena				432 S. Rose Blvd.
jik@Athena.MIT.EDU				Akron, OH  44320
Office: 617-253-4261			      Home: 216-869-6432

-----------[000015][next][prev][last][first]----------------------------------------------------
Date:      7 Aug 89 04:02:39 GMT
From:      CAPEK@yktvmv.BITNET (Peter G. Capek)
To:        misc.security
Subject:   Non-copyable paper

I don't know what relation NoCopi's product has to it, but Xerox patented
a method for inhibiting document copying as long ago as 1973.  I don't
know whether Xerox ever manufactured what they patented (seems like it
might not be in their best interest :-)  ).  The idea behind the Xerox
work seems to be fluorescent dyes; is it publicly known how the NoCopi
stuff works?  For anyone who wants the details, the Xerox stuff is UK
patent number 1 338 893.

Peter Capek
IBM Research -- Yorktown Heights, NY

-----------[000016][next][prev][last][first]----------------------------------------------------
Date:      7 Aug 89 22:44:04 GMT
From:      bill@lxn.eds.com (Bill Doviak)
To:        misc.security
Subject:   Looking for: SNA Session-level encryption hardware/software.

Apologies in advance if this query is not appropriate to this group. I have
tried comp.protocols.ibm and comp.protocols.misc to no avail. Here goes ...

I am looking for either commercial or public-domain software implementing
SNA secondary-logical unit (SLU) LU0 protocol using process-based encryption.
Usually, the actual encryption is performed with hardware assistance. If
necessary, I am willing to integrate one vendor's LU0 product with the
encryption support available from another source. I have already done this
under MS-DOS using my own SNA/LU0 software.

My preference is for a SYSV-compatible product running on the NCR Tower series
including the 32/200. However, ANY pointers to hardware/software source are
appreciated.

Please respond by EMAIL and, if the volume is sufficient, I will summarize
later.

						Thanks,

						Bill
-- 
Bill Doviak                         | US MAIL: Electronic Data Systems (EDS)
UUCP: vu-vlsi!lxn!bill              |          Lanark Building
 or   bill%lxn.uucp@rutgers.edu     |          Center Valley, PA  18034
 or   lehi3b15!lxn!bill             | Voice:   (215) 282-1213

-----------[000017][next][prev][last][first]----------------------------------------------------
Date:      8 Aug 89 18:03:37 GMT
From:      bandy@capmkt.UUCP
To:        misc.security
Subject:   see this?

>From: bryden@vax1.acs.udel.EDU (Christopher F. Bryden)
Subject: Re: U-Shaped Locks...
Date: 8 Aug 89 01:01:26 GMT

I just got finished talking with an ex-bicycle messenger from NYCity.  A quote
from him : "In order to know how to protect your bicycle in New York, you have
to know how to steal a bicycle."  Since most of us are not willing to do this,
I'll share what he had to say with you.  He said that there were a variety of 
ways to hack Kryptonite/U-type locks.  Standard procedure, as it turns out, is 
to approach the bicycle and see if the person has locked the bike correctly.
Apparently, cylindrical locks have two positions that the key can be removed
from, the locked position and the unlocked position.  Some people fail to lock
their lock properly.  Then, cut off the plastic around the locking mechanism.
There may or may not be a pin that holds the lock in place.  If there is a
pin, tap it out.  The lock should fall out or can be unscrewed at this point.
If there is no pin, use a pipe cutter to cut thru the hollow portion of the 
lock.  This is available in hardware stores (really poor description of a pipe 
cutter follows : it's a right angle brace with a slot in it where the cutter 
sits and a screw/vice type mechanism is at the other end).  If none of this
works (pipe cutter won't work for a solid bar between end portions of the 
"U") then a large diameter, long pipe can be used to force the lock.  This 
makes a huge, loud bang.  Freon tricks work, but usually take about a minute
or two and require a blunt smashing instrument.  Liquid nitrogen tricks work
fast, but it's dangerous if you use the stuff incorrectly.  If you have some 
time, a few locks are open on the other side of the part that holds the lock.
This can be split with a chisel.

