The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1989)
DOCUMENT: Rutgers 'Security List' for November 1989 (87 messages, 43658 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1989/11.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

-----------[000000][next][prev][last][first]----------------------------------------------------
From:      Brian Kaplan <KAPLANB@iubacs.bitnet>  3-NOV-1989  1:04:23
To:        SECURITY@UGA
Doesn't make any sense.
As soon as one formats a disk, all the tracks and sectors become available
for data and if there was a virus written on the unformatted disk, it would
be overwritten.  One could always be safe and use one of the Norton
Utilities and erase the disk to government specs.
I would worry about it.
Bye for now.
-----------[000001][next][prev][last][first]----------------------------------------------------
From:      Trond Borgen Mork <borgen%sunnvekst.uninett@norunix>  3-NOV-1989  1:41:15
To:        <security@finhutc.earn>
Hello everybody !

I'm interested in information (independent stories) about
the California earthquake's impact on computer systems
in different companies and organizations. Any stories
about prepairedness (good and bad) and consequences
because of computer breakdown are highly welcome. It
would be particularly interesting to hear about how
consulting firms and research institutions dealing with
computer security handled the disaster. However, other
kinds of companies and organizations are interesting too.

I'm a project leader working on information security at
Moere og Romsdal Teknologisenter (MRT). MRT is a research
institute in Aalesund. Aalesund is a city on the western
coast of Norway.

Greetings,

Trond.
-----------[000002][next][prev][last][first]----------------------------------------------------
From:      JohnH <JAHARITO@owucomcn.bitnet>  3-NOV-1989  2:06:38
To:        security@ohstvma
Sorry for bothering the list, but it's the only think I can do...

Somebody who his name I forget, wrote to me asking for my DES implementetion I
replied to him and said I would send you something which I didn't... The reason
is that after I replied your mail message, I deleted it and thus couldn't
remember your username and address to send you the files... I apologize for
that and ask you to send me your address again to send you the file.

Again, really sorry, I apologize
John Haritos.
-----------[000003][next][prev][last][first]----------------------------------------------------
From:      *Hobbit* <hobbit@pyrite.rutgers.edu>  3-NOV-1989  2:34:25
To:        security
It's been brought to my attention that Bitnet listservers fairly often mash
From: addresses to show security@pyrite.rutgers.edu instead of the original
sender of the message.  Despite, of course, all my efforts to make Sendmail
retain these lines.  [Listserv leaves a lot to be desired.]  If you're on a
bitnet machine and wish to reply to a message, please read the incoming
headers carefully to figure out who the message is from [and feel free to
contact me if they've been muched beyond belief and you can't figure out who
it's from].  Since different machines treat incoming mail differently,
there's no way for me to experiment and come up with something that reliably
works everywhere...

_H*
-----------[000004][next][prev][last][first]----------------------------------------------------
Date:      1 Nov 89 19:07:00 GMT
From:      XA3I@purccvm.BITNET (Robert Allinson)
To:        misc.security
Subject:   Cellular Modems

Does anyone know about the security implication on Cellular Modems.
Since cellular transmissions are in the 800 frequency band, anyone with
a receiver which can tune in to these hight frequency bands could
listen in.   Therefore, I have 2 questions:

    1.  How is a Cellular modem different than regular modems? (What
        special features does this type of modem must have.)

    2.  How about security?  If anyone can basically "Tune" in, what
        implications will this lead to as far as the technological aspect
        of the hardware?

I'd appreciate any comments on this matter.

+---------------------------------------------------------------------+
: Robert C. Allinson          Purdue University - Computer Technology :
: Bitnet:  XA3I@PURCCVM                                               :
:                                                                     :
: Work Phone: (317) 494-1638     Administrative Data Processing Center:
:                                                                     :
+---------------------------------------------------------------------+

-----------[000005][next][prev][last][first]----------------------------------------------------
From:      dasys1!eravin@cmcl2.nyu.edu (Ed Ravin)  3-NOV-1989  2:57:15
To:        misc-security@cmcl2.nyu.edu
One thing the enlightened cyclists are doing in Manhattan is two always
lock the bike up with two different kinds of locks.  The average bike thief
is only prepared to break one kind of locking system.  The usual
combination is a U-lock and a flexible cable with padlock.  That means the
thief would have to carry two different sets of tools to get the bike.

Most streetwise bikers also take some old chain links and rivet a little
loop of chain between the bicycle seat and the frame, to discourage parts
theives from taking the seat.

Bike theft is disgusting in this city: even your 3-speed covered with rust
isn't safe.  The new unit of commerce is the crack vial: as long as your
bike is worth at least one vial to someone, it is a potential theft
target.
-- 
Ed Ravin                  | hombre!dasys1!eravin | "A mind is a terrible thing
(BigElectricCatPublicUNIX)| eravin@dasys1.UUCP   | to waste-- boycott TV!"
--------------------------+----------------------+-----------------------------
Reader bears responsibility for all opinions expressed in this article.
-----------[000006][next][prev][last][first]----------------------------------------------------
Date:      3 Nov 89 01:12:44 GMT
From:      meister@GAAK.LCS.MIT.EDU (phil servita)
To:        misc.security
Subject:   bike locks

The kryptonite K4 bike lock now comes with a 1000 dollar guarantee against
theft. this guarantee is valid everywhere but New York City. Funny that.

                                        -meister

-----------[000007][next][prev][last][first]----------------------------------------------------
Date:      3 Nov 89 14:02:49 GMT
From:      ratzan@RWJA.UMDNJ.EDU (Lee Ratzan)
To:        misc.security
Subject:   controversy

A recent DoE computer security newsletter states that under certain
conditions "merely inserting a disk can cause one to be [virally]
infected". This statement is unclear: is it an infected disk into
an uninfected system which becomes infected (even without initiating
an application program)? Is it inserting a clean disk into an infected
system (again, with no application open)? Or what? Can you clarify
under what circumstances this infection event can occur?

Thanx,
Lee

-----------[000008][next][prev][last][first]----------------------------------------------------
Date:      3 Nov 89 15:26:52 GMT
From:      deh@MORDOR.ENG.UMD.EDU (Douglas Humphrey)
To:        misc.security
Subject:   Re:  Earthquake

A Tandem Computers VLX system, a fault-tolerant transaction processing
system, fell over flat on its back (this is a big mainframe, maybe 6
cabs of 6 feet tall and 28 inches or so wide, and weighs a LOT).

It was, of course, still operating just fine flat on its back.  The disks
were still upright, due to their being shorter and having lower ceters
of gravity.  From what I have been told, it was uprighted by Tandem
CEs and never missed a beat.  They had an UPS for power obviously...

Doug

-----------[000009][next][prev][last][first]----------------------------------------------------
From:      JUTBAAA <JUTBAAA@iup.bitnet>  5-NOV-1989 12:54:07
To:        <SECURITY@pyrite.rutgers.edu>
IS THERE A WAY TO ERASE THE PASSWORD FROM THE EEPROM
SOMETHING SHORT AND SWEET LIKE THE ONE FOR THE PS2
WILL BE APPRECIATED.

Abhik Biswas
Indiana University of Pennsylvania,
Indiana, PA.
-----------[000010][next][prev][last][first]----------------------------------------------------
From:      TENCATI@nssdca.gsfc.nasa.gov   (SPAN SECURITY MGR. (301)286_5223)  5-NOV-1989 13:36:45
To:        misc-security@uunet.uu.net
On a related note -

Did you know that the 976- , and 1-900 people also keep track of who
calls, and sells your phone numbers to advertisers in the same manner that
credit card companies sell your address?

I'm not sure if this is also true for 1-800 calls, since they are AT&T or
another carrier company, but apparently there are no rules against selling
your number.

Ron Tencati
NASA/Goddard Space Flight Center
Tencati@Nssdca.Gsfc.Nasa.Gov
-----------[000011][next][prev][last][first]----------------------------------------------------
From:      deh@mordor.eng.umd.edu (Douglas Humphrey)  5-NOV-1989 14:15:48
To:        cygnus@vax1.acs.udel.edu
Cc:        security@pyrite.rutgers.edu
I used to do this all the time with "thermocons" which were IR
sesors that a local (big) security firm placed in front of doorways
to trip the drop bolt when people were walking OUT of the secured
location.  This was a big problem, since fooling the thermocon 
made the door unlatch.  Even if there is no way to do it with
a laser (sometimes you could not get line of sight to the sensor)
then you can get a can of lighter fluid, squirt it all under the
door, and then light it, which I *assure* you will trip the sensor.

Remember to put the fire out before you wander through the place
and steal stuff....

Doug
-----------[000012][next][prev][last][first]----------------------------------------------------
From:      gwyn@brl.mil  5-NOV-1989 14:57:28
To:        security@rutgers.edu
>How secure are Sargent & Greenleaf combo locks?
>What do we get for their "anti-manipulation" feature - just an extra key
>lock that immobilizes the combination dial?

It depends on the model, but in general S&G makes pretty good combination
locks.  "Anti-manipulation" usually indicates just what it says, that the
lock design includes features especially aimed at making manipulation
(the art of opening a combination lock without knowing the combination a
priori) difficult.  One such feature would be additional (shallow) fake
notches around the periperhy of the wheels.  The best feature is one that
prevents using the actuator handle to apply drag to the wheel pack.
-----------[000013][next][prev][last][first]----------------------------------------------------
From:      CNSM CCR _ Rob Rothkopf <MASROB@ubvmsc.cc.buffalo.edu>  5-NOV-1989 15:38:54
To:        security@pyrite.rutgers.edu
I have a home wired with all Radio Shack parts; when the main unit is tested 
alone without ANY loops, all works fine (keypad, panic buttons, etc).  When I 
add any loops to it, it periodically is tripping for "no apparent reason."

The loop is a straight loop consisting of only Vibration Sensors... due to the 
false tripping the adjusting screw has made the system useless for now as only
a LARGE bang would trigger them.. but still, on a calm day, no winds, everyone 
still, the alarm (armed) is being set.

All I could figure is something building up resistance in the circuit.. all 
wires are stapled to wooden structural supports or studs, the system is
grounded and there is a battery backup in place.

ANY ideas as to what could be causing the problem???  At times it has been
flawless for periods of 2 months and then it starts happening daily!! :(

				--Rob Rothkopf
				BITNET:   MASROB@UBVMS
				INTERNET: masrob@ubvms.cc.buffalo.edu
-----------[000014][next][prev][last][first]----------------------------------------------------
From:      OPER014@umuc.bitnet  5-NOV-1989 16:26:40
To:        SECURITY@UBVM
I know that shorting the 2 pins by the speaker will
get you into a password protected ps/2, but I dont think
it actually reinitializes the password... Its my understanding
that that feature  is for repair persons, and they would not
necessarily be want to erase it. Please, somebody tell me if im
wrong...

Also a note to the more security conscious- As an occasional
practical joke I gain entrance to peoples PS/2s by shorting
those 2 pins with a paper clip through vent holes in the case.
(I have only tried this on Model 50s). So you may want to
place some kind of shield inside the box... locked, of course.
incidentally, this was 'fixed' on the 50z- you have to move a
jumper from one pair to the other in a group of three pins...
the jumper is large enough to cover the shorted pins completely.

---------------------------------------------------------------
oper014@umuc
       @umuc.umd.edu           Jim

Whats that red button do?
-----------[000015][next][prev][last][first]----------------------------------------------------
From:      swn@stingray.rice.edu (Steve Nuchia)  5-NOV-1989 17:13:36
To:        misc-security@uunet.uu.net
> DEC also won't let us put 'internal' hostnames on our business cards. 

The obvious solution is to have DEC-wide unique aliases recognized by
the mail server on dec.com.  Then put unique.id@dec.com on your cards.
If you come across a CMU business card check it out -- excelent example.

Not putting internal names on published documents is a good idea for
two reasons.  First it prevents trouble when the machine you named
goes away, permanently or temporarily.  Secondarily it makes it harder
for the bad guys to use "traffic analysis" and similar techniques to
deduce things about what DEC might be up to.

