|
|
ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1989)
DOCUMENT: Rutgers 'Security List' for August 1989 (35 messages, 15405 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1989/08.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
-----------[000000][next][prev][last][first]---------------------------------------------------- From: bcn@june.cs.washington.edu (Clifford Neuman) 2-AUG-1989 19:34:31 To: misc-security@beaver.cs.washington.edu
The Kerberos system available from MIT's Project Athena comes with a version of rlogin that will optionally encrypt the data stream. ~ Cliff
-----------[000001][next][prev][last][first]---------------------------------------------------- From: tower@bu_cs.bu.edu (Leonard H. Tower Jr.) 2-AUG-1989 20:19:56 To: misc-security@husc6.harvard.edu
Has anyone had problems with modems after they have gone through the X-Ray machines used by airport security guards? Have to do this soon, and wanted to check. thanx -len
-----------[000002][next][prev][last][first]---------------------------------------------------- From: "Alejandro Kurczyn S." <499229@VMTECMEX> 2-AUG-1989 21:01:31 To: SECURITY@UGA
Hi, I'm not a member of this list, and perhaps this isn't the right place to post this but... Can anyone tell me what is the latest techinque to copy-protect a PC diskette? how can I do the protection? please mail me directly, this is really urgent.. -Alejandro System operator ITESM CEM *
-----------[000003][next][prev][last][first]---------------------------------------------------- From: jimkirk@outlaw.uwyo.edu (Jim Kirkpatrick) 2-AUG-1989 21:44:20 To: security@pyrite.rutgers.edu
I recently asked about DES on PC-type computers, promising a summary of responses. Here's what I got -- 1. A request for a copy of what I get. 2. A reminiscence about a fairly old DES from another list 3. An address in West Germany that sells a software implementation. 4. A nice list of various manufacturers, complete with address. Thanks to those who responded. If anybody wants a copy of the responses, E-mail me and I'll forward.
-----------[000004][next][prev][last][first]---------------------------------------------------- From: EVERHART%ARISIA.decnet@crdgw1.ge.com 2-AUG-1989 22:21:31 To: SECURITY@pyrite.rutgers.edu
Defeating a "copy proof" paper based on paper color only is fairly straightforward. You get a sheet of colored celluloid or the like and place it in front of the item being copied. Look through the celluloid and if you can't SEE the lettering, the copier generally won't either. Our copier (one of the newer Xerox models) has sufficient contrast adjustments that the quality of the copy can nevertheless be made most adequate. The same trick can be used if you want to duplicate the red "proof" photos some photographers use. A useful fact is that a CuSO4 solution (copper sulphate) of reasonable density will filter out ALL red light (down to the sub 1 photon level; it's used to filter lasers and select second harmonic radiation!). Use a small bit as a filter & contact print the pic onto roll film...voila! Your very own negative! (This is a major pain in the neck to do and should not become a habit...the poor photog. has to make a living, after all. The filtering technique is occasionally useful though.) Glenn Everhart
-----------[000005][next][prev][last][first]---------------------------------------------------- From: mk59200@funet.fi (Kolkka Markku Olavi) 2-AUG-1989 23:07:13 To: misc-security@cwi.nl
> ... However, according to this one locksmith, Abloy locks > don't wear well. If they are not treated gently, they will begin to jam. Several millions of Abloys are in use here in Finland, many of them decades old. The weather conditions aren't exactly 'gentle' here. The Abloy has a very simple but efficient design with a minimal number of moving parts. The manufacturer recommends lubrication with thin oil now and then (just a few drops into the keyhole), and that should keep it working. > Abloy keys cannot be duplicated at the shop as a standard Medeco can. The > "Platinum," or biaxial, Medecos are in the same boat as the Abloy.) There are also several variants of Abloy, with different levels of availability of key blanks and duplication service. Disclaimer: I have nothing to do with Wartsila Oy (manufacturer of Abloy locks), except that I have been using Abloys all my life. (well, almost) -- Markku Kolkka mk59200@tut.fi
-----------[000006][next][prev][last][first]---------------------------------------------------- Date: 3 Aug 89 05:05:00 GMT From: DLV@cunyvms1.BITNET To: misc.security Subject: Brand new DES?