Most messengers in NY use a shielded cable lock called "The Cobra."  It's mondo
expensive, heavy, and there's no warranty with it.  The messengers that have 
U-type locks have tee pipe sections, available at hardware stores, around the
lock portion of the cross bar to keep people from tapping out the pin that holds
the lock.  There is a band steel version of the U-type locks, but I don't know 
what it's called or how good it is.  Some of the messengers feel that it's only
a matter of time before their bikes are stolen, so they buy two locks.  They
beat the s*it out of one and basically make it look like it was broken.  Then
they use the other and fill out the warranty for the other.  A good thief never
leaves evidence behind.  This means they never leave the lock behind.

If you're looking for a U-type bicycle lock, here are a few things to look for :

1) Does it have a pin that holds the lock in?
   This is hard to check, but you should be able to get the plastic back 
   enough to see.  If you can't (some locks are in shrink wrapped packages),
   then ask the store to open a package and strip off the plastic for you to
   see.  A good store will do this for you free of charge and keep it around
   to sell bicycle locks in the future.
2) Does the lock have a solid bar between the two points where the "U" is secured?
   This is usually pretty obvious.  It's either a solid bar or a pipe.
3) Is the other end of the section of the lock that secures the "U" open?
   This usually requires the removal of the plastic that covers the lock.
4) Does the lock mechanism have a metal shank that slides into the lock?
   If so, how thick is it?  A superior locking mechanism will have a 
   cylindrical ball that moves into a hemisphere that is drilled into the "U".
5) How is the other end of the lock secured?
   Is it just bent?  These are real easy to force.  Does the bent end have
   a hole drilled into it so that it hinges a hook inside (this is better than
   just being bent, but by no means the best)?  The best arrangement is to 
   have a hole drilled thru the section that the "U" is secured to.  In this 
   arrangement, you slide the "U" section into the hole in a perpendicular 
   fashion (hard to describe, easy to understand).
6) What is the warranty like?
   Does it require evidence of the lock being broken?  Does it require your
   bicycle to be registered with the police?  Does it require payment for
   registration with the company?  Look the warranty over.  Again, it may be in 
   a shrink wrap package that you have to buy to open.  A good bicycle shop 
   will have an open package so that you can read the warranty and inspect the 
   lock.  In some ways, this is the most important step in buying a lock.

If you have questions or comments, send me mail.

Chris
-- 
arpa  : bryden@vax1.acs.udel.edu |  If you steal a clean slate,  
bitnet: AIT05167 at ACSVM        |  does it go on your record? -- anonymous 
plato : bryden/itpt/udel          ------------------ Only if you are caught.
uucp  : ...{unidot,uunet}!cfg!udel!udccvax1!bryden | -- me

-----------[000018][next][prev][last][first]----------------------------------------------------
From:      heim!scott@grian.cps.altadena.ca.us  10-AUG-1989  7:02:57
To:        misc-security@ames.arc.nasa.gov
>I would be willing to bet that were you 
>to NOT deposit ALL metal articles in the basket when travelling
>from an airport up here in W. Canada, the bells and whistles would go nuts.

No kidding! I was working for a computer game manufacturer a year or so ago,
and we had a game called "Airborne Ranger" - a nice trench warfare simulation.
Well, as a promotional gift, we had some practice HAND GRENADES stenciled w/
the game's logo (they made good paperweights, if you go for that kind of
thing).  I have one of those metal briefcases (Zero Haliburton I think), which
may have helped obscure things... but a friend tossed one of our little
"promotions" into my briefcase without my knowing! This was not done
maliciously, I had asked for one.... To continue, I traveled from Baltimore
Int'l to John Wayne Int'l (Orange Co. CA.) with a plane change in between with
my mock explosive briefcase as carry on! This meant two different scannings
that failed to turn up something which should have a pretty blatant signature.
The next day when I noticed what I had gotten away with, I was pleased that I
hadn't been pulled aside for questioning, or inadvertently shot for someone
too nasty to be dealt with nicely, but it didn't take too long for me to
realize that I might feel a little safer in the future if I had been stopped.

True Story - no joke.