Personally I think if they care enough to do that there are other ways
to figure it out, but since the technical considerations align with
the political in this case it seems logical to do it right.

In the absence of a usable common address the "security" argument
has to be fought.  It is weak but not invalid, so it becomes a
question of priorities.
-----------[000016][next][prev][last][first]----------------------------------------------------
From:      NESCC@nervm.bitnet (Scott C. Crumpton)  5-NOV-1989 18:02:33
To:        security@pyrite.rutgers.edu
> I found the resistance in each switch to vary, one by over 100 ohms...  secon
> later the same switch read 7 ohms.?!  Hmm...

I installed a RS system in my house and found this to be a major
problem. It appears that RS sells the lowest quality magnetic switches
possible. The only way I was able to solve the problem (short of
replacing all the switches) was to wire each loop to control a 12v
relay. The relay contacts were then wired to the alarm center in
place of the loop.  This had the effect of increasing the loop
current from about .5ma to 50ma.  The increased current and/or the
inductive "kick" from the relay coils seems to have solved the
problem.

Before adding the relays I was averaging one false alarm per week.
Obviously an unacceptable situation that prevented connecting the
noise makers.  After adding the relays I continued testing the system
for 3 months with zero false alarms before connecting the noise
maker. It has now been connected for about 2 years with zero false
alarms.

The moral of the story is that the RS stuff can be made to work
reliably. But probably not by your average consumer.

---Scott.
-----------[000017][next][prev][last][first]----------------------------------------------------
From:      deh@mordor.eng.umd.edu (Douglas Humphrey)  5-NOV-1989 18:36:12
To:        34AEJ7D@cmuvm.bitnet
Cc:        security@pyrite.rutgers.edu
To a large extent, S&Gs are the best ( or one of the best).  We have 
them on a Mosler and and older Remington safe, both GSA certified
storage containers for classified materials, the Remington at Secret
and the Mosler higher than that.  The Mosler is a double safe, with
an S&G MP on the outside, and a special S&G on the inside (built to 
somebodies specifications).  Your local Mosler lock people will 
support the S&Gs with no problem, doing yearly maintenance, etc. and
getting you out of a jamb (pun intended) when you need it...

I am not sure what you mean by "anti-manipulation" feature;  ours are
MP locks, Manipulation Proof, but that really has to do with the 
internals on the lock, not an external locking pawl or anything 
like that. 

By the way, don't make the mistake that a lot of people do and fail
to get yearly maintenance done on the lock(s).  Sure, they most likely
won't need it, and you will be throwing around $100/year to the wind,
except for the day that the damned thing jams on you, and you discover
the extreme cost of having your safe/vault drilled...  Remember that 
these things are designed specifically to make it hard to do this.
The estimate to have one of our drilled by Mosler was many hundreds
of dollars, plus materials costs (14 diamond tipped bits, 2 drills
[they figure that they will burn out 2 doing this] and other assorted
things) plus the cost for them to weld in a plug of hardened steel
and then the possibility (if you are a cleared storage facility) that
the Government folks are not going to like the plug job and require
that you buy a new safe door and have it put on... Big Bucks...

Doug
Digital Express, Inc.

P.S.  We didn't have to have it drilled, we were just asking...
-----------[000018][next][prev][last][first]----------------------------------------------------
Date:      5 Nov 89 23:46:34 GMT
From:      NESCC@nervm.BITNET (Scott C. Crumpton)
To:        misc.security
Subject:   RE: Home Alarm Installations, R.S. Setups

> I found the resistance in each switch to vary, one by over 100 ohms...  secon
> later the same switch read 7 ohms.?!  Hmm...

I installed a RS system in my house and found this to be a major
problem. It appears that RS sells tle lowest quality magnetic switches
possible. The only way I was able to solve the problem (short of
replacing all the switches) was to wire each loop to control a 12v
relay. The relay contacts were then wired to the alarm center in
place of the loop.  This had the effect of increasing the loop
current from about .5ma to 50ma.  The increased current and/or the
inductive "kick" from the$relay coils seems to have solved the
problem.

Before adding the relays I was averaging one false alarm per weeo.
Obviously an unacceptable situation that prevented connecting$the
noise makers.  After adding the relays M continued testmng the system
for 3 months with zero false alarms before connecting$the noise
meker. It has now been connected for about 2 years with zero false
alarms.

The moral of the story is that the RS stuff can be made to work
reliably. But probably not by your average consumer.

---Scott.

-----------[000019][next][prev][last][first]----------------------------------------------------
Date:      5 Nov 89 23:58:33 GMT
From:      wb8foz@MTHVAX.CS.MIAMI.EDU (David Lesher)
To:        misc.security
Subject:   S&G locks, Mosler containers

I believe ONLY the S&G locks are GSA approved. Also, if I am not
mistaken, only Molser containers (presently class VI) are accepted.

The S&G 8400 and 8500's are darn good locks. Uncle Sam uses a lot of
them, not just on containers, but office doors (with a special
extension & strike), and communication center vault doors. But
remember, anything can be gotten into if you have enough time.

A Mosler can be drilled. It is not an easy task. We go to great lengths
to try and get it open before we give up and drill. It takes from four
to 8 hours, IF YOU KNOW WHAT YOU ARE DOING. We bring lots of bits, but
typically use big enough drill motors that they give little trouble
(except when you want to lift one ;-}) If you it do it correctly, the
container can be repaired and reused. If you screw up (or burn it
open), you will need a new control drawer. ($$$$)

-- 
A host is a host & from coast to coast...wb8foz@mthvax.cs.miami.edu 
no one will talk to a host that's close..............(305) 255-RTFM
Unless the host (that isn't close)......................pob 570-335
is busy, hung or dead....................................33257-0335

-----------[000020][next][prev][last][first]----------------------------------------------------
Date:      6 Nov 89 19:01:27 GMT
From:      night@PAWL.RPI.EDU (Trip Martin)
To:        misc.security
Subject:   Re: Privacy vs on-line library

>Did you know that the 976- , and 1-900 people also keep track of who
>calls, and sells your phone numbers to advertisers

Mailing lists appear to be big business.  I am aware of at least one hospital
which sells names and addresses (and said we couldn't do a damn thing about
it).  I for one would like to know how widespread this practice is across
all industries.

-- 
Trip Martin  KA2LIV       night@pawl.rpi.edu
Finite state machinist    night@uruguay.acm.rpi.edu

-----------[000021][next][prev][last][first]----------------------------------------------------
Date:      7 Nov 89 03:21:38 GMT
From:      sarge@dcdwest.UUCP (Sergeant Bob Heddles)
To:        misc.security
Subject:   Shoulder Patches request...

I was wondering where I could get the unit patches (uniform) of the
different police and other emergency departments of the U.S.A. and
Canada?  Is there a catalog company and /or store that carries
them? If not would the people on the network with the affilations
of the aboved mentioned departments be willing to send one to me? I
am trying to build a collection of patches. Any and all help would
be greatly appreciated....

			Thanks,

			  Bob
-- 
Bob Heddles                        | ITT Defense Communications Division
ucbvax!ucsd!dcdwest!sarge          |     10060 Carroll Canyon Road
sarge@dcdwest%ucsd.edu             |       San Diego, CA 92131
Opinions expressed are mine alone. Since no-body else wants them.

-----------[000022][next][prev][last][first]----------------------------------------------------
From:      virtech!jje@uunet.uu.net (Jeremy J. Epstein)  9-NOV-1989  1:01:47
To:        misc-security@uunet.uu.net
I'm working on a project involving implementing a B3-level
Mach system (or portions thereof) in Ada on a DARPA grant.  I'd interested
in hearing about other people/projects who are working on trusted Mach
and/or using Ada on Mach.

Please email to
	uunet!prcrs!abqord!jje or uunet!virtech!jje

Thanks
Jeremy Epstein
TRW Systems Division
703-876-4202
-----------[000023][next][prev][last][first]----------------------------------------------------
From:      Noel Del_More <noel@ubbs_nh.mv.com>  9-NOV-1989  1:38:45
To:        security@rutgers.edu
I am writing a term paper for one of my graduate courses on the  subject
of computer security and the effect that it, or should I say the lack of
it, has had on our society.

In particular I'd like to focus on corporate strategies and responses to
actual and/or potential breaches of systems security which have resulted
or had the potential of resulting in the loss of assets, intellectual
property or sensitive data.

I would appreciate receiving information  concerning  any  bibliographic
references, case studies or legal actions involving the subject of which
you may be aware.

In addition, I would  very  much  like  to  hear  about  your  companies'
policies  and strategies to prevent and/or deal with breaches of systems
security.

Thank you,
Noel
-----------[000024][next][prev][last][first]----------------------------------------------------
Date:      Fri, 27 Oct 89 10:44:45 EDT
From:      "Jack L. Coffman" <UKA051@ukcc.bitnet>   9-NOV-1989  2:08:48, "Jack L. Coffman" <UKA051@ukcc.bitnet>
To:        security-request@pyrite.rutgers.edu, security-request@pyrite.rutgers.edu
We at the University of Kentucky run an IDMS data base at the
central computing center.  Most batch updating is performed
at night by our central data control staff.

We do have programmers distributed in user offices who now
do some batch updating to the data base.  Most
user departments have people who execute reports using
COBOL, MARKIV, OLQ, CULPRIT, and SAS against the data base
and extract files.

We are at the point of deciding how to set up libraries to allow
user departments to update or execute reports from the data base or
extract files.

Does anyone have any exeprience or words of wisdom on how to approach
this decision. Are we unique in allowing user departments to update
the data base?

Thanks

Jack L. Coffman - UKA051@UKCC
Security and Contingency Planning Officer
128 McVey Hall
University of Kentucky
Lexington, Ky  40506-0045
(606)257-2273
-----------[000025][next][prev][last][first]----------------------------------------------------
From:      harald@kumquat.ucsb.edu (Ommang)  9-NOV-1989  2:38:01
To:        misc-security@ucsd.edu
Hi !
I'm writing a paper for a Graduate class in Computer Security here at
UCSB. The paper will compare security features of two operating systems
that are in use all over the commercial world : Hewlett-Packard's MPE and
UNIX. I have worked with MPE security for several years, so I have that 
covered, but I am a fairly novice user of UNIX. 

My question is : Can anyone out there recommend (and point to) articles
                 and books on UNIX security. I will mostly deal with issues
                 like password and file security, and also ways of aquiring
                 more capabilities (i.e. system manager / superuser) than
                 one is supposed to.

Please reply by e-mail to :
harald%cornu@hub.ucsb.edu

==================================================================
"Born in the ice-blue waters of the festooned Norwegian coast.."
         - Bertrand Meyer on object-oriented programming
Well, so was Harald Ommang.    harald%cornu@hub.ucsb.edu
-----------[000026][next][prev][last][first]----------------------------------------------------
From:      nagle@well.sf.ca.us (John Nagle)  9-NOV-1989  7:56:27
To:        misc-security@uunet.uu.net
>Next to the speaker on the earlier PS/2's is a pair of jumper pins.
>If you short these while the machine is being powered up, the password
>will be cleared from memory.

       How convenient.  Was this designed in, or is it a flaw?

					John Nagle
-----------[000027][next][prev][last][first]----------------------------------------------------
From:      GREENY <MISS026@ecncdc.bitnet>  9-NOV-1989  8:20:05
To:        <security@pyrite.rutgers.edu>
> Is there any work being done in the area of security or authentication for
> FAXen?

well, on the fax machine that we have where I work, it has a security code that
can be set (actually an 8 bit binary number).  If the code is set to all 1's,
then no polling can occur.  If the code is set to all 0's, then anyone can poll
the machine for a fax, and if the code is set anywhere inbetween then they
polling fax machine must have the same security code...

perhaps this Ad agency would do well to set their security codes for
confidential documents?