> 2. A reminiscence about a fairly old DES from another list I guess this refers to my message. I said that John Gilmore posted a C source to DES on netnews a while ago, which I got to work on PC with minimal effort. I wonder if Jim is using the attribute 'fairly old' to put down this implementation. DES itself is fairly old, and probably not very secure; there seem to be better codes around, but if one wants DES, then it should not probably matter how old the implementation is, as long as it's DES. S in DES is for Standard. A 'brand new DES' probably should not be called DES anymore. Is Jim using 'DES' as a generic term? I'm all confused. Dimitri Vulis Department of Mathematics CUNY GC
-----------[000007][next][prev][last][first]---------------------------------------------------- From: melling@gateway.mitre.org (Phil Mellinger) 6-AUG-1989 18:27:41 To: security@pyrite.rutgers.edu
Something interesting occurred to me concerning the transfer of encryption programs over networks that have international connectivity? Can you ship such encryption programs (which may be export sensitive) over international networks or is this a violation of export laws? This sounds silly but I am curious... Phil Mellinger
-----------[000008][next][prev][last][first]---------------------------------------------------- From: Bob Dixon <DIXON@ohstvma.bitnet> 6-AUG-1989 19:10:09 To: security@pyrite.rutgers.edu
We have Fortran source codefor DES as part of our larger system of across-platform encryption software. But it is all tied up in the legalese problems now. Bob Dixon Ohio State University
-----------[000009][next][prev][last][first]---------------------------------------------------- From: gwyn@brl.mil 6-AUG-1989 19:42:45 To: security@rutgers.edu
>I'm looking for a Fortran source code to do encryption of Ascii files ... See section 7.5, "The Data Encryption Standard", of "Numerical Recipes -- The Art of Scientific Computing" by William H. Press, Brian P. Flannery, Saul A. Teukolsky, and William T. Vetterling (1986, Cambridge University Press), ISBN 0-521-30811-9 (book), ISBN 0-521-30957-3 (FORTRAN diskette).
-----------[000010][next][prev][last][first]---------------------------------------------------- From: Earl Culham <ECULHAM@ualtavm.bitnet> 6-AUG-1989 20:23:55 To: misc-security@watmath.waterloo.edu
>We are interested in providing an encrypting gateway for our campus network. >... Ideally, it would be a card with the ability to >encrypt/decrypt on its own chip rather than taking up workstation CPU cycles. I've recently run across a device which suits this purpose well. The FasTok box is a combination encryptor/compressor. Its normal configuration is as an active modem cable, plugging in between the computer and the modem, at both ends. It is transparent to both the computer, and the modem. It both encrypts and compresses. The quoted compression ratios were in the 2 to 5 times range. I have no connection with the manufacturer, other than friendship. However, I will relay questions to and from the net if there is an interest.