-- 
Scott Watson - "Inane little message goes here" 
    uucp: {rutgers,ames}!elroy!grian!heim!scott
Internet: scott@heim.UUCP
-----------[000019][next][prev][last][first]----------------------------------------------------
From:      Homer  <CTM@cornellc.bitnet>  12-AUG-1989 23:36:23
To:        "Security List." <security@pyrite.rutgers.edu>
     There is the story of the  store owner who was robbed
repeatedly by his fellow denizens.  They came in through the roof
of his store.  He got fed up and wired the place with wall current.
Someone came in and fell into his trap and was electrocuted.  Well cooked
I imagine.  The jury threw the book at him for murder.
-----------[000020][next][prev][last][first]----------------------------------------------------
From:      Douglas James Martin <USERDJMA@UALTAMTS.BITNET>  13-AUG-1989  0:13:15
To:        silber@TCGOULD.TN.CORNELL.EDU, security@UBVM.BITNET
Light blue is also often used in some vital parts of the docs of computer
games rather than copy-protection of the disk; you can copy the game disk
fine but the game is unplayable without tedious manual copying of the
non-photocopyable stuff.

This was a long time ago, so I can't give sources, but I'm sure I read
somewhere of the use of dyes that are highly fluorescent under the lights
used by copiers (something about there being lots of UV in them) used to
screw up copying.
-----------[000021][next][prev][last][first]----------------------------------------------------
From:      Charlene Charette <CI60UCU@vm.tcs.tulane.edu>  13-AUG-1989  0:42:23
To:        security@pyrite.rutgers.edu
When I was working for a security company (commercial and residential), we had
a clothing store customer who insisted she didn't need a motion detector since
all her doors and windows were protected.  The thieves drilled through a cement
wall and thus did not set off the alarm (they were after furs).

As far as a home security system dispensing tear gas:  with people being so sue
happy today it could cause problems?  Have you heard of the case where a thief
robbed a house that was being bug-bombed and died?   His family is suing the
homeowners for his death!

--Charlene Charette
-----------[000022][next][prev][last][first]----------------------------------------------------
From:      Dr. T. Andrews <ki4pv!tanner@bikini.cis.ufl.edu>  13-AUG-1989  1:14:58
To:        security@pyrite.rutgers.edu
) I think the paper was a special shade of red; any writing on this
) paper would not show up when copied. ...
This reminds me that I have never found a check printer who will
provide checks on such red paper.  The banks are reputed to use
a variety of film for their copies on which such checks will not
be legible.

Does anyone know of a source for such checks?
-- 
...!bikini.cis.ufl.edu!ki4pv!tanner  ...!bpa!cdin-1!ki4pv!tanner
or...  {allegra attctc gatech!uflorida uunet!cdin-1}!ki4pv!tanner
-----------[000023][next][prev][last][first]----------------------------------------------------
From:      cowan@marob.masa.com (John Cowan)  13-AUG-1989  1:48:04
To:        misc-security@rutgers.edu
>By the way, does anyone know if there are any prohibitions on a home
>security system releasing tear gas if an intruder enters your house?
>What about painfully loud sirens? 

In general, an automatic system may do only what you might do if you were
physically present.  To take an extreme example: suppose you rig up an
automatic device to fire a gun at intruders.  Then anyone who is shot can
sue you if you yourself would not have been justified in using deadly force.
(This reflects actual cases: farmers setting up spring-guns to protect their
crops and then blowing away a neighbor's kid.)
-- 
Internet/Smail: cowan@marob.masa.com	Dumb: uunet!hombre!marob!cowan
Fidonet:  JOHN COWAN of 1:107/711	Magpie: JOHN COWAN, (212) 420-0527
		Charles li reis, nostre emperesdre magnes
		Set anz toz pleins at estet in Espagne.
-----------[000024][next][prev][last][first]----------------------------------------------------
From:      Bob Dixon <DIXON@ohstvma.bitnet>  13-AUG-1989 19:58:38
To:        security@pyrite.rutgers.edu
How much of the packet does the Xerox device encrypt? Can the packet pass thru
a router after being encrypted?