(at least I *assume* it was confidential...:-> )

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY
-----------[000028][next][prev][last][first]----------------------------------------------------
From:      CNSM CCR _ Rob Rothkopf <MASROB@ubvmsc.cc.buffalo.edu>  9-NOV-1989  8:47:18
To:        security@pyrite.rutgers.edu
The University of Buffalo is considering the feasabilities/possibilities of 
establishing a "universal" card-access system for all areas of University 
activity.  This single card would be used by all faculties including:

	-- University Libraries: could be used with copiers
	-- Records/Admissions: could be used as positive student ID
	-- Could be used as "meal card"
	-- Keyless card-entry system into student dormitories
	-- Miscellaneous applications including single-vote verification,
	   purchasing, student accounts (perhaps mom and dad could "easily"
	   add money for students to later have access to for food, etc.)

We've received some literature on the "Smart Card" and how it might fill
our needs; since this is the beginning of this investigation we could use
any input others may have from previous experiences with card systems.

If anyone has experience with/knowledge of the "Smart Card" or *any* other
established card access system, I'd appreciate the advice and info.  Either
reply direct or through the net (some might find this info. useful)

Thanks in advance.

				--Rob Rothkopf
-----------[000029][next][prev][last][first]----------------------------------------------------
From:      "W. K. (Bill) Gorman" <34AEJ7D@cmuvm.bitnet>  9-NOV-1989 21:08:41
To:        SECURITY Digest <SECURITY@UGA>
>It was a wrong assumption from the view that I don't KNOW they are keeping
>track, but I don't KNOW that they AREN'T.  Any such system CAN be abused

The DEA regularly raids "indoor gardening" stores, many of which can and
do serve a legitimate, law-abiding clientele, without ever filing
formal charges against the owners, merely to gain the computerized customer
lists therefrom. If this is not the sort of abuse you refer to, it is skating
very close thereto.
-----------[000030][next][prev][last][first]----------------------------------------------------
From:      davecb@nexus.yorku.ca (David Collier_Brown)  9-NOV-1989 21:28:40
To:        misc-security%mnetor@uunet.uu.net
> Any such system CAN be abused almost trivially and without notice 
> to the users.   [...]  the information to exist, than to be assured (by
>people who don't even understand the system) that such records aren't being
>kept.

  A specific, known example: a crossmatch between a library systems and
a pharmacy system running on the same timesharing service:

  from pharmacy, select females with perscriptions for birth
	controll pills
  crossmatch with library for address and age
  print where age < 30 and city = this one.

--dave c-b
-- 
David Collier-Brown,  | davecb@yunexus, ...!yunexus!davecb or
72 Abitibi Ave.,      | {toronto area...}lethe!dave 
Willowdale, Ontario,  | Joyce C-B:
CANADA. 416-223-8968  |    He's so smart he's dumb.
-----------[000031][next][prev][last][first]----------------------------------------------------
From:      zeleznik@cs.utah.edu (Mike Zeleznik)  9-NOV-1989 21:45:00
To:        security@pyrite.rutgers.edu
Just wanted to point out that this issue of identification while maintaining
privacy has been the subject of a number of research articles in the computer
science community.  One that comes to mind is:

 "Security Without Identification: Transaction Systems to Make Big Brother
 Obsolete", David Chaum, Communications of the ACM, October 1985, p1030+.

Another one, less concerned with privacy, but with many references to things
related to the concept of data surveillance, is:

 "Information Technology and Dataveillance", Roger Clarke, Communications of
 the ACM, May 1988, p498+.

--Mike

  Michael Zeleznik              Computer Science Dept.
                                University of Utah
  zeleznik@cs.utah.edu          Salt Lake City, UT  84112
                                (801) 581-5617
-----------[000032][next][prev][last][first]----------------------------------------------------
From:      davecb@nexus.yorku.ca (David Collier_Brown)  9-NOV-1989 22:10:48
To:        misc-security%mnetor@uunet.uu.net
>Another reason (variation on the above) is that the member libraries
>are billed based on the usage by their people. This requires that the network
>know what library you are from when using this system.

  The libraries are both charged by information providers and funded by
supporting organizations based on use and/or membership.  When working for a
supplier of some slight note, I was surprised at the conflicting needs to
keep track of usage information for funding purposes (and for
book-replacement estimates), and the need to **not** keep track of readership
information for particular books.

  And yes, both are legally mandated and prohibited in differing
justistictions (:-}).

--dave
-- 
David Collier-Brown,  | davecb@yunexus, ...!yunexus!davecb or
72 Abitibi Ave.,      | {toronto area...}lethe!dave 
Willowdale, Ontario,  | Joyce C-B:
CANADA. 416-223-8968  |    He's so smart he's dumb.
-----------[000033][next][prev][last][first]----------------------------------------------------
From:      *Hobbit* <security_request@pyrite.rutgers.edu>  9-NOV-1989 22:23:13
To:        security-list-outbound@pyrite.rutgers.edu
David Stodolsky has submitted the entire text of his paper on
databases for epidemiologocal control.  It is over 38Kb, so rather
than post it I'm making it available via FTP for anyone interested.
It's at pyrite.rutgers.edu in security/epidemic-control.  I will
also mail it to any non-internet recipients [who can't grab this directly]
that ask for a copy...

_H*

--- head of David's message ---
Date: 29 Oct 89 20:27:52 GMT
From: stodol@diku.dk (David Stodolsky)
Subject: Secure Distributed Databases for Epidemiological Control
To: misc-security@dkuug.dk

English update of: 
Stodolsky, D. S. (1989, August). 
Brugerforvaltet datakommunikationssystem til bekaempelse af seksuelt 
overfoerbare infektionssygdomme 
[Secure Distributed Databases for Epidemiological Control]. 
Research proposal submitted to the AIDS-Fund Secretariat, Danish Health 
Department. 
(Available from the author at the Psychology Department, University of 
Copenhagen )
-----------[000034][next][prev][last][first]----------------------------------------------------
Date:      9 Nov 89 18:30:00 GMT
From:      NORDBERG@scranton.BITNET
To:        misc.security
Subject:   Bibliographic references for system breaches

Noel asked about any bibliographic references concerning actual or
potential breaches of computer security. Since s/he did not list an
e-mail address I'll reply via this discussion group.

"The Cuckoo's Egg" by Cliff Stoll just came out and is an interesting case
study of breaches of long duration of both academic and military
systems (including companies doing business with the military such
as BBN, TRW and MITRE).  Stoll's efforts to alert various groups met with
a fair number of responses that can be characterized only as denial.

Stoll, Clifford
"The Cuckoo's Egg"
Doubleday (c) 1989
ISBN 0-385-24946-2

---------------------------------------------------
Kevin Nordberg
Dept. of Philosophy
University of Scranton
BITNET: NORDBERG@SCRANTON

-----------[000035][next][prev][last][first]----------------------------------------------------
Date:      9 Nov 89 23:17:31 GMT
From:      MTG@CORNELLC.CIT.CORNELL.EDU (Mike Garcia)
To:        misc.security
Subject:   Re: Privacy vs on-line library

>The DEA regularly raids "indoor gardening" stores, many of which can and
>do serve a legitimate, law-abiding clientele, without ever filing
>formal charges against the owners, merely to gain the computerized customer
>lists therefrom.

It does not even have to be computerized.

The Chicago police department has a squad called the "gun squad" which
confiscates unregistered handguns.  It is enormously successful in
terms of the number of handguns seized.  Reportedly one of the Chicago
PD's techniques is to acquire lists of legally purchased handguns,
which were purchased oustside of Chicago.  These lists include the name
and address of the purchaser.  The Chicago PD then checks the names on
the lists against the names of store and resturant owners whose places
of business are located in Chicago.  When a match is found, the place
of business is searched.  Since it is a public place, no search warrent
is needed.  If a handgun is found on the premises, it is seized.

These lists are acquired from the US Bureau of Alcohol, Tobacco and
Firearms (BATF).  BATF assembles these lists by inspecting the records
of gun shops near, but outside of, Chicago.  It is a federal
requirement that all firearm purchases be recorded, and the gun shops
can not refuse BATF access to the records.

In all probability, part of your library's budget is federal money.  If
a federal agency wants access to such information, it will have
powerful tools for compelling complience.  Once the feds have the data,
they can do whatever they want with it, including giving it to a third
party.

If your library keeps track of what information you access, for
whatever reason, you have no real guarantee that it will not be
misused.

                            Mike Garcia

-----------[000036][next][prev][last][first]----------------------------------------------------
Date:      10 Nov 89 00:55:36 GMT
From:      doerschu@REX.CS.TULANE.EDU (David Doerschuk)
To:        misc.security
Subject:   Re: REINIALISING PS/2 PASSWORDS

>Next to the speaker on the earlier PS/2's is a pair of jumper pins.

PS/2 as in IBM PS/2?  I didn't realize there was any password security
in the PS/2.  Would someone mind posting or emailing a brief explaination?
Is this a DOS 4.1 thing?  It sounds like its in HARDWARE!

Thanks for any information.

Dave
doerschu@rex.cs.tulane.edu

-----------[000037][next][prev][last][first]----------------------------------------------------
Date:      10 Nov 89 19:53:04 GMT
From:      gwyn@BRL.MIL
To:        misc.security
Subject:   Re:  Privacy vs on-line library

>The DEA regularly raids "indoor gardening" stores, many of which can and
>do serve a legitimate, law-abiding clientele, without ever filing
>formal charges against the owners, merely to gain the computerized customer
>lists therefrom.

If they're doing this without a warrant issued by a Federal judge,
they're violating the law (as I understand it) and certainly are
acting against the intentions of the fine folks who founded our
system of government.  Feel free to blow them away.

-----------[000038][next][prev][last][first]----------------------------------------------------
From:      rjg@sialis.mn.org (Robert J. Granvin)  12-NOV-1989 23:41:28
To:        misc-security@uunet.uu.net
>	You can walk into the library and read the thing, because the library
>is supported by the university and assumes that nobody NOT from the university
>will use it (or at least the use will be minimal).

Universities are supported by tuitions, grants and public and state
funding.  Universities are centers of knowledge and learning.

The libraries of these universities are open and available to
everyone.  The information contained therein isn't restricted in any
form to only students "And others as long as the use is minimal".

-- 
________Robert J. Granvin________        INTERNET: rjg@sialis.mn.org
____National Computer Systems____          BITNET: rjg%sialis.mn.org@cs.umn.edu
__National Information Services__            UUCP: ...amdahl!bungia!sialis!rjg
 "Insured against Aircraft, including self-propelled missiles and spacecraft."
-----------[000039][next][prev][last][first]----------------------------------------------------
From:      "Craig Finseth" <fin@uf.msc.umn.edu>  13-NOV-1989  0:03:06
To:        jonhaug@ifi.uio.no
Cc:        security@rutgers.edu
   If security is defined as "a system's ability to maintain
   confidiality, integrety and availability of information", where does
   privacy fit?

I would say that "security" is an amoral term.  It refers to whether
the system is performing its job properly.

"Privacy," on the other hand, provides constraints on the system's
goals.

In particular, a system can be secure without being private.
Hypothetical example: a credit bureau may operate a secure system.
However, the bureau may choose to sell its data to a third party.  No
security breach has occurred, but a privacy breach has (in this
example, at least).

   Another question: Do you agree with the above 'definition' of privacy?
   Does your contry's privacy act (if you have one) agree?

(1) Yes.  (2) Who knows, at least in the U.S.? (:-).