-----------[000011][next][prev][last][first]---------------------------------------------------- From: smb@ulysses.homer.nj.att.com (Steven M. Bellovin) 6-AUG-1989 20:54:59 To: att!misc-security
> I could have sworn I saw a posting about an article in a Soviet computer > science journal that gave an algorithm for breaking badly chosen keys for > DES. I may have even seen it [the reference] here... There's been a rumor floating around on the net that the Soviets have cracked DES, and published that fact in one of their academic journals. Apart from the implausibility of that, Don Mitchell did a fairly thorough literature search, with the aid of a Russian-speaking reference librarian, and found nothing. Now -- for certain badly-chosen keys, that isn't out of the question. There are 4 "weak keys" -- 01010101 01010101, FEFEFEFE FEFEFEFE, 1F1F1F1F 0E0E0E0E, E0E0E0E0 F1F1F1F1 -- which should be avoided. There are also a set of "semi-weak keys" which present a smaller security risk. All of these should be avoided in critical situations, i.e., master keys used to encrypt session keys. See Davies and Price, "Security for Computer Networks", for details. --Steve Bellovin smb@ulysses.att.com
-----------[000012][next][prev][last][first]---------------------------------------------------- From: Roy Stehle <stehle@tsca.istc.sri.com> 6-AUG-1989 21:28:39 To: Security@pyrite.rutgers.edu Cc: stehle@tsca.istc.sri.com
The following appeared in Denise Caruso's column in the 23 July 89 issue of the San Francisco Examiner: "Speaking of proprietary vs. public information, I'd like to personally thank NoCopi International of Montreal, makers of the uncopyable, unfaxable paper used by Apple Computer inc., Broderbund Software, Sierra On-Line and others to stem the flow of proprietary data. NoCopi's got a new product combo that's going to make my job a lot more creative. "Norm Gardner, president and CEO of NoCopi, says the two products are the first to come out of its new Canadian research center - a clear-ink highlighter and a white, chemically treated paper. You can type or print onto the paper with plain old ink, just like usual. But if you highlight text on the paper using the marker and try to photocopy or fax the page, the highlighted material is blocked out as completely as if you used a black marker. "He says the products will be ready to ship by year end, ..." This is provided for your information and further investigation. I have no experience with NoCopi. Roy Stehle SRI International
-----------[000013][next][prev][last][first]---------------------------------------------------- From: "Quick, VT_180, to the VAXmobile." <JMS@ARIZMIS> 6-AUG-1989 22:04:06 To: security@marist
I have seen a reference to a Soviet article about DES, but no one has ever been able to provide me with enough information to track the article down. I am prepared to dismiss it as a myth, until someone puts a real reference here. While the question of export control (of DES, and of other things) is certainly of great interest, the issues are wildly complex and not going to be solved here. However, here are some comments on some stuff people have said: Just because something appears on Usenet doesn't mean that it has made it to the USSR. And just because it has made it to one or two folks there, doesn't mean that there is broad distribution. The USSR is just like the US. A piece of technology may be well embedded in a particular department or office, or even a whole building, but it is unlikely to spread quickly around the country, or even across the hall. Communications are heavily stifled. There is no concept of BBS/Usenet in the Soviet Union---the people who have access to Western databases number less than 100. I'm not saying that DES restriction is bad/good; what I am saying is that Dr. Dobbs is not widely read in the Soviet Union. A $40 subscription to Dr. Dobbs is 80 days pay for the average Soviet (because Dr. Dobbs doesn't take Rubles). The argument that ``this is everywhere in the US public domain'' has no relevance when extended to the USSR. When the argument is made that ``the spies/terrorists have whatever they want,'' that is also not very valid. This argument is used quite often by Soviet academics we meet to explain why the US should sell computers to the Soviets. In fact, the unstated policy of US export controls is to keep the Enemy (you know, the dark empire) in bare feet and technological illiteracy. What do you think the military industrial complex depends on? Answer: the research done everywhere else in the country. Whether we admit it or not, the policies that DoD promotes through Commerce (note that DoD, Commerce, and the Businesses-that-want-to-make-a-profit form three legs of a triangle that is in eternal conflict. DoD would have them in the stone age, while Business wants to increase exports and make our economy stronger) are aimed at restricting technology EVERYWHERE in the country. So, you can fight that particular policy, but you can't use a rational argument, since the policy isn't there for rational reasons (well, let's just say not for reasons that are entirely above board). jms Joel M Snyder, U Arizona MIS Dep't, Tucson, AZ, 85721 Phone: 602.621.2748 BITNET: jms@arizmis Internet: jms@mis.arizona.edu SPAN: 47541::uamis::jms SM-1700 - A small VAX that's *all* VAX (except it's made in the USSR)
-----------[000014][next][prev][last][first]---------------------------------------------------- Date: 6 Aug 89 20:44:25 GMT From: jik@ATHENA.MIT.EDU (Jonathan I. Kamens) To: misc.security Subject: exporting encryption software
>Can you ship such encryption programs (which may be export sensitive) >over international networks or is this a violation of export laws? >This sounds silly but I am curious... It is not silly at all. Project Athena has been extremely hindered in our attempts to export Kerberos (an authentication protocol based on DES encryption) outside the United States. The state department does not allow the export from the United States of encryption software unless that software is "mass market" (which means, for all intents and purposes, that it runs on a PC :-). They will not allow the export of Kerberos, despite the fact that it is easy to get software implementations of the DES library outside of the United States. In fact, somebody in Finland wrote and released a version of DES that was specifically designed to fit into the Kerberos code and to replace the Kerberos encryption routines. The problem with that is that the government even has problems with the export of code that *references* encryption code. In other words, in order to export Kerberos we have to take out all references to encryption in the source code. Recently, a large portion of the Project Athena environment was installed at Bond University, a new University in Australia. We had to install the encryption-free version, affectionately called "bones", on the computers there. Although Kerberos is available for anonymous ftp from anywhere on the Internet, and it is also available from an archive server, the instructions for getting the files cannot be obtained without obtaining along with them a warning which says that if you are trying to get the code from outside the United States, you need to get permission from the U.S. government before it is legal for you to do so. I seem to recall that Unix systems exported from the United States have a weaker form of crypt(), because the Unix crypt uses a modified DES algorithm. Isn't this correct? Jonathan Kamens USnail: MIT Project Athena 432 S. Rose Blvd. jik@Athena.MIT.EDU Akron, OH 44320 Office: 617-253-4261 Home: 216-869-6432
-----------[000015][next][prev][last][first]---------------------------------------------------- Date: 7 Aug 89 04:02:39 GMT From: CAPEK@yktvmv.BITNET (Peter G. Capek) To: misc.security Subject: Non-copyable paper
I don't know what relation NoCopi's product has to it, but Xerox patented a method for inhibiting document copying as long ago as 1973. I don't know whether Xerox ever manufactured what they patented (seems like it might not be in their best interest :-) ). The idea behind the Xerox work seems to be fluorescent dyes; is it publicly known how the NoCopi stuff works? For anyone who wants the details, the Xerox stuff is UK patent number 1 338 893. Peter Capek IBM Research -- Yorktown Heights, NY
-----------[000016][next][prev][last][first]---------------------------------------------------- Date: 7 Aug 89 22:44:04 GMT From: bill@lxn.eds.com (Bill Doviak) To: misc.security Subject: Looking for: SNA Session-level encryption hardware/software.
Apologies in advance if this query is not appropriate to this group. I have tried comp.protocols.ibm and comp.protocols.misc to no avail. Here goes ... I am looking for either commercial or public-domain software implementing SNA secondary-logical unit (SLU) LU0 protocol using process-based encryption. Usually, the actual encryption is performed with hardware assistance. If necessary, I am willing to integrate one vendor's LU0 product with the encryption support available from another source. I have already done this under MS-DOS using my own SNA/LU0 software. My preference is for a SYSV-compatable product running on the NCR Tower series including the 32/200. However, ANY pointers to hardware/software source are appreciated. Please respond by EMAIL and, if the volume is sufficient, I will summarize later. Thanks, Bill -- Bill Doviak | US MAIL: Electronic Data Systems (EDS) UUCP: vu-vlsi!lxn!bill | Lanark Building or bill%lxn.uucp@rutgers.edu | Center Valley, PA 18034 or lehi3b15!lxn!bill | Voice: (215) 282-1213
-----------[000017][next][prev][last][first]---------------------------------------------------- Date: 8 Aug 89 18:03:37 GMT From: bandy@capmkt.UUCP To: misc.security Subject: see this?