                               Bob Dixon
                               Ohio State University
-----------[000025][next][prev][last][first]----------------------------------------------------
From:      gavron%dac@lanl.gov (Ehud Gavron, MS H828 (505)665_1131)  13-AUG-1989 21:21:27
To:        "security@pyrite.rutgers.edu"%beta@lanl.gov, GAVRON%beta@lanl.gov
	I have passed modems through airport x-ray machines,
	magnetic detectors, and even (forbid) baggage handlers...

	The modems have survived with no problem, a tribute
	to their American Roboticized manufacturer no doubt.
-----------[000026][next][prev][last][first]----------------------------------------------------
From:      Bob Dixon <DIXON@ohstvma.bitnet>  13-AUG-1989 22:03:17
To:        security@pyrite.rutgers.edu
The DEC encryption approach was described to me to have 2 significant defects:
1. You have to have a VAX to use it.
2. Too much of the packet is encrypted, such that the packets can only pass
   thru bridges, and not routers.

Can someone who really knows verify this?

We would be very interested in ethernet encryption hardware that was
vendor-independent and encrypted ONLY the innermost "text" portion of the
packets.

                              Bob Dixon
                              Ohio State University
-----------[000027][next][prev][last][first]----------------------------------------------------
From:      Reality is not an Industry Standard <PETERSON@LIUVAX>  13-AUG-1989 22:49:40
To:        security@marist
Try using Lattice SECRET DISK II.  It can set up directories to be
hidden and additionally encrypted in either DES or their faster
(less secure?) format.

You load it as a device driver and a COM or EXE program.  It works
well (I demoed it several months ago and haven't used it since)
but will not work on many Zenith DOS PCs because of the partition
table and the partition assignment program.  It should work if you
have firmware-defined disk partitions - if you have more than one.

J. Peterson
LIU/Southampton
Academ Comp.

Disclaimer? Show me where
            I signed.
-----------[000028][next][prev][last][first]----------------------------------------------------
From:      <DLV@cunyvms1.bitnet>  13-AUG-1989 23:32:58
To:        security@pyrite.rutgers.edu
>  2.  A reminiscence about a fairly old DES from another list

I guess this refers to my message. I said that John Gilmore posted a C source
to DES on netnews a while ago, which I got to work on PC with minimal effort.
I wonder if Jim is using the attribute 'fairly old' to put down
this implementation. DES itself is fairly old, and probably not very secure;
there seem to be better codes around, but if one wants DES, then it should
not probably matter how old the implementation is, as long as it's DES. S in
DES is for Standard. A 'brand new DES' probably should not be called DES
anymore. Is Jim using 'DES' as a generic term? I'm all confused.

Dimitri Vulis
Department of Mathematics
CUNY GC
-----------[000029][next][prev][last][first]----------------------------------------------------
From:      Lambert@dockmaster.ncsc.mil  14-AUG-1989  0:11:25
To:        Security@rutgers.edu
MOTOROLA GEG DEVELOPS SECURITY SYSTEM
FOR PROTECTION OF LOCAL AREA NETWORKS (LANS)

Motorola Government Equipment Group (GEG) has introduced its Network
Encryption System (NES), which features the latest in security services
for the protection of Local Area Networks (LANs).  Designed in
accordance with Secure Data Network System (SDNS) standards including
SDNS electronic key management, the NES is a flexible internet security
solution for Type I applications.

The NES is unique in COMSEC technology because the protocol software is
loaded via diskette.  The NES is installed in the drop cable between the
computer and the transceiver, or as a gateway device separating a LAN
from a backbone network.  The product supports both DoD and ISO internet
standards allowing protection over wide area networks.

The initial product accommodates connection to IEEE 802.3 and IEEE 802.4
media.  Motorola Inc. has a Memorandum of Agreement with the National
Security Agency and anticipates product endorsement in the first quarter
of next year.  The LAN product represents the first of a family of SDNS
products that will provide complete, interoperable system security
solutions.  Additional information on the NES can be obtained
from Joe Marino at (602) 441-5827.
-----------[000030][next][prev][last][first]----------------------------------------------------
From:      joe@pnet51.cts.com (Jim Henderson)  15-AUG-1989  1:55:03
To:        misc-security@uunet.uu.net
PC Tools Deluxe has a program with it called "PCSECURE" which will do an
entire directory using the DES Encryption Standard.  I have used it, and have
found it to be a very good program.