Craig A. Finseth			fin@msc.umn.edu [CAF13]
Minnesota Supercomputer Center, Inc.	(612) 624-3375
-----------[000040][next][prev][last][first]----------------------------------------------------
From:      Jeff Suttor                          <ECL4JS2@oac.ucla.edu>  14-NOV-1989  9:11:57
To:        security@pyrite.rutgers.edu
> A few programmers can even construct the borrowing history  of a given
> individual (a moment's thought about how a library works will tell you this)

This is not true for the Library I program for.  When a circulation
transaction is resolved, checked back in, the circ trans is archived but
any link to the user record is zeroed out.  This allows the archives to
be used for stat anal but protects the privacy of the user.  Most
Libraries are strong believers in information rights and do whatever
they can to protect the rights of their users.
-----------[000041][next][prev][last][first]----------------------------------------------------
From:      shz@packard.att.com (Seth Zirin)  14-NOV-1989 18:34:34
To:        misc-security@att.att.com
Sargent & Greenleaf locks are very high in quality.  Their manipulation
resistant locks are still acceptable for use on GSA-rated classified
information storage containers.  LaGard and Mosler locks are no longer
acceptable because they can be compromised with auto-dialers.

The manipulation resistance of S&G 8400 and 8500 series locks is not
derived through the use of key-locking dials although locking dials
are available as an option.  The action of the locks is designed to
deter manipulation by preventing convenient contact between the lever
nose and drive cam.

S&G locks are among the best available.

Seth Zirin, CPL
Member Safe and Vault Technicians Association
-----------[000042][next][prev][last][first]----------------------------------------------------
From:      "Robyn Robertson GSRLR@ALASKA"  <GSRLR@alaska.bitnet>  14-NOV-1989 19:09:26
To:        security@pyrite.rutgers.edu
Finding people?  I have spent considerable time and effort doing this
sort of work.  The only solid rule for tracking people down is that there
are no solid rules.

In general, finding people depends upon knowing enough about the target
subject(i.e. the person you want to find) to gain direction for the search.
For instance, I was retained to search for a gentleman that had absconded
from the Seattle area with substantial debts left behind.  I knew very
little about the guy other than his name, the fact that he had a trust
fund administered from Los Angeles, and that he had been planning to wed
a woman from Seattle when he was last heard from several weeks before.

In this case, I managed to locate a marriage license in the King county
(Seattle) Courthouse which yielded the name and address of the woman he
had, by the time of this search, married.  Although the man had covered
most of his tracks pretty well, the woman he had married took no effort
to obscure her path.

Consequently, I had the woman's name and last known residence(in
Renton, Washington, a suburb of Seattle)when I left the courthouse.  Once
I had this, the remaining follow up was reasonably simple.  It turnt out
that her prior residence she had been living in was up for sale.  A visit
to the real estate agent acting as broker afforded a reasonably fast
face-to-face meeting with the fugative I sought.   He, it developed, was
handling all the business of his new wife.  The real estate agaent very
thoughtfully arranged the meeting, and also provided me with the seller's
new home address.

I tell this story as a means of illustrating an approach to finding people.
While in general it is helpful to review information resources like the
telephone book, Polk directory, etc., I believe that a general priciple
is the best advice.  Find out all you can about your target, then determine
what, if any, information resources this knowledge of your target implies.
If you are uncertain what information your basic knowledge of your target
does imply, take what you know to an expert(like the records clerk in the
city/county building where the target I mention above had filed his marriage
license) and ask the expert what intelligence is necessarily implicit in
the information you have as a foundation.  Once this is accomplished, the
remaining task is to exploit this information.

As for expert assistance in developing the leads that you start with,
there are as many sources for this intelligence as there are catagories
worth exploiting.  I know very little about tennis, for instance,
but I know enough that if I found that a suspect I sought was a heavy tennis
player, I could certainly locate a tennis expert to tell me what
organizations associated with tennis might yield the suspect's location.
Failing that, if the suspect is a serious tennis player, and I have a good
idea what city he might be in, I might be able to develope leads by asking
questions at atheletic clubs in the area.

Although this approach seems like common sense, many people tend to forget
what creatures of habit we humans are, and they consequently fail to
exploit the obvious when searching for someone.  Nonetheless, I have found
this approach fairly useful.  Just find out all you can about your target,
then think! One must compile all available information on the target
subject, then follow it up and exploit whatever leads this information
developes.

===========================================================================
Robyn Robertson                         | The opinions expressed here are
BITNET: GSRLR@ALASKA                    |              my own
Internet: GSRLS@acad3.fai.alaska.edu    |
P.O.Box 81638                           |
Fairbanks, AK   99708                   |
-----------[000043][next][prev][last][first]----------------------------------------------------
From:      Linda L. Julien <leira@eddie.mit.edu>  14-NOV-1989 22:23:44
To:        MASROB@ubvmsc.cc.buffalo.edu
Cc:        security@pyrite.rutgers.edu
I haven't had experience with these systems, but I don't like the
idea.  If a student loses this one card, they're out of luck until
it's replaced.  With everything separate, if you lose your keys, you
can still eat, and if you lose your library card you can still get into
your room.

Linda Julien
leira@eddie.mit.edu
leira@athena.mit.edu
-----------[000044][next][prev][last][first]----------------------------------------------------
From:      gwyn@brl.mil  14-NOV-1989 22:54:44
To:        security@rutgers.edu
>The DEA regularly raids "indoor gardening" stores, many of which can and
>do serve a legitimate, law-abiding clientele, without ever filing
>formal charges against the owners, merely to gain the computerized customer
>lists therefrom.

If they're doing this without a warrant issued by a Federal judge,
they're violating the law (as I understand it) and certainly are
acting against the intentions of the fine folks who founded our
system of government.  Feel free to blow them away.
-----------[000045][next][prev][last][first]----------------------------------------------------
From:      <WBERBENI@gtri01.bitnet>  14-NOV-1989 23:30:34
To:        <security@pyrite.rutgers.edu>
   The first thing that comes to my mind after reading about this "Smart Card"
is its potential for abuse. If it is lost or stolen, how easily can the 'old'
card's access be removed from the system? Also if it is lost or stolen, will a
'backup' of its information be kept in a separate facility - imagine the
concern if the student adds $500 to the card, only to have it lost or stolen
moments later on the way to class. Just some thoughts that came to mind...

Bill Berbenich                             wberbeni@gtri01.gatech.edu
Office of Computing Services                       @gtri01.bitnet
Georgia Institute of Technology
-----------[000046][next][prev][last][first]----------------------------------------------------
Date:      14 Nov 89 00:43:38 GMT
From:      willis@RAND.ORG ("Willis H. Ware")
To:        misc.security
Subject:   Re: Privacy vs security definitions

RE the uncertainty between security and privacy.

In brief, security is a system attribute; it has to do with whether a
system contains appropriate hardware/software/operational/environmental/
communication safeguards to that it can enforce a security policy --
whatever the policy may be -- and do so with high confidence.  The policy
might only involve confidentiality, but it can be more.  In general
security policy will vary from system to system but with notable
exceptions, e.g., in the defense community, security policy is uniform
throughout.

In contrast privacy is an information use attribute.  In principle privacy
issues exist even in a manual system.  The scale is different however, and
on one worried about privacy 25 years ago -- but the issue was there
nonetheless.  Security in either manual or computer system is a
prerequisite to privacy; if you cannot control access to information,
there's no way that you can control its use.

A lot has been said and written about privacy and its relation to
security.  Two of the most comprehensive treatments of privacy from the
US national level are:

	Report of the Secretary's [DHEW] Committee on Automated Personal
		Data Systems, "Records, Computers, and the Rights of
		of Citizens", US Gov Printing Office, 1973; stock
		number 1700-00116

	Report of the Privacy Protection Study Commission [including
		5 appendices], "Personal Privacy in an Information
		Society", US Gov Printing Office, 1977; stock
		number 052-003-00395-3

Nothing comprehensive has been done more recently at the Federal level.
There are many hardback books however.

					Willis H. Ware
					RAND Corp

-----------[000047][next][prev][last][first]----------------------------------------------------
From:      meister@gaak.lcs.mit.edu (phil servita)  15-NOV-1989 22:59:56
To:        security@pyrite.rutgers.edu
The kryptonite K4 bike lock now comes with a 1000 dollar guarantee against
theft. this guarantee is valid everywhere but New York City. Funny that.

                                        -meister
-----------[000048][next][prev][last][first]----------------------------------------------------
From:      Nutsy Fagen <MJB8949@ritvax.bitnet>  15-NOV-1989 23:19:15
To:        security@pyrite.rutgers.edu
        I'd like to get in tough with anyone out there who's had experience
with a Sescoa 3000 alarm reciever.  (This applies more toward large-scale
security systems, so if anyone knows of a better list to ask this on, please
let me know that also)
        Specifically, we'll be adding a computer to it for monitoring, and
would like to quiet the 'beep' while the computer is on-line.  Any expensive
or time-consuming mods wouldn't be too appropriate, since we plan on
upgrading to a Radionics reciever with a year or two.

        Thanks ahead of time for any help.

        Mike Bunnell

MJB8949@ritvax  (bitnet)
-----------[000049][next][prev][last][first]----------------------------------------------------
From:      Robert Allinson <XA3I@purccvm.bitnet>  15-NOV-1989 23:35:40
To:        <security@uga>
Does anyone know about the security implication on Cellular Modems.
Since cellular transmissions are in the 800 frequency band, anyone with
a receiver which can tune in to these hight frequency bands could
listen in.   Therefore, I have 2 questions:

    1.  How is a Cellular modem different than regular modems? (What
        special features does this type of modem must have.)

    2.  How about security?  If anyone can basically "Tune" in, what
        implications will this lead to as far as the technological aspect
        of the hardware?

I'd appreciate any comments on this matter.

+---------------------------------------------------------------------+
: Robert C. Allinson          Purdue University - Computer Technology :
: Bitnet:  XA3I@PURCCVM                                               :
:                                                                     :
: Work Phone: (317) 494-1638     Administrative Data Processing Center:
:                                                                     :
+---------------------------------------------------------------------+
-----------[000050][next][prev][last][first]----------------------------------------------------
From:      Frank Tompkins <TOMPKINS@akronvm.bitnet>  16-NOV-1989  0:16:38
To:        tcp-ip@utdalvm1
Cc:        security@ohstvma, ibmtcp-l@cunyvm, ibm-nets@uga
Greetings,
Thanks to all of you who responded to my question last month regarding
site policies about the use of Ethernet/Internet and possible integrity
problems.  Of the 21 responses I received, almost half (9) were requests
for the results.  This implied a lot of interest in the topic, so I was
mildly suprised that I didn't get more responses.  Anyway, here's what
I got (first the question again):
  . . .
>   1)  Other than the well known ease with which thick Ethernet cables
>       can be tapped and passing data extracted, are there other weak
>       spots (security wise) that we should be aware of regarding the
>       physical links,
> and
>   2)  What are the policies (briefly) that other campuses have regarding
>       allowing confidential administrative data (user id's, passwords,
>       and transactions) to flow over Internet links.
   . . .
I would be very interested in the content of your replies. We have just
started Ethernet service on our academic 3081 using VM TCP/IP. There is
already a good deal of pressure to allow administrative access to our 3090
running MVS. I would greatly appreciate forwarded replies, and the final
conclusion you reach and why you made that decision. Thanks.
  . . .
********* has over 4000 (that's not a typo) VAXs, workstations, Suns, and a
few large IBMs hooked via TCP/IP. The hardware is NSC hyperchannel for a
backbone and their routers on local ethernets. We have lots of business data
and engineering data going internally and internationally. Because of legal
considerations, we have stated over and over that the network is not a
secure network, and had better be treated as such. That probably has been
forgotten along the way, but at least we're on record as trying to do the
right thing.  Hope this helps.
  . . .
well I think the biggest issue is not not allow any non-secure machine to be
directly attached to the backbone, since it then can be put in promiscious
mode and monitor the traffic.  There is no way to secure a PC or other
workstation type machine. If it is seperated from the backbone by at least a
router, then only information from that particular subnet will be potentially
visible to it.  folk kick about the extra cost, but i think it is essential.
  . . .
We are currently in the process of setting up as you describe. We were
also concerned about the lack of security of ethernet. As soon as it
arrives I hope to switch our 8232 from VM to MVS.  Since we were
assured that there is little difference in most of the TCP/IP code used
on the 2 operating systems we began develloping an encryption technique
for use over ethernet.
The authors of the BW series of ethernet software are part of our
networks & communications group, in fact they both read the TCP/IP lists.
The BW software now supports access via the 8232 and they expect to
have the encryption facility working shortly. This will consist of a new
version of the BW software together with updates to the mainframe
TCP/IP software.  Other changes include full color support as well as
handling the YTERM TPRINT command.  Kermit is used for file transfers.
  . . .
I would be interested in a posted summary of this information, and if you
find any archived documents, I'd be interested in those too.  I've only been
on TCPIP-L since May, but I have not seen anything on this subject there or
on another list.
  . . .
I too am interested in responses to these questions.  Some members on
our campus are also contemplating allowing access to "sensitive"
information via the campus TCP/IP network (using Telnet, FTP, etc.).