>From: bryden@vax1.acs.udel.EDU (Christopher F. Bryden) Subject: Re: U-Shaped Locks... Date: 8 Aug 89 01:01:26 GMT I just got finished talking with a exbicycle messenger from NYCity. A quote from him : "In order to know how to protect your bicycle in New York, you have to know how to steal a bicycle." Since most of us are not willing to do this, I'll share what he had to say with you. He said that there were a varity of ways to hack Kryptonite/U-type locks. Standard procedure, as it turns out, is to approach the bicycle and see if the person has locked the bike correctly. Apparently, cylindrical locks have to positions that the key can be removed from, the locked position and the unlocked position. Some people fail to lock their lock properly. Then, cut off the plastic around the locking mechanism. If there may or may not be a pin the holds the lock in place. If there is a pin, tap it out. The lock should fall out or can be unscrewed at this point. if there is no pin, use a pipe cutter to cut thru the hollow portion of the lock. This is available in hardware stores (really poor description of a pipe cutter follows : it's a right angle brace with a slot in it where the cutter sits and a screw/vice type mechanism is at the other end). If none of this works (pipe cutter won't work for a solid bar between end portions of the "U") then a large diameter, long pipe can be used to force the lock. This makes a huge, loud bang. Freon tricks work, but usually take about a minute or two ard require blunt smashing insturment. Liquid nitrogen tricks work fast, but it's dangerous if you use the stuff incorrectly. If you have some time, a few locks are open on the other side of the part that holds the lock. This can be split with a chisle. Most messengers in NY use a shielded cable lock called "The Cobra." It's mondo expensive, heavy, and there's no warranty with it. The messengers that have U-type locks have a tee pipe sections, available at hardware stores, around the lock portion of the cross bar to keep people from tapping out the pin that holds the lock. There is a band steel version of the U-type locks, but I don't know what it's called or how good it is. Some of the messengers feel that it's only a matter of time before their bikes are stolen, so they buy two locks. They beat the s*it out of one and basically make it look like it was broken. Then they use the other and fill out the warranty for the other. A good theif never leaves evidence behind. This means they never leave the lock behind. If you're looking for a U-type bicycle lock, here are a few things to look for : 1) Does it have a pin that holds the lock in? This is hard to check, but you should be able to get the plastic back enough to see. If you can't (some locks are in shrink wrapped packages), then ask the store to open a package and strip off the plastic for you to see. A good store will do this for you free of charge and keep it around to sell bicycle locks in the future. 2) Does lock have a solid bar between the two points where the "U" is secured. This is usually pretty obvious. It's either a solid bar or a pipe. 3) Is the other end of the section of the lock that secures the "U" open? This usually requires the removal of the plastic that covers the lock. 4) Does the lock mechanism have a metle shank that slides into the lock? If so, how thick is it? A superior locking mechanism will have a cylindrical ball that moves into hemisphere that is drilled into the "U". 5) How is the other end of the lock secured? Is it just bent? These are real easy to force. Does the bent end have a hole drilled in to it so that it hinges a hook inside (this is better that just being bent, but by no means the best). The best arrangement is to have a hole dirlled thru the section that the "U" is secured to. In this arrangement, you slide the "U" section into the hole in a perpendicular fassion (hard to describe, easy to understand). 6) What is the warranty like? Does it require evidence of the lock being broken. Does it require you bicycle to be registered with the police? Does it require payment for registration with the company? Look the warranty over. Again, it may be in a shrink wrap package that you have to buy to open. A good bicycle shop will have an open package so that you can read the warranty and inspect the lock. In some ways, this is the most important step in buying a lock. If you have questions or comments, send me mail. Chris -- arpa : bryden@vax1.acs.udel.edu | If you steal a clean slate, bitnet: AIT05167 at ACSVM | does it go on your record? -- anonymous plato : bryden/itpt/udel ------------------ Only if you are caught. uucp : ...{unidot,uunet}!cfg!udel!udccvax1!bryden | -- me
-----------[000018][next][prev][last][first]---------------------------------------------------- From: heim!scott@grian.cps.altadena.ca.us 10-AUG-1989 7:02:57 To: misc-security@ames.arc.nasa.gov
>I would be willing to bet that were you >to NOT deposit ALL metal articles in the basket when travelling >from an airport up here in W. Canada, the bells and whistles would go nuts. No kidding! I was working for a computer game manufacturer a year or so ago, and we had a game called "Airborne Ranger" - a nice trench warfare simulation. Well, as a promotional gift, we had some practice HAND GRENADES stenciled w/ the games logo (they made good paperweights, if you go for that kind of thing). I have one of those metal briefcases (Zero Haliburton I think), which may have helped obscure things... but a friend tossed one of our little "promotions" into my briefcase with out my knowing! This was not done malicously, I had asked for one.... To continue, I traveled from Baltimore Int'l to John Wayne Int'l (Orange Co. CA.) with a plane change inbetween with my mock explosive brief- case as carry on! This meant two different scannings that failed to turn up something which should have a pretty blatent signature. The next day when I noticed what I had gotten away with, I was pleased that I hadn't been pulled aside for questioning, or inadvertantly shot for someone too nasty to be dealt with nicely, but it didn't take too long for me to realize that I might feel a little safer in the future if I had been stopped. True Story - no joke. -- Scott Watson - "Inane little message goes here" uucp: {rutgers,ames}!elroy!grian!heim!scott Internet: scott@heim.UUCP
-----------[000019][next][prev][last][first]---------------------------------------------------- From: Homer <CTM@cornellc.bitnet> 12-AUG-1989 23:36:23 To: "Security List." <security@pyrite.rutgers.edu>
There is the story of the store owner who was robbed repeatedly by his fellow denizens. They came in through the roof of his store. He got fed up and wired the place with wall current. Someone came in and fell into his trap and was electrocuted. Well cooked I imagine. The jury threw the book at him for murder.
-----------[000020][next][prev][last][first]---------------------------------------------------- From: Douglas James Martin <USERDJMA@UALTAMTS.BITNET> 13-AUG-1989 0:13:15 To: silber@TCGOULD.TN.CORNELL.EDU, security@UBVM.BITNET
Light blue is also often used in some vital parts of the docs of computer games rather than copy-protection of the disk; you can copy the game disk fine but the game is unplayable without tedious manual copying of the non-photocopyable stuff. This was a long time ago, so I can't give sources, but I'm sure I read somewhere of the use of dyes that are highly flourescent under the lights used by copiers (something about there being lots of UV in them) used to screw up copying.
-----------[000021][next][prev][last][first]---------------------------------------------------- From: Charlene Charette <CI60UCU@vm.tcs.tulane.edu> 13-AUG-1989 0:42:23 To: security@pyrite.rutgers.edu
When I was working for a security company (commerical and residental), we had a clothing store customer who insisted she didn't need a motion detector since all her doors and windows were protected. The thieves drilled through a cement wall and thus did not set off the alarm (they were after furs). As far as a home security system dispensing tear gas: with people being so sue happy today it could cause problems? Have you heard of the case where a thief robbed a house that was being bug-bombed and died? His family is suing the homeowners for his death! --Charlene Charette
-----------[000022][next][prev][last][first]---------------------------------------------------- From: Dr. T. Andrews <ki4pv!tanner@bikini.cis.ufl.edu> 13-AUG-1989 1:14:58 To: security@pyrite.rutgers.edu
) I think the paper was a special shade of red; any writing on this ) paper would not show up when copied. ... This reminds me that I have never found a check printer who will provide checks on such red paper. The banks are reputed to use a variety of film for their copies on which such checks will not be legible. Does anyone know of a source for such checks? -- ...!bikini.cis.ufl.edu!ki4pv!tanner ...!bpa!cdin-1!ki4pv!tanner or... {allegra attctc gatech!uflorida uunet!cdin-1}!ki4pv!tanner
-----------[000023][next][prev][last][first]---------------------------------------------------- From: cowan@marob.masa.com (John Cowan) 13-AUG-1989 1:48:04 To: misc-security@rutgers.edu
>By the way, does anyone know if there are any prohibitions on a home >security system releasing tear gas if an intruder enters your house? >What about painfully loud sirens? In general, an automatic system may do only what you might do if you were physically present. To take an extreme example: suppose you rig up an automatic device to fire a gun at intruders. Then anyone who is shot can sue you if you yourself would not have been justified in using deadly force. (This reflects actual cases: farmers setting up spring-guns to protect their crops and then blowing away a neighbor's kid.) -- Internet/Smail: cowan@marob.masa.com Dumb: uunet!hombre!marob!cowan Fidonet: JOHN COWAN of 1:107/711 Magpie: JOHN COWAN, (212) 420-0527 Charles li reis, nostre emperesdre magnes Set anz toz pleins at estet in Espagne.
-----------[000024][next][prev][last][first]---------------------------------------------------- From: Bob Dixon <DIXON@ohstvma.bitnet> 13-AUG-1989 19:58:38 To: security@pyrite.rutgers.edu
How much of the packet does the Xerox device encrypt? Can the packet pass thru a router after being encrypted? Bob Dixon Ohio State University
-----------[000025][next][prev][last][first]---------------------------------------------------- From: gavron%dac@lanl.gov (Ehud Gavron, MS H828 (505)665_1131) 13-AUG-1989 21:21:27 To: "security@pyrite.rutgers.edu"%beta@lanl.gov, GAVRON%beta@lanl.gov
I have passed modems through airport x-ray machines, magnetic detectors, and even (forbid) baggage handlers... The modems have survived with no problem, a tribute to their American Roboticized manufacturer no doubt.
-----------[000026][next][prev][last][first]---------------------------------------------------- From: Bob Dixon <DIXON@ohstvma.bitnet> 13-AUG-1989 22:03:17 To: security@pyrite.rutgers.edu
The DEC encryption approach was described to me to have 2 significant defects: 1. You have to have a VAX to use it. 2. Too much of the packet is encrypted, such that the packets can only pass thru bridges, and not routers. Can someone who really knows verify this? We would be very interested in ethernet encryption hardware that was vendor-independent and encrypted ONLY the innermost "text" portion of the packets. Bob Dixon Ohio State University
-----------[000027][next][prev][last][first]---------------------------------------------------- From: Reality is not an Industry Standard <PETERSON@LIUVAX> 13-AUG-1989 22:49:40 To: security@marist
Try using Lattice SECRET DISK II. It can set updirectories to be hidden and additionally encrypted in either DES or their faster (less secure?) format. You load it as a device driver and a COM or EXE program. It works well (I demoed it several months ago and havent used it since) but will not work on many Zenith DOS PCs because of the partition table and the partition assignment program. It should work if you have firmware defines disk partitions - if you have more than one. J. Peterson LIU/Southampton Academ Comp. Disclaimer? Show me where I signed.
-----------[000028][next][prev][last][first]---------------------------------------------------- From: <DLV@cunyvms1.bitnet> 13-AUG-1989 23:32:58 To: security@pyrite.rutgers.edu
> 2. A reminiscence about a fairly old DES from another list I guess this refers to my message. I said that John Gilmore posted a C source to DES on netnews a while ago, which I got to work on PC with minimal effort. I wonder if Jim is using the attribute 'fairly old' to put down this implementation. DES itself is fairly old, and probably not very secure; there seem to be better codes around, but if one wants DES, then it should not probably matter how old the implementation is, as long as it's DES. S in DES is for Standard. A 'brand new DES' probably should not be called DES anymore. Is Jim using 'DES' as a generic term? I'm all confused. Dimitri Vulis Department of Mathematics CUNY GC
-----------[000029][next][prev][last][first]---------------------------------------------------- From: Lambert@dockmaster.ncsc.mil 14-AUG-1989 0:11:25 To: Security@rutgers.edu
MOTOROLA GEG DEVELOPS SECURITY SYSTEM FOR PROTECTION OF LOCAL AREA NETWORKS (LANS) Motorola Government Equipment Group (GEG) has introduced its Network Encryption System (NES), which features the latest in security services for the protection of Local Area Networks (LANs). Designed in accordance with Secure Data Network System (SDNS) standards including SDNS electronic key management, the NES is a flexible internet security solution for Type I applications. The NES is unique in COMSEC technology because the protocol software is loaded via diskette. The NES is installed in the drop cable between the computer and the transceiver, or as a gateway device separating a LAN from a backbone network. The product supports both DoD and ISO internet standards allowing protection over wide area networks. The initial product accommodates connection to IEEE 802.3 and IEEE 802.4 medias. Motorola Inc. has a Memorandum of Agreement with the National Security Agency and anticipates product endorsement in the first quarter of next year. The LAN product represents the first of a family of SDNS products that will provide complete, interoperable system security solutions. Additional information on the NES can be obtained from Joe Marino at (602) 441-5827.
-----------[000030][next][prev][last][first]---------------------------------------------------- From: joe@pnet51.cts.com (Jim Henderson) 15-AUG-1989 1:55:03 To: misc-security@uunet.uu.net
PC Tools Deluxe has a program with it called "PCSECURE" which will do an entire directory using the DES Encryption Standard. I have used it, and have found it to be a very good program. Jim Henderson, joe@pnet51.cts.com "Don't ask me how it works or I'll start to whimper." - Arthur Dent DISCLAIMER: "I speak for myself, and only for myself." (Except where noted.)
-----------[000031][next][prev][last][first]---------------------------------------------------- From: McLellan@dockmaster.ncsc.mil 15-AUG-1989 2:08:14 To: Security@pyrite.rutgers.edu
Why is there so little awareness of the way many third-party software packages open vulnerabilities in even the perfectly managed C2 commercial systems? Even IBM, I'm told, still sells third-party software which can be used to wrench open MVS. Haven't the core sw products matured enough that this problem can be acknowledged and we can begin to address it? Only the hackers, and maybe the EDP auditors, seem to discuss this problem. Vin McLellan The Privacy Guild Boston, Ma.
-----------[000032][next][prev][last][first]---------------------------------------------------- From: Peter G. Capek <CAPEK@yktvmv.bitnet> 15-AUG-1989 2:20:20 To: security@pyrite.rutgers.edu
I don't know what relation NoCopi's product has to it, but Xerox patented a method for inhibiting document copying as long ago as 1973. I don't know whether Xerox ever manufactured what they patented (seems like it might not be in their best interest :-) ). The idea behind the Xerox work seems to be fluorescent dyes; is it publicly known how the NoCopi stuff works? For anyone who wants the details, the Xerox stuff is UK patent number 1 338 893. Peter Capek IBM Research -- Yorktown Heights, NY
-----------[000033][next][prev][last][first]---------------------------------------------------- From: Cliff Collins <collins@nisca.ircc.ohio_state.edu> 15-AUG-1989 2:52:14 To: security@pyrite.rutgers.edu
This is a pre-announcement of the availability of DES software for a variety of computers with a new feature: interoperability! We at Ohio State University have successfully ported the code that was graciously made available by Phil Karn and James Gillogly to 8 different brands of computers. They are: IBM/MVS Pyramid/OSx HP-UX VAX/Ultrix VAX/VMS Sun/SunOS MS-DOS Macintosh/MacOS We are currently working to extend that to the following platforms: IBM/VM Cray/Unicos Macintosh/AU/X Xenix RISC/Ultrix You say, "there must be a catch." Well, I must concede, there is. Being a state university we are working with our lawyers to make it available on the network via ftp. Let me say two words:"EXPORT RESTRICTIONS." We will keep you up to date on any developments as they happen. Needless to say, we are committed to finding a way to distribute this covey of code the cheapest way possible. Thank you for your support. Clifford Collins Assistant Director, Special Projects Instruction and Research Computer Center
-----------[000034][next][prev][last][first]---------------------------------------------------- From: Bill Doviak <bill@lxn.eds.com> 15-AUG-1989 3:23:08 To: info-unix@sem.brl.mil
Apologies in advance if this query is not appropriate to this group. I have tried comp.protocols.ibm and comp.protocols.misc to no avail. Here goes ... I am looking for either commercial or public-domain software implementing SNA secondary-logical unit (SLU) LU0 protocol using process-based encryption. Usually, the actual encryption is performed with hardware assistance. If necessary, I am willing to integrate one vendor's LU0 product with the encryption support available from another source. I have already done this under MS-DOS using my own SNA/LU0 software. My preference is for a SYSV-compatable product running on the NCR Tower series including the 32/200. However, ANY pointers to hardware/software source are appreciated. Please respond by EMAIL and, if the volume is sufficient, I will summarize later. Thanks, Bill -- Bill Doviak | US MAIL: Electronic Data Systems (EDS) UUCP: vu-vlsi!lxn!bill | Lanark Building or bill%lxn.uucp@rutgers.edu | Center Valley, PA 18034 or lehi3b15!lxn!bill | Voice: (215) 282-1213
END OF DOCUMENT
ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved. |