   Jim Henderson, joe@pnet51.cts.com
  "Don't ask me how it works or I'll start to whimper."  - Arthur Dent
  DISCLAIMER:  "I speak for myself, and only for myself."  (Except where noted.)
-----------[000031][next][prev][last][first]----------------------------------------------------
From:      McLellan@dockmaster.ncsc.mil  15-AUG-1989  2:08:14
To:        Security@pyrite.rutgers.edu
Why is there so little awareness of the way many third-party software
packages open vulnerabilities in even the perfectly managed C2
commercial systems?  Even IBM, I'm told, still sells third-party
software which can be used to wrench open MVS.  Haven't the core sw
products matured enough that this problem can be acknowledged and we can
begin to address it?  Only the hackers, and maybe the EDP auditors, seem
to discuss this problem.

Vin McLellan The Privacy Guild Boston, Ma.
-----------[000032][next][prev][last][first]----------------------------------------------------
From:      Peter G. Capek <CAPEK@yktvmv.bitnet>  15-AUG-1989  2:20:20
To:        security@pyrite.rutgers.edu
I don't know what relation NoCopi's product has to it, but Xerox patented
a method for inhibiting document copying as long ago as 1973.  I don't
know whether Xerox ever manufactured what they patented (seems like it
might not be in their best interest :-)  ).  The idea behind the Xerox
work seems to be fluorescent dyes; is it publicly known how the NoCopi
stuff works?  For anyone who wants the details, the Xerox stuff is UK
patent number 1 338 893.

Peter Capek
IBM Research -- Yorktown Heights, NY
-----------[000033][next][prev][last][first]----------------------------------------------------
From:      Cliff Collins <collins@nisca.ircc.ohio_state.edu>  15-AUG-1989  2:52:14
To:        security@pyrite.rutgers.edu
This is a pre-announcement of the availability of DES software for a
variety of computers with a new feature: interoperability!  We at
Ohio State University have successfully ported the code that was
graciously made available by Phil Karn and James Gillogly to 8
different brands of computers.  They are:

	IBM/MVS		Pyramid/OSx		HP-UX
	VAX/Ultrix	VAX/VMS			Sun/SunOS
	MS-DOS		Macintosh/MacOS

We are currently working to extend that to the following platforms:

	IBM/VM		Cray/Unicos		Macintosh/AU/X
	Xenix		RISC/Ultrix

You say, "there must be a catch."  Well, I must concede, there is.
Being a state university we are working with our lawyers to make
it available on the network via ftp. Let me say two words: "EXPORT
RESTRICTIONS."  We will keep you up to date on any developments as
they happen.  Needless to say, we are committed to finding a way to
distribute this covey of code the cheapest way possible.  Thank you
for your support.

				Clifford Collins
				Assistant Director,
				Special Projects
				Instruction and Research
				Computer Center 
-----------[000034][next][prev][last][first]----------------------------------------------------
From:      Bill Doviak <bill@lxn.eds.com>  15-AUG-1989  3:23:08
To:        info-unix@sem.brl.mil
Apologies in advance if this query is not appropriate to this group. I have
tried comp.protocols.ibm and comp.protocols.misc to no avail. Here goes ...

I am looking for either commercial or public-domain software implementing
SNA secondary-logical unit (SLU) LU0 protocol using process-based encryption.
Usually, the actual encryption is performed with hardware assistance. If
necessary, I am willing to integrate one vendor's LU0 product with the
encryption support available from another source. I have already done this
under MS-DOS using my own SNA/LU0 software.

My preference is for a SYSV-compatible product running on the NCR Tower series
including the 32/200. However, ANY pointers to hardware/software source are
appreciated.

Please respond by EMAIL and, if the volume is sufficient, I will summarize
later.

						Thanks,

						Bill
-- 
Bill Doviak                         | US MAIL: Electronic Data Systems (EDS)
UUCP: vu-vlsi!lxn!bill              |          Lanark Building
 or   bill%lxn.uucp@rutgers.edu     |          Center Valley, PA  18034
 or   lehi3b15!lxn!bill             | Voice:   (215) 282-1213

END OF DOCUMENT