The 'Security Digest' Archives (TM)


ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1989)
DOCUMENT: Rutgers 'Security List' for September 1989 (29 messages, 19055 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1989/09.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

-----------[000000][next][prev][last][first]----------------------------------------------------
Date:      8 Sep 89 22:17:02 GMT
From:      margoli@arnor.UUCP (Larry Margolis)
To:        misc.security
Subject:   Re: bike locks

One other thing to check is that if you're locking to a sign post, there's a
sign at the top of the post.  I know people who've come back to find that
someone apparently just threw the bike over the top of the pole, then walked
away with the bike, lock and all.

Whatever you're locking to, make sure it's firmly mounted in the ground.

You mentioned Cobra locks.  Does anyone have any familiarity with them?  
A friend gave me one he found, but I haven't had too much luck picking it.
Do they use any kind of pick-resistant pins, or am I just rusty on Ace-type
locks?  Also, is there a pin I can drill to remove the cylinder?

-----------[000001][next][prev][last][first]----------------------------------------------------
From:      jimkirk@outlaw.uwyo.edu (Jim Kirkpatrick)  14-SEP-1989  7:54:59
To:        security@pyrite.rutgers.edu
OOPS, in my previous posting about DES for PCs, I forgot to mention that
Darrel Long sent me a SHAR file containing a DES implementation in C for
Unix.  Way too big to post, so drop me a note if you want a copy.  I have
not tried it yet, being a VMS person.
-----------[000002][next][prev][last][first]----------------------------------------------------
From:      stodol@diku.dk (David Stodolsky)  14-SEP-1989  8:53:05
To:        misc-security@dkuug.dk
Radio Netherlands International, Saturday, 12 August 1989, 
will have more on this:
----
The objective of the research is to develop a Personal Health Security System. 
The term "personal" is used because the system is based on a card that can be 
carried by the person at all times. Security is enhanced by requiring entry of 
a secret code prior to operation. Computer-chip-based money cards use a 
similar technology. 

The term "personal" is also used to indicate that the system is designed to 
protect the right of users to control their own health records. This is 
particularly important when persons may be discriminated against because of 
their health status, or when sensitive personal information is to be stored. 
If health records are not stored because of inadequate data security, then 
people's exposure to infectious agents can not be effectively controlled. 

The term "health" is used because the card would store not only medical 
records, but also behavioral information. Also, our strategy for health 
maintenance includes social support as well as medical support.

We use the term "security" to indicate that the objective is protecting and 
securing the health of the user, and to indicate that information security is 
a key feature of the system. Both physical and cryptographic security 
techniques are used to protect data. Cryptography is used to build information 
exchange procedures that permit both privacy and anonymity to be preserved.

The term "system" is used because the health card, like a telephone, is only 
useful if there are other similar devices to exchange information with, and 
because both human and machine elements must act in coordination if the 
benefits are to be obtained. Finally, a system view, that considers the 
interaction of all system elements and the benefits to every person is 
necessary to ensure proper function. 

Recently, we have seen examples of what can happen when system wide effects 
are not considered. In one case, the number of persons donating blood in a 
city in Sweden increased sharply. Apparently people were using blood donor 
pins as evidence that they were in good health when meeting others at dance 
halls. Of course, since a person could acquire an infection after giving 
blood, or even use someone else's pin, there was no real security. 

The authorized user of a health card, and only the authorized user, could at 
any time cause the card to issue an up-to-date health certificate. It could 
also read and validate a certificate issued by another's card. The validation 
might be an unforgeable digital signature from a medical doctor on the 
certificate. Furthermore, one's health card could be programmed to 
automatically exchange certificates with another person's card. The purpose of 
exchanging certificates would be to evaluate infection risk from transfer of 
bodily fluids. Such transfers accompany sexual activities, and blood and 
tissue donation. A small display on the card could show the results of the 
evaluation. The certificates issued could not be used to identify or trace the 
card user. Furthermore, a privacy preserving procedure ensures that sensitive 
information is only released when needed, that is, when the automated 
negotiation process indicates that the interaction will take place. These 
exchange procedures can be thought of as generating informational barriers 
that prevent transmission of infectious agents.
-----

Time and frequency information (UTC [Universal Time Coordinated] = GMT; 
Summer Time (DST) shifts *not* indicated):

Europe at 11:30 - 12:25 UTC; 9715 & 5955 kHz (31, 49 meter bands)
          14:30 - 15:25 UTC; 5955 kHz 
North America at 00:30 - 1:25 UTC; 15315, 6165 & 6020 kHz (19, 49, 49 m.)
                  3:30 - 4:25 UTC; 9590 & 6165 (31, 49 m.)
Australia (central & eastern) 7:30 - 8:25 UTC; 9715 & 9630 kHz (31, 31 m.)
                             10:30 - 11:25 UTC; 9675 (31 m.)

Coverage is world wide. For other areas consult a local information source. 
Otherwise, email me or contact Radio Netherlands Int'l, English Section: 
Email - RNI@500/202.fidonet.org (this hasn't worked for me), 
Int. Tel. +31 35 724 211, Fax. +31 35 724 352.

-------
-- 
David S. Stodolsky, PhD      Routing: <@uunet.uu.net:stodol@diku.dk>
Department of Psychology                  Internet: <stodol@diku.dk>
Copenhagen Univ., Njalsg. 88                  Voice + 45 31 58 48 86
DK-2300 Copenhagen S, Denmark                  Fax. + 45 31 54 32 11
-----------[000003][next][prev][last][first]----------------------------------------------------
From:      jimkirk@outlaw.uwyo.edu (Jim Kirkpatrick)  14-SEP-1989  9:34:41
To:        security@pyrite.rutgers.edu
Well, I got over 20 requests for my replies about DES stuff on PCs.  As a
result, I'm just going to post it rather than reply to each one of you.
Hopefully the moderator will understand :-)
The first is probably the most interesting.  I will add the usual disclaimer
that I'm not affiliated with any of these folks.  Also, sorry for the delay,
I was at SIGGRAPH last week!  And hopefully none of the repliers will object
to their mail being posted.

Date: 19 Jul 89 13:17:06 GMT
From: Russel Pearson <RPEARSON@drev.dnd.ca>
Subject: DES for PC AT

There is a lot. I will give you only the names of some
companies who furnish interesting products.  We do not possess any of them
now, but we are in the process of looking at what is available on the market.
 
Technical Communications Corporation
100 Domino Drive
Concord MA 01742
Tel: 617-862-6035
telex: 923407
Fax: 617-371-1280
   They have a lot of products implementing DES, for example
 
Secure Telecom Inc.
P.O. Box 70337
Sunnyvale, CA 94086
Tel: 408-992-0572
Fax: 408-992-0573
   They produce a modem/DES-encryptor/multiplexor-multidrop/remote-control
 
Fischer International System Co.
PO Box 9107
4073 Mercantile Avenue
Naples, Florida, 33942-9981
Tel:800-237-4510
   Could be interesting: XEUS/3270 Coax, XEUS/Async  XEUS/RSA
 
RSA Data Security Inc
10 Twin Dolphin Drive
Redwood City, CA 94065
Tel: 415-595-8782
Fax: 414-595-1873
    They furnish an E-mail implementation of RSA's famous cypher algorithm
 
American Computer Security Industries, Inc.
112 Blue Hills Ct.
Nashville, TN 37214
Tel: 615-883-6741
    Product: Compsec-II-Z1 and Comspec-II-Z1-H
 
Sector Technology
5109 Leesburg Pike
Suite 900
Falls Church, VA 22041
Tel: 703-379-1800
    They can transform your machine into a C2 level secure system
    (with DES encryption included)
 
Advanced Computer Security Concepts
4609 Logsdon Drive
Annandale, VA 22003
Tel: 703-354-0985
     CryptBoard(tm) implemented DES
 
Wisdom Software Inc.
P.O. Box 460310
San Francisco, CA 94146-0310
     Software:  FileEncrypt(tm) for MS-DOS and OS/2
 
Hope that will be of some utility.  Good luck !
 
------
 
Russel Pearson                                    rpearson@drev.dnd.ca
Defence Research Establishment Valcartier (DREV)  phone: (418) 844-4664
Informatics Center/Scientific Support Service     fax  : (418) 844-4646
PO BOX 8800 Courcelette, Quebec Canada G0A 1R0    envoy: r.pearson/crdv.drev
DISCLAIMER: The above are the opinions of an individual and in no way reflect
             the views of my employer (Department of National Defence)
 
--------------------------------------------------------------------------- 
Date:     Wed, 19 Jul 89 22:18 EST
From:     Dimitri Vulis <DLV@CUNYVMS1>
Subject:  DES for PC/AT

A while ago, John Gilmore posted a DES implementation on news.
I took it, and compiled it using MS C 3.0 (which should tell you when
approximately it was).
I made it much faster by pre-computing everything that could be
pre-computed and using table lookups. Unfortunately, I have no idea
where I put it later.
 
Dimitri Vulis
Department of Mathematics
CUNY GC

-------------------------------------------------------------------------
Date: Sat, 22 Jul 89 00:41:13 MEZ
From: Bernd Fix <bernd%nexus.UUCP@tub.BITNET>
Subject: DES for PC/AT

Hi Jim,
 
you can get a DES software implementation for PC/AT's from
BrainON!, Schulstrasse 10, D-6925 Eschelbronn, West-Germany
for approx. $140 plus shipping. On a 20MHz-386 (my computer)
it en/decrypts about 8510 bytes/sec - quite good I think.
All the best to you,
                             Bernd.
--
+------------------------------+-------------------------------+
| bernd fix                    |                               |
| handschuhsheimer l'str. 45   |  wer redet, luegt.            |
| d-6900 heidelberg            |  wer schweigt, kollaboriert.  |
+------------------------------+  nichts ist wahr.             |
| bernd@nexus.uucp             |  alles ist erlaubt.           |
| ...!doitcr!rnihd!nexus!bernd |                               |
| bernd%nexus@DB0TUI11.BITNET  |          william s. burroughs |
| tel.: +49 62 21 / 41 06 73   |                               |
+--------------------------------------------------------------+

------------------------------------------------------------------------------
From: devine@cookie.enet.dec.com (Bob Devine)
Date: 2 Aug 89 17:16
Subject: Re: DES on PC -- summary

Hi Jim, if you are still looking for a DES program for a PC, I have
one that I will sell for $30.  I wrote it about two years ago but
never found a market for it.  It is small (about 30K if I remember
correctly) and will do a full encryption cycle in about 10 milliseconds
on an AT.  That's faster than any other DES program I've seen for a
PC (including IBM's assembler code that runs inside of automated
teller machines).

If you are interested, send e-mail back and I'll give you more details.

Bob Devine
DEC Database Development/Colorado Springs
-----------[000004][next][prev][last][first]----------------------------------------------------
From:      "Richard B. August" <AUGUST@vlsi.jpl.nasa.gov>  14-SEP-1989 12:52:29
To:        security@pyrite.rutgers.edu
In the case of blue printing one has only to place a yellow filter
between the copier plate and the item being copied.
The yellow dye in yellow viewgraph transparency film is usually
satisfactory to bring the print out. This will not make a good looking
print, but it will allow you to get the data off the page.

Regards,
Richard B. August
-----------[000005][next][prev][last][first]----------------------------------------------------
From:      jimkirk@outlaw.uwyo.edu (Jim Kirkpatrick)  14-SEP-1989 13:54:20
To:        security@pyrite.rutgers.edu
Some time ago, there was a discussion on "dongles" on this list.  The
general impression was that dongles were a poor idea and nobody really
was serious about them (at least that's my recollection).  FYI a dongle
is a physical device, plugged into a PC's parallel printer port as an
example.  The software looks for the dongle and refuses to work if it
is not there.

While at SIGGRAPH last week in Boston, there was a company called Rainbow
Technologies showing off their "Software Sentinel" "revenue protection
system."  It is a small device that plugs into the PC's parallel printer
port (and passes through), and since they were selling it as a development
tool, includes software drivers for many languages.  Older dongles were
simply made up of a specific wiring, or perhaps even a ROM.  The newer
ones appear to include a chip that may even do encryption.  Their flier
says it "Uses highly-secure algorithm technique" and "all voltages are
supplied by the computer or optional printer."  I asked for more info
which they will mail me, but in the meantime wanted to point out the
dongle is not yet dead.  Anyone already know more details?
-----------[000006][next][prev][last][first]----------------------------------------------------
From:      mwn@mike.ufnet.ufl.edu (Michael Nora)  14-SEP-1989 14:59:02
To:        misc-security@ufl.edu
>He got fed up and wired the place with wall current.
>Someone came in and fell into his trap and was electrocuted.

You may be referring to what happened in the Overtown section of Miami a few
years ago. I can't remember the store owner's name, but what happened was
that people were breaking into his store through a hole in the roof. He placed
a section of chain-link fence across the hole but a few feet below it, so
if a person were to enter the hole he would be almost entirely inside before
he made contact. This he hooked up to the AC in his store.
 
Sure enough, someone did enter and was electrocuted by the device. I remember
there being a big debate in the Miami area over the actions of this man, with
most people siding WITH him. When it finally did come before the grand jury,
they refused to indict the store owner for murder, and he was convicted of a
much lesser charge (like an illegal security device or something . . ) and
as far as I know he is still in business.

--
     Michael Nora       | Internet:  mwn@mike.ufnet.ufl.edu
 University of Florida  | UUCP:  uhmmm .. beats the hell outa me ???
 Data & Video Network   | MaBellNet:  (904) 335-8312 {or 8300}
-----------[000007][next][prev][last][first]----------------------------------------------------
From:      az@angate.att.com (Zigmas J Astravas)  15-SEP-1989 13:12:52
To:        misc-security@att.att.com
In response to many inquiries about BURGLAR ALARMS,

AT&T has entered this market with their new WIRELESS SYSTEM
(AT&T SECURITY SYSTEM 8000).

CASTLE ALARMS PLUS, INC is the AT&T Authorized Dealer in the
Southern New Hampshire area.
They can be reached at (603) 898-9851 or
                       (800) CAP-2580 outside NH.

Over the past few years, I have built my own house and
had an excellent alarm system wired into it for
BURGLAR, FIRE, and SMOKE protection.
In the course of building my own home, I
researched every type of home security system
on the market.  These included all the features imaginable
(Passive Infra-Red motion detectors, microwave motion detectors,
shock detectors for pre-entry warning,
pressure sensitive mats, smoke alarms (photoelectric
and ionization), magnetic contact switches for doors and windows,
delayed entry features, medical alert, digital communicators
for automatically dialing authorities, etc....)

However, the new WIRELESS SYSTEMS
on the market today have all of the same features
as the above wired systems, AND MORE!
A WIRELESS ALARM SYSTEM has the added benefit that
the entire system can be taken with you, should you decide
to move.

In fact, the AT&T WIRELESS SYSTEM (AT&T SECURITY SYSTEM 8000)
utilizes the latest RF technology extending
it beyond the capabilities of wired systems
and has features OVER AND ABOVE other wireless systems.
This modular system can incorporate BURGLAR, FIRE, SMOKE, MEDICAL,
and ENVIRONMENTAL protection.

CASTLE ALARMS PLUS, INC is the AT&T Authorized Dealer in the area.
They can be reached at (603) 898-9851 or
                       (800) CAP-2580 outside NH.

They come highly recommended and can engineer a system
that's tailored to your needs,
at a very REASONABLE PRICE and RELIABLE SERVICE
with your interests in mind.
They may even offer financing and I heard they
may offer a discount to AT&T employees or
free Alarm Monitoring for the first year
(about a $240 value)!

I hope this information helps you "make the right choice".
-----------[000008][next][prev][last][first]----------------------------------------------------
From:      krvw@sei.cmu.edu (Kenneth Van Wyk)  15-SEP-1989 13:48:27
To:        misc-security@rutgers.edu
Many computers connected to the Internet have recently experienced
unauthorized system activity.  Investigation shows that the activity
has occurred for several months and is spreading.  Several UNIX
computers have had their "telnet" programs illicitly replaced with
versions of "telnet" which log outgoing login sessions (including
usernames and passwords to remote systems).  It appears that access
has been gained to many of the machines which have appeared in some of
these session logs.  (As a first step, frequent telnet users should
change their passwords immediately.)  While there is no cause for
panic, there are a number of things that system administrators can do
to detect whether the security on their machines has been compromised
using this approach and to tighten security on their systems where
necessary.  At a minimum, all UNIX site administrators should do the
following:

o Test telnet for unauthorized changes by using the UNIX "strings"
  command to search for path/filenames of possible log files.  Affected
  sites have noticed that their telnet programs were logging information
  in user accounts under directory names such as "..." and ".mail".

In general, we suggest that site administrators be attentive to
configuration management issues.  These include the following:

o Test authenticity of critical programs - Any program with access to
  the network (e.g., the TCP/IP suite) or with access to usernames and
  passwords should be periodically tested for unauthorized changes.
  Such a test can be done by comparing checksums of on-line copies of
  these programs to checksums of original copies.  (Checksums can be
  calculated with the UNIX "sum" command.)  Alternatively, these
  programs can be periodically reloaded from original tapes.

o Privileged programs - Programs that grant privileges to users (e.g.,
  setuid root programs/shells in UNIX) can be exploited to gain
  unrestricted access to systems.  System administrators should watch
  for such programs being placed in places such as /tmp and /usr/tmp (on
  UNIX systems).  A common malicious practice is to place a setuid shell
  (sh or csh) in the /tmp directory, thus creating a "back door" whereby
  any user can gain privileged system access.

o Monitor system logs - System access logs should be periodically
  scanned (e.g., via UNIX "last" command) for suspicious or unlikely
  system activity.

o Terminal servers - Terminal servers with unrestricted network access
  (that is, terminal servers which allow users to connect to and from
  any system on the Internet) are frequently used to camouflage network
  connections, making it difficult to track unauthorized activity.
  Most popular terminal servers can be configured to restrict network
  access to and from local hosts.

o Passwords - Guest accounts and accounts with trivial passwords
  (e.g., username=password, password=none) are common targets.  System
  administrators should make sure that all accounts are password
  protected and encourage users to use acceptable passwords as well as
  to change their passwords periodically, as a general practice.  For
  more information on passwords, see Federal Information Processing
  Standard Publication (FIPS PUB) 112, available from the National
  Technical Information Service, U.S. Department of Commerce,
  Springfield, VA 22161.

o Anonymous file transfer - Unrestricted file transfer access to a
  system can be exploited to obtain sensitive files such as the UNIX
  /etc/passwd file.  If used, TFTP (Trivial File Transfer Protocol -
  which requires no username/password authentication) should always be
  configured to run as a non-privileged user and "chroot" to a file
  structure where the remote user cannot transfer the system /etc/passwd
  file.  Anonymous FTP, too, should not allow the remote user to access
  this file, or any other critical system file.  Configuring these
  facilities to "chroot" limits file access to a localized directory
  structure.

o Apply fixes - Many of the old "holes" in UNIX have been closed.
  Check with your vendor and install all of the latest fixes.

If system administrators do discover any unauthorized system activity,
they are urged to contact the Computer Emergency Response Team (CERT).

Kenneth R. van Wyk
Computer Emergency Response Team
cert@SEI.CMU.EDU
(412) 268-7090  (24 hour hotline)
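An added example, not part of the CERT posting, that scripts the first two checks above on constructed sample files: the strings(1) search for hidden log directories named "..." or ".mail", and the checksum comparison of an installed copy against a baseline recorded from a known-good copy. It assumes only POSIX sh, tr, grep, awk, cksum and mktemp; it uses cksum(1) rather than the advisory's sum(1) because cksum's CRC is POSIX-specified, so the baseline is comparable across systems, and it falls back to tr(1) when strings(1) is not installed.

```shell
#!/bin/sh
# Added example: two of the CERT advisory's checks, run against constructed
# sample files (not a real telnet binary) so it can be tried offline.
# Assumes only POSIX sh, tr, grep, awk, cksum and mktemp; strings(1) is optional.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "clean" telnet-like binary: ordinary message strings separated
# by a non-printable byte, as they would appear in a real executable.
CLEAN_SAMPLE="$WORK/telnet.clean"
printf 'telnet\001Trying %%s...\001Connected to %%s.\001' > "$CLEAN_SAMPLE"

# Constructed trojaned variant: the same strings plus a hidden log path under
# a user account, using one of the directory names the advisory mentions.
TROJAN_SAMPLE="$WORK/telnet.trojan"
printf 'telnet\001Trying %%s...\001/usr/guest/.../sess.log\001Connected to %%s.\001' > "$TROJAN_SAMPLE"

# Extract printable strings of four or more characters, the way strings(1)
# does; fall back to tr(1) when strings(1) is not installed.
printable_strings() {    # printable_strings FILE
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# Check 1: search the binary's strings for a path component named "..." or
# ".mail".  Prints any hit and returns 1; returns 0 when nothing is found.
check_telnet_for_loggers() {    # check_telnet_for_loggers FILE
    if printable_strings "$1" | grep -E '(^|/)(\.\.\.|\.mail)(/|$)'; then
        return 1
    fi
    return 0
}

# Check 2: record the checksum of a known-good copy, then compare the
# installed copy against it.  cksum(1) is used instead of sum(1) because
# its CRC is POSIX-specified, so one baseline file works across systems.
record_baseline() {    # record_baseline FILE BASELINE_FILE
    cksum < "$1" | awk -v f="$1" '{ print $1, $2, f }' >> "$2"
}

verify_baseline() {    # verify_baseline FILE BASELINE_FILE
    expected=$(awk -v f="$1" '$3 == f { print $1, $2 }' "$2")
    if [ -z "$expected" ]; then
        echo "no baseline entry for $1" >&2
        return 2
    fi
    actual=$(cksum < "$1" | awk '{ print $1, $2 }')
    [ "$expected" = "$actual" ]
}

# "Install" the clean sample and record its checksum, as would be done from
# the original distribution tape before the system goes on the network.
INSTALLED="$WORK/telnet"
BASELINE="$WORK/checksums.baseline"
cp "$CLEAN_SAMPLE" "$INSTALLED"
record_baseline "$INSTALLED" "$BASELINE"

report() {    # report LABEL FILE
    if found=$(check_telnet_for_loggers "$2"); then
        echo "$1: no hidden log path found"
    else
        echo "$1: suspicious log path present: $found"
    fi
}

report "clean sample" "$CLEAN_SAMPLE"
report "trojaned sample" "$TROJAN_SAMPLE"
if verify_baseline "$INSTALLED" "$BASELINE"; then
    echo "installed copy: checksum matches baseline"
else
    echo "installed copy: CHECKSUM MISMATCH, reload from original media"
fi
```

On a real system the baseline file must itself be kept off-line (or on read-only media), since a replaced binary is only caught if the recorded checksum cannot be edited along with it.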
-----------[000009][next][prev][last][first]----------------------------------------------------
Date:      14 Sep 89 07:55:57 GMT
From:      hobbit@PYRITE.RUTGERS.EDU (*Hobbit*)
To:        misc.security
Subject:   Ving Cards

There used to be only one kind of Ving card lock.  Now there are two kinds,
as I discovered to my horror a while back while at a convention.  The first
and possibly "classic" version is all-mechanical, while the second is optical
with an electronic controller.  I did a longish article on the mechanical
one back when I got to take it apart, which I will send to anyone who asks,
and since the time of that writing discovered a few more things about it.
I believe this article was sent to this very list years ago...

My examination of the optical type occurred much more recently, and there are
still several things I don't know about it -- in particular how master-keying
is handled in software, since the pin-tumbler cylinder in this type appears
primarily to be for programming.  This lock uses the same technology as the
Yaletronics and its ilk; the matrix of holes is simply read by a bunch of
infrared LED/sensor pairs connected to the inputs of a small processor.  You
feed it the right number, it pulls the solenoid.  There is no mechanical
connection from the pin cylinder to the spring-latch mechanism, so I'm
clueless as to what people do if the batteries die on them.  Even with plenty
of advance battery-low warning, you'd think there would be a mechanical
bypass available...

You can quickly tell which type you have by the noises it makes.  The
mechanical version produces all kinds of racket as the card slides over the
ball-bearings; the optical presents no mechanical impediment to the card
save the little spring-loaded protective bar at the opening.  The mechanicals
have a "combination card" loaded into them through the hinged black cover
on the inside of the door, which is sometimes difficult to install and remove
due to the way the pins sit inside the matrix.

The pin-tumbler cylinders are made in-house by Ving, and sport a rather unique
feature.  About 30 degrees clockwise from the normal drivers there is a set
of "extra" drivers which are retained up in the cylinder housing.  All they
appear to be for is to store extra mastering splits you aren't using in the
regular lock.  Thus to change between several known keys, one would turn key
A over to this position, remove it and insert key B, and return it to the
locked position.  The difference between keys A and B causes splits to be
left at or picked up from the spare driver area.  They also have the
magic-rear-pin-ring deadbolt hack commonly found in hotel systems.

The last address I had for the makers of these things, if you want the
corporate party line, is

	Elkem Ving
	6200 Denton Dr
	Dallas TX
	800 527 5121

If someone tries the above and it's horribly wrong, please let me know, since
all of this was several years ago.

_H*

-----------[000010][next][prev][last][first]----------------------------------------------------
Date:      15 Sep 89 04:52:51 GMT
From:      boerner@EMX.UTEXAS.EDU (Brendan B. Boerner)
To:        misc.security
Subject:   Dongles are still alive

>there was a company called Rainbow
>Technologies showing off their "Software Sentinel"

I am using this device for a program which I am writing for a client
(at his request).  It was not that hard to interface to the code I was
writing in Turbo Pascal v5.0 and the manual states that it supports
other languages/operating systems.  The only problem I had was that I
was using an older version of the product and as a result was
initializing it incorrectly.  After a quick call to their tech support
I got it cleared up.

Disclaimer: The project I am working on which uses this device is in
no way related to my work at the University of Texas at Austin.  I'm
just using this account to pass along the info which I obtained from
outside work.

If you have more questions, drop me a line and I'll try to answer.

Brendan
--
Brendan B. Boerner		Phone: 512/471-3241
Microcomputer Technologies	The University of Texas @ Austin
Internet: boerner@emx.utexas.edu     UUCP: ...!cs.utexas.edu!ut-emx!boerner
BITNET:   CCGB001@UTXVM.BITNET 	AppleLink: boerner@emx.utexas.edu@DASNET#

-----------[000011][next][prev][last][first]----------------------------------------------------
Date:      15 Sep 89 14:55:33 GMT
From:      Paul=Zonfrillo%SQA%Banyan@thing.banyan.com
To:        misc.security
Subject:   re: Dongles are still alive

Yes indeed, Dongles are alive and well!

My company, Banyan Systems Inc. makes PC-based WAN/LAN software and uses such a
device for copy protection as well as an upgrade.  Our "server key" is a
straight-thru device that sits on the parallel port.  Users can also purchase
additional "option keys" to enable additional operating system options such
as TCP/IP routing, that can be loaded on/off the server via these option keys.
As far as reliability goes, in six years, we have NEVER had one burn out.
(This is according to tech support.)

Our software encodes to the key after it has been loaded on the
server.   The option is also attractive because it does not take up any
slots in the server.

In short:  Dongles seem to be an effective but unobtrusive form of copy
protection.

Paul Zonfrillo
SQA Engineer, Banyan Systems Inc.

Paul=Zonfrillo%SQA%BANYAN@thing.banyan.com

-----------[000012][next][prev][last][first]----------------------------------------------------
Date:      22 Sep 89 15:21:23 GMT
From:      jimkirk@OUTLAW.UWYO.EDU (Jim Kirkpatrick)
To:        misc.security
Subject:   Privacy vs on-line library

First, this may be more of a talk.politics item, but then there have been
previous discussions here about privacy vs Social Security number etc.

Earlier this year I remember reading articles about the government wanting
libraries to turn over records of who checked out what book, apparently so
they could find out if anybody has been reading subversive material.  Libraries
(via whatever library associations exist) told the government to piss off,
and they weren't going to hand over such records (or keep them) because it
violated freedom of privacy and freedom of information.  I applaud this.

Our University library recently joined a regional conglomerate to obtain
on-line library catalog access (CARL - Colorado Area Regional Library,
or something like that), which also includes things like an on-line
encyclopedia.  However, to use the encyclopedia, one must enter their
bar code from their library card.  I tend to object to this on the same
grounds as stated above, that they have no business keeping records of
who looks at which databases.  I can walk into the library and read the
bloody thing without presenting an ID, why should on-line use be made
more restrictive?

Any comments on the privacy issues here?

-----------[000013][next][prev][last][first]----------------------------------------------------
Date:      22 Sep 89 17:09:39 GMT
From:      feo@cbnewsl.ATT.COM (francis.e.o brien)
To:        misc.security
Subject:   Home Alarms

I'm interested in installing my own home security system.  My
house is mostly pre-wired, which makes the installation of a
wired system relatively simple.  The only problem is finding
systems.  So far the choice is Radio Shack.  I haven't located
any other distributors of alarm systems who sell to the general
public.  Most places insist on installing and of course providing
a monitoring service.  Can anyone provide me with the name of some
dealers that I can deal with directly?
Thanks.   

-----------[000014][next][prev][last][first]----------------------------------------------------
From:      chet@retix.retix.com (Chet Mazur)  26-SEP-1989 18:43:19
To:        misc-security@rutgers.edu
You might want to check out WatchDog P.C. Security System by Fischer
(sp?) Intl. someplace in Florida... It's a neat package and they have
excellent technical support!!! Try it.... You'll like it :)!!!
-----------[000015][next][prev][last][first]----------------------------------------------------
From:      pnet01!pro_realm!namerow@uunet.uu.net (Wayne Namerow)  27-SEP-1989  9:09:34
To:        security@pyrite.rutgers.edu
One has to be VERY careful when considering booby traps (for burglars etc.)
as mentioned in an earlier submission. For example, if your house dispensed
tear gas to stop burglars, you might be in BIG trouble if you had a fire.
Imagine the fire dept.'s surprise as they entered your home to extinguish
the blaze and got doused by tear gas ! Your home certainly would not be
high on their priority list for future calls.
                                                    -Wayne
ProLine:namerow@pro-realm           BITNET:namerow%pro-realm.cts.com@nosc.mil
UUCP:crash!pnet01!pro-realm!namerow ARPA:crash!pnet01!pro-realm!namerow@nosc.mil
-----------[000016][next][prev][last][first]----------------------------------------------------
From:      kodak!ektools!john (John H. Hall)  27-SEP-1989 10:13:19
To:        misc-security@rutgers.edu
I am thinking about making some security-related improvements to my
home.  After putting deadbolts and strike reinforcements on the front
and back doors, I'm wondering what to do about the windows.  This is a
1955 ranch house with awning and casement type windows.  They are all
"manual", that is they don't have geared "operators", you just turn the
latch and push to open them.  Similarly, a burglar just breaks the
glass, turns the latch and pulls.  We close all the windows when we go
to work, but I think we may be going to get an alarm system, too.

What's a good book on do-it-yourself home security systems?

What are the trade-offs of do-it-yourself vs. a professional security
company? 

How do I protect my home without overtly annoying the neighbors, police,
etc. with false alarms?

Radio Shack sells "glass breakage detectors".  These are ~1" diameter
"pucks" that stick to the glass and are wired to an alarm.  

* What do these sense?  

* If they are in the corner of a picture window, and the
  other side of the window is broken but the glass under the puck remains
  intact will they trigger?  
* If they are impact-sensitive, will a truck or plane rumbling by set 
  them off?

How about area detectors, infra-red or sonic?  We have no pets to set
them off but:

* Can IR detectors see movement through windows?  Wouldn't want the
  paper boy setting them off by mistake.

* How about changes in ambient IR levels caused by the sun coming in
  through a window or the furnace going on or off?

* Are the sonic types sensitive to noises outside the house?

* Will, say, thunder shake the house enough to trigger a motion detector?

I see both wired and wireless alarm systems for sale.  Since I have good
attic and basement access, I am tending toward the wired sort.  The
wireless types seem to need occasional battery replacement.  Aside from
this are there reliability concerns wrt. either style?

-- 
-------------------------------------------------------------------------
John Hall, Product Software Engineering, Software Systems Division
EASTMAN KODAK COMPANY, 901 Elmgrove Rd., Rochester, NY 14650
716 726-9345 / john@kodak.COM / ...!rutgers!rochester!kodak!ektools!john
-----------[000017][next][prev][last][first]----------------------------------------------------
From:      *Hobbit* <hobbit@pyrite.rutgers.edu>  27-SEP-1989 10:59:26
To:        security@pyrite.rutgers.edu
There used to be only one kind of Ving card lock.  Now there are two kinds,
as I discovered to my horror a while back while at a convention.  The first
and possibly "classic" version is all-mechanical, while the second is optical
with an electronic controller.  I did a longish article on the mechanical
one back when I got to take it apart, which I will send to anyone who asks,
and since the time of that writing discovered a few more things about it.
I believe this article was sent to this very list years ago...

My examination of the optical type occurred much more recently, and there are
still several things I don't know about it -- in particular how master-keying
is handled in software, since the pin-tumbler cylinder in this type appears
primarily to be for programming.  This lock uses the same technology as the
Yaletronics and its ilk; the matrix of holes is simply read by a bunch of
infrared LED/sensor pairs connected to the inputs of a small processor.  You
feed it the right number, it pulls the solenoid.  There is no mechanical
connection from the pin cylinder to the spring-latch mechanism, so I'm
clueless as to what people do if the batteries die on them.  Even with plenty
of advance battery-low warning, you'd think there would be a mechanical
bypass available...

You can quickly tell which type you have by the noises it makes.  The
mechanical version produces all kinds of racket as the card slides over the
ball-bearings; the optical presents no mechanical impediment to the card
save the little spring-loaded protective bar at the opening.  The mechanicals
have a "combination card" loaded into them through the hinged black cover
on the inside of the door, which is sometimes difficult to install and remove
due to the way the pins sit inside the matrix.

The pin-tumbler cylinders are made in-house by Ving, and sport a rather unique
feature.  About 30 degrees clockwise from the normal drivers there is a set
of "extra" drivers which are retained up in the cylinder housing.  All they
appear to be for is to store extra mastering splits you aren't using in the
regular lock.  Thus to change between several known keys, one would turn key
A over to this position, remove it and insert key B, and return it to the
locked position.  The difference between keys A and B causes splits to be
left at or picked up from the spare driver area.  They also have the magic-
rear-pin-ring deadbolt hack commonly found in hotel systems.

The last address I had for the makers of these things, if you want the
corporate party line, is

	Elkem Ving
	6200 Denton Dr
	Dallas TX
	800 527 5121

If someone tries the above and it's horribly wrong, please let me know, since
all of this was several years ago.

_H*
-----------[000018][next][prev][last][first]----------------------------------------------------
Date:      MON, 4 SEP 1989 15:39 EXP
From:      Lee SuBok <CONSULT1@krsnucc1.bitnet>   28-SEP-1989  5:06:03
To:        <SECURITY@pyrite.rutgers.edu>
I am currently looking for papers on Computer Crime and its criminal
investigation.  Would you send me any pointers to papers and books on it?
Thanks in advance.
-----------[000019][next][prev][last][first]----------------------------------------------------
From:      bywater!arnor!margoli@uunet.uu.net (Larry Margolis)  28-SEP-1989  5:43:45
To:        misc-security@uunet.uu.net
One other thing to check is that if you're locking to a sign post, there's a
sign at the top of the post.  I know people who've come back to find that
someone apparently just threw the bike over the top of the pole, then walked
away with the bike, lock and all.

Whatever you're locking to, make sure it's firmly mounted in the ground.

You mentioned Cobra locks.  Does anyone have any familiarity with them?  
A friend gave me one he found, but I haven't had too much luck picking it.
Do they use any kind of pick-resistant pins, or am I just rusty on Ace-type
locks?  Also, is there a pin I can drill to remove the cylinder?
-----------[000020][next][prev][last][first]----------------------------------------------------
From:      wjvax!mario@pyramid.com (Mario Dona)  28-SEP-1989  6:17:17
To:        misc-security@decwrl.dec.com
I'm looking for some advice on setting up a PS/2 Model 70 for doing
government classified work.  The primary requirement is that the
magnetic media be removable.  I'd like to go with a Passport made by
Plus, but its housing doesn't fit in the Model 70, which forces us to
use an external chassis.  Another problem is the fixed disk in the
Model 70 cannot be active (turned on) while working on classified
material.  Before we got our PS/2's, we used ATs which we modified by
installing a toggle switch on the back panel.  This switch allowed us
to turn off the power to the hard drive and boot off a Bernoulli.  We
would like something similar to this setup for the PS/2 70.  If anyone
has already solved these and related problems, I'd appreciate any
advice you can give.

BTW,  I understand IBM won't give out their schematic of their PS/2's,
so that we can't readily locate any of the power leads into the hard
drive.

  Mario Dona
  ...!{ !decwrl!qubix, ames!oliveb!tymix, pyramid}!wjvax!mario         
  The above opinions are mine alone and not, in any way, those of WJ.
-----------[000021][next][prev][last][first]----------------------------------------------------
Date:      27 Sep 89 14:46:00 GMT
From:      JAHARITO@owucomcn.BITNET
To:        misc.security
Subject:   Request of DES implementation

Hello there,
        I would much appreciate it if you could send me the DES Unix
implementation.  I am a freshman at Ohio Wesleyan University and I
have also implemented DES in C, but I don't know how efficiently...
I would like to check it against mine...

Thank you in advance,

John Haritos, 1989

Bitnet%"JAHARITO@OWUCOMCN"

-----------[000022][next][prev][last][first]----------------------------------------------------
From:      fec@whuts.att.com (F E Carey)  29-SEP-1989  4:02:51
To:        misc-security@att.att.com
A while back somebody requested info on surveillance.  Today's mail
brought the announcement of Surveillance Expo '89 - conference and
exhibits - Dec 12 - 15 1989, Sheraton Washington Hotel, Wash. D.C.
The mailing was from Ross Engineering in Adamstown MD 301/831-8400
They are in the surveillance business and are promoting a video
tape and also appear to run a newsletter.  Check 'em out - whoever
you were.
-----------[000023][next][prev][last][first]----------------------------------------------------
Date:      27 Sep 89 20:32:02 GMT
From:      doug@letni.UUCP (Doug Davis)
To:        misc.security
Subject:   Re: Home Security Systems

>* What do these sense?  
These are mercury-filled switches whose "sensitivity" you set by choosing
the initial tilt of the switch.  I use them in my car for things like
T-tops (substitute velcro for the double-stick tape) and they work really
well.  For glass breakage they are only moderate; I would suggest them only
if tape is too obnoxious and you can't afford the "real ones" based on
piezo elements.

>* Can IR detectors see movement through windows?
No, not unless they were paper thin.  Ultrasonics can't even see through
that.

>* How about changes in ambient IR levels caused by the sun coming in
>through a window or the furnace going on or off?
Usually too slow in both cases.  I once walked across a room that was
protected via IR detectors; it took half an hour to cross 20 feet, but
I won the bet.   I suspect sonics are foolable in a similar fashion,
but *I* can't do it.

>* Are the sonic types sensitive to noises outside the house?
Not unless it's very, very loud and in their detection range.

>* Will, say, thunder shake the house enough to trigger a motion detector?
I use both and we have lots and lots of thunderstorms; the shaking of
the house has never set them off.  Books falling from the shelf across
the room will, though.

IR detectors love heating element furnaces, and steam radiators,
generally anything that changes temperature quickly will set them
off.

Ultrasonic detectors love ceiling fans, and air vents (if they are
set too sensitive) 

>I see both wired and wireless alarm systems for sale.
Yes, most wireless units "broadcast" somehow, and like any RF signal it
is subject to distortion caused by outside interference.   Also,
someone else may have an alarm system using the same codes and/or
frequencies, which could cause yours to appear to false-alarm.  Wired
alarms, on the other hand, are subject to "rodent abuse," like when the
squirrel that has made your attic its home decides to "borrow" a chunk of
alarm wire for its nest.

Wired is by far more reliable, and more work ;-)

Think closed loop; that *IS* the way to go.  Also, the more loops the
better: that way you can still have a partial alarm system when
a loop goes out.  That's not good, but it's thousands of times better
than not having an alarm.

Look real carefully at off-the-shelf "base units"; most of them are
low-grade trash.  Generally, in this area you get what you pay for.

doug
--
Doug Davis/1030 Pleasant Valley Lane/Arlington/Texas/76015/817-467-3740
{sys1.tandy.com, motown!sys1, uiucuxc!sys1 lawnet, attctc, texbell} letni!doug
 "Everything in this article is a Jolt Cola hallucination and in no way
   exhibits any signs of being remotely connected to any reality."
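The closed-loop advice above is worth making concrete.  The model below is an added example (not code from the original post or from any alarm vendor) of how a panel decides on normally-closed versus normally-open zone wiring, and why several independent loops let the panel keep running with one loop bypassed.  The zone names, the three-tuple zone representation and the "bypassed/secure/alarm" states are assumptions made for the illustration; a real panel adds end-of-line supervision, timers and a keypad, none of which are modelled here.

```python
"""Closed-loop (normally-closed) versus open-loop (normally-open) alarm wiring,
and why several independent loops degrade gracefully.

Constructed model for illustration only; not the firmware of any real panel.
A zone is represented as (wiring, door_open, wire_cut)."""

NC, NO = "NC", "NO"   # normally-closed / normally-open contact wiring (assumed labels)


def loop_has_continuity(wiring, door_open, wire_cut):
    """True when current flows all the way around the zone loop."""
    if wire_cut:
        return False                 # a cut (or chewed) wire opens the circuit
    if wiring == NC:
        return not door_open         # NC contact opens when the door opens
    return door_open                 # NO contact closes only when the door opens


def zone_in_alarm(wiring, door_open, wire_cut):
    """The panel's decision for one zone.

    An NC loop alarms on LOSS of continuity, so a cut wire looks exactly like
    an opened door (fail-secure).  An NO loop alarms on continuity, so once
    its wire is cut it can never alarm again (fail-silent)."""
    continuity = loop_has_continuity(wiring, door_open, wire_cut)
    return (not continuity) if wiring == NC else continuity


def panel_status(zones, bypassed=frozenset()):
    """zones: {name: (wiring, door_open, wire_cut)}.

    Returns (any_alarm, {name: 'alarm' | 'secure' | 'bypassed'}).  Because each
    loop is evaluated independently, a bad loop can be bypassed while the
    remaining loops still protect the house."""
    per_zone = {}
    for name, (wiring, door_open, wire_cut) in zones.items():
        if name in bypassed:
            per_zone[name] = "bypassed"
        elif zone_in_alarm(wiring, door_open, wire_cut):
            per_zone[name] = "alarm"
        else:
            per_zone[name] = "secure"
    return any(s == "alarm" for s in per_zone.values()), per_zone


def faulted_zones(zones):
    """Zones that would alarm with every door shut, i.e. loops that are 'out'.

    Only NC loops can report this at arming time; a cut NO loop reads as
    perfectly quiet, which is the whole argument for closed loops."""
    return sorted(name for name, (wiring, _, cut) in zones.items()
                  if zone_in_alarm(wiring, False, cut))


if __name__ == "__main__":
    # Constructed scenario: the same cut wire on an NC and on an NO zone.
    cut = {"front": (NC, False, True), "back": (NO, False, True)}
    print(panel_status(cut))            # front alarms, back is silently dead
    print(zone_in_alarm(NO, True, True))  # door later opened on the cut NO loop: False

    # Constructed scenario: squirrel takes the attic loop, rest of house still armed.
    house = {"front": (NC, False, False), "back": (NC, False, False),
             "attic": (NC, False, True)}
    print(faulted_zones(house))                          # ['attic']
    print(panel_status(house, bypassed={"attic"}))       # arms with attic bypassed
    house["back"] = (NC, True, False)                    # back door opened
    print(panel_status(house, bypassed={"attic"}))       # still caught
```

Running it shows the asymmetry directly: cutting an NC loop produces an alarm (or a trouble indication at arming time), cutting an NO loop produces nothing, and with one NC loop bypassed the other zones still trip when their door opens.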

-----------[000024][next][prev][last][first]----------------------------------------------------
From:      dave@ariel.unm.edu (Dave 'White Water' Grisham)  29-SEP-1989  4:17:59
To:        misc-security@uunet.uu.net
For those of you wishing to see what other universities are/have
done, please use the archives here.  I maintain an 'ethics' collection
here at UNM from the world's universities.  All entries
have been submitted for posting by different universities and 
authors.  You may email or postal mail me your submissions to the 
collection.  And you may obtain any policy by 'anonymous' ftp
to unma.unm.edu, the directory is ethics.  The index is 00.INDEX.
I hope this helps.  And yes, I will have it LISTSERV available 
soon.
dave

   Dave Grisham                                                            
   Senior Staff Consultant/Virus Security          Phone (505) 277-8148     
   Computer & Information Resources & Technology   USENET DAVE@unma.unm.EDU
   Univ. of New Mexico     Albuquerque, NM 87131   BITNET DAVE@UNMB
-----------[000025][next][prev][last][first]----------------------------------------------------
From:      Yian Chang <TJLEE@twnctu01.bitnet>  1-OCT-1989  0:15:22
To:        security@pyrite.rutgers.edu
Can anybody tell me how the encryption parameters of DES (like the
transposition and substitution arrays) were chosen?  And why can't DES
encryption programs be exported outside the USA?  I mean, DES is a well-known
encryption algorithm; anybody can write such programs.
-- Yian Chang

[Moderator tack-on:  Replies/comments to sci.crypt, please.]
-----------[000026][next][prev][last][first]----------------------------------------------------
From:      boerner@emx.utexas.edu (Brendan B. Boerner)  1-OCT-1989  1:01:50
To:        jimkirk@outlaw.uwyo.edu
Cc:        security@pyrite.rutgers.edu
>there was a company called Rainbow
>Technologies showing off their "Software Sentinel"

I am using this device for a program which I am writing for a client
(at his request).  It was not that hard to interface to the code I was
writing in Turbo Pascal v5.0 and the manual states that it supports
other languages/operating systems.  The only problem I had was that I
was using an older version of the product and as a result was
initializing it incorrectly.  After a quick call to their tech support
I got it cleared up.

Disclaimer: The project I am working on which uses this device is in
no way related to my work at the University of Texas at Austin.  I'm
just using this account to pass along the info which I obtained from
outside work.

If you have more questions, drop me a line and I'll try to answer.

Brendan
--
Brendan B. Boerner		Phone: 512/471-3241
Microcomputer Technologies	The University of Texas @ Austin
Internet: boerner@emx.utexas.edu     UUCP: ...!cs.utexas.edu!ut-emx!boerner
BITNET:   CCGB001@UTXVM.BITNET 	AppleLink: boerner@emx.utexas.edu@DASNET#
-----------[000027][next][prev][last][first]----------------------------------------------------
From:      "Michael J. Chinni, SMCAR_CCS_E" <mchinni@pica.army.mil>  1-OCT-1989  1:48:40
To:        David Stodolsky <stodol@diku.dk>
Cc:        misc-security@dkuug.dk
David,

>The objective of the research is to develop a Personal Health Security
>System. 

You mention that the emphasis is to allow a person to control their own
records. What is to prevent the following situation:
	Person is told they have AIDS and this is entered into the records on
		the card.
	Person then deletes this AIDS info. from their card. VOILA! No more
		record of their AIDS infection.

Given your explanation so far, I do think that this can be done. 

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
			    Michael J. Chinni
      Chief Scientist, Simulation Techniques and Workplace Automation Team
	 US Army Armament Research, Development, and Engineering Center
 User to skeleton sitting at cobweb   () Picatinny Arsenal, New Jersey  
    and dust covered workstation      () ARPA: mchinni@pica.army.mil
      "System been down long?"        () UUCP: ...!uunet!pica.army.mil!mchinni
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
-----------[000028][next][prev][last][first]----------------------------------------------------
From:      ishikawa@ultra.enet.dec.com (Jim Ishikawa, DTN_293_5054)  1-OCT-1989  2:33:11
To:        "security@pyrite.rutgers.edu"@decwrl.dec.com
>The DEC encryption approach was described to me to have 2 significant defects:
>1. You have to have a VAX to use it.

While it is true that the security management software (VAX KDC) will only run
on a VAX system, only *one* VAX system is required on a network.  Furthermore,
VAX KDC software will run on any VAX, including small ones like the MicroVAX
3100.  

Digital's Ethernet Enhanced-Security System product set actually comprises two
separate products.  In addition to the VAX KDC software, there is the DESNC
secure network controller.

The DESNC controllers are freestanding devices that provide a secure network
interface for client nodes.  Client nodes may be any device that complies with
Ethernet or IEEE 802.3 standards.  The network security manager uses one or
more VAX KDC systems to manage the DESNC controllers and their associated
client nodes on a network.

>2. Too much of the packet is encrypted, such that the packets can only pass
>   thru bridges, and not routers.

It is true that DESNC encryption is done at the data-link layer, and as such,
encrypted packets can only be forwarded through routers after first decrypting
them.  Of course, this means that DESNC controllers will support
vendor-independent, multiprotocol environments.  Network-layer encryption
schemes, which allow packets to be forwarded through routers without
decryption, are generally restricted to a single network-layer protocol and
typically do not support other protocols that run directly on the data-link
layer protocol.

Jim Ishikawa
DEC
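The bridge-versus-router point in the reply above can be demonstrated with a small packet model.  This is an added example, not DEC code and not a description of the DESNC wire format: it assumes that link-layer encryption hides everything after the two MAC addresses (so a bridge, which forwards on the destination MAC alone, still works, while a router, which must read the IPv4 header, cannot), and that a network-layer scheme leaves the IPv4 header in the clear but only applies to IP, leaving a DECnet frame unprotected.  The SHA-256 counter keystream is a stand-in for DES so the block runs with the standard library only; the MAC addresses, IP addresses and routing table are constructed.

```python
"""Data-link versus network-layer encryption: what a bridge and a router can
still read.  Constructed model; the XOR keystream below stands in for DES and
must not be used as a cipher anywhere."""
import hashlib
import struct

ETH_IP, ETH_DECNET = 0x0800, 0x6003          # real EtherType values


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric transform: XOR with a SHA-256 counter keystream.
    Same call encrypts and decrypts.  NOT DES, NOT secure; it only hides bytes
    so the forwarding logic can be demonstrated offline."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Ethernet II frame: 6-byte dst, 6-byte src, 2-byte type, payload."""
    return dst_mac + src_mac + struct.pack(">H", ethertype) + payload


def build_ipv4(src_ip, dst_ip, data):
    """Minimal IPv4 header (20 bytes, no options, checksum left zero) + data."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0,
                      64, 17, 0, src_ip, dst_ip)
    return hdr + data


def link_encrypt(frame, key):
    """Link-layer style (assumed DESNC-like layout): everything after the two
    MAC addresses becomes ciphertext, including EtherType and IP header."""
    return frame[:12] + keystream_xor(key, frame[12:])


link_decrypt = link_encrypt        # the toy transform is its own inverse


def net_encrypt(frame, key):
    """Network-layer style: IPv4 header stays readable, only the IP payload is
    hidden.  Returns (frame, protected).  Non-IP frames pass through untouched,
    which is the single-protocol restriction the reply describes."""
    ethertype = struct.unpack(">H", frame[12:14])[0]
    if ethertype != ETH_IP:
        return frame, False
    return frame[:34] + keystream_xor(key, frame[34:]), True


def bridge_forward(frame, mac_table):
    """A bridge needs only the destination MAC, which is never encrypted here."""
    return mac_table.get(frame[:6], "flood")


def router_next_hop(frame, routes):
    """A router must parse the IPv4 header.  Returns the next hop for the
    destination /24, or None when the header is unreadable or not IPv4."""
    if len(frame) < 34 or struct.unpack(">H", frame[12:14])[0] != ETH_IP:
        return None
    ver_ihl = frame[14]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        return None
    dst_ip = frame[30:34]
    return routes.get(dst_ip[:3])


if __name__ == "__main__":
    key = b"constructed-demo-key"
    mac_a, mac_b = bytes.fromhex("aa0000000001"), bytes.fromhex("aa0000000002")
    routes = {b"\x0a\x00\x02": "gw-2"}              # 10.0.2.0/24 via gw-2
    ip_pkt = build_ipv4(b"\x0a\x00\x01\x05", b"\x0a\x00\x02\x07", b"hello")
    frame = build_frame(mac_b, mac_a, ETH_IP, ip_pkt)

    enc = link_encrypt(frame, key)
    print("bridge:", bridge_forward(enc, {mac_b: "port2"}))      # port2
    print("router on link-encrypted frame:", router_next_hop(enc, routes))  # None
    print("router after decrypt:", router_next_hop(link_decrypt(enc, key), routes))

    nenc, ok = net_encrypt(frame, key)
    print("router on net-encrypted frame:", router_next_hop(nenc, routes))  # gw-2
    _, ok2 = net_encrypt(build_frame(mac_b, mac_a, ETH_DECNET, b"decnet"), key)
    print("DECnet frame protected by net-layer scheme:", ok2)     # False
```

The two failure modes sit side by side: under link-layer encryption the router returns None until a DESNC-style box on its LAN segment has decrypted the frame, whereas under the network-layer scheme the router forwards fine but a DECnet frame leaves the encryptor untouched.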

END OF DOCUMENT