----MESSAGE-BEGIN---- [9001192341.AA22841@ucbarpa.Berkeley.EDU] <1990010219314600>
From: CI60UCU@VM.TCS.TULANE.EDU (Charlene Charette)
Newsgroups: misc.security
Subject: bill changers
Message-ID: <9001192341.AA22841@ucbarpa.Berkeley.EDU>
Date: 2 Jan 90 19:31:46 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 6
Approved: security@rutgers.edu
Posted: Tue Jan 2 20:31:46 1990

We got into a discussion at work the other day and I thought that this would be the place to get an answer. Just how does a vending machine or bill changer determine what bill you've inserted? Some change 1's or 5's. How does it tell the difference between bills?

--Charlene Charette
----MESSAGE-END----

----MESSAGE-BEGIN---- [9001301242.AA21870@ucbarpa.Berkeley.EDU] <1990010222055600>
From: tn07+@ANDREW.CMU.EDU (Thomas Neudecker)
Newsgroups: misc.security
Subject: Yale Pin Tumbler Padlock
Message-ID: <9001301242.AA21870@ucbarpa.Berkeley.EDU>
Date: 2 Jan 90 22:05:56 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 13
Approved: security@rutgers.edu
Posted: Tue Jan 2 23:05:56 1990

About 25 years ago I came across a Yale Towne Pin Tumbler padlock. It is a cast iron lock with a brass bar and cylinder. The key is a thin aluminum stock with a 5 character number imprinted. I believe that the lock - lock series - was once used by the railroads.

One of my two keys was broken last week by someone trying to open the lock by twisting the key. After calling several locksmiths I found no one interested in finding a blank or milling a copy.

Does anyone have any info about this padlock? Is the key blank restricted?
Thanks,
Tom Neudecker
Carnegie Mellon
----MESSAGE-END----

----MESSAGE-BEGIN---- [9001200029.AA23625@ucbarpa.Berkeley.EDU] <1990010401514600>
From: jrm@LUCID.COM (Joe Marshall)
Newsgroups: misc.security
Subject: forging documents with a laser printer
Message-ID: <9001200029.AA23625@ucbarpa.Berkeley.EDU>
Date: 4 Jan 90 01:51:46 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 28
Approved: security@rutgers.edu
Posted: Thu Jan 4 02:51:46 1990

Forged court documents would be too easy to detect and rather difficult to pass. Would you give me your car if I showed you a court order that said you had to? The same is true for prescriptions: No one needs 5000 Quaaludes. Letters of credit can be easily verified by telephoning the issuing party.

I would think that the market for forged Motor Vehicle documents would be very lucrative. I would imagine that forged negotiables would also be popular. Forged identity papers would be useful, too.

I can think of 3 techniques that are commonly used to hinder forgery. First, the medium for the document can be hard to obtain. Second, the use of paper documents can be eliminated. Third, the penalties for getting caught using forged documents can be increased.

There are problems with these techniques. Increasing penalties is laughable: "Hey Mike, don't do that! It's against the law!" Making the medium hard to obtain means that governments and big businesses can make verifiable documents, but you can't. Eliminating paper altogether generally means putting all the data in a safe place like a Unix box.

I think an approach that used encryption to make digital signatures would be terrific. Then individuals could make verifiable documents without compromising their privacy. In order to do this we would need to provide access to encryption to everyone.
~JRM
----MESSAGE-END----

----MESSAGE-BEGIN---- [9001291800.AA05608@ucbarpa.Berkeley.EDU] <1990010402321600>
From: kelly@uts.amdahl.com (Kelly Goen)
Newsgroups: misc.security
Subject: Re: without wires...
Message-ID: <9001291800.AA05608@ucbarpa.Berkeley.EDU>
Date: 4 Jan 90 02:32:16 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 11
Approved: security@rutgers.edu
Posted: Thu Jan 4 03:32:16 1990

>My GRiD is "tempest shielded", which means you can't spy on me this way.