Some of our local experts feel that we have little to be concerned
about.  However, I read an article in the April issue of "Computer
Communication Review" titled "Security Problems in the TCP/IP
Protocol Suite" by S.M. Bellovin (AT&T Bell Laboratories) that got
me a bit concerned.  A follow up article in the July issue by
Stephen Kent (BBN Communications) "Comments on 'Security Problems in
the TCP/IP Protocol Suite'" pointed out inaccuracies, etc. in the
first article but still did not alleviate my apprehension.

In short, Mr. Kent's article seemed to say that the TCP/IP Protocol
Suite isn't secure unless end-to-end encryption is used at the
network layer.  My questions:  is the article correct?  Am I
interpreting the article correctly?  If so, are such security
mechanisms implemented on the Internet?  If not, can we implement
such a security mechanism on our local network even if the rest of
the Internet doesn't?
  . . .
Basically, TCP/IP is not secure, but that is more of a function
of the underlying transport mechanism than it is of TCP/IP.
TCP/IP typically runs in
a LAN or WAN type environment.  In this environment, generally
all messages are physically broadcast to everybody, even if they
are logically intended for one target.  (There are also messages
which are *supposed* to be broadcast, and *supposed* to be seen
by everybody, but that is a different issue).  There are numerous
exceptions to this "everybody sees everything" rule, of course.
Bridges and gateways serve to limit the scope of the "broadcast"
of messages intended for for one destination, but within the
"local" network, everybody sees everything.

The idea with "everybody sees everything"
is that your system looks at and throws away stuff that it
sees that is really for somebody else.  Obviously, it is not hard
to simply keep the stuff and not throw it away.  In a token ring
environment, it is generally the hardware itself that is making this
determination, so it is a little hard for the casual user to peek at
something he shouldn't.  In an Ethernet environment, it is generally
the software that is making the determination, so it is usually easy
for the casual user to peek at every packet that comes by.  UNIX
systems often have such peeking programs built in.

Suppose you have an Ethernet in an engineering building for students,
and another Ethernet in an administrative building for administrators.
Further suppose that you want to link both of these nets into the
computing center in yet a third building, using some sort of campus
wide backbone.  If you want to be somewhat secure, you will need to
arrange bridges and gateways so that packets from the engineering
building are not seen on the network in the administrative building
and vice versa.  However, I don't really know of any good way to
keep the students from stealing each other's passwords by looking
at all packets going by in the local engineering net.
(This is assuming a bright and agressive student who has access to
a reasonable work station on the network, of course).
  . . .
>[paraphrased] If you want to be somewhat secure, you will need to
>arrange bridges and gateways so that packets from the administrative network
>(secure) are not seen on the student network (insecure) and vice versa.
>However, I don't really know of any good way to keep the students
>from stealing each other's passwords by looking at all packets going
>by in the local [engineering] net.

End-to-end encryption, of course. The whole problem is, as you say,
that anyone who wants to dump packets, can. This is not a limitation
of IP networks, alone. In any network if you know, or can reverse
engineer the packets, you can get at unencrypted data contained in
them. The minute someone logs in over the network, their password
is insecure.

The "simple" solutions are to encrypt packet contents, provide
security at a network (rather than host), level (a la Kerberos),
or scramble packets so that someone cannot reassemble them in
a meaningful order.

Even so, no network is secure from itself. The best that you can
hope for is to make it impractical or extremely unlikely that someone
will be able to violate your security in a meaningful time frame.
Even THAT won't keep people from using their phone numbers, mother's
name, or favorite team as a password, or even simpler, giving it
to someone else to use or writing down and taping it to the underside
of the keyboard.

The second part of the story, however, is why be secure and how
secure? What I mean is, is your desire to be secure in order to
thwart deliberate malice or is it to limit your liability for
negligent disclosure of confidential records? In the case of
liability, your requirements might be significantly less stringent
than if you were transmitting launch codes for ICBMs.
  . . .
We are also allowing TCPIP to proliferate on campus and will have some
administrative access in several months using TCP/IP.  As long as we
have a router between public access labs and the main backbone, they
will not be able to see passwords.  Even for taps they would only see
passwords on that segment.

We assume that all of the problems of access control remain, but are no
more serious than the ones already created by dialup access.
  . . .
The most powerful weapon to avoid ethernet snooping is physical segmentation
of the network. Snoopers cannot read data that does not flow thru their
ethernet. Break the network into many small pieces, and snoopers can at most
see only what is on their small piece. Isolate sensitive users from others,
on different segments. Never combine public PCs and administrative users on the
same segment, for example. Multi-user computers are in general not a problem;
it is the single-user systems where a user may install and use snooping
capability without detection.
  . . .
You might want to install MVS TCP/IP and have the admin users come in via
that method. If they need access to VM, run VM/VTAM across a virtual CTCA.
MVS TCP/IP has a much better interface to VTAM/CICS, and is much easier to
keep unauthorized data secure by enforcing the CICS terminal transaction
restrictions.

If you do the DIAL method and your MVS applications do port-based security
for sensitive functions, how do you ensure that J. Random Bozo doesn't
DIAL MVS and end up facing a potentially highly priviledged logon screen.
(We got nailed with this one on our library system) DIAL is a simple rotor
system and (without VMSECURE or RACF) just dumps you into the next free
SPECIAL port.

Other than keeping the physical cable secure, we don't worry too much about
it. Such traffic never leaves our site, and since MVS TCP assiciates a login
name with a list of authorized "ports", it seems to have fixed most of the
big gaping holes.
  . . .
	I remember reading (handwave: about 2 years ago, in RISKS-DIGEST)
about a hospital which was putting in a network.  They had pretty much
decided on ethernet, when some suit found out about collisions: "You mean
sometimes data is transmitted and network errors cause it to be lost!?  We
can't have any data get lost in a hospital!"  And so they decided that they
couldn't use ethernet.
  . . .
For those of you wishing to see what other universities are/have
done, please use the archives here.  I maintain an 'ethics' col-
lection here at UNM from the world's universities.  All entries
have been submitted for posting by different universities and
authors.  You may email or postal mail me your submissions to the
collection.  And you may obtain any policy by 'anonymous' ftp
to unma.unm.edu, the directory is ethics.  The index is 00.INDEX.
I hope this helps.  And yes, I will have it LISTSERV available
soon.
  . . .
We are in much the same boat here at New Mexico State Univ. There is
a tremendous amount of concern over opening up network access to
student records, payroll/personnel, and financial data.
Our solution was to encrypt all traffic coming in to the MVS system
using some kind of VAXstation encryption gizmo. This
sledgehammer approach is only feasible because 1) our
MVS runs on a separate CPU (so only the *currently* smaller
Administrative community has to get encryption units)
and 2) there is no requirement for
general-purpose interactive access to MVS (we only run batch and
administrative CICS, no TSO). In other words, our primary requirement
is TELNET and FTP access to a "secure" (as opposed to
"secure + general purpose") system, so we can get away with
requiring that all traffic be encrypted.
This is obviously a short-term stop-gap, but we hope it will
last until something like Kerberos becomes generally available.
  . . .
     My recommendation:

          When in doubt, encrypt.
  . . .
A key point would be to keep the administrative traffic off of other
segments of the Ethernet by using bridges.  Otherwise,  it is a simple
matter for someone with a PC on the Ethernet to obtain some public domain
software and trap all of the packets they want.

Using routers and subnets can help even more.  You could put all of the admin.
users on a particular subnet and help prevent people on the main network from
using their IP addresses.

You could also use token-ring to connect your administrative users.  That would
go a long way to keep traffic out of the wrong hands.
  . . .
I am at the University of ****** - Office of the President. At this time I
do not have anything to suggest, but I would like to get a summary of what you
are getting and what you may do. The U* system has nine campuses, at least a
couple of them are in a similar position (campus-wide TCP/IP net for academics
and students, etc.). Thank you.
  . . .
==============================================================================
At this point it appears that we will permit limited Administrative traffic
on our campus net, with the following provisions:

 * Bridges will be used to limit users to local subnets.  No unsecure
      nodes will be allowed directly on the backbone.

 * The backbone and as many other links as feasible will be optical fiber.

 * We anticipate installing the MVS TCPIP product and to make it the primary
      Administrative link.

 * Highly sensitive applications (payroll/grades update, etc) will NOT
      be permitted to be accessed through the campus internet link.

 * Periodic reviews of the network topology with emphasis on network
      integrity and security will be performed.

Once again thank you all for your responses.

Frank Tompkins            (TOMPKINS@AKRONVM)            Bitnet
Systems Programmer        (TOMPKINS@VM1.CC.UAKRON.EDU)  Internet
University of Akron
Akron, Ohio   44325
-----------[000051][next][prev][last][first]----------------------------------------------------
Date:      14 Nov 89 23:34:14 GMT
From:      MTG@CORNELLC.CIT.CORNELL.EDU (Mike Garcia)
To:        misc.security
Subject:   Re: Privacy

> Feel free to blow them away.

Bad advice.

A store is a "public" place, and as such a search warrant may not be
required to search it.  There are a number of conditions that allow the
forces of law and order to enter or search without a warrant.  Fire and
"hot pursuit" come to mind.

Interfering with a federal officer is a federal felony.  When the FBI
photographs mob funerals, occasionaly someone blows their top and
punches or shoves a fed.  They get a free vacation at tax payer
expense.

-----------[000052][next][prev][last][first]----------------------------------------------------
Date:      15 Nov 89 03:18:34 GMT
From:      johnl%n3dmc@UUNET.UU.NET (John Limpert)
To:        misc.security
Subject:   Re: locks (again)

>Sargent & Greenleaf locks are very high in quality.

Who sells these locks?  I have only seen them in government installations.

-- 
John A. Limpert			I'm the NRA!
Internet: johnl@n3dmc.UU.NET	UUCP: uunet!n3dmc!johnl

-----------[000053][next][prev][last][first]----------------------------------------------------
From:      doerschu@rex.cs.tulane.edu (David Doerschuk)  17-NOV-1989  4:06:56
To:        misc-security@ames.arc.nasa.gov
>Next to the speaker on the earlier PS/2's is a pair of jumper pins.

PS/2 as in IBM PS/2?  I didn't realize there was any password security
in the PS/2.  Would someone mind posting or emailing a brief explaination?
Is this a DOS 4.1 thing?  It sounds like its in HARDWARE!

Thanks for any information.

Dave
doerschu@rex.cs.tulane.edu
-----------[000054][next][prev][last][first]----------------------------------------------------
From:      gdt@holmes.lcs.mit.edu (Greg Troxel)  17-NOV-1989  4:41:38
To:        security@pyrite.rutgers.edu
Is it unlawful to tape record in-person conversations without the
knowledge of everyone involved?
If so, is the restriction federal, or which states (particularly the
People's Republic of Massachusetts) have such laws?
	Thanks,
	Greg Troxel
	<gdt@lcs.mit.edu>

[Moderator tack-on:  This topic could be a serious flamage magnet.  Replies
to him, pls.  Greg, could you summarize when the flood dies down?  Thanx..
_H*]
-----------[000055][next][prev][last][first]----------------------------------------------------
From:      Lee Ratzan <ratzan@rwja.umdnj.edu>  17-NOV-1989  5:15:15
To:        security@pyrite.rutgers.edu
A recent DoE computer security newsletter states that under certain
conditions "merely inserting a disk can cause one to be [virally]
infected". This statement is unclear: is it an infected disk into
an uninfected system which becomes infected (even without initiating
an application program)? Is it inserting a clean disk into an infected
system (again, with no application open)? Or what? Can you clarify
under what circumstances this infection event can occur?

Thanx,
Lee
-----------[000056][next][prev][last][first]----------------------------------------------------
From:      hedley@imagen.imagen.com (Hedley Rainnie)  17-NOV-1989  5:48:19
To:        misc-security@uunet.uu.net
The Wall Street Journal on Wed Nov 1st had a mini-book review of this book.
Clifford Stoll was able to track down a hacker from W. Germany and his book
relates how he did it. Whats interesting about the article is that it said
the hacker used Gnu-Emacs to tamper with atrun and get su privs in that way.
The article said the Gnu-Emacs is a popular program for editing/electronic
mail. The book sounds interesting.

Doubleday 326 pages $19.95

Hedley
-- 
{decwrl!sun}!imagen!hedley
hedley@imagen.com
-----------[000057][next][prev][last][first]----------------------------------------------------
From:      deh@mordor.eng.umd.edu (Douglas Humphrey)  17-NOV-1989  6:17:56
To:        borgen%sunnvekst.uninett@norunix.eng.umd.edu
Cc:        security@pyrite.rutgers.edu
A Tandem Computers VLX system, a fault-tolerant transaction processing
system, fell over flat on its back (this is a big mainframe, maybe 6
cabs of 6 feet tall and 28 inches or so wide, and weighs a LOT).

It was, of course, still operating just fine flat on its back.  The disks
were still upright, due to their being shorter and having lower ceters
of gravity.  From what I have been told, it was uprighted by Tandem
CEs and never missed a beat.  They had an UPS for power obviously...

Doug
-----------[000058][next][prev][last][first]----------------------------------------------------
From:      DXB4769@ritvax.bitnet  17-NOV-1989  6:40:02
To:        security@pyrite.rutgers.edu
We have a card-access system here at R.I.T. Not completely "universal",but
our ID card is used for our meal plan, as well as a debit card. Cash canut
be deposited on this card and used at most of the college stores.  The card
is also used in the Library for ID, the card and book are scanned, and the
info is saved in their records. Ufortunately,they havent applied this
technology to locks yet...We've still got keys for rooms, buildings, mail-
boxes, and anything else you might want to lock up.

Dave Bafumo
Rochester Institute of Techology
(Student)
Criminal Justice/Computer Science
BITNET: DXB4769@RITVAX
CIS: 73147,3026
-----------[000059][next][prev][last][first]----------------------------------------------------
Date:      15 Nov 89 23:45:00 GMT
From:      WHMurray@DOCKMASTER.NCSC.MIL
To:        misc.security
Subject:   "Smart Cards"

Smart cards carry the data to the point of use, rather than requiring
access to a central database.  Therefore they must have their own
security so that possession of the card is not sufficient for their use.

Since the card has sufficient processing capability and storage to do
conversion from public to secret codes, the security can be very
sophisticated and, if necessary, different for each application.  

The simplest maechanism is a personal identification number similar to
that used with an ATM.  The difference is that the reference data is
stored inside the card.  At this week's Computer Security Institute
exhibit, IBM showed the use of signature verification to demonstrate the
right to beneficial use of data in the card.  The signature reference
data is stored inside the card.  AT&T has obtained a patent for
authenticating the owner by the way that he speaks.  Once more the
reference data is stored on the card itself.  At least in theory, these
three mechanisms can be used in any combination indicated by the
sensitivity of the application.

Since simple posesssion of the card is not sufficient for its use, the
remedy for loss need not involve removing it from the system, though it
likely will be anyway.  

Of course there is no requirement that everything be done with a single
card.  The use of one card for more than one application does increase
the convenience to the user.  While cards are cheap, the use for more
than one application will marginally improve the economics.  On the
other hand, the more applications on a single card, the more disruptive
will be its loss.

The use of the card to carry debit balances is similar to the use of
travelers checks.  While loss is inconvenient, there is a remedy. (see
David Chaum).  Most of us limit the amount that we put into travelers
checks because the interest on the balance transfers to the issuer.  For
the same reason, we will limit the size of balnces that we transfer to
the cards.  However, when large sums are involved, most of us prefer
travelers checks.  In this age of ATMs and credit cards, most of us
limit the amount of currency that we carry to that which we can afford
to lose.

Security, not convenience, is the primary value behind smart cards.
They will be orders of magnitude more secure than currency, travelers
check, checks, letters of credit, coin, or debit and credit cards.  Like
these other items they are "tokens" (  artifacts for conveying
privilegees).  However, they are much more difficult to counterfeit.
The salient characteristic cannot be seen or observed from outside the
token.  It is a secret value that cannot (economically) be read out.
Protocols permit a demonstration that the number is in there without
reading it out.

____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-964-7348 (CELLULAR)
                                        ARPA: WHMurray@DOCKMASTER
Ernst & Young                           MCI-Mail: 315-8580
2000 National City Center               TELEX: 6503158580
Cleveland, Ohio 44114                   FAX: 203-966-8612
                                        Compu-Serve: 75126,1722
                                        INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D              DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840           PRODIGY: DXBM57A

-----------[000060][next][prev][last][first]----------------------------------------------------
Date:      16 Nov 89 04:59:57 GMT
From:      night@RPI.EDU (Trip Martin)
To:        misc.security
Subject:   Re: Cellular Modems

>    1.  How is a Cellular modem different than regular modems?

The problem with cellular phones is that a constant connection is
not maintained.  When you move from cell to cell, the connection
is dropped for a very short period of time while the connection 
gets reestablished.  While this is not noticeable on voice, a modem
is very sensitive to it.

>    2.  How about security?  If anyone can basically "Tune" in

Yup, anyone can tune in, although it is illegal (not that that's going
to stop anyone).  Since to my knowledge, the cellular phone companies
haven't made any attempt to encrypt voice communciations, I don't think
it's likely that it will happen with digital communications either.

-- 
Trip Martin  KA2LIV                           Trip_Martin@mts.rpi.edu 
night@pawl.rpi.edu                          night@uruguay.acm.rpi.edu
** Murphy's Law of Thermodynamics: Things get worse under pressure **

-----------[000061][next][prev][last][first]----------------------------------------------------
Date:      18 Nov 89 02:08:00 GMT
From:      tihor@ACF4.NYU.EDU (Stephen Tihor)
To:        misc.security
Subject:   Re: "The Cuckoo's Egg" by Clifford Stoll

It is an interesting book, a fun read, decent technical content and it
conveys a good view of CLiff himself you is also a fun guy.  Recently I
talk to some people about the history of events in the book and they
indicated that it was not perfect history but good enough for most
readers.

-----------[000062][next][prev][last][first]----------------------------------------------------
Date:      19 Nov 89 21:55:00 GMT
From:      AHAYNES@drew.BITNET
To:        misc.security
Subject:   Re: Universal Card System

I have some "knowledge" on the "smart card".  When I went on a campus
tour of Duke University last spring, my tour guide mentioned about
how their "smart card" works.

As far as I can recall, their "smart card" also worked like a
combination of a credit card and a MAC card. The idea is when you pay
for your tuition,you put in an extra $2000 or $3000 towards the "smart
card". Now with this "smart card" you could go to the campus
supermarket, snack bar, or bookstore and pay with your "smart card".
The computerized system then deducts your purchases from your "smart
card" account.  But there is a catch to this system.  You have to use
ALL of your money by the end of each semester.  The money from your
account does NOT transfer from fall to spring semester. If this does
happen....Duke takes your money...it's that simple.

The "smart card" also works as a "validine", works at the library, and
is also the students identification card.

I think something like the "smart card" would be very beneficial
to the "Drew Community."

If you or anybody else have any questions.....please don't hesitate to
contact me by E-Mail AHAYNES@DREW.BITNET.

Thanks....
Alexandra

-----------[000063][next][prev][last][first]----------------------------------------------------
Date:      20 Nov 89 10:01:00 GMT
From:      DEGROOT@rcl.wau.nl ("Kees de Groot, Computer Systems Security")
To:        misc.security
Subject:   Request for info on student-security-course

Course on security
==================
        Security implies a lot of things like defending
        against malfunctional apparatus, viruses, fraudulous
        people etc. For all these threats there are a lot of
        measures like making regularly backups, double or
        triple system-configurations and anti-virus
        software. Also a good deal of thinking has to be
        done to make your organisation internally secure.

        There are a lot of books covering most of these
        subjects. In my opinion security is a very important
        subject to be taught to students.

        1. Are there any books covering security in such a
           way that the book can be used for a course on the
           subject?

        2. Are there security courses for students and if so
           what subjects are covered?

        Thank you for your time,

Tel. +31-8370-  .KeesdeGroot   (DEGROOT@RCL.WAU.NL)   o\/o  THERE AINT NO
     (8)3557/   Computer Systems Security              []   SUCH THING AS
        4030    Wageningen Agricultural University    .==.  A FREE LUNCH!
                Computer-centre, the Netherlands
                X25:    PSI%(+204)18370060638::DEGROOT
disclaimer:     I always speak for myself
- if you go too far to the east, you find yourself in the west ..  -

-----------[000064][next][prev][last][first]----------------------------------------------------
From:      night@pawl.rpi.edu (Trip Martin)  21-NOV-1989 23:15:00
To:        security@pyrite.rutgers.edu
>Did you know that the 976- , and 1-900 people also keep track of who
>calls, and sells your phone numbers to advertisers

Mailing lists appear to be big business.  I am aware of at least one hospital
which sells names and addresses (and said we couldn't do a damn thing about
it).  I for one would like to know how widespread this practice is across
all industries.

-- 
Trip Martin  KA2LIV       night@pawl.rpi.edu
Finite state machinist    night@uruguay.acm.rpi.edu
-----------[000065][next][prev][last][first]----------------------------------------------------
From:      wcs@cbnewsh.ATT.COM (Bill Stewart 201_949_0705 ho95c.att.com!wcs)  22-NOV-1989  0:12:37
To:        misc-security@att.att.com
An organization I used to work for once had to get an S&G lock
drilled out from a secure room door.  Took about 2 hours and $600
for our local specialist locksmith to do it.  The problem wasn't
with the lock itself - the bolt mechanism was attached to the door
innards by four screws.  One of the screws had come loose and wedged
itself in the bolt mechanism, so the bolt wouldn't turn.  The door
was fairly substantial, and met medium-security specs, but nothing we
couldn't have ripped open with a Sawz-All  if there had been an
emergency.
-- 
# Bill Stewart, AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 ho95c.att.com!wcs
# also 201-271-4712 tarpon.att.com!wcs Somerset 4C423 Corp.Pk 3 FAX 469-1355

#		.... counting stars by candlelight ....
-----------[000066][next][prev][last][first]----------------------------------------------------
From:      wb8foz@mthvax.cs.miami.edu (David Lesher)  22-NOV-1989  0:45:23
To:        security@rutgers.edu
I believe ONLY the S&G locks are GSA approved. Also, if I am not
mistaken, only Molser containers (presently class VI) are accepted.

The S&G 8400 and 8500's are darn good locks. Uncle Sam uses a lot of
them, not just on containers, but office doors (with a special
extension & strike), and communication center vault doors. But
remember, anything can be gotten into if you have enough time.

A Mosler can be drilled. It is not an easy task. We go to great lengths
to try and get it open before we give up and drill. It takes from four
to 8 hours, IF YOU KNOW WHAT YOU ARE DOING. We bring lots of bits, but
typically use big enough drill motors that they give little trouble
(except when you want to lift one ;-}) If you it do it correctly, the
container can be repaired and reused. If you screw up (or burn it
open), you will need a new control drawer. ($$$$)

-- 
A host is a host & from coast to coast...wb8foz@mthvax.cs.miami.edu 
no one will talk to a host that's close..............(305) 255-RTFM
Unless the host (that isn't close)......................pob 570-335
is busy, hung or dead....................................33257-0335
-----------[000067][next][prev][last][first]----------------------------------------------------
From:      deh@mordor.eng.umd.edu (Douglas Humphrey)  22-NOV-1989  1:24:24
To:        jac@paul.rutgers.edu
Cc:        security@pyrite.rutgers.edu
There is a difference between a vault and a safe.  The mosler safe that
we use could be picked up and carried off if you had a small crane
and unbolted it from the floor I guess... It is not a vault, in that 
it is not a room, part of a building, with a large door on it.

In 'drilling a vault' and it causing the bars at the edges to be released,
if the door is in the locked position already, the bars should already
be released and in the jamb.  I can't see where they could become 
'more released'...  As to the door being unusable, the only way to 
do that would be to have a vault door that had thermite bars and 
cause itself to weld shut if it thought it was being tampered with.

The doors being asbestos filled, some are and some use a foam ceramic
that is pretty neat.  Something like space shuttle tiles...  Still, 
a torch (the right kind) would have no real problem cutting through,
nor would a cut-away wheel of correct hardness.  You just have to spend a 
lot of time and energy.  Our mosler is not fireproof, though the 
secure file is.  The file is asbestos lined, which is most likely a 
problem for some government agency or another, though I don't spend
any great amount of time in the safe  ;-)  so I guess it doesn't 
scare me too much.  

If you have a vault, in most cases it makes more sense to go through 
the wall(s), floor, or ceiling.  They take precautions, of course, 
but seldom to the level that they do with the door.  Remember, the 
real reason for the door is psychological;  it looks so mean and 
heavy that nobody would believe that they could get through it.
Not believing they can do it, they never try, and thus never do!
Otherwise, wouldn't it be much more plain, and hiden away where people
couldn't see it?

Doug
-----------[000068][next][prev][last][first]----------------------------------------------------
Date:      20 Nov 89 18:21:51 GMT
From:      34AEJ7D@cmuvm.BITNET ("W. K.  Gorman", Bill)
To:        misc.security
Subject:   without wires...


     I have seen several references to devices used to intercept and display
the keystrokes entered on a PC in a nearby building/room by sensing the
electronic signature produced as each key is pressed, with no actual,
physical connection to the target PC. How do these devices function, and how
can we detect/interdict their use?

W. K. "Bill" Gorman 34AEJ7D@CMUVM.BITNET
Acknowledge-To: <34AEJ7D@CMUVM>

-----------[000069][next][prev][last][first]----------------------------------------------------
Date:      20 Nov 89 21:41:55 GMT
From:      jcmorris@MBUNIX.MITRE.ORG (Morris)
To:        misc.security
Subject:   Re: REINIALISING PS/2 PASSWORDS

The PS/2 hardware (OK, it's in the BIOS.  Purist.) supports two passwords:
one at power-up time, and one to temporarily lock the keyboard.  By default
neither is required; the setup disk ("Reference Disk" in IBMspeak) is used
to set them up.  A DOS command ("kb") is used to lock the keyboard by
modifying a hardware control register; BIOS reads the subsequent input
from the keyboard and presents it to the hardware for comparison against the
(CMOS-resident) password.  It appears to be solid as long as you can keep
people and metallic probes out of the guts of the machine.

(Yes, there may be some pickable nits in the above...we've got tons of PS/2
boxes here, but none on my desk.  I _think_ I've got it right...)

Joe Morris

-----------[000070][next][prev][last][first]----------------------------------------------------
From:      ARTABAR@MTUS5  22-NOV-1989 18:20:57
To:        SECURITY@OHSTVMA
What are the policies at your institution concerning monitoring of mail and
other inbound files, as well as interactive chatting (TALK, TELL, IRC, etc)?

Would you consider it a violation of personal security if your mail and
chatting was being monitored by your institution?
                Just a couple of questions as food for thought.
                              Andy
-----------[000071][next][prev][last][first]----------------------------------------------------
From:      <NORDBERG@scranton.bitnet>  22-NOV-1989 18:56:03
To:        security@pyrite.rutgers.edu
Noel asked about any bibliographic references concerning actual or
potential breaches of computer security. Since s/he did not list an
e-mail address I'll reply via this discussion group.

"The Cuckoo's Egg" by Cliff Stoll just came out and is an interesting case
study of breaches of long duration of both academic and military
systems (including companies doing business with the military such
as BBN, TRW and MITRE).  Stoll's efforts to alert various groups met with
a fair number of responses that can be characterized only as denial.

Stoll, Clifford
"The Cuckoo's Egg"
Doubleday (c) 1989
ISBN 0-385-24946-2

---------------------------------------------------
Kevin Nordberg
Dept. of Philosophy
University of Scranton
BITNET: NORDBERG@SCRANTON
-----------[000072][next][prev][last][first]----------------------------------------------------
From:      jad@dayton.dhdsc.mn.org (J. Deters)  22-NOV-1989 19:33:31
To:        security@rutgers.edu
A frequent culprit in false alarms is moisture somewhere in the loop.
"Take this simple quiz!"

1.  Do you notice a higher incidence of false alarms during rainy
    weather, or in high humidity situations?

2.  Have you done (or had done) any plumbing recently?

3.  Condensation buildup on windows can seep into the surrounding
    woodwork and play havoc with bare splices that touch that wood.
    Do your windows 'fog up' now more than they did two months ago?

4.  The staples you used -- were they insulated (paper or plastic)?
    Piercing the wire or crushing the jacket can easily cause your
    wonderful hidden problems.

5.  Damp wood may be swelling up and putting a strain on a poorly
    made joint.

To isolate your problem, you may consider connecting up each device
on its own independent loop, or putting two or three on each loop
until you can narrow it down to which device is failing.  Then,
test the individual wiring and device, and repair or replace as
needed.

Hope this helps,
-j
--
J. Deters
jad@dayton.DHDSC.MN.ORG    .\ /.    "Smile -- Cthulu loathes you!"
john@jaded.DHDSC.MN.ORG   \_____/
-----------[000073][next][prev][last][first]----------------------------------------------------
Date:      21 Nov 89 16:09:00 GMT
From:      system@LNS61.TN.CORNELL.EDU ("SYSTEM MANAGER")
To:        misc.security
Subject:   re: controversy

Lee,

You recently posted a message to the security mailing list.
Unfortunately, you neglected to include a "signature", and the message
that I received via the Bitnet forwarding list contained no return address
other than the security mailing list itself. As a result, I'm posting
my response there (in full public view. gak. ;-)

[Moderator injection: This is real close to being fixed.  Apparently only
one of the "peer" sites that redistribute this stuff on Bitnet is at fault,
due to its running outdated versions of listserv.  This should be upgraded
as soon as the political/administrative red tape is out of the way.]

You asked:

> This statement is unclear: is it an infected disk into
>an uninfected system which becomes infected (even without initiating
>an application program)? 

No.

Simply inserting an infected disk into an uninfected system does not 
infect that system until some code on the infected disk is executed.
I am intentionally not being specific about what code has to be
executed. That detail is a function of the type of virus and computer.
Booting from an infected disk or running an infected program are the
usual "vectors".

>Is it inserting a clean disk into an infected
>system (again, with no application open)? 

Yes.

Inserting a "clean", write-enabled diskette into a drive on a system that 
is already infected may cause that diskette to become infected. The 
details of how the infection propagates is a function of the type of virus 
and computer.

When you insert a diskette into a drive, most systems attempt to read
the appropriate blocks on the diskette to determine the volume label
and other information. Most viruses subvert the computer's native I/O
software and intercept all I/O requests. When such a virus notices
that a write-enabled diskette has been newly inserted in a drive,
it will attempt to make a copy of itself on that diskette.

Again, the details of what a virus will do varies. 
On some systems, there is enough room in the boot blocks for the entire virus.
Some viruses insert themselves into standard system programs.
Others will mark some disk blocks as bad and hide most of the code 
there. Minimal modifications of a boot block or system program are
needed to load the real code from the "bad blocks".

Later when you try to boot from that disk, or run the infected program,
the virus copy will again subvert the I/O system of your computer
and look for write-enabled disks to infect.

Modern computers implement write-protection in the hardware of the disk
drive. Apparently only old Apple computers used software to protect 
their disks from writing. So long as your drive isn't broken (or modified), 
your disks are safe from infection if the write protect tab is in the
correct state.

For further details, you should subscribe to the virus mailing list.
You might contact the moderator, Kenneth R. van Wyk <krvw@SEI.CMU.EDU>,
to learn how to subscribe. The procedure varies somewhat depending
on your actual address.

I hope this helps explain the situation.

Selden E. Ball, Jr.
(Wilson Lab's network and system manager)

Cornell University                 Voice: +1-607-255-0688 
Laboratory of Nuclear Studies        FAX: +1-607-255-8062
Wilson Synchrotron Lab            BITNET: SYSTEM@CRNLNS
Judd Falls & Dryden Road        Internet: SYSTEM@LNS61.TN.CORNELL.EDU
Ithaca, NY, USA 14853-8001   HEPnet/SPAN: LNS61::SYSTEM = 44283::SYSTEM

-----------[000074][next][prev][last][first]----------------------------------------------------
Date:      22 Nov 89 00:25:00 GMT
From:      UCS_KAS@shsu.BITNET (Ken Selvia 409-294-3547)
To:        misc.security
Subject:   RE: Re: Privacy vs on-line library

Students are given access to various parts of the student-information
system via terminals in the library here.  One of the things they can
change is their "Buckley" status.  Unless they request otherwise, we
can give information about them to anyone (I suppose anyone...) who
asks for it.  The message below is the one they receive when they
select the option of changing their Buckley status:

============================================================================
      Under the terms of the Family Educational Rights and Privacy
      Act, Sam Houston State University has established the following
      as directory information:

      Name                            Birthdate and Place of Birth
      Local/Home Addresses            Local/Home Telephone Numbers
      Major/Minor                     Classification
      Extra-curricular Activities     Honors and Awards

      Names and Addresses of Parents/Legal Guardians
      Weight, Height, and Related Information of Athletic Team Member
      Age, Race, Sex, and Marital Status
============================================================================

Students can also display this information about other students when
available.  (ie. If we have it, and the other student has not changed their
Buckley status.)  Recently some insurance company bought a mailing list from
us and they put our name on the letters.  Parents were given the impression
that the university was somehow responsible for the letters. I assume the
lawyers are busy figuring out what to do about it.

BTW: I believe a 10,000 name list sells for around $2,000.00!

On the good side: Credit card companies can't wait to GIVE cards to
graduating seniors.  I must have received 6 pre-approved applications
just because I was going to graduate.  They hook you ASAP.  Hmm, maybe
it's not so good...

Regards, Ken.

Kenneth Selvia    Programmer Analyst    (BITNET:  UCS_KAS@SHSU.BITNET)
Sam Houston State University                      Huntsville, TX 77341
[This is probably not the official or unofficial position of SHSU]

-----------[000075][next][prev][last][first]----------------------------------------------------
Date:      22 Nov 89 00:43:57 GMT
From:      eickmeye@GIRTAB.USC.EDU (Biff Henderson)
To:        misc.security
Subject:   Re: REINIALISING PS/2 PASSWORDS

It is in hardware and it is the IBM PS/2s.

All of the PS/2s which I have (been unfortunate enough to) come in contact
with have this option.  The password is set using the "setup" software
which comes with the machine.  When the machine is cold-booted (i.e. turned
on, as opposed to warm-booted with the Ctrl-Alt-Del key sequence), a "key"
symbol appears in the top left corner of the screen, something like:

o-n

Yes, it is a simple representation as above, although I do not have it
exactly correct; they use some high-end ASCII symbols (in the 128-255 range)
to make the key look a bit better.

If the password is not typed correctly, you get a large X underneath the
key and a second attempt, then a third attempt.  If the three attempts are
all incorrect, then you must power down the machine and restart it.

The password may be changed by typing the old password followed by a special
character, I think it's the forward-slash /, followed by the new password.
Of course, the password may also be deleted.

I believe the maximum length of the password is eight characters.

These are my recollections from using PS/2s, but perhaps an owner could
shed more light on the exact situation if my recollections are incorrect.

-----------[000076][next][prev][last][first]----------------------------------------------------
Date:      22 Nov 89 16:36:58 GMT
From:      jwm@STDA.JHUAPL.EDU (Jim Meritt)
To:        misc.security
Subject:   Re: Privacy vs on-line library

If a list of where these on-line libraries are and how to reach them is
available, PLEASE send it to me.
            ^^^^
(Insert appropriate wimpering here)

"In these matters the only certainty is that nothing is certain"
					- Pliny the Elder
These were the opinions of :
jwm@aplcen.apl.jhu.edu  - or - jwm@aplvax.uucp  - or - meritt%aplvm.BITNET

-----------[000077][next][prev][last][first]----------------------------------------------------
Date:      22 Nov 89 17:59:00 GMT
From:      TOM@fandma.BITNET (Tom - Tech Support)
To:        misc.security
Subject:   Policy

While this shouldn't be taken as an official policy statement, there is no
question that monitoring of incoming mail, outgoing mail, or interactive
traffic would be considered a violation of privacy.  A flagrant violation
at that!  In my opinion, even monitoring the volume of traffic to/from an
individual would be a privacy issue.

We do check on disk useage on a regular basis -we do not allocate
quotas even though we could- but that is to the extent that heavy users are
asked to housekeep.  If that doesn't work, we run a full directory to look
for duplicate files, etc.  We would then ask them again to remove excess
files.  This has always worked.

******************************************************************************
* FRANKLIN & MARSHALL COLLEGE               COMPUTER SERVICES -TECH. SUPPORT *
*           Thomas C. Mahoney, Computer Electronics Technician               *
* PO Box 3003                                            BITNET: Tom@FANDM   *
* Lancaster, PA  17604                                   AppleLink: A0159    *
* Disclaimer: Better than datclaimer.                    (717) 291-4005      *
*           Last year I cudn't spell teknishun and now I are one.            *
* ****************************************************************************

-----------[000078][next][prev][last][first]----------------------------------------------------
Date:      23 Nov 89 21:30:33 GMT
From:      pat@grebyn.com (Pat Bahn)
To:        misc.security
Subject:   Mac Security Software

Does anyone out there have some good software to encrypt files on a
MAC???  I have a mac2 and SE that are going to start handling personally
sensitive data where I can't control physical access, is there anyway
to password protect the hard disk???? That or encrypt the files?

Thanks
-- 
=============================================================================
Pat @ grebyn.com  | If the human mind was simple enough to understand,
301-948-8142      | We'd be too simple to understand it.   
=============================================================================

-----------[000079][next][prev][last][first]----------------------------------------------------
From:      dcdwest!sarge@ucsd.edu (Sergeant Bob Heddles)  27-NOV-1989 12:32:50
To:        ???
I was wondering where I could get the unit patches (uniform) of the
different police and other emergency departments of the U.S.A. and
Canada?  Is there a catalog company and /or store that carries
them? If not would the people on the network with the affilations
of the aboved mentioned departments be willing to send one to me? I
am trying to build a collection of patches. Any and all help would
be greatly appreciated....

			Thanks,

			  Bob
-- 
Bob Heddles                        | ITT Defense Communications Division
ucbvax!ucsd!dcdwest!sarge          |     10060 Carroll Canyon Road
sarge@dcdwest%ucsd.edu             |       San Diego, CA 92131
Opinions expressed are mine alone. Since no-body else wants them.
-----------[000080][next][prev][last][first]----------------------------------------------------
From:      joel achtenberg <C04810JA@wuvmd.bitnet>  27-NOV-1989 13:02:46
To:        security@pyrite.rutgers.edu
At washington university (st louis) we have a number of different
cards, not a universal card.  Student ID's have recently switched to
a mag-strip, used for validation in the cashier's office and for access
to athletic facilities, special events, etc.  The same card is used in
the library.  A different card is available for purchase and use in
laser printers and photocopy machines; money can be added as necessary.
A similar, but separate card is used by the food service for students
on meal plans; money is deducted from the card with each meal purchased
and additional credit can be purchased.  A Universal card would certainly
be useful, from my point of view, but would have significant administrative
problems since the various cards currently are controlled by several
different departments.
-----------[000081][next][prev][last][first]----------------------------------------------------
From:      Mike Garcia <MTG@cornellc.cit.cornell.edu>  27-NOV-1989 13:24:38
To:        security@pyrite.rutgers.edu
>The DEA regularly raids "indoor gardening" stores, many of which can and
>do serve a legitimate, law-abiding clientele, without ever filing
>formal charges against the owners, merely to gain the computerized customer
>lists therefrom.

It does not even have to be computerized.

The Chicago police department has a squad called the "gun squad" which
confiscates unregistered handguns.  It is enormously successful in
terms of the number of handguns seized.  Reportedly one of the Chicago
PD's techniques is to acquire lists of legally purchased handguns,
which were purchased oustside of Chicago.  These lists include the name
and address of the purchaser.  The Chicago PD then checks the names on
the lists against the names of store and resturant owners whose places
of business are located in Chicago.  When a match is found, the place
of business is searched.  Since it is a public place, no search warrent
is needed.  If a handgun is found on the premises, it is seized.

These lists are acquired from the US Bureau of Alcohol, Tobacco and
Firearms (BATF).  BATF assembles these lists by inspecting the records
of gun shops near, but outside of, Chicago.  It is a federal
requirement that all firearm purchases be recorded, and the gun shops
can not refuse BATF access to the records.

In all probability, part of your library's budget is federal money.  If
a federal agency wants access to such information, it will have
powerful tools for compelling complience.  Once the feds have the data,
they can do whatever they want with it, including giving it to a third
party.

If your library keeps track of what information you access, for
whatever reason, you have no real guarantee that it will not be
misused.

                            Mike Garcia

-----------[000082][next][prev][last][first]----------------------------------------------------
Date:      27 Nov 89 21:46:00 GMT
From:      DAVE@unmb.BITNET ("David D. Grisham")
To:        misc.security
Subject:   Security for Novell

Those of you who have Novell networks and virus problems,
I ask:
        Has anyone bought and implemented the Novell scanning
program "netscan"?  We (UNM) are purchasing VIRUSCAN for a
few machines, at $15 per this is reasonable.  However, $1000
for a site license of NETSCAN is a bit steep.  We won't buy it
unless it is working at other institutions with great results.
Can you who do, please write me or post?
        I'd also like to hear if anyone can suggest a better
product.   The security of networks is the one problem
facing us all.  Thanks in advance.
dave

  Dave Grisham, Security Administrator, CIRT      Phone (505) 277-8148
  University of New Mexico                        USENET DAVE@hydra.UNM.EDU
  Albuquerque, New Mexico  87131                  BITNET DAVE@UNMB

my comment for the day-
     It is to bad that the DOS world can't put out a product like
     Disinfectant (Damn good and free).  Do all the nice guys
     wear Macs?

-----------[000083][next][prev][last][first]----------------------------------------------------
Date:      27 Nov 89 23:31:33 GMT
From:      daemon@MCNC.ORG (David Daemon)
To:        misc.security
Subject:   Re: "The Cuckoo's Egg" by Clifford Stoll

The GNU Emacs support utility that caused the problem was installed
setuid, when it had never been designed to be setuid.  Setuid programs
need to be carefully(!) designed to work securely with such
privileges, and you WILL get in trouble cavalierly making random
programs setuid.  I don't believe that the GNU Emacs installation
instructions ever suggested making that program setuid.  A cautious
system administrator would not have done so - I, for one, didn't.  I
understand that certain features may have been lacking for some
versions of Unix running emacs without this utility setuid, but I am
confident that there were different, secure, alternatives, which could
have provided the same features.  I don't recall more specific
details, because the BSD 4.[23] versions of Unix that I was using
never forced me to deal with them.

	Stephen P. Schaefer		MCNC
	sps@mcnc.org			P.O. Box 12889
	...!mcnc!sps			RTP, NC 27709

-----------[000084][next][prev][last][first]----------------------------------------------------
Date:      28 Nov 89 00:40:54 GMT
From:      GSRLR@alaska.BITNET ("Robyn Robertson GSRLR@ALASKA")
To:        misc.security
Subject:   (none)

In response to the recent query re e-mail security at various sites, our
local VAXen computer manager responded to me with the following msg.  Our
area netwok consists of three VAXen located at various far flung sites here
in the state, as well as a pair of additional machines here in Fairbanks
which belong to the math department and campus security.

Our mail package for e-mail within our network is a home grown system which
serves our local DECnet as well as Internet and BITNET msgs. through
interface with the espective daemons.  The 'PHONE' utility is a DEC chat
package.

=> #48 ACAD3A::FXJWK       Mon 27 Nov 1989  09:53  (   5/  329)

>From:     Jo Knox - Academic Computing

Nothing is monitored here, although the system does keep track of the numbers
of messages sent and received, and personally, I would feel it a violation not
of personal security, but of privacy to do so....
Incidentally, this does not include the VAX/VMS PHONE utility, which uses
open mailboxes---PHONE can be tapped by anyone.

-----------[000085][next][prev][last][first]----------------------------------------------------
Date:      29 Nov 89 18:14:22 GMT
From:      GSRLR@alaska.BITNET ("Robyn Robertson")
To:        misc.security
Subject:   (none)

>>How true.  I understand that some crime investigators appreciate that
>>the best time to try to find somebody in a public place that they
>>"randomly" frequent is precisely one week after a time they were known
>>to be there, e.g. when a crime occurred.

An interesting observation.  I am sometimes astonished at the discussions
on this list concerning the technology of security.  I have had close
contact with literally hundreds of convicted felons, and the most
overwhelming characteristic of this group is the collective ignorance these
people share.  I will not deny that there is criminal expertise in the
world, but the reality is, most people dedicated to criminal enterprise
become so after they have met successive frustrations in their attempts to
make a way through the world without resort to crime.  I think that this
implies a very high level of social dysfunction, and a powerful
characteristic of this dysfunction seems to generally include very poor
academic performance. This tends to keep the level of technical expertise in
the criminal counterculture to an absolute minimum.

Certainly, there is reason in technological overkill where very sensitive
data or materials is concerned(Items within the three classes of
'international currencies'; armaments/explosives, precious stones/metals,
and pharmaceuticals, both intoxicants and the sort of meddicinals used to
treat combat sustained trauma.  I call these "internationa currencies"
because governments may rise and fall, plagues, war and terrible catastrophes
may sweep the earth, but these three classes of materials ALWAYS retain
their value, often even increasing in value amid catastrophe.)  Yet for the
vast majority of applications, there is just not enough expertise out there
among criminals to justify the expense of extemely high tech security
devices.  The age of television has created a myth of criminal technical
expertise far more substantial than the fact.
****************************************************************************
Robyn RRobertson
BITNET: FSRLR@ALASKA
Internet: gsrlr@acad3.fai.alaska.edu
P.O.Box 81638
Fairbanks, AK   99708

-----------[000086][next][prev][last][first]----------------------------------------------------
Date:      29 Nov 89 20:16:35 GMT
From:      len@CSD4.CSD.UWM.EDU (Leonard P Levine)
To:        misc.security
Subject:   Re: Personal Computer Viruses

> What if your formatting program was corrupted?  Suppose it wrote a copy of
> a virus out onto every disk it formatted?
> I would worry about it.

I agree.  Even so simple a virus as the Pakistanii virus will survive a soft
reboot, and will corrupt the boot sector of every disk formatted.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.cs.uwm.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              FAX    (414) 229-6958 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

END OF DOCUMENT