ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1989)
DOCUMENT: Rutgers 'Security List' for November 1989 (87 messages, 43658 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1989/11.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
-----------[000000]----------------------------------------------------
From: Brian Kaplan <KAPLANB@iubacs.bitnet> 3-NOV-1989 1:04:23
To: SECURITY@UGA

Doesn't make any sense. As soon as one formats a disk, all the tracks and sectors become available for data and if there was a virus written on the unformatted disk, it would be overwritten. One could always be safe and use one of the Norton Utilities and erase the disk to government specs. I would worry about it. Bye for now.
-----------[000001]----------------------------------------------------
From: Trond Borgen Mork <borgen%sunnvekst.uninett@norunix> 3-NOV-1989 1:41:15
To: <security@finhutc.earn>

Hello everybody!

I'm interested in information (independent stories) about the California earthquake's impact on computer systems in different companies and organizations. Any stories about preparedness (good and bad) and consequences because of computer breakdown are highly welcome. It would be particularly interesting to hear about how consulting firms and research institutions dealing with computer security handled the disaster. However, other kinds of companies and organizations are interesting too.

I'm a project leader working on information security at Moere og Romsdal Teknologisenter (MRT). MRT is a research institute in Aalesund. Aalesund is a city on the western coast of Norway.

Greetings, Trond.
-----------[000002]----------------------------------------------------
From: JohnH <JAHARITO@owucomcn.bitnet> 3-NOV-1989 2:06:38
To: security@ohstvma

Sorry for bothering the list, but it's the only thing I can do... Somebody whose name I forget wrote to me asking for my DES implementation. I replied to him and said I would send you something, which I didn't... The reason is that after I replied to your mail message, I deleted it and thus couldn't remember your username and address to send you the files... I apologize for that and ask you to send me your address again to send you the file. Again, really sorry, I apologize.

John Haritos.
-----------[000003]----------------------------------------------------
From: *Hobbit* <hobbit@pyrite.rutgers.edu> 3-NOV-1989 2:34:25
To: security

It's been brought to my attention that Bitnet listservers fairly often mash From: addresses to show security@pyrite.rutgers.edu instead of the original sender of the message. Despite, of course, all my efforts to make Sendmail retain these lines. [Listserv leaves a lot to be desired.] If you're on a bitnet machine and wish to reply to a message, please read the incoming headers carefully to figure out who the message is from [and feel free to contact me if they've been muched beyond belief and you can't figure out who it's from]. Since different machines treat incoming mail differently, there's no way for me to experiment and come up with something that reliably works everywhere... _H*
-----------[000004]----------------------------------------------------
Date: 1 Nov 89 19:07:00 GMT
From: XA3I@purccvm.BITNET (Robert Allinson)
To: misc.security
Subject: Cellular Modems

Does anyone know about the security implications of Cellular Modems?
Since cellular transmissions are in the 800 frequency band, anyone with
a receiver which can tune in to these high frequency bands could
listen in. Therefore, I have 2 questions:
1. How is a Cellular modem different than regular modems? (What
special features must this type of modem have?)
2. How about security? If anyone can basically "Tune" in, what
implications will this lead to as far as the technological aspect
of the hardware?
I'd appreciate any comments on this matter.
+---------------------------------------------------------------------+
: Robert C. Allinson Purdue University - Computer Technology :
: Bitnet: XA3I@PURCCVM :
: :
: Work Phone: (317) 494-1638 Administrative Data Processing Center:
: :
+---------------------------------------------------------------------+
-----------[000005]----------------------------------------------------
From: dasys1!eravin@cmcl2.nyu.edu (Ed Ravin) 3-NOV-1989 2:57:15
To: misc-security@cmcl2.nyu.edu

One thing the enlightened cyclists are doing in Manhattan is to always lock the bike up with two different kinds of locks. The average bike thief is only prepared to break one kind of locking system. The usual combination is a U-lock and a flexible cable with padlock. That means the thief would have to carry two different sets of tools to get the bike. Most streetwise bikers also take some old chain links and rivet a little loop of chain between the bicycle seat and the frame, to discourage parts thieves from taking the seat.

Bike theft is disgusting in this city: even your 3-speed covered with rust isn't safe. The new unit of commerce is the crack vial: as long as your bike is worth at least one vial to someone, it is a potential theft target.

--
Ed Ravin                  | hombre!dasys1!eravin | "A mind is a terrible thing
(BigElectricCatPublicUNIX)| eravin@dasys1.UUCP   | to waste-- boycott TV!"
--------------------------+----------------------+-----------------------------
Reader bears responsibility for all opinions expressed in this article.
-----------[000006]----------------------------------------------------
Date: 3 Nov 89 01:12:44 GMT
From: meister@GAAK.LCS.MIT.EDU (phil servita)
To: misc.security
Subject: bike locks

The kryptonite K4 bike lock now comes with a 1000 dollar guarantee against
theft. this guarantee is valid everywhere but New York City. Funny that.
-meister
-----------[000007]----------------------------------------------------
Date: 3 Nov 89 14:02:49 GMT
From: ratzan@RWJA.UMDNJ.EDU (Lee Ratzan)
To: misc.security
Subject: controversy

A recent DoE computer security newsletter states that under certain conditions "merely inserting a disk can cause one to be [virally] infected". This statement is unclear: is it an infected disk into an uninfected system which becomes infected (even without initiating an application program)? Is it inserting a clean disk into an infected system (again, with no application open)? Or what? Can you clarify under what circumstances this infection event can occur? Thanx, Lee
-----------[000008]----------------------------------------------------
Date: 3 Nov 89 15:26:52 GMT
From: deh@MORDOR.ENG.UMD.EDU (Douglas Humphrey)
To: misc.security
Subject: Re: Earthquake

A Tandem Computers VLX system, a fault-tolerant transaction processing system, fell over flat on its back (this is a big mainframe, maybe 6 cabs of 6 feet tall and 28 inches or so wide, and weighs a LOT). It was, of course, still operating just fine flat on its back. The disks were still upright, due to their being shorter and having lower centers of gravity. From what I have been told, it was uprighted by Tandem CEs and never missed a beat. They had an UPS for power obviously...

Doug
-----------[000009]----------------------------------------------------
From: JUTBAAA <JUTBAAA@iup.bitnet> 5-NOV-1989 12:54:07
To: <SECURITY@pyrite.rutgers.edu>

IS THERE A WAY TO ERASE THE PASSWORD FROM THE EEPROM? SOMETHING SHORT AND SWEET LIKE THE ONE FOR THE PS2 WILL BE APPRECIATED.

Abhik Biswas
Indiana University of Pennsylvania, Indiana, PA.
-----------[000010]----------------------------------------------------
From: TENCATI@nssdca.gsfc.nasa.gov (SPAN SECURITY MGR. (301)286_5223) 5-NOV-1989 13:36:45
To: misc-security@uunet.uu.net

On a related note - Did you know that the 976- , and 1-900 people also keep track of who calls, and sells your phone numbers to advertisers in the same manner that credit card companies sell your address? I'm not sure if this is also true for 1-800 calls, since they are AT&T or another carrier company, but apparently there are no rules against selling your number. Ron Tencati NASA/Goddard Space Flight Center Tencati@Nssdca.Gsfc.Nasa.Gov
-----------[000011]----------------------------------------------------
From: deh@mordor.eng.umd.edu (Douglas Humphrey) 5-NOV-1989 14:15:48
To: cygnus@vax1.acs.udel.edu
Cc: security@pyrite.rutgers.edu

I used to do this all the time with "thermocons" which were IR sensors that a local (big) security firm placed in front of doorways to trip the drop bolt when people were walking OUT of the secured location. This was a big problem, since fooling the thermocon made the door unlatch. Even if there is no way to do it with a laser (sometimes you could not get line of sight to the sensor) then you can get a can of lighter fluid, squirt it all under the door, and then light it, which I *assure* you will trip the sensor. Remember to put the fire out before you wander through the place and steal stuff....

Doug
-----------[000012]----------------------------------------------------
From: gwyn@brl.mil 5-NOV-1989 14:57:28
To: security@rutgers.edu

>How secure are Sargent & Greenleaf combo locks?
>What do we get for their "anti-manipulation" feature - just an extra key
>lock that immobilizes the combination dial?

It depends on the model, but in general S&G makes pretty good combination locks. "Anti-manipulation" usually indicates just what it says, that the lock design includes features especially aimed at making manipulation (the art of opening a combination lock without knowing the combination a priori) difficult. One such feature would be additional (shallow) fake notches around the periphery of the wheels. The best feature is one that prevents using the actuator handle to apply drag to the wheel pack.
-----------[000013]----------------------------------------------------
From: CNSM CCR _ Rob Rothkopf <MASROB@ubvmsc.cc.buffalo.edu> 5-NOV-1989 15:38:54
To: security@pyrite.rutgers.edu

I have a home wired with all Radio Shack parts; when the main unit is tested alone without ANY loops, all works fine (keypad, panic buttons, etc). When I add any loops to it, it periodically is tripping for "no apparent reason." The loop is a straight loop consisting of only Vibration Sensors... due to the false tripping the adjusting screw has made the system useless for now as only a LARGE bang would trigger them.. but still, on a calm day, no winds, everyone still, the alarm (armed) is being set. All I could figure is something building up resistance in the circuit.. all wires are stapled to wooden structural supports or studs, the system is grounded and there is a battery backup in place. ANY ideas as to what could be causing the problem??? At times it has been flawless for periods of 2 months and then it starts happening daily!! :( --Rob Rothkopf BITNET: MASROB@UBVMS INTERNET: masrob@ubvms.cc.buffalo.edu
-----------[000014]----------------------------------------------------
From: OPER014@umuc.bitnet 5-NOV-1989 16:26:40
To: SECURITY@UBVM

I know that shorting the 2 pins by the speaker will
get you into a password protected ps/2, but I don't think
it actually reinitializes the password... It's my understanding
that that feature is for repair persons, and they would not
necessarily want to erase it. Please, somebody tell me if I'm
wrong...
Also a note to the more security conscious- As an occasional
practical joke I gain entrance to people's PS/2s by shorting
those 2 pins with a paper clip through vent holes in the case.
(I have only tried this on Model 50s). So you may want to
place some kind of shield inside the box... locked, of course.
Incidentally, this was 'fixed' on the 50z- you have to move a
jumper from one pair to the other in a group of three pins...
the jumper is large enough to cover the shorted pins completely.
---------------------------------------------------------------
oper014@umuc
@umuc.umd.edu Jim
Whats that red button do?
-----------[000015]----------------------------------------------------
From: swn@stingray.rice.edu (Steve Nuchia) 5-NOV-1989 17:13:36
To: misc-security@uunet.uu.net

> DEC also won't let us put 'internal' hostnames on our business cards.

The obvious solution is to have DEC-wide unique aliases recognized by the mail server on dec.com. Then put unique.id@dec.com on your cards. If you come across a CMU business card check it out -- excellent example.

Not putting internal names on published documents is a good idea for two reasons. First it prevents trouble when the machine you named goes away, permanently or temporarily. Secondarily it makes it harder for the bad guys to use "traffic analysis" and similar techniques to deduce things about what DEC might be up to. Personally I think if they care enough to do that there are other ways to figure it out, but since the technical considerations align with the political in this case it seems logical to do it right.

In the absence of a usable common address the "security" argument has to be fought. It is weak but not invalid, so it becomes a question of priorities.
-----------[000016]----------------------------------------------------
From: NESCC@nervm.bitnet (Scott C. Crumpton) 5-NOV-1989 18:02:33
To: security@pyrite.rutgers.edu

> I found the resistance in each switch to vary, one by over 100 ohms... secon
> later the same switch read 7 ohms.?!

Hmm... I installed a RS system in my house and found this to be a major problem. It appears that RS sells the lowest quality magnetic switches possible. The only way I was able to solve the problem (short of replacing all the switches) was to wire each loop to control a 12v relay. The relay contacts were then wired to the alarm center in place of the loop. This had the effect of increasing the loop current from about .5ma to 50ma. The increased current and/or the inductive "kick" from the relay coils seems to have solved the problem.

Before adding the relays I was averaging one false alarm per week. Obviously an unacceptable situation that prevented connecting the noise makers. After adding the relays I continued testing the system for 3 months with zero false alarms before connecting the noise maker. It has now been connected for about 2 years with zero false alarms.

The moral of the story is that the RS stuff can be made to work reliably. But probably not by your average consumer.

---Scott.
-----------[000017]----------------------------------------------------
From: deh@mordor.eng.umd.edu (Douglas Humphrey) 5-NOV-1989 18:36:12
To: 34AEJ7D@cmuvm.bitnet
Cc: security@pyrite.rutgers.edu

To a large extent, S&Gs are the best (or one of the best). We have them on a Mosler and an older Remington safe, both GSA certified storage containers for classified materials, the Remington at Secret and the Mosler higher than that. The Mosler is a double safe, with an S&G MP on the outside, and a special S&G on the inside (built to somebody's specifications). Your local Mosler lock people will support the S&Gs with no problem, doing yearly maintenance, etc. and getting you out of a jamb (pun intended) when you need it...

I am not sure what you mean by "anti-manipulation" feature; ours are MP locks, Manipulation Proof, but that really has to do with the internals on the lock, not an external locking pawl or anything like that.

By the way, don't make the mistake that a lot of people do and fail to get yearly maintenance done on the lock(s). Sure, they most likely won't need it, and you will be throwing around $100/year to the wind, except for the day that the damned thing jams on you, and you discover the extreme cost of having your safe/vault drilled... Remember that these things are designed specifically to make it hard to do this. The estimate to have one of ours drilled by Mosler was many hundreds of dollars, plus materials costs (14 diamond tipped bits, 2 drills [they figure that they will burn out 2 doing this] and other assorted things) plus the cost for them to weld in a plug of hardened steel and then the possibility (if you are a cleared storage facility) that the Government folks are not going to like the plug job and require that you buy a new safe door and have it put on... Big Bucks...

Doug
Digital Express, Inc.

P.S. We didn't have to have it drilled, we were just asking...
-----------[000018]----------------------------------------------------
Date: 5 Nov 89 23:46:34 GMT
From: NESCC@nervm.BITNET (Scott C. Crumpton)
To: misc.security
Subject: RE: Home Alarm Installations, R.S. Setups

> I found the resistance in each switch to vary, one by over 100 ohms... secon
> later the same switch read 7 ohms.?!

Hmm... I installed a RS system in my house and found this to be a major problem. It appears that RS sells the lowest quality magnetic switches possible. The only way I was able to solve the problem (short of replacing all the switches) was to wire each loop to control a 12v relay. The relay contacts were then wired to the alarm center in place of the loop. This had the effect of increasing the loop current from about .5ma to 50ma. The increased current and/or the inductive "kick" from the relay coils seems to have solved the problem.

Before adding the relays I was averaging one false alarm per week. Obviously an unacceptable situation that prevented connecting the noise makers. After adding the relays I continued testing the system for 3 months with zero false alarms before connecting the noise maker. It has now been connected for about 2 years with zero false alarms.

The moral of the story is that the RS stuff can be made to work reliably. But probably not by your average consumer.

---Scott.
-----------[000019]----------------------------------------------------
Date: 5 Nov 89 23:58:33 GMT
From: wb8foz@MTHVAX.CS.MIAMI.EDU (David Lesher)
To: misc.security
Subject: S&G locks, Mosler containers

I believe ONLY the S&G locks are GSA approved. Also, if I am not mistaken, only Mosler containers (presently class VI) are accepted. The S&G 8400 and 8500's are darn good locks. Uncle Sam uses a lot of them, not just on containers, but office doors (with a special extension & strike), and communication center vault doors.

But remember, anything can be gotten into if you have enough time. A Mosler can be drilled. It is not an easy task. We go to great lengths to try and get it open before we give up and drill. It takes from four to 8 hours, IF YOU KNOW WHAT YOU ARE DOING. We bring lots of bits, but typically use big enough drill motors that they give little trouble (except when you want to lift one ;-}) If you do it correctly, the container can be repaired and reused. If you screw up (or burn it open), you will need a new control drawer. ($$$$)

--
A host is a host & from coast to coast...wb8foz@mthvax.cs.miami.edu
no one will talk to a host that's close..............(305) 255-RTFM
Unless the host (that isn't close)......................pob 570-335
is busy, hung or dead....................................33257-0335
-----------[000020]----------------------------------------------------
Date: 6 Nov 89 19:01:27 GMT
From: night@PAWL.RPI.EDU (Trip Martin)
To: misc.security
Subject: Re: Privacy vs on-line library

>Did you know that the 976- , and 1-900 people also keep track of who
>calls, and sells your phone numbers to advertisers

Mailing lists appear to be big business. I am aware of at least one hospital which sells names and addresses (and said we couldn't do a damn thing about it). I for one would like to know how widespread this practice is across all industries.

--
Trip Martin KA2LIV      night@pawl.rpi.edu
Finite state machinist  night@uruguay.acm.rpi.edu
-----------[000021]----------------------------------------------------
Date: 7 Nov 89 03:21:38 GMT
From: sarge@dcdwest.UUCP (Sergeant Bob Heddles)
To: misc.security
Subject: Shoulder Patches request...

I was wondering where I could get the unit patches (uniform) of the different police and other emergency departments of the U.S.A. and Canada? Is there a catalog company and/or store that carries them? If not, would the people on the network with the affiliations of the above-mentioned departments be willing to send one to me? I am trying to build a collection of patches. Any and all help would be greatly appreciated....

Thanks, Bob

--
Bob Heddles               | ITT Defense Communications Division
ucbvax!ucsd!dcdwest!sarge | 10060 Carroll Canyon Road
sarge@dcdwest%ucsd.edu    | San Diego, CA 92131
Opinions expressed are mine alone. Since no-body else wants them.
-----------[000022]----------------------------------------------------
From: virtech!jje@uunet.uu.net (Jeremy J. Epstein) 9-NOV-1989 1:01:47
To: misc-security@uunet.uu.net

I'm working on a project involving implementing a B3-level Mach system (or portions thereof) in Ada on a DARPA grant. I'd be interested in hearing about other people/projects who are working on trusted Mach and/or using Ada on Mach.

Please email to uunet!prcrs!abqord!jje or uunet!virtech!jje

Thanks
Jeremy Epstein
TRW Systems Division
703-876-4202
-----------[000023]----------------------------------------------------
From: Noel Del_More <noel@ubbs_nh.mv.com> 9-NOV-1989 1:38:45
To: security@rutgers.edu

I am writing a term paper for one of my graduate courses on the subject of computer security and the effect that it, or should I say the lack of it, has had on our society. In particular I'd like to focus on corporate strategies and responses to actual and/or potential breaches of systems security which have resulted or had the potential of resulting in the loss of assets, intellectual property or sensitive data. I would appreciate receiving information concerning any bibliographic references, case studies or legal actions involving the subject of which you may be aware. In addition, I would very much like to hear about your companies' policies and strategies to prevent and/or deal with breaches of systems security. Thank you, Noel
-----------[000024]----------------------------------------------------
Date: Fri, 27 Oct 89 10:44:45 EDT
From: "Jack L. Coffman" <UKA051@ukcc.bitnet> 9-NOV-1989 2:08:48, "Jack L. Coffman" <UKA051@ukcc.bitnet>
To: security-request@pyrite.rutgers.edu, security-request@pyrite.rutgers.edu

We at the University of Kentucky run an IDMS data base at the central computing center. Most batch updating is performed at night by our central data control staff. We do have programmers distributed in user offices who now do some batch updating to the data base. Most user departments have people who execute reports using COBOL, MARKIV, OLQ, CULPRIT, and SAS against the data base and extract files.

We are at the point of deciding how to set up libraries to allow user departments to update or execute reports from the data base or extract files. Does anyone have any experience or words of wisdom on how to approach this decision? Are we unique in allowing user departments to update the data base?

Thanks
Jack L. Coffman - UKA051@UKCC
Security and Contingency Planning Officer
128 McVey Hall
University of Kentucky
Lexington, Ky 40506-0045
(606)257-2273
-----------[000025]----------------------------------------------------
From: harald@kumquat.ucsb.edu (Ommang) 9-NOV-1989 2:38:01
To: misc-security@ucsd.edu

Hi !
I'm writing a paper for a Graduate class in Computer Security here at
UCSB. The paper will compare security features of two operating systems
that are in use all over the commercial world : Hewlett-Packard's MPE and
UNIX. I have worked with MPE security for several years, so I have that
covered, but I am a fairly novice user of UNIX.
My question is : Can anyone out there recommend (and point to) articles
and books on UNIX security. I will mostly deal with issues
like password and file security, and also ways of acquiring
more capabilities (i.e. system manager / superuser) than
one is supposed to.
Please reply by e-mail to :
harald%cornu@hub.ucsb.edu
==================================================================
"Born in the ice-blue waters of the festooned Norwegian coast.."
- Bertrand Meyer on object-oriented programming
Well, so was Harald Ommang. harald%cornu@hub.ucsb.edu
-----------[000026]----------------------------------------------------
From: nagle@well.sf.ca.us (John Nagle) 9-NOV-1989 7:56:27
To: misc-security@uunet.uu.net

>Next to the speaker on the earlier PS/2's is a pair of jumper pins.
>If you short these while the machine is being powered up, the password
>will be cleared from memory.
How convenient. Was this designed in, or is it a flaw?
John Nagle
-----------[000027]----------------------------------------------------
From: GREENY <MISS026@ecncdc.bitnet> 9-NOV-1989 8:20:05
To: <security@pyrite.rutgers.edu>

> Is there any work being done in the area of security or authentication for
> FAXen?

Well, on the fax machine that we have where I work, it has a security code that can be set (actually an 8 bit binary number). If the code is set to all 1's, then no polling can occur. If the code is set to all 0's, then anyone can poll the machine for a fax, and if the code is set anywhere in between then the polling fax machine must have the same security code...

Perhaps this Ad agency would do well to set their security codes for confidential documents? (at least I *assume* it was confidential...:-> )

Bye for now but not for long
Greeny

BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY
-----------[000028]----------------------------------------------------
From: CNSM CCR _ Rob Rothkopf <MASROB@ubvmsc.cc.buffalo.edu> 9-NOV-1989 8:47:18
To: security@pyrite.rutgers.edu

The University of Buffalo is considering the feasibilities/possibilities of establishing a "universal" card-access system for all areas of University activity. This single card would be used by all faculties including:

-- University Libraries: could be used with copiers
-- Records/Admissions: could be used as positive student ID
-- Could be used as "meal card"
-- Keyless card-entry system into student dormitories
-- Miscellaneous applications including single-vote verification, purchasing, student accounts (perhaps mom and dad could "easily" add money for students to later have access to for food, etc.)

We've received some literature on the "Smart Card" and how it might fill our needs; since this is the beginning of this investigation we could use any input others may have from previous experiences with card systems.

If anyone has experience with/knowledge of the "Smart Card" or *any* other established card access system, I'd appreciate the advice and info. Either reply direct or through the net (some might find this info. useful)

Thanks in advance.
--Rob Rothkopf
-----------[000029]----------------------------------------------------
From: "W. K. (Bill) Gorman" <34AEJ7D@cmuvm.bitnet> 9-NOV-1989 21:08:41
To: SECURITY Digest <SECURITY@UGA>

>It was a wrong assumption from the view that I don't KNOW they are keeping
>track, but I don't KNOW that they AREN'T. Any such system CAN be abused

The DEA regularly raids "indoor gardening" stores, many of which can and do serve a legitimate, law-abiding clientele, without ever filing formal charges against the owners, merely to gain the computerized customer lists therefrom. If this is not the sort of abuse you refer to, it is skating very close thereto.
-----------[000030]----------------------------------------------------
From: davecb@nexus.yorku.ca (David Collier_Brown) 9-NOV-1989 21:28:40
To: misc-security%mnetor@uunet.uu.net

> Any such system CAN be abused almost trivially and without notice
> to the users. [...] the information to exist, than to be assured (by
>people who don't even understand the system) that such records aren't being
>kept.
A specific, known example: a crossmatch between a library system and
a pharmacy system running on the same timesharing service:
    from pharmacy, select females with prescriptions for birth
        control pills
    crossmatch with library for address and age
    print where age < 30 and city = this one.
--dave c-b
--
David Collier-Brown, | davecb@yunexus, ...!yunexus!davecb or
72 Abitibi Ave., | {toronto area...}lethe!dave
Willowdale, Ontario, | Joyce C-B:
CANADA. 416-223-8968 | He's so smart he's dumb.
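
The crossmatch sketched in the message above, written out as a runnable query (an added example, not part of the original post; the schema, the sample rows, the prescription labels and the per-service pseudonym scheme are all assumptions made for illustration). It shows that the join works only because both services key their records on the same patron identifier, and that it returns nothing once each service derives its own keyed pseudonym.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: every id, address, city and drug label is made up.
PEOPLE = [
    # (patron_id, address, city, age, prescription)
    ("P001", "12 Elm St", "Anytown", 24, "drug-A"),
    ("P002", "9 Oak Ave", "Anytown", 41, "drug-A"),
    ("P003", "3 Pine Rd", "Otherville", 27, "drug-A"),
    ("P004", "77 Birch Ln", "Anytown", 22, "drug-B"),
]

# Hypothetical per-service secrets; in practice each service would hold
# only its own key and never see the other's.
PHARMACY_KEY = b"pharmacy-key (constructed)"
LIBRARY_KEY = b"library-key (constructed)"


def pseudonym(service_key: bytes, patron_id: str) -> str:
    """Stable identifier for one service: HMAC of the real id under that service's key."""
    return hmac.new(service_key, patron_id.encode(), hashlib.sha256).hexdigest()[:16]


def build(shared_ids: bool) -> sqlite3.Connection:
    """Load both services' tables into one database, as on a shared timesharing host."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pharmacy (patron TEXT, prescription TEXT)")
    db.execute("CREATE TABLE library (patron TEXT, address TEXT, city TEXT, age INTEGER)")
    for pid, address, city, age, rx in PEOPLE:
        if shared_ids:
            ph_id = lib_id = pid                      # same key in both systems
        else:
            ph_id = pseudonym(PHARMACY_KEY, pid)      # unlinkable across systems
            lib_id = pseudonym(LIBRARY_KEY, pid)
        db.execute("INSERT INTO pharmacy VALUES (?, ?)", (ph_id, rx))
        db.execute("INSERT INTO library VALUES (?, ?, ?, ?)", (lib_id, address, city, age))
    return db


# The three steps of the post: select from pharmacy, crossmatch with library,
# filter on age and city.
CROSSMATCH = """
SELECT l.address
FROM pharmacy AS p
JOIN library AS l ON l.patron = p.patron
WHERE p.prescription = ? AND l.age < ? AND l.city = ?
ORDER BY l.address
"""


def crossmatch(db: sqlite3.Connection, prescription: str, max_age: int, city: str) -> list:
    """Return the addresses the cross-system query discloses."""
    return [row[0] for row in db.execute(CROSSMATCH, (prescription, max_age, city))]


if __name__ == "__main__":
    print("shared ids:  ", crossmatch(build(True), "drug-A", 30, "Anytown"))
    print("per-service: ", crossmatch(build(False), "drug-A", 30, "Anytown"))
```

Separate identifiers only remove the join key; records that repeat a name or address in both systems can still be matched on those fields, which this example does not model.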
-----------[000031]----------------------------------------------------
From: zeleznik@cs.utah.edu (Mike Zeleznik) 9-NOV-1989 21:45:00
To: security@pyrite.rutgers.edu

Just wanted to point out that this issue of identification while maintaining
privacy has been the subject of a number of research articles in the computer
science community. One that comes to mind is:
"Security Without Identification: Transaction Systems to Make Big Brother
Obsolete", David Chaum, Communications of the ACM, October 1985, p1030+.
Another one, less concerned with privacy, but with many references to things
related to the concept of data surveillance, is:
"Information Technology and Dataveillance", Roger Clarke, Communications of
the ACM, May 1988, p498+.
--Mike
Michael Zeleznik Computer Science Dept.
University of Utah
zeleznik@cs.utah.edu Salt Lake City, UT 84112
(801) 581-5617
-----------[000032]----------------------------------------------------
From: davecb@nexus.yorku.ca (David Collier_Brown) 9-NOV-1989 22:10:48
To: misc-security%mnetor@uunet.uu.net

>Another reason (variation on the above) is that the member libraries
>are billed based on the usage by their people. This requires that the network
>know what library you are from when using this system.
The libraries are both charged by information providers and funded by
supporting organizations based on use and/or membership. When working for a
supplier of some slight note, I was surprised at the conflicting needs to
keep track of usage information for funding purposes (and for
book-replacement estimates), and the need to **not** keep track of readership
information for particular books.
And yes, both are legally mandated and prohibited in differing
jurisdictions (:-}).
--dave
--
David Collier-Brown, | davecb@yunexus, ...!yunexus!davecb or
72 Abitibi Ave., | {toronto area...}lethe!dave
Willowdale, Ontario, | Joyce C-B:
CANADA. 416-223-8968 | He's so smart he's dumb.
-----------[000033]----------------------------------------------------
From: *Hobbit* <security_request@pyrite.rutgers.edu> 9-NOV-1989 22:23:13
To: security-list-outbound@pyrite.rutgers.edu

David Stodolsky has submitted the entire text of his paper on databases for epidemiological control. It is over 38Kb, so rather than post it I'm making it available via FTP for anyone interested. It's at pyrite.rutgers.edu in security/epidemic-control. I will also mail it to any non-internet recipients [who can't grab this directly] that ask for a copy...

_H*

--- head of David's message ---
Date: 29 Oct 89 20:27:52 GMT
From: stodol@diku.dk (David Stodolsky)
Subject: Secure Distributed Databases for Epidemiological Control
To: misc-security@dkuug.dk

English update of: Stodolsky, D. S. (1989, August). Brugerforvaltet datakommunikationssystem til bekaempelse af seksuelt overfoerbare infektionssygdomme [Secure Distributed Databases for Epidemiological Control]. Research proposal submitted to the AIDS-Fund Secretariat, Danish Health Department. (Available from the author at the Psychology Department, University of Copenhagen )
-----------[000034][next][prev][last][first]---------------------------------------------------- Date: 9 Nov 89 18:30:00 GMT From: NORDBERG@scranton.BITNET To: misc.security Subject: Bibliographic references for system breaches
Noel asked about any bibliographic references concerning actual or potential breaches of computer security. Since s/he did not list an e-mail address I'll reply via this discussion group.
"The Cuckoo's Egg" by Cliff Stoll just came out and is an interesting case study of breaches of long duration of both academic and military systems (including companies doing business with the military such as BBN, TRW and MITRE). Stoll's efforts to alert various groups met with a fair number of responses that can be characterized only as denial.
Stoll, Clifford "The Cuckoo's Egg" Doubleday (c) 1989 ISBN 0-385-24946-2
---------------------------------------------------
Kevin Nordberg
Dept. of Philosophy
University of Scranton
BITNET: NORDBERG@SCRANTON
-----------[000035][next][prev][last][first]---------------------------------------------------- Date: 9 Nov 89 23:17:31 GMT From: MTG@CORNELLC.CIT.CORNELL.EDU (Mike Garcia) To: misc.security Subject: Re: Privacy vs on-line library
>The DEA regularly raids "indoor gardening" stores, many of which can and
>do serve a legitimate, law-abiding clientele, without ever filing
>formal charges against the owners, merely to gain the computerized customer
>lists therefrom.
It does not even have to be computerized.
The Chicago police department has a squad called the "gun squad" which
confiscates unregistered handguns. It is enormously successful in
terms of the number of handguns seized. Reportedly one of the Chicago
PD's techniques is to acquire lists of legally purchased handguns,
which were purchased outside of Chicago. These lists include the name
and address of the purchaser. The Chicago PD then checks the names on
the lists against the names of store and restaurant owners whose places
of business are located in Chicago. When a match is found, the place
of business is searched. Since it is a public place, no search warrant
is needed. If a handgun is found on the premises, it is seized.
These lists are acquired from the US Bureau of Alcohol, Tobacco and
Firearms (BATF). BATF assembles these lists by inspecting the records
of gun shops near, but outside of, Chicago. It is a federal
requirement that all firearm purchases be recorded, and the gun shops
can not refuse BATF access to the records.
In all probability, part of your library's budget is federal money. If
a federal agency wants access to such information, it will have
powerful tools for compelling compliance. Once the feds have the data,
they can do whatever they want with it, including giving it to a third
party.
If your library keeps track of what information you access, for
whatever reason, you have no real guarantee that it will not be
misused.
Mike Garcia
-----------[000036][next][prev][last][first]---------------------------------------------------- Date: 10 Nov 89 00:55:36 GMT From: doerschu@REX.CS.TULANE.EDU (David Doerschuk) To: misc.security Subject: Re: REINIALISING PS/2 PASSWORDS
>Next to the speaker on the earlier PS/2's is a pair of jumper pins.
PS/2 as in IBM PS/2? I didn't realize there was any password security in the PS/2. Would someone mind posting or emailing a brief explanation? Is this a DOS 4.1 thing? It sounds like it's in HARDWARE! Thanks for any information.
Dave
doerschu@rex.cs.tulane.edu
-----------[000037][next][prev][last][first]---------------------------------------------------- Date: 10 Nov 89 19:53:04 GMT From: gwyn@BRL.MIL To: misc.security Subject: Re: Privacy vs on-line library
>The DEA regularly raids "indoor gardening" stores, many of which can and
>do serve a legitimate, law-abiding clientele, without ever filing
>formal charges against the owners, merely to gain the computerized customer
>lists therefrom.
If they're doing this without a warrant issued by a Federal judge, they're violating the law (as I understand it) and certainly are acting against the intentions of the fine folks who founded our system of government. Feel free to blow them away.
-----------[000038][next][prev][last][first]---------------------------------------------------- From: rjg@sialis.mn.org (Robert J. Granvin) 12-NOV-1989 23:41:28 To: misc-security@uunet.uu.net
> You can walk into the library and read the thing, because the library
>is supported by the university and assumes that nobody NOT from the university
>will use it (or at least the use will be minimal).
Universities are supported by tuitions, grants and public and state funding. Universities are centers of knowledge and learning. The libraries of these universities are open and available to everyone. The information contained therein isn't restricted in any form to only students "And others as long as the use is minimal".
--
________Robert J. Granvin________ INTERNET: rjg@sialis.mn.org
____National Computer Systems____ BITNET: rjg%sialis.mn.org@cs.umn.edu
__National Information Services__ UUCP: ...amdahl!bungia!sialis!rjg
"Insured against Aircraft, including self-propelled missiles and spacecraft."
-----------[000039][next][prev][last][first]---------------------------------------------------- From: "Craig Finseth" <fin@uf.msc.umn.edu> 13-NOV-1989 0:03:06 To: jonhaug@ifi.uio.no Cc: security@rutgers.edu
If security is defined as "a system's ability to maintain confidentiality, integrity and availability of information", where does privacy fit?
I would say that "security" is an amoral term. It refers to whether the system is performing its job properly. "Privacy," on the other hand, provides constraints on the system's goals. In particular, a system can be secure without being private.
Hypothetical example: a credit bureau may operate a secure system. However, the bureau may choose to sell its data to a third party. No security breach has occurred, but a privacy breach has (in this example, at least).
Another question: Do you agree with the above 'definition' of privacy? Does your country's privacy act (if you have one) agree?
(1) Yes. (2) Who knows, at least in the U.S.? (:-).
Craig A. Finseth fin@msc.umn.edu [CAF13]
Minnesota Supercomputer Center, Inc. (612) 624-3375
-----------[000040][next][prev][last][first]---------------------------------------------------- From: Jeff Suttor <ECL4JS2@oac.ucla.edu> 14-NOV-1989 9:11:57 To: security@pyrite.rutgers.edu
> A few programmers can even construct the borrowing history of a given
> individual (a moment's thought about how a library works will tell you this)
This is not true for the Library I program for. When a circulation transaction is resolved, checked back in, the circ trans is archived but any link to the user record is zeroed out. This allows the archives to be used for stat anal but protects the privacy of the user. Most Libraries are strong believers in information rights and do whatever they can to protect the rights of their users.
-----------[000041][next][prev][last][first]---------------------------------------------------- From: shz@packard.att.com (Seth Zirin) 14-NOV-1989 18:34:34 To: misc-security@att.att.com
Sargent & Greenleaf locks are very high in quality. Their manipulation resistant locks are still acceptable for use on GSA-rated classified information storage containers. LaGard and Mosler locks are no longer acceptable because they can be compromised with auto-dialers.
The manipulation resistance of S&G 8400 and 8500 series locks is not derived through the use of key-locking dials although locking dials are available as an option. The action of the locks is designed to deter manipulation by preventing convenient contact between the lever nose and drive cam. S&G locks are among the best available.
Seth Zirin, CPL
Member Safe and Vault Technicians Association
-----------[000042][next][prev][last][first]---------------------------------------------------- From: "Robyn Robertson GSRLR@ALASKA" <GSRLR@alaska.bitnet> 14-NOV-1989 19:09:26 To: security@pyrite.rutgers.edu
Finding people? I have spent considerable time and effort doing this sort of work. The only solid rule for tracking people down is that there are no solid rules. In general, finding people depends upon knowing enough about the target subject (i.e. the person you want to find) to gain direction for the search.
For instance, I was retained to search for a gentleman that had absconded from the Seattle area with substantial debts left behind. I knew very little about the guy other than his name, the fact that he had a trust fund administered from Los Angeles, and that he had been planning to wed a woman from Seattle when he was last heard from several weeks before. In this case, I managed to locate a marriage license in the King county (Seattle) Courthouse which yielded the name and address of the woman he had, by the time of this search, married. Although the man had covered most of his tracks pretty well, the woman he had married took no effort to obscure her path. Consequently, I had the woman's name and last known residence (in Renton, Washington, a suburb of Seattle) when I left the courthouse. Once I had this, the remaining follow up was reasonably simple. It turned out that her prior residence she had been living in was up for sale. A visit to the real estate agent acting as broker afforded a reasonably fast face-to-face meeting with the fugitive I sought. He, it developed, was handling all the business of his new wife. The real estate agent very thoughtfully arranged the meeting, and also provided me with the seller's new home address.
I tell this story as a means of illustrating an approach to finding people. While in general it is helpful to review information resources like the telephone book, Polk directory, etc., I believe that a general principle is the best advice. Find out all you can about your target, then determine what, if any, information resources this knowledge of your target implies. If you are uncertain what information your basic knowledge of your target does imply, take what you know to an expert (like the records clerk in the city/county building where the target I mention above had filed his marriage license) and ask the expert what intelligence is necessarily implicit in the information you have as a foundation. Once this is accomplished, the remaining task is to exploit this information.
As for expert assistance in developing the leads that you start with, there are as many sources for this intelligence as there are categories worth exploiting. I know very little about tennis, for instance, but I know enough that if I found that a suspect I sought was a heavy tennis player, I could certainly locate a tennis expert to tell me what organizations associated with tennis might yield the suspect's location. Failing that, if the suspect is a serious tennis player, and I have a good idea what city he might be in, I might be able to develop leads by asking questions at athletic clubs in the area.
Although this approach seems like common sense, many people tend to forget what creatures of habit we humans are, and they consequently fail to exploit the obvious when searching for someone. Nonetheless, I have found this approach fairly useful. Just find out all you can about your target, then think! One must compile all available information on the target subject, then follow it up and exploit whatever leads this information develops.
===========================================================================
Robyn Robertson | The opinions expressed here are
BITNET: GSRLR@ALASKA | my own
Internet: GSRLS@acad3.fai.alaska.edu |
P.O.Box 81638 |
Fairbanks, AK 99708 |
-----------[000043][next][prev][last][first]---------------------------------------------------- From: Linda L. Julien <leira@eddie.mit.edu> 14-NOV-1989 22:23:44 To: MASROB@ubvmsc.cc.buffalo.edu Cc: security@pyrite.rutgers.edu
I haven't had experience with these systems, but I don't like the idea. If a student loses this one card, they're out of luck until it's replaced. With everything separate, if you lose your keys, you can still eat, and if you lose your library card you can still get into your room.
Linda Julien
leira@eddie.mit.edu
leira@athena.mit.edu
-----------[000044][next][prev][last][first]---------------------------------------------------- From: gwyn@brl.mil 14-NOV-1989 22:54:44 To: security@rutgers.edu
>The DEA regularly raids "indoor gardening" stores, many of which can and
>do serve a legitimate, law-abiding clientele, without ever filing
>formal charges against the owners, merely to gain the computerized customer
>lists therefrom.
If they're doing this without a warrant issued by a Federal judge, they're violating the law (as I understand it) and certainly are acting against the intentions of the fine folks who founded our system of government. Feel free to blow them away.
-----------[000045][next][prev][last][first]---------------------------------------------------- From: <WBERBENI@gtri01.bitnet> 14-NOV-1989 23:30:34 To: <security@pyrite.rutgers.edu>
The first thing that comes to my mind after reading about this "Smart Card" is its potential for abuse. If it is lost or stolen, how easily can the 'old' card's access be removed from the system? Also if it is lost or stolen, will a 'backup' of its information be kept in a separate facility - imagine the concern if the student adds $500 to the card, only to have it lost or stolen moments later on the way to class. Just some thoughts that came to mind...
Bill Berbenich wberbeni@gtri01.gatech.edu
Office of Computing Services @gtri01.bitnet
Georgia Institute of Technology
-----------[000046][next][prev][last][first]----------------------------------------------------
Date: 14 Nov 89 00:43:38 GMT
From: willis@RAND.ORG ("Willis H. Ware")
To: misc.security
Subject: Re: Privacy vs security definitions
RE the uncertainty between security and privacy.
In brief, security is a system attribute; it has to do with whether a system contains appropriate hardware/software/operational/environmental/communication safeguards so that it can enforce a security policy -- whatever the policy may be -- and do so with high confidence. The policy might only involve confidentiality, but it can be more. In general security policy will vary from system to system but with notable exceptions, e.g., in the defense community, security policy is uniform throughout.
In contrast privacy is an information use attribute. In principle privacy issues exist even in a manual system. The scale is different however, and no one worried about privacy 25 years ago -- but the issue was there nonetheless. Security in either manual or computer system is a prerequisite to privacy; if you cannot control access to information, there's no way that you can control its use.
A lot has been said and written about privacy and its relation to security. Two of the most comprehensive treatments of privacy from the US national level are:
Report of the Secretary's [DHEW] Committee on Automated Personal Data Systems, "Records, Computers, and the Rights of Citizens", US Gov Printing Office, 1973; stock number 1700-00116
Report of the Privacy Protection Study Commission [including 5 appendices], "Personal Privacy in an Information Society", US Gov Printing Office, 1977; stock number 052-003-00395-3
Nothing comprehensive has been done more recently at the Federal level. There are many hardback books however.
Willis H. Ware
RAND Corp
-----------[000047][next][prev][last][first]---------------------------------------------------- From: meister@gaak.lcs.mit.edu (phil servita) 15-NOV-1989 22:59:56 To: security@pyrite.rutgers.edu
The kryptonite K4 bike lock now comes with a 1000 dollar guarantee against
theft. This guarantee is valid everywhere but New York City. Funny that.
-meister
-----------[000048][next][prev][last][first]---------------------------------------------------- From: Nutsy Fagen <MJB8949@ritvax.bitnet> 15-NOV-1989 23:19:15 To: security@pyrite.rutgers.edu
I'd like to get in touch with anyone out there who's had experience
with a Sescoa 3000 alarm receiver. (This applies more toward large-scale
security systems, so if anyone knows of a better list to ask this on, please
let me know that also)
Specifically, we'll be adding a computer to it for monitoring, and
would like to quiet the 'beep' while the computer is on-line. Any expensive
or time-consuming mods wouldn't be too appropriate, since we plan on
upgrading to a Radionics receiver within a year or two.
Thanks ahead of time for any help.
Mike Bunnell
MJB8949@ritvax (bitnet)
-----------[000049][next][prev][last][first]---------------------------------------------------- From: Robert Allinson <XA3I@purccvm.bitnet> 15-NOV-1989 23:35:40 To: <security@uga>
Does anyone know about the security implications of Cellular Modems?
Since cellular transmissions are in the 800 frequency band, anyone with
a receiver which can tune in to these high frequency bands could
listen in. Therefore, I have 2 questions:
1. How is a Cellular modem different than regular modems? (What
special features must this type of modem have?)
2. How about security? If anyone can basically "Tune" in, what
implications will this lead to as far as the technological aspect
of the hardware?
I'd appreciate any comments on this matter.
+---------------------------------------------------------------------+
: Robert C. Allinson Purdue University - Computer Technology :
: Bitnet: XA3I@PURCCVM :
: :
: Work Phone: (317) 494-1638 Administrative Data Processing Center:
: :
+---------------------------------------------------------------------+
-----------[000050][next][prev][last][first]---------------------------------------------------- From: Frank Tompkins <TOMPKINS@akronvm.bitnet> 16-NOV-1989 0:16:38 To: tcp-ip@utdalvm1 Cc: security@ohstvma, ibmtcp-l@cunyvm, ibm-nets@uga
Greetings,
Thanks to all of you who responded to my question last month regarding
site policies about the use of Ethernet/Internet and possible integrity
problems. Of the 21 responses I received, almost half (9) were requests
for the results. This implied a lot of interest in the topic, so I was
mildly surprised that I didn't get more responses. Anyway, here's what
I got (first the question again):
. . .
> 1) Other than the well known ease with which thick Ethernet cables
> can be tapped and passing data extracted, are there other weak
> spots (security wise) that we should be aware of regarding the
> physical links,
> and
> 2) What are the policies (briefly) that other campuses have regarding
> allowing confidential administrative data (user id's, passwords,
> and transactions) to flow over Internet links.
. . .
I would be very interested in the content of your replies. We have just
started Ethernet service on our academic 3081 using VM TCP/IP. There is
already a good deal of pressure to allow administrative access to our 3090
running MVS. I would greatly appreciate forwarded replies, and the final
conclusion you reach and why you made that decision. Thanks.
. . .
********* has over 4000 (that's not a typo) VAXs, workstations, Suns, and a
few large IBMs hooked via TCP/IP. The hardware is NSC hyperchannel for a
backbone and their routers on local ethernets. We have lots of business data
and engineering data going internally and internationally. Because of legal
considerations, we have stated over and over that the network is not a
secure network, and had better be treated as such. That probably has been
forgotten along the way, but at least we're on record as trying to do the
right thing. Hope this helps.
. . .
Well, I think the biggest issue is to not allow any non-secure machine to be
directly attached to the backbone, since it then can be put in promiscuous
mode and monitor the traffic. There is no way to secure a PC or other
workstation type machine. If it is separated from the backbone by at least a
router, then only information from that particular subnet will be potentially
visible to it. Folk kick about the extra cost, but I think it is essential.
. . .
We are currently in the process of setting up as you describe. We were
also concerned about the lack of security of ethernet. As soon as it
arrives I hope to switch our 8232 from VM to MVS. Since we were
assured that there is little difference in most of the TCP/IP code used
on the 2 operating systems we began developing an encryption technique
for use over ethernet.
The authors of the BW series of ethernet software are part of our
networks & communications group, in fact they both read the TCP/IP lists.
The BW software now supports access via the 8232 and they expect to
have the encryption facility working shortly. This will consist of a new
version of the BW software together with updates to the mainframe
TCP/IP software. Other changes include full color support as well as
handling the YTERM TPRINT command. Kermit is used for file transfers.
. . .
I would be interested in a posted summary of this information, and if you
find any archived documents, I'd be interested in those too. I've only been
on TCPIP-L since May, but I have not seen anything on this subject there or
on another list.
. . .
I too am interested in responses to these questions. Some members on
our campus are also contemplating allowing access to "sensitive"
information via the campus TCP/IP network (using Telnet, FTP, etc.).
Some of our local experts feel that we have little to be concerned
about. However, I read an article in the April issue of "Computer
Communication Review" titled "Security Problems in the TCP/IP
Protocol Suite" by S.M. Bellovin (AT&T Bell Laboratories) that got
me a bit concerned. A follow up article in the July issue by
Stephen Kent (BBN Communications) "Comments on 'Security Problems in
the TCP/IP Protocol Suite'" pointed out inaccuracies, etc. in the
first article but still did not alleviate my apprehension.
In short, Mr. Kent's article seemed to say that the TCP/IP Protocol
Suite isn't secure unless end-to-end encryption is used at the
network layer. My questions: is the article correct? Am I
interpreting the article correctly? If so, are such security
mechanisms implemented on the Internet? If not, can we implement
such a security mechanism on our local network even if the rest of
the Internet doesn't?
. . .
Basically, TCP/IP is not secure, but that is more of a function
of the underlying transport mechanism than it is of TCP/IP.
TCP/IP typically runs in
a LAN or WAN type environment. In this environment, generally
all messages are physically broadcast to everybody, even if they
are logically intended for one target. (There are also messages
which are *supposed* to be broadcast, and *supposed* to be seen
by everybody, but that is a different issue). There are numerous
exceptions to this "everybody sees everything" rule, of course.
Bridges and gateways serve to limit the scope of the "broadcast"
of messages intended for one destination, but within the
"local" network, everybody sees everything.
The idea with "everybody sees everything"
is that your system looks at and throws away stuff that it
sees that is really for somebody else. Obviously, it is not hard
to simply keep the stuff and not throw it away. In a token ring
environment, it is generally the hardware itself that is making this
determination, so it is a little hard for the casual user to peek at
something he shouldn't. In an Ethernet environment, it is generally
the software that is making the determination, so it is usually easy
for the casual user to peek at every packet that comes by. UNIX
systems often have such peeking programs built in.
Suppose you have an Ethernet in an engineering building for students,
and another Ethernet in an administrative building for administrators.
Further suppose that you want to link both of these nets into the
computing center in yet a third building, using some sort of campus
wide backbone. If you want to be somewhat secure, you will need to
arrange bridges and gateways so that packets from the engineering
building are not seen on the network in the administrative building
and vice versa. However, I don't really know of any good way to
keep the students from stealing each other's passwords by looking
at all packets going by in the local engineering net.
(This is assuming a bright and aggressive student who has access to
a reasonable work station on the network, of course).
. . .
>[paraphrased] If you want to be somewhat secure, you will need to
>arrange bridges and gateways so that packets from the administrative network
>(secure) are not seen on the student network (insecure) and vice versa.
>However, I don't really know of any good way to keep the students
>from stealing each other's passwords by looking at all packets going
>by in the local [engineering] net.
End-to-end encryption, of course. The whole problem is, as you say,
that anyone who wants to dump packets, can. This is not a limitation
of IP networks, alone. In any network if you know, or can reverse
engineer the packets, you can get at unencrypted data contained in
them. The minute someone logs in over the network, their password
is insecure.
The "simple" solutions are to encrypt packet contents, provide
security at a network (rather than host), level (a la Kerberos),
or scramble packets so that someone cannot reassemble them in
a meaningful order.
Even so, no network is secure from itself. The best that you can
hope for is to make it impractical or extremely unlikely that someone
will be able to violate your security in a meaningful time frame.
Even THAT won't keep people from using their phone numbers, mother's
name, or favorite team as a password, or even simpler, giving it
to someone else to use or writing down and taping it to the underside
of the keyboard.
The second part of the story, however, is why be secure and how
secure? What I mean is, is your desire to be secure in order to
thwart deliberate malice or is it to limit your liability for
negligent disclosure of confidential records? In the case of
liability, your requirements might be significantly less stringent
than if you were transmitting launch codes for ICBMs.
. . .
We are also allowing TCPIP to proliferate on campus and will have some
administrative access in several months using TCP/IP. As long as we
have a router between public access labs and the main backbone, they
will not be able to see passwords. Even for taps they would only see
passwords on that segment.
We assume that all of the problems of access control remain, but are no
more serious than the ones already created by dialup access.
. . .
The most powerful weapon to avoid ethernet snooping is physical segmentation
of the network. Snoopers cannot read data that does not flow thru their
ethernet. Break the network into many small pieces, and snoopers can at most
see only what is on their small piece. Isolate sensitive users from others,
on different segments. Never combine public PCs and administrative users on the
same segment, for example. Multi-user computers are in general not a problem;
it is the single-user systems where a user may install and use snooping
capability without detection.
. . .
You might want to install MVS TCP/IP and have the admin users come in via
that method. If they need access to VM, run VM/VTAM across a virtual CTCA.
MVS TCP/IP has a much better interface to VTAM/CICS, and is much easier to
keep unauthorized data secure by enforcing the CICS terminal transaction
restrictions.
If you do the DIAL method and your MVS applications do port-based security
for sensitive functions, how do you ensure that J. Random Bozo doesn't
DIAL MVS and end up facing a potentially highly privileged logon screen?
(We got nailed with this one on our library system) DIAL is a simple rotor
system and (without VMSECURE or RACF) just dumps you into the next free
SPECIAL port.
Other than keeping the physical cable secure, we don't worry too much about
it. Such traffic never leaves our site, and since MVS TCP associates a login
name with a list of authorized "ports", it seems to have fixed most of the
big gaping holes.
. . .
I remember reading (handwave: about 2 years ago, in RISKS-DIGEST)
about a hospital which was putting in a network. They had pretty much
decided on ethernet, when some suit found out about collisions: "You mean
sometimes data is transmitted and network errors cause it to be lost!? We
can't have any data get lost in a hospital!" And so they decided that they
couldn't use ethernet.
. . .
For those of you wishing to see what other universities are/have
done, please use the archives here. I maintain an 'ethics' collection
here at UNM from the world's universities. All entries
have been submitted for posting by different universities and
authors. You may email or postal mail me your submissions to the
collection. And you may obtain any policy by 'anonymous' ftp
to unma.unm.edu, the directory is ethics. The index is 00.INDEX.
I hope this helps. And yes, I will have it LISTSERV available
soon.
. . .
We are in much the same boat here at New Mexico State Univ. There is
a tremendous amount of concern over opening up network access to
student records, payroll/personnel, and financial data.
Our solution was to encrypt all traffic coming in to the MVS system
using some kind of VAXstation encryption gizmo. This
sledgehammer approach is only feasible because 1) our
MVS runs on a separate CPU (so only the *currently* smaller
Administrative community has to get encryption units)
and 2) there is no requirement for
general-purpose interactive access to MVS (we only run batch and
administrative CICS, no TSO). In other words, our primary requirement
is TELNET and FTP access to a "secure" (as opposed to
"secure + general purpose") system, so we can get away with
requiring that all traffic be encrypted.
This is obviously a short-term stop-gap, but we hope it will
last until something like Kerberos becomes generally available.
. . .
My recommendation:
When in doubt, encrypt.
. . .
A key point would be to keep the administrative traffic off of other
segments of the Ethernet by using bridges. Otherwise, it is a simple
matter for someone with a PC on the Ethernet to obtain some public domain
software and trap all of the packets they want.
Using routers and subnets can help even more. You could put all of the admin.
users on a particular subnet and help prevent people on the main network from
using their IP addresses.
You could also use token-ring to connect your administrative users. That would
go a long way to keep traffic out of the wrong hands.
. . .
I am at the University of ****** - Office of the President. At this time I
do not have anything to suggest, but I would like to get a summary of what you
are getting and what you may do. The U* system has nine campuses, at least a
couple of them are in a similar position (campus-wide TCP/IP net for academics
and students, etc.). Thank you.
. . .
==============================================================================
At this point it appears that we will permit limited Administrative traffic
on our campus net, with the following provisions:
* Bridges will be used to limit users to local subnets. No unsecure
nodes will be allowed directly on the backbone.
* The backbone and as many other links as feasible will be optical fiber.
* We anticipate installing the MVS TCPIP product and to make it the primary
Administrative link.
* Highly sensitive applications (payroll/grades update, etc) will NOT
be permitted to be accessed through the campus internet link.
* Periodic reviews of the network topology with emphasis on network
integrity and security will be performed.
Once again thank you all for your responses.
Frank Tompkins (TOMPKINS@AKRONVM) Bitnet
Systems Programmer (TOMPKINS@VM1.CC.UAKRON.EDU) Internet
University of Akron
Akron, Ohio 44325
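Added example, not part of the original digest or of any poster's message: the segmentation advice that recurs in the replies above (keep untrusted single-user machines off the backbone and behind their own bridge or router) can be checked against a topology description. The Python below assumes shared-medium segments, filtering bridges or routers, and a loop-free layout; every host and segment name is constructed for illustration.

```python
"""Audit which hosts could passively observe a flow on a segmented Ethernet.

Assumptions (not from the original posts): every host attached to a segment
sees every frame on that segment; bridges/routers forward a unicast frame
only along the path toward its destination; the topology is loop-free.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Network:
    links: dict = field(default_factory=dict)   # segment -> neighbouring segments
    hosts: dict = field(default_factory=dict)   # host -> (segment, trusted?)

    def join(self, seg_a, seg_b):
        """Connect two segments with a filtering bridge or router."""
        self.links.setdefault(seg_a, set()).add(seg_b)
        self.links.setdefault(seg_b, set()).add(seg_a)

    def add_host(self, name, segment, trusted):
        self.links.setdefault(segment, set())
        self.hosts[name] = (segment, trusted)

    def path(self, src_host, dst_host):
        """Segments a unicast frame crosses from src to dst (breadth-first)."""
        start, goal = self.hosts[src_host][0], self.hosts[dst_host][0]
        prev = {start: None}
        queue = deque([start])
        while queue:
            seg = queue.popleft()
            if seg == goal:
                break
            for nxt in sorted(self.links[seg]):
                if nxt not in prev:
                    prev[nxt] = seg
                    queue.append(nxt)
        if goal not in prev:
            raise ValueError(f"no path between {src_host} and {dst_host}")
        route, seg = [], goal
        while seg is not None:
            route.append(seg)
            seg = prev[seg]
        return route[::-1]

    def observers(self, src_host, dst_host):
        """Untrusted hosts sharing any segment the flow crosses."""
        crossed = set(self.path(src_host, dst_host))
        return sorted(
            h for h, (seg, trusted) in self.hosts.items()
            if seg in crossed and not trusted and h not in (src_host, dst_host)
        )

    def backbone_violations(self, backbone):
        """Untrusted hosts attached directly to the backbone segment."""
        return sorted(h for h, (seg, trusted) in self.hosts.items()
                      if seg == backbone and not trusted)


# Constructed sample inventory: (host, trusted?)
SAMPLE_HOSTS = [("mvs-host", True), ("payroll-clerk", True),
                ("lab-pc-1", False), ("lab-pc-2", False)]


def build_flat():
    """Everything on one shared Ethernet: the layout the replies warn about."""
    net = Network()
    for name, trusted in SAMPLE_HOSTS:
        net.add_host(name, "campus", trusted)
    return net


def build_segmented():
    """Admin users and public lab PCs on separate segments off a backbone."""
    net = Network()
    net.join("admin", "backbone")
    net.join("lab", "backbone")
    net.add_host("mvs-host", "backbone", True)
    net.add_host("payroll-clerk", "admin", True)
    net.add_host("lab-pc-1", "lab", False)
    net.add_host("lab-pc-2", "lab", False)
    return net


if __name__ == "__main__":
    for label, net in (("flat", build_flat()), ("segmented", build_segmented())):
        print(label, "admin flow observers:",
              net.observers("payroll-clerk", "mvs-host"))
    seg = build_segmented()
    # Lab machines can still observe one another's logins on their own segment.
    print("lab flow observers:", seg.observers("lab-pc-1", "mvs-host"))
```

The lab-to-host flow still lists the other lab PC as an observer, which is the residual exposure several respondents say only end-to-end encryption removes.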
-----------[000051][next][prev][last][first]---------------------------------------------------- Date: 14 Nov 89 23:34:14 GMT From: MTG@CORNELLC.CIT.CORNELL.EDU (Mike Garcia) To: misc.security Subject: Re: Privacy
> Feel free to blow them away.
Bad advice. A store is a "public" place, and as such a search warrant may not be required to search it. There are a number of conditions that allow the forces of law and order to enter or search without a warrant. Fire and "hot pursuit" come to mind. Interfering with a federal officer is a federal felony. When the FBI photographs mob funerals, occasionally someone blows their top and punches or shoves a fed. They get a free vacation at taxpayer expense.
-----------[000052][next][prev][last][first]---------------------------------------------------- Date: 15 Nov 89 03:18:34 GMT From: johnl%n3dmc@UUNET.UU.NET (John Limpert) To: misc.security Subject: Re: locks (again)
>Sargent & Greenleaf locks are very high in quality.
Who sells these locks? I have only seen them in government installations.
--
John A. Limpert I'm the NRA! Internet: johnl@n3dmc.UU.NET UUCP: uunet!n3dmc!johnl
-----------[000053][next][prev][last][first]---------------------------------------------------- From: doerschu@rex.cs.tulane.edu (David Doerschuk) 17-NOV-1989 4:06:56 To: misc-security@ames.arc.nasa.gov
>Next to the speaker on the earlier PS/2's is a pair of jumper pins.
PS/2 as in IBM PS/2? I didn't realize there was any password security in the PS/2. Would someone mind posting or emailing a brief explanation? Is this a DOS 4.1 thing? It sounds like it's in HARDWARE! Thanks for any information.
Dave doerschu@rex.cs.tulane.edu
-----------[000054][next][prev][last][first]---------------------------------------------------- From: gdt@holmes.lcs.mit.edu (Greg Troxel) 17-NOV-1989 4:41:38 To: security@pyrite.rutgers.edu
Is it unlawful to tape record in-person conversations without the knowledge of everyone involved? If so, is the restriction federal, or which states (particularly the People's Republic of Massachusetts) have such laws? Thanks, Greg Troxel <gdt@lcs.mit.edu> [Moderator tack-on: This topic could be a serious flamage magnet. Replies to him, pls. Greg, could you summarize when the flood dies down? Thanx.. _H*]
-----------[000055][next][prev][last][first]---------------------------------------------------- From: Lee Ratzan <ratzan@rwja.umdnj.edu> 17-NOV-1989 5:15:15 To: security@pyrite.rutgers.edu
A recent DoE computer security newsletter states that under certain conditions "merely inserting a disk can cause one to be [virally] infected". This statement is unclear: is it an infected disk into an uninfected system which becomes infected (even without initiating an application program)? Is it inserting a clean disk into an infected system (again, with no application open)? Or what? Can you clarify under what circumstances this infection event can occur? Thanx, Lee
-----------[000056][next][prev][last][first]---------------------------------------------------- From: hedley@imagen.imagen.com (Hedley Rainnie) 17-NOV-1989 5:48:19 To: misc-security@uunet.uu.net
The Wall Street Journal on Wed Nov 1st had a mini-book review of this book.
Clifford Stoll was able to track down a hacker from W. Germany and his book
relates how he did it. What's interesting about the article is that it said
the hacker used Gnu-Emacs to tamper with atrun and get su privs in that way.
The article said the Gnu-Emacs is a popular program for editing/electronic
mail. The book sounds interesting.
Doubleday 326 pages $19.95
Hedley
--
{decwrl!sun}!imagen!hedley
hedley@imagen.com
-----------[000057][next][prev][last][first]---------------------------------------------------- From: deh@mordor.eng.umd.edu (Douglas Humphrey) 17-NOV-1989 6:17:56 To: borgen%sunnvekst.uninett@norunix.eng.umd.edu Cc: security@pyrite.rutgers.edu
A Tandem Computers VLX system, a fault-tolerant transaction processing system, fell over flat on its back (this is a big mainframe, maybe 6 cabs of 6 feet tall and 28 inches or so wide, and weighs a LOT). It was, of course, still operating just fine flat on its back. The disks were still upright, due to their being shorter and having lower centers of gravity. From what I have been told, it was uprighted by Tandem CEs and never missed a beat. They had an UPS for power obviously...
Doug
-----------[000058][next][prev][last][first]---------------------------------------------------- From: DXB4769@ritvax.bitnet 17-NOV-1989 6:40:02 To: security@pyrite.rutgers.edu
We have a card-access system here at R.I.T. Not completely "universal", but our ID card is used for our meal plan, as well as a debit card. Cash can be deposited on this card and used at most of the college stores. The card is also used in the Library for ID, the card and book are scanned, and the info is saved in their records. Unfortunately, they haven't applied this technology to locks yet...We've still got keys for rooms, buildings, mailboxes, and anything else you might want to lock up.
Dave Bafumo Rochester Institute of Technology (Student) Criminal Justice/Computer Science BITNET: DXB4769@RITVAX CIS: 73147,3026
-----------[000059][next][prev][last][first]---------------------------------------------------- Date: 15 Nov 89 23:45:00 GMT From: WHMurray@DOCKMASTER.NCSC.MIL To: misc.security Subject: "Smart Cards"
Smart cards carry the data to the point of use, rather than requiring
access to a central database. Therefore they must have their own
security so that possession of the card is not sufficient for their use.
Since the card has sufficient processing capability and storage to do
conversion from public to secret codes, the security can be very
sophisticated and, if necessary, different for each application.
The simplest mechanism is a personal identification number similar to
that used with an ATM. The difference is that the reference data is
stored inside the card. At this week's Computer Security Institute
exhibit, IBM showed the use of signature verification to demonstrate the
right to beneficial use of data in the card. The signature reference
data is stored inside the card. AT&T has obtained a patent for
authenticating the owner by the way that he speaks. Once more the
reference data is stored on the card itself. At least in theory, these
three mechanisms can be used in any combination indicated by the
sensitivity of the application.
Since simple possession of the card is not sufficient for its use, the
remedy for loss need not involve removing it from the system, though it
likely will be anyway.
Of course there is no requirement that everything be done with a single
card. The use of one card for more than one application does increase
the convenience to the user. While cards are cheap, the use for more
than one application will marginally improve the economics. On the
other hand, the more applications on a single card, the more disruptive
will be its loss.
The use of the card to carry debit balances is similar to the use of
travelers checks. While loss is inconvenient, there is a remedy. (see
David Chaum). Most of us limit the amount that we put into travelers
checks because the interest on the balance transfers to the issuer. For
the same reason, we will limit the size of balances that we transfer to
the cards. However, when large sums are involved, most of us prefer
travelers checks. In this age of ATMs and credit cards, most of us
limit the amount of currency that we carry to that which we can afford
to lose.
Security, not convenience, is the primary value behind smart cards.
They will be orders of magnitude more secure than currency, travelers
checks, checks, letters of credit, coin, or debit and credit cards. Like
these other items they are "tokens" (artifacts for conveying
privileges). However, they are much more difficult to counterfeit.
The salient characteristic cannot be seen or observed from outside the
token. It is a secret value that cannot (economically) be read out.
Protocols permit a demonstration that the number is in there without
reading it out.
____________________________________________________________________
William Hugh Murray 216-861-5000
Fellow, 203-966-4769
Information System Security 203-964-7348 (CELLULAR)
ARPA: WHMurray@DOCKMASTER
Ernst & Young MCI-Mail: 315-8580
2000 National City Center TELEX: 6503158580
Cleveland, Ohio 44114 FAX: 203-966-8612
Compu-Serve: 75126,1722
INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840 PRODIGY: DXBM57A
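The on-card PIN check and the "demonstration that the number is in there without reading it out" described in the post above, as an added sketch that is not part of the original message. The post names no protocol, so Schnorr identification with deliberately tiny, insecure toy parameters is used as a stand-in; the class names, the three-try lockout and the PIN hashing are assumptions.

```python
"""Added illustration: on-card PIN check plus proof of possession of a card secret.

Schnorr identification is a stand-in protocol (the post names none).
The group parameters are toy-sized and NOT secure; all names are hypothetical.
"""
import hashlib
import hmac
import secrets

P = 88667          # toy prime modulus (assumption, far too small for real use)
Q = 1031           # prime order of the subgroup; Q divides P - 1
# Generator of the order-Q subgroup: first h^((P-1)/Q) mod P that is not 1.
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 100)) if g != 1)


class SmartCard:
    """Holds the secret and the PIN reference data; neither has a read-out method."""

    def __init__(self, pin: str, max_tries: int = 3):
        self._x = secrets.randbelow(Q - 1) + 1        # card secret, 1..Q-1
        self.public = pow(G, self._x, P)              # enrolled with the issuer
        self._salt = secrets.token_bytes(16)
        self._pin_ref = self._digest(pin)             # reference data stays on card
        self._max_tries = max_tries
        self._tries_left = max_tries
        self._unlocked = False
        self._nonce = None

    def _digest(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def verify_pin(self, pin: str) -> bool:
        """Compare inside the card; lock permanently after max_tries failures."""
        if self._tries_left == 0:
            return False
        if hmac.compare_digest(self._digest(pin), self._pin_ref):
            self._tries_left = self._max_tries
            self._unlocked = True
            return True
        self._tries_left -= 1
        self._unlocked = False
        return False

    def commit(self) -> int:
        """Step 1: send g^r for a fresh random r."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        self._nonce = secrets.randbelow(Q - 1) + 1
        return pow(G, self._nonce, P)

    def respond(self, challenge: int) -> int:
        """Step 3: send s = r + c*x mod Q; r masks x and is used only once."""
        if not self._unlocked or self._nonce is None:
            raise PermissionError("no commitment outstanding")
        s = (self._nonce + challenge * self._x) % Q
        self._nonce = None
        self._unlocked = False                        # PIN needed per transaction
        return s


class Terminal:
    """Point of use: knows only the card's public value, never the secret."""

    def __init__(self, enrolled_public: int):
        self.enrolled_public = enrolled_public

    def authenticate(self, card: SmartCard, pin: str) -> bool:
        if not card.verify_pin(pin):
            return False
        commitment = card.commit()
        challenge = secrets.randbelow(Q - 1) + 1      # step 2: random c in 1..Q-1
        response = card.respond(challenge)
        # Accept iff g^s == g^r * y^c (mod P); a card without x can only
        # satisfy this by guessing c before it commits.
        expected = (commitment * pow(self.enrolled_public, challenge, P)) % P
        return pow(G, response, P) == expected


if __name__ == "__main__":
    card = SmartCard(pin="4821")                      # constructed sample PIN
    terminal = Terminal(card.public)
    print("right PIN, genuine card:", terminal.authenticate(card, "4821"))
    print("wrong PIN:", terminal.authenticate(card, "0000"))
```

The terminal stores only `public`, so compromising a point-of-use device yields nothing that lets a counterfeit card answer a fresh challenge.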
-----------[000060][next][prev][last][first]---------------------------------------------------- Date: 16 Nov 89 04:59:57 GMT From: night@RPI.EDU (Trip Martin) To: misc.security Subject: Re: Cellular Modems
> 1. How is a Cellular modem different than regular modems?
The problem with cellular phones is that a constant connection is not maintained. When you move from cell to cell, the connection is dropped for a very short period of time while the connection gets reestablished. While this is not noticeable on voice, a modem is very sensitive to it.
> 2. How about security? If anyone can basically "Tune" in
Yup, anyone can tune in, although it is illegal (not that that's going to stop anyone). Since to my knowledge, the cellular phone companies haven't made any attempt to encrypt voice communications, I don't think it's likely that it will happen with digital communications either.
--
Trip Martin KA2LIV Trip_Martin@mts.rpi.edu night@pawl.rpi.edu night@uruguay.acm.rpi.edu
** Murphy's Law of Thermodynamics: Things get worse under pressure **
-----------[000061][next][prev][last][first]---------------------------------------------------- Date: 18 Nov 89 02:08:00 GMT From: tihor@ACF4.NYU.EDU (Stephen Tihor) To: misc.security Subject: Re: "The Cuckoo's Egg" by Clifford Stoll
It is an interesting book, a fun read, decent technical content and it conveys a good view of Cliff himself, who is also a fun guy. Recently I talked to some people about the history of events in the book and they indicated that it was not perfect history but good enough for most readers.
-----------[000062][next][prev][last][first]---------------------------------------------------- Date: 19 Nov 89 21:55:00 GMT From: AHAYNES@drew.BITNET To: misc.security Subject: Re: Universal Card System
I have some "knowledge" on the "smart card". When I went on a campus tour of Duke University last spring, my tour guide mentioned about how their "smart card" works. As far as I can recall, their "smart card" also worked like a combination of a credit card and a MAC card. The idea is when you pay for your tuition, you put in an extra $2000 or $3000 towards the "smart card". Now with this "smart card" you could go to the campus supermarket, snack bar, or bookstore and pay with your "smart card". The computerized system then deducts your purchases from your "smart card" account. But there is a catch to this system. You have to use ALL of your money by the end of each semester. The money from your account does NOT transfer from fall to spring semester. If this does happen....Duke takes your money...it's that simple. The "smart card" also works as a "validine", works at the library, and is also the students identification card. I think something like the "smart card" would be very beneficial to the "Drew Community." If you or anybody else have any questions.....please don't hesitate to contact me by E-Mail AHAYNES@DREW.BITNET. Thanks....
Alexandra
-----------[000063][next][prev][last][first]----------------------------------------------------
Date: 20 Nov 89 10:01:00 GMT
From: DEGROOT@rcl.wau.nl ("Kees de Groot, Computer Systems Security")
To: misc.security
Subject: Request for info on student-security-course
Course on security
==================
Security implies a lot of things like defending
against malfunctioning apparatus, viruses, fraudulent
people etc. For all these threats there are a lot of
measures like making regular backups, double or
triple system-configurations and anti-virus
software. Also a good deal of thinking has to be
done to make your organisation internally secure.
There are a lot of books covering most of these
subjects. In my opinion security is a very important
subject to be taught to students.
1. Are there any books covering security in such a
way that the book can be used for a course on the
subject?
2. Are there security courses for students and if so
what subjects are covered?
Thank you for your time,
Tel. +31-8370- .KeesdeGroot (DEGROOT@RCL.WAU.NL) o\/o THERE AINT NO
(8)3557/ Computer Systems Security [] SUCH THING AS
4030 Wageningen Agricultural University .==. A FREE LUNCH!
Computer-centre, the Netherlands
X25: PSI%(+204)18370060638::DEGROOT
disclaimer: I always speak for myself
- if you go too far to the east, you find yourself in the west .. -
-----------[000064][next][prev][last][first]---------------------------------------------------- From: night@pawl.rpi.edu (Trip Martin) 21-NOV-1989 23:15:00 To: security@pyrite.rutgers.edu
>Did you know that the 976- , and 1-900 people also keep track of who
>calls, and sells your phone numbers to advertisers
Mailing lists appear to be big business. I am aware of at least one hospital which sells names and addresses (and said we couldn't do a damn thing about it). I for one would like to know how widespread this practice is across all industries.
--
Trip Martin KA2LIV night@pawl.rpi.edu Finite state machinist night@uruguay.acm.rpi.edu
-----------[000065][next][prev][last][first]---------------------------------------------------- From: wcs@cbnewsh.ATT.COM (Bill Stewart 201_949_0705 ho95c.att.com!wcs) 22-NOV-1989 0:12:37 To: misc-security@att.att.com
An organization I used to work for once had to get an S&G lock drilled out from a secure room door. Took about 2 hours and $600 for our local specialist locksmith to do it. The problem wasn't with the lock itself - the bolt mechanism was attached to the door innards by four screws. One of the screws had come loose and wedged itself in the bolt mechanism, so the bolt wouldn't turn. The door was fairly substantial, and met medium-security specs, but nothing we couldn't have ripped open with a Sawz-All if there had been an emergency. -- # Bill Stewart, AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 ho95c.att.com!wcs # also 201-271-4712 tarpon.att.com!wcs Somerset 4C423 Corp.Pk 3 FAX 469-1355 # .... counting stars by candlelight ....
-----------[000066][next][prev][last][first]---------------------------------------------------- From: wb8foz@mthvax.cs.miami.edu (David Lesher) 22-NOV-1989 0:45:23 To: security@rutgers.edu
I believe ONLY the S&G locks are GSA approved. Also, if I am not mistaken, only Mosler containers (presently class VI) are accepted. The S&G 8400 and 8500's are darn good locks. Uncle Sam uses a lot of them, not just on containers, but office doors (with a special extension & strike), and communication center vault doors. But remember, anything can be gotten into if you have enough time. A Mosler can be drilled. It is not an easy task. We go to great lengths to try and get it open before we give up and drill. It takes from four to 8 hours, IF YOU KNOW WHAT YOU ARE DOING. We bring lots of bits, but typically use big enough drill motors that they give little trouble (except when you want to lift one ;-}) If you do it correctly, the container can be repaired and reused. If you screw up (or burn it open), you will need a new control drawer. ($$$$)
--
A host is a host & from coast to coast...wb8foz@mthvax.cs.miami.edu
no one will talk to a host that's close..............(305) 255-RTFM
Unless the host (that isn't close)......................pob 570-335
is busy, hung or dead....................................33257-0335
-----------[000067][next][prev][last][first]---------------------------------------------------- From: deh@mordor.eng.umd.edu (Douglas Humphrey) 22-NOV-1989 1:24:24 To: jac@paul.rutgers.edu Cc: security@pyrite.rutgers.edu
There is a difference between a vault and a safe. The mosler safe that we use could be picked up and carried off if you had a small crane and unbolted it from the floor I guess... It is not a vault, in that it is not a room, part of a building, with a large door on it. In 'drilling a vault' and it causing the bars at the edges to be released, if the door is in the locked position already, the bars should already be released and in the jamb. I can't see where they could become 'more released'... As to the door being unusable, the only way to do that would be to have a vault door that had thermite bars and cause itself to weld shut if it thought it was being tampered with. The doors being asbestos filled, some are and some use a foam ceramic that is pretty neat. Something like space shuttle tiles... Still, a torch (the right kind) would have no real problem cutting through, nor would a cut-away wheel of correct hardness. You just have to spend a lot of time and energy. Our mosler is not fireproof, though the secure file is. The file is asbestos lined, which is most likely a problem for some government agency or another, though I don't spend any great amount of time in the safe ;-) so I guess it doesn't scare me too much. If you have a vault, in most cases it makes more sense to go through the wall(s), floor, or ceiling. They take precautions, of course, but seldom to the level that they do with the door. Remember, the real reason for the door is psychological; it looks so mean and heavy that nobody would believe that they could get through it. Not believing they can do it, they never try, and thus never do! Otherwise, wouldn't it be much more plain, and hidden away where people couldn't see it?
Doug
-----------[000068][next][prev][last][first]----------------------------------------------------
Date: 20 Nov 89 18:21:51 GMT
From: 34AEJ7D@cmuvm.BITNET ("W. K. Gorman", Bill)
To: misc.security
Subject: without wires...
I have seen several references to devices used to intercept and display
the keystrokes entered on a PC in a nearby building/room by sensing the
electronic signature produced as each key is pressed, with no actual,
physical connection to the target PC. How do these devices function, and how
can we detect/interdict their use?
W. K. "Bill" Gorman 34AEJ7D@CMUVM.BITNET
Acknowledge-To: <34AEJ7D@CMUVM>
-----------[000069][next][prev][last][first]---------------------------------------------------- Date: 20 Nov 89 21:41:55 GMT From: jcmorris@MBUNIX.MITRE.ORG (Morris) To: misc.security Subject: Re: REINIALISING PS/2 PASSWORDS
The PS/2 hardware (OK, it's in the BIOS. Purist.) supports two passwords:
one at power-up time, and one to temporarily lock the keyboard. By default
neither is required; the setup disk ("Reference Disk" in IBMspeak) is used
to set them up. A DOS command ("kb") is used to lock the keyboard by
modifying a hardware control register; BIOS reads the subsequent input
from the keyboard and presents it to the hardware for comparison against the
(CMOS-resident) password. It appears to be solid as long as you can keep
people and metallic probes out of the guts of the machine.
(Yes, there may be some pickable nits in the above...we've got tons of PS/2
boxes here, but none on my desk. I _think_ I've got it right...)
Joe Morris
-----------[000070][next][prev][last][first]---------------------------------------------------- From: ARTABAR@MTUS5 22-NOV-1989 18:20:57 To: SECURITY@OHSTVMA
What are the policies at your institution concerning monitoring of mail and
other inbound files, as well as interactive chatting (TALK, TELL, IRC, etc)?
Would you consider it a violation of personal security if your mail and
chatting was being monitored by your institution?
Just a couple of questions as food for thought.
Andy
-----------[000071][next][prev][last][first]---------------------------------------------------- From: <NORDBERG@scranton.bitnet> 22-NOV-1989 18:56:03 To: security@pyrite.rutgers.edu
Noel asked about any bibliographic references concerning actual or potential breaches of computer security. Since s/he did not list an e-mail address I'll reply via this discussion group. "The Cuckoo's Egg" by Cliff Stoll just came out and is an interesting case study of breaches of long duration of both academic and military systems (including companies doing business with the military such as BBN, TRW and MITRE). Stoll's efforts to alert various groups met with a fair number of responses that can be characterized only as denial. Stoll, Clifford "The Cuckoo's Egg" Doubleday (c) 1989 ISBN 0-385-24946-2 --------------------------------------------------- Kevin Nordberg Dept. of Philosophy University of Scranton BITNET: NORDBERG@SCRANTON
-----------[000072][next][prev][last][first]---------------------------------------------------- From: jad@dayton.dhdsc.mn.org (J. Deters) 22-NOV-1989 19:33:31 To: security@rutgers.edu
A frequent culprit in false alarms is moisture somewhere in the loop.
"Take this simple quiz!"
1. Do you notice a higher incidence of false alarms during rainy
weather, or in high humidity situations?
2. Have you done (or had done) any plumbing recently?
3. Condensation buildup on windows can seep into the surrounding
woodwork and play havoc with bare splices that touch that wood.
Do your windows 'fog up' now more than they did two months ago?
4. The staples you used -- were they insulated (paper or plastic)?
Piercing the wire or crushing the jacket can easily cause your
wonderful hidden problems.
5. Damp wood may be swelling up and putting a strain on a poorly
made joint.
To isolate your problem, you may consider connecting up each device
on its own independent loop, or putting two or three on each loop
until you can narrow it down to which device is failing. Then,
test the individual wiring and device, and repair or replace as
needed.
Hope this helps,
-j
--
J. Deters
jad@dayton.DHDSC.MN.ORG .\ /. "Smile -- Cthulu loathes you!"
john@jaded.DHDSC.MN.ORG \_____/
-----------[000073][next][prev][last][first]----------------------------------------------------
Date: 21 Nov 89 16:09:00 GMT
From: system@LNS61.TN.CORNELL.EDU ("SYSTEM MANAGER")
To: misc.security
Subject: re: controversy
Lee, You recently posted a message to the security mailing list. Unfortunately, you neglected to include a "signature", and the message that I received via the Bitnet forwarding list contained no return address other than the security mailing list itself. As a result, I'm posting my response there (in full public view. gak. ;-)
[Moderator injection: This is real close to being fixed. Apparently only one of the "peer" sites that redistribute this stuff on Bitnet is at fault, due to its running outdated versions of listserv. This should be upgraded as soon as the political/administrative red tape is out of the way.]
You asked:
> This statement is unclear: is it an infected disk into
>an uninfected system which becomes infected (even without initiating
>an application program)?
No. Simply inserting an infected disk into an uninfected system does not infect that system until some code on the infected disk is executed. I am intentionally not being specific about what code has to be executed. That detail is a function of the type of virus and computer. Booting from an infected disk or running an infected program are the usual "vectors".
>Is it inserting a clean disk into an infected
>system (again, with no application open)?
Yes. Inserting a "clean", write-enabled diskette into a drive on a system that is already infected may cause that diskette to become infected. The details of how the infection propagates are a function of the type of virus and computer. When you insert a diskette into a drive, most systems attempt to read the appropriate blocks on the diskette to determine the volume label and other information. Most viruses subvert the computer's native I/O software and intercept all I/O requests. When such a virus notices that a write-enabled diskette has been newly inserted in a drive, it will attempt to make a copy of itself on that diskette. Again, the details of what a virus will do vary.
On some systems, there is enough room in the boot blocks for the entire virus. Some viruses insert themselves into standard system programs. Others will mark some disk blocks as bad and hide most of the code there. Minimal modifications of a boot block or system program are needed to load the real code from the "bad blocks". Later when you try to boot from that disk, or run the infected program, the virus copy will again subvert the I/O system of your computer and look for write-enabled disks to infect.
Modern computers implement write-protection in the hardware of the disk drive. Apparently only old Apple computers used software to protect their disks from writing. So long as your drive isn't broken (or modified), your disks are safe from infection if the write protect tab is in the correct state.
For further details, you should subscribe to the virus mailing list. You might contact the moderator, Kenneth R. van Wyk <krvw@SEI.CMU.EDU>, to learn how to subscribe. The procedure varies somewhat depending on your actual address.
I hope this helps explain the situation.
Selden E. Ball, Jr. (Wilson Lab's network and system manager) Cornell University Voice: +1-607-255-0688 Laboratory of Nuclear Studies FAX: +1-607-255-8062 Wilson Synchrotron Lab BITNET: SYSTEM@CRNLNS Judd Falls & Dryden Road Internet: SYSTEM@LNS61.TN.CORNELL.EDU Ithaca, NY, USA 14853-8001 HEPnet/SPAN: LNS61::SYSTEM = 44283::SYSTEM
-----------[000074][next][prev][last][first]---------------------------------------------------- Date: 22 Nov 89 00:25:00 GMT From: UCS_KAS@shsu.BITNET (Ken Selvia 409-294-3547) To: misc.security Subject: RE: Re: Privacy vs on-line library
Students are given access to various parts of the student-information
system via terminals in the library here. One of the things they can
change is their "Buckley" status. Unless they request otherwise, we
can give information about them to anyone (I suppose anyone...) who
asks for it. The message below is the one they receive when they
select the option of changing their Buckley status:
============================================================================
Under the terms of the Family Educational Rights and Privacy
Act, Sam Houston State University has established the following
as directory information:
Name Birthdate and Place of Birth
Local/Home Addresses Local/Home Telephone Numbers
Major/Minor Classification
Extra-curricular Activities Honors and Awards
Names and Addresses of Parents/Legal Guardians
Weight, Height, and Related Information of Athletic Team Member
Age, Race, Sex, and Marital Status
============================================================================
Students can also display this information about other students when
available. (ie. If we have it, and the other student has not changed their
Buckley status.) Recently some insurance company bought a mailing list from
us and they put our name on the letters. Parents were given the impression
that the university was somehow responsible for the letters. I assume the
lawyers are busy figuring out what to do about it.
BTW: I believe a 10,000 name list sells for around $2,000.00!
On the good side: Credit card companies can't wait to GIVE cards to
graduating seniors. I must have received 6 pre-approved applications
just because I was going to graduate. They hook you ASAP. Hmm, maybe
it's not so good...
Regards, Ken.
Kenneth Selvia Programmer Analyst (BITNET: UCS_KAS@SHSU.BITNET)
Sam Houston State University Huntsville, TX 77341
[This is probably not the official or unofficial position of SHSU]
-----------[000075][next][prev][last][first]---------------------------------------------------- Date: 22 Nov 89 00:43:57 GMT From: eickmeye@GIRTAB.USC.EDU (Biff Henderson) To: misc.security Subject: Re: REINIALISING PS/2 PASSWORDS
It is in hardware and it is the IBM PS/2s. All of the PS/2s which I have (been unfortunate enough to) come in contact with have this option. The password is set using the "setup" software which comes with the machine. When the machine is cold-booted (i.e. turned on, as opposed to warm-booted with the Ctrl-Alt-Del key sequence), a "key" symbol appears in the top left corner of the screen, something like:
o-n
Yes, it is a simple representation as above, although I do not have it exactly correct; they use some high-end ASCII symbols (in the 128-255 range) to make the key look a bit better. If the password is not typed correctly, you get a large X underneath the key and a second attempt, then a third attempt. If the three attempts are all incorrect, then you must power down the machine and restart it.
The password may be changed by typing the old password followed by a special character, I think it's the forward-slash /, followed by the new password. Of course, the password may also be deleted. I believe the maximum length of the password is eight characters.
These are my recollections from using PS/2s, but perhaps an owner could shed more light on the exact situation if my recollections are incorrect.
-----------[000076][next][prev][last][first]---------------------------------------------------- Date: 22 Nov 89 16:36:58 GMT From: jwm@STDA.JHUAPL.EDU (Jim Meritt) To: misc.security Subject: Re: Privacy vs on-line library
If a list of where these on-line libraries are and how to reach them is
available, PLEASE send it to me.
^^^^
(Insert appropriate whimpering here)
"In these matters the only certainty is that nothing is certain"
- Pliny the Elder
These were the opinions of :
jwm@aplcen.apl.jhu.edu - or - jwm@aplvax.uucp - or - meritt%aplvm.BITNET
-----------[000077][next][prev][last][first]---------------------------------------------------- Date: 22 Nov 89 17:59:00 GMT From: TOM@fandma.BITNET (Tom - Tech Support) To: misc.security Subject: Policy
While this shouldn't be taken as an official policy statement, there is no question that monitoring of incoming mail, outgoing mail, or interactive traffic would be considered a violation of privacy. A flagrant violation at that! In my opinion, even monitoring the volume of traffic to/from an individual would be a privacy issue. We do check on disk usage on a regular basis -we do not allocate quotas even though we could- but that is to the extent that heavy users are asked to housekeep. If that doesn't work, we run a full directory to look for duplicate files, etc. We would then ask them again to remove excess files. This has always worked.
******************************************************************************
* FRANKLIN & MARSHALL COLLEGE COMPUTER SERVICES -TECH. SUPPORT *
* Thomas C. Mahoney, Computer Electronics Technician *
* PO Box 3003 BITNET: Tom@FANDM *
* Lancaster, PA 17604 AppleLink: A0159 *
* Disclaimer: Better than datclaimer. (717) 291-4005 *
* Last year I cudn't spell teknishun and now I are one. *
* ****************************************************************************
-----------[000078][next][prev][last][first]---------------------------------------------------- Date: 23 Nov 89 21:30:33 GMT From: pat@grebyn.com (Pat Bahn) To: misc.security Subject: Mac Security Software
Does anyone out there have some good software to encrypt files on a MAC??? I have a mac2 and SE that are going to start handling personally sensitive data where I can't control physical access, is there any way to password protect the hard disk???? That or encrypt the files? Thanks
--
=============================================================================
Pat @ grebyn.com | If the human mind was simple enough to understand,
301-948-8142 | We'd be too simple to understand it.
=============================================================================
-----------[000079][next][prev][last][first]---------------------------------------------------- From: dcdwest!sarge@ucsd.edu (Sergeant Bob Heddles) 27-NOV-1989 12:32:50 To: ???
I was wondering where I could get the unit patches (uniform) of the different police and other emergency departments of the U.S.A. and Canada? Is there a catalog company and /or store that carries them? If not would the people on the network with the affiliations of the above-mentioned departments be willing to send one to me? I am trying to build a collection of patches. Any and all help would be greatly appreciated.... Thanks, Bob
--
Bob Heddles | ITT Defense Communications Division
ucbvax!ucsd!dcdwest!sarge | 10060 Carroll Canyon Road
sarge@dcdwest%ucsd.edu | San Diego, CA 92131
Opinions expressed are mine alone. Since no-body else wants them.
-----------[000080][next][prev][last][first]---------------------------------------------------- From: joel achtenberg <C04810JA@wuvmd.bitnet> 27-NOV-1989 13:02:46 To: security@pyrite.rutgers.edu
At Washington University (St. Louis) we have a number of different cards, not a universal card. Student ID's have recently switched to a mag-strip, used for validation in the cashier's office and for access to athletic facilities, special events, etc. The same card is used in the library. A different card is available for purchase and use in laser printers and photocopy machines; money can be added as necessary. A similar, but separate card is used by the food service for students on meal plans; money is deducted from the card with each meal purchased and additional credit can be purchased. A Universal card would certainly be useful, from my point of view, but would have significant administrative problems since the various cards currently are controlled by several different departments.
-----------[000081][next][prev][last][first]---------------------------------------------------- From: Mike Garcia <MTG@cornellc.cit.cornell.edu> 27-NOV-1989 13:24:38 To: security@pyrite.rutgers.edu
>The DEA regularly raids "indoor gardening" stores, many of which can and
>do serve a legitimate, law-abiding clientele, without ever filing
>formal charges against the owners, merely to gain the computerized customer
>lists therefrom.
It does not even have to be computerized.
The Chicago police department has a squad called the "gun squad" which
confiscates unregistered handguns. It is enormously successful in
terms of the number of handguns seized. Reportedly one of the Chicago
PD's techniques is to acquire lists of legally purchased handguns,
which were purchased outside of Chicago. These lists include the name
and address of the purchaser. The Chicago PD then checks the names on
the lists against the names of store and restaurant owners whose places
of business are located in Chicago. When a match is found, the place
of business is searched. Since it is a public place, no search warrant
is needed. If a handgun is found on the premises, it is seized.
These lists are acquired from the US Bureau of Alcohol, Tobacco and
Firearms (BATF). BATF assembles these lists by inspecting the records
of gun shops near, but outside of, Chicago. It is a federal
requirement that all firearm purchases be recorded, and the gun shops
can not refuse BATF access to the records.
In all probability, part of your library's budget is federal money. If
a federal agency wants access to such information, it will have
powerful tools for compelling compliance. Once the feds have the data,
they can do whatever they want with it, including giving it to a third
party.
If your library keeps track of what information you access, for
whatever reason, you have no real guarantee that it will not be
misused.
Mike Garcia
-----------[000082][next][prev][last][first]----------------------------------------------------
Date: 27 Nov 89 21:46:00 GMT
From: DAVE@unmb.BITNET ("David D. Grisham")
To: misc.security
Subject: Security for Novell
Those of you who have Novell networks and virus problems,
I ask:
Has anyone bought and implemented the Novell scanning
program "netscan"? We (UNM) are purchasing VIRUSCAN for a
few machines, at $15 per this is reasonable. However, $1000
for a site license of NETSCAN is a bit steep. We won't buy it
unless it is working at other institutions with great results.
Can you who do, please write me or post?
I'd also like to hear if anyone can suggest a better
product. The security of networks is the one problem
facing us all. Thanks in advance.
dave
Dave Grisham, Security Administrator, CIRT Phone (505) 277-8148
University of New Mexico USENET DAVE@hydra.UNM.EDU
Albuquerque, New Mexico 87131 BITNET DAVE@UNMB
my comment for the day-
It is too bad that the DOS world can't put out a product like
Disinfectant (Damn good and free). Do all the nice guys
wear Macs?
-----------[000083][next][prev][last][first]---------------------------------------------------- Date: 27 Nov 89 23:31:33 GMT From: daemon@MCNC.ORG (David Daemon) To: misc.security Subject: Re: "The Cuckoo's Egg" by Clifford Stoll
The GNU Emacs support utility that caused the problem was installed setuid, when it had never been designed to be setuid. Setuid programs need to be carefully(!) designed to work securely with such privileges, and you WILL get in trouble cavalierly making random programs setuid. I don't believe that the GNU Emacs installation instructions ever suggested making that program setuid. A cautious system administrator would not have done so - I, for one, didn't. I understand that certain features may have been lacking for some versions of Unix running emacs without this utility setuid, but I am confident that there were different, secure, alternatives, which could have provided the same features. I don't recall more specific details, because the BSD 4.[23] versions of Unix that I was using never forced me to deal with them. Stephen P. Schaefer MCNC sps@mcnc.org P.O. Box 12889 ...!mcnc!sps RTP, NC 27709
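An audit for the situation described in the message above, as an added example (not part of the original post and not GNU Emacs code): it lists setuid/setgid files under a tree and reports those missing from a reviewed allowlist. The function names and the allowlist file format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find programs that carry the setuid/setgid bit without
# having been reviewed for it. Paths containing newlines are not handled.

# find_privileged ROOT
# Prints, one per line, every regular file under ROOT that has the
# setuid (4000) or setgid (2000) bit set, without crossing filesystems.
find_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_privileged ROOT ALLOWLIST
# ALLOWLIST (hypothetical format): absolute paths, one per line, that an
# administrator has reviewed and accepts as setuid/setgid; lines starting
# with '#' are comments. Prints "MODE OWNER PATH" for each privileged file
# that is NOT on the list.
unexpected_privileged() {
    root=$1
    allow=$2
    find_privileged "$root" | while IFS= read -r path; do
        # -F: fixed string, -x: whole-line match, so /bin/su does not
        # accidentally approve /bin/sudo.
        if ! grep -v '^#' "$allow" | grep -Fxq -- "$path"; then
            # Show mode and owner: the owner is the identity the program
            # runs as when any user starts it.
            ls -ld -- "$path" | awk -v p="$path" '{ print $1, $3, p }'
        fi
    done
}

# Typical use (paths are placeholders):
#   unexpected_privileged /usr/local /etc/setuid.allow
```

Anything this reports either belongs on the allowlist after review or should have the bit removed with `chmod u-s,g-s`.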
-----------[000084][next][prev][last][first]----------------------------------------------------
Date: 28 Nov 89 00:40:54 GMT
From: GSRLR@alaska.BITNET ("Robyn Robertson GSRLR@ALASKA")
To: misc.security
Subject: (none)
In response to the recent query re e-mail security at various sites, our local VAXen computer manager responded to me with the following msg. Our area network consists of three VAXen located at various far flung sites here in the state, as well as a pair of additional machines here in Fairbanks which belong to the math department and campus security. Our mail package for e-mail within our network is a home grown system which serves our local DECnet as well as Internet and BITNET msgs. through interface with the respective daemons. The 'PHONE' utility is a DEC chat package.
=> #48 ACAD3A::FXJWK Mon 27 Nov 1989 09:53 ( 5/ 329)
>From: Jo Knox - Academic Computing
Nothing is monitored here, although the system does keep track of the numbers of messages sent and received, and personally, I would feel it a violation not of personal security, but of privacy to do so.... Incidentally, this does not include the VAX/VMS PHONE utility, which uses open mailboxes---PHONE can be tapped by anyone.
-----------[000085][next][prev][last][first]----------------------------------------------------
Date: 29 Nov 89 18:14:22 GMT
From: GSRLR@alaska.BITNET ("Robyn Robertson")
To: misc.security
Subject: (none)
>>How true. I understand that some crime investigators appreciate that
>>the best time to try to find somebody in a public place that they
>>"randomly" frequent is precisely one week after a time they were known
>>to be there, e.g. when a crime occurred.
An interesting observation. I am sometimes astonished at the discussions on this list concerning the technology of security. I have had close contact with literally hundreds of convicted felons, and the most overwhelming characteristic of this group is the collective ignorance these people share. I will not deny that there is criminal expertise in the world, but the reality is, most people dedicated to criminal enterprise become so after they have met successive frustrations in their attempts to make a way through the world without resort to crime. I think that this implies a very high level of social dysfunction, and a powerful characteristic of this dysfunction seems to generally include very poor academic performance. This tends to keep the level of technical expertise in the criminal counterculture to an absolute minimum. Certainly, there is reason in technological overkill where very sensitive data or materials is concerned (Items within the three classes of 'intern