HA HA HA!!! ever hear of a preamp??? attached to an induction pickup coil... or possibly one of those cute DECO or info unlimited xmitters wired internally to the serial port of your keyboard...TEMPEST also depends on GOOD physical security of your environment... otherwise it is indeed quite bypassable!!!

cheers
kelly

p.s. I looked at the TEMPTEST shielded GRIDS... managed to make a NICE measurement on my FSM!!!grin!!
----MESSAGE-END----

----MESSAGE-BEGIN---- [9001230051.AA20779@ucbarpa.Berkeley.EDU] <1990010723023400>
From: Kevin.Parris@p5.f12.n376.z1.FIDONET.ORG (Kevin Parris)
Newsgroups: misc.security
Subject: A different kind of privacy
Message-ID: <9001230051.AA20779@ucbarpa.Berkeley.EDU>
Date: 7 Jan 90 23:02:34 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 13
Approved: security@rutgers.edu
Posted: Mon Jan 8 00:02:34 1990

>employees have any rights when it comes to using the company computer for
>personal reasons?

Those activities are, for employees of the State of South Carolina, classified as misappropriation of government resources. While I have not heard of any actual cases, if such things are "noticed" by management, they constitute grounds for disciplinary action, including termination.

KRP
--
Kevin Parris == ...!usceast!uscacm!12.5!Kevin.Parris
----MESSAGE-END----

----MESSAGE-BEGIN---- [9001292116.AA00845@ucbarpa.Berkeley.EDU] <1990010816265200>
From: jje@virtech.UUCP (Jeremy J. Epstein)
Newsgroups: misc.security
Subject: Re: UNIX Security, X/OPEN, Orange Book
Message-ID: <9001292116.AA00845@ucbarpa.Berkeley.EDU>
Date: 8 Jan 90 16:26:52 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 38
Approved: security@rutgers.edu
Posted: Mon Jan 8 17:26:52 1990

> 1) I've heard about Agreements or standards the X/OPEN-Foundation
> published on this topic.

Don't know about X/OPEN, but POSIX has a working group (P1003.6) which is defining security requirements.

There are two rated UNIX systems: Gould (now Encore) has a C2 system called UTX/32S (achieved rating about 3 years ago) and AT&T System V/MLS which achieved B1 rating a couple of months ago.

There are two vendors who specialize in making UNIX systems secure:

SecureWare (Atlanta Georgia)
Addamax (Champaign Illinois)

Each has worked with several vendors to make B1 versions of their commercial offerings. AT&T also licenses their System V/MLS to other vendors for incorporation into UNIX systems. Sun has SunOS/MLS which is aimed at B1. Trusted Information Systems (TIS) has a B2 version of XENIX. Finally, AT&T is developing a new UNIX system aimed at B2 or B3 (I don't remember which), but it's a major new effort which will become System V Release 4 Version 1, sometime in late 1990 or early 1991.

Besides all these, TIS is building a prototype B3 version of Mach, which is related to (but NOT the same as) UNIX.

Not all of these systems have been submitted for evaluation. In particular, SecureWare, Addamax, and TIS XENIX have been; AT&T has passed; Sun and TIS TMach are not even in the pipeline as far as I know. Some of the integrated systems (i.e., integrations of SecureWare, Addamax, or AT&T with the vendor) have been submitted to the NCSC, but I don't know which ones.

Remember, anyone can claim security; unless it's rated by the NCSC (National Computer Security Center) or some equivalent body in another country, it's just talk.
Jeremy Epstein
TRW Systems Division
jje@virtech.uu.net
+1 703-876-4202
----MESSAGE-END----

----MESSAGE-BEGIN---- [9002030804.AA01897@ucbarpa.Berkeley.EDU] <1990010913410000>
From: Kilgallen@DOCKMASTER.NCSC.MIL
Newsgroups: misc.security
Subject: PS2 Security and Physical Security
Message-ID: <9002030804.AA01897@ucbarpa.Berkeley.EDU>
Date: 9 Jan 90 13:41:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 10
Approved: security@rutgers.edu
Posted: Tue Jan 9 14:41:00 1990

>Broken covers should be taken as evidence of compromised data.

Presumably these caveats apply to almost all computer security threats, including theft of encrypted data (where the intrusion can also introduce a latent key-grabber in many situations).

This is not to criticize Mr. Murray for reminding us -- just to iterate that data security almost always depends on physical security.

Larry Kilgallen
----MESSAGE-END----

----MESSAGE-BEGIN---- [9001212149.AA24770@ucbarpa.Berkeley.EDU] <1990011001010100>
From: bob@morningstar.com (Bob Sutterfield)
Newsgroups: misc.security
Subject: Re: GNU and security
Message-ID: <9001212149.AA24770@ucbarpa.Berkeley.EDU>
Date: 10 Jan 90 01:01:01 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 11
Approved: security@rutgers.edu
Posted: Wed Jan 10 02:01:01 1990

I must admit to dismay at having Stallman call someone else "careless", when the GNUmacs makefile hides a umask in a tar pipe to install everything with 777 protections. That's a very careful implementation of Stallman's attitude toward security. If someone else has a different attitude, they had better be similarly careful. If they didn't watch to see that they were implementing their attitude, then they were careless.

No, I don't agree with Stallman on security. Yes, it surprised me too.
----MESSAGE-END----

----MESSAGE-BEGIN---- [9001212043.AA24447@ucbarpa.Berkeley.EDU] <1990011003530000>
From: meister@GAAK.LCS.MIT.EDU (phil servita)
Newsgroups: misc.security
Subject: Re: GNU and security
Message-ID: <9001212043.AA24447@ucbarpa.Berkeley.EDU>
Date: 10 Jan 90 03:53:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 6
Approved: security@rutgers.edu
Posted: Wed Jan 10 04:53:00 1990

I must admit to dismay at having Stallman call someone else "careless", when the GNUmacs makefile hides a umask in a tar pipe to install everything with 777 protections.

777 is one heck of a lot different than 4777...
----MESSAGE-END----

----MESSAGE-BEGIN---- [9001310313.AA08501@ucbarpa.Berkeley.EDU] <1990011100365200>
From: thomas@mvac23.UUCP (Thomas Lapp)
Newsgroups: misc.security
Subject: RE: FACSCARD
Message-ID: <9001310313.AA08501@ucbarpa.Berkeley.EDU>
Date: 11 Jan 90 00:36:52 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 14
Approved: security@rutgers.edu
Posted: Thu Jan 11 01:36:52 1990

We use the same type of system for buildings on our site. In talking with someone in security, I found out that they are also known as "chest readers" or "butt readers", since people can put their chest (with card in shirt pocket) or butt (with card in wallet in back pocket) up against the reader. I've often seen employees just put the whole wallet up to the reader and it works fine. ;-)

- tom
--
internet : mvac23!thomas@udel.edu or thomas%mvac23@udel.edu
uucp : {ucbvax,mcvax,psuvax1,uunet}!udel!mvac23!thomas
Europe Bitnet: THOMAS1@GRATHUN1
Location: Newark, DE, USA
Quote : Virtual Address eXtension. Is that like a 9-digit zip code?
----MESSAGE-END----

----MESSAGE-BEGIN---- [9001310158.AA05683@ucbarpa.Berkeley.EDU] <1990011104152000>
From: CTM@cornellc.BITNET (Homer)
Newsgroups: misc.security
Subject: Re: Electronic-key Radar Detection Protection
Message-ID: <9001310158.AA05683@ucbarpa.Berkeley.EDU>
Date: 11 Jan 90 04:15:20 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 6
Approved: security@rutgers.edu
Posted: Thu Jan 11 05:15:20 1990

How often does a hot car stereo get stolen from the guy who bought it, and how often does the twice stolen stereo get sold to a second guy only to be stolen again. Does hot equipment just keep making the rounds?
----MESSAGE-END----

----MESSAGE-BEGIN---- [9002080446.AA27671@ucbarpa.Berkeley.EDU] <1990011600275600>
From: faatzd@TURING.CS.RPI.EDU (Don Faatz)
Newsgroups: misc.security
Subject: Re: Privacy
Message-ID: <9002080446.AA27671@ucbarpa.Berkeley.EDU>
Date: 16 Jan 90 00:27:56 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 10
Approved: security@rutgers.edu
Posted: Tue Jan 16 01:27:56 1990

A recent court decision held that conversations on cordless telephones are not subject to "expected privacy" as are conversations on telephones with cords. Hence, police can simply LISTEN to cordless telephone conversations and make arrests based on the conversation. This, in principle, seems fine since one literally BROADCASTS one's conversation with a cordless phone - but what of the person on the other end of the call - he/she has no a priori knowledge of the _cordlessness_ of the caller's phone. Does this other person unknowingly surrender his right of privacy ....

From: mark@UXA.CSO.UIUC.EDU (mark)
Newsgroups: misc.security
Subject: I beleive some do ...
Message-ID: <9002080326.AA26279@ucbarpa.Berkeley.EDU>
Date: 16 Jan 90 02:47:09 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 5
Approved: security@rutgers.edu
Posted: Tue Jan 16 03:47:09 1990

I have heard that ....
I thought it was Volvo, but I could be wrong... some major auto company equips their car stereos with a 'key' that WILL NOT come out if the stereo is hocked, and it won't work without the 'key' (immediately)

mark@uxa.cso.uiuc.edu
----MESSAGE-END----

----MESSAGE-BEGIN---- [9002080851.AA00760@ucbarpa.Berkeley.EDU] <1990011809280000>
From: DEGROOT@rcl.wau.nl ("Kees de Groot, Computer Systems Security")
Newsgroups: misc.security
Subject: responses on a question about books on security: thanks to all!
Message-ID: <9002080851.AA00760@ucbarpa.Berkeley.EDU>
Date: 18 Jan 90 09:28:00 GMT
Sender: usenet@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 165
Approved: security@rutgers.edu
Posted: Thu Jan 18 10:28:00 1990

At the end of November in 1989 I sent a message on the above subject to the security-list. I have appended the responses to the original message for your interest. Thank you for your response!

======================================================================
Subj: Request for info on student-security-course

Course on security
==================

Security implies a lot of things like defending against malfunctioning apparatus, viruses, fraudulent people etc. For all these threats there are a lot of measures like making regular backups, double or triple system-configurations and anti-virus software. Also a good deal of thinking has to be done to make your organisation internally secure. There are a lot of books covering most of these subjects.

In my opinion security is a very important subject to be taught to students.

1. Are there any books covering security in such a way that the book can be used for a course on the subject?
2. Are there security courses for students and if so what subjects are covered?

==========================================================================
>From: "Charles P.
Pfleeger"
Subject: Security textbooks
To: DEGROOT@RCL.WAU.NL

There are three books that I would consider using to teach a course in computer security (which, incidentally, I did for several years while on the faculty of The University of Tennessee). The books are Lance Hoffman's Modern Methods for Computer Security (Prentice-Hall, 1977--very dated), Dorothy Denning's Cryptanalysis and Data Security (Addison Wesley, 1982--somewhat dated, rather narrowly focused, although excellent within that focus), and my Security in Computing (Prentice Hall, 1989).

Without trying to give an obviously-biased review, let me just mention that it covers encryption and cryptography as a fundamental (but certainly not the only) tool in providing security; studies problems and solutions for providing security in the design of programs, operating systems, database management systems, and networks; and covers risk analysis, physical and administrative protection, legal issues and ethical issues.

If you will contact your local Prentice-Hall representative, or write to Prentice-Hall in Englewood Cliffs NJ 07632 USA (there is also a European sales office, but I do not have the address), I am sure you can get a copy for your review.

--CPfleeger

======================================================================
>From: Ommang

I'm currently taking a class from Dr. Richard A. Kemmerer at UCSB, and we use this book: Charles P. Pfleeger "Security in Computing", Prentice Hall 1989. ISBN 0-13-798943-1. I think the book is pretty good. Kemmerer has also used lots of papers on the topic in his class.

Some of the topics covered:

Terminology (trojan horse, trap door, worm, virus, denial of service etc.)
Security principles (least privilege, economy of mechanism, complete mediation, separation of privilege, etc.)
Security models and principles (Bell-LaPadula, Integrity, Take-Grant, Lattice and non-interference).
Security mechanisms (capabilities, access control lists, authentication mechanisms, secure attention key etc)
Protection techniques (penetration analysis, info flow analysis, covert channel analysis etc)
Encryption (monoalphabetic, polyalphabetic, rotors, DES, Hill, etc).

Hope this is of some help to you!

Harald

====================================================================
>From: gasser@ultra.enet.dec.com (MORRIE GASSER, 508-264-5055, DTN 293-5055)

I saw your request for a book that could be used for a computer security course. My book has been used in a number of courses...

Title: Building a Secure Computer System
Author: Morrie Gasser
Publisher: Van Nostrand Reinhold Co., New York.
ISBN No.: 0-442-23022-2

U.K.: Van Nostrand Reinhold at International Thomson Publishing Services Ltd, North Way, Andover, Hants SP10 5BE. # 26.95
U.S.: Van Nostrand Reinhold Co. P.O. Box 668 Florence, Kentucky 41042 Mail order phone: 606-525-6600 $37.95

=====================================================================
>From: IN%"FITSILIS@GRPATVX1.BITNET" 12-DEC-1989 13:04:16.63

Dear Kees

We have just completed our thesis work on Computer Security in the Department of Computer Engineering and Informatics at the University of Patras, Greece. We admit that we faced a lot of difficulties in finding adequate bibliography and references on this subject (which shows how important a subject it is!). We believe that one of the best books on Computer Security is "Cryptography and Data Security" by Dorothy Elizabeth Denning, published by Addison-Wesley, ISBN 0-201-10150-5. We supply a sample of the book's contents:

-ENCRYPTION ALGORITHMS (transposition, substitution, product (DES), exponential, knapsack ciphers).
-CRYPTOGRAPHIC TECHNIQUES (block and stream ciphers, endpoints of encryption, key management)
-ACCESS CONTROL (access matrix model, authorization lists, capabilities, take-grant systems).
-INFORMATION FLOW CONTROLS (lattice model, execution based and compiler based mechanisms, program verification).
-INFERENCE CONTROL (statistical database model, inference control mechanism, methods of attack (trackers etc), methods of defence (statistic restriction, noise addition etc)).

This book was published in 1982. If it looks out of date to you, we recommend "Proceedings of the IEEE Symposium on Security and Privacy". These are the proceedings of an annual symposium on computer security, containing all the recent work on the subject. We used the 1988 symposium proceedings, IEEE Catalogue Number 88CH2558-5, ISBN 0-8186-0850-1. Also you can find related papers on the following magazines:

-ACM PRESS SIGSAC REVIEW (published 4 times a year).
-CRYPTOLOGIA (journal on cryptography).

In our opinion, this subject can be taught to students that have elementary knowledge of operating systems, computer networks, databases and a good mathematical background (i.e. information theory, number theory, complexity theory).

We wonder if you could keep us informed on the progress of your courses, since we are faced with similar problems (we are preparing a Computer Security course to be taught next year in our department). Also if you have (or received) any further recommendations on the subject, please forward them to us.

Friendly,
CHARLES CAMEAS
PANOS FITSILIS

=====================================================================
Mr. de Groot,

One excellent text on the subject is SECURITY IN COMPUTING, C. P. Pfleeger, Prentice-Hall, Englewood Cliffs, New Jersey (1989). It is my understanding that this material was taught by the author while he was a professor in the Computer Science Dept. at The University of Tennessee. The author is currently working in private industry as a computer security professional.

Regards,
Lloyd F.
Arrowood
Oak Ridge National Laboratory

Disclaimer: The views and opinions of the author do not necessarily state or reflect those of the United States Government or any agency thereof.
==========================================================================
----MESSAGE-END----

----MESSAGE-BEGIN---- [9001181154.AA14874@ucbarpa.Berkeley.EDU] <1990011811552600>
From: bpistr@cgch.UUCP
Newsgroups: misc.security
Subject: Re: vault doors, was: locks
Message-ID: <9001181154.AA14874@ucbarpa.Berkeley.EDU>
Date: 18 Jan 90 11:55:26 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 11
Approved: security@rutgers.edu
Posted: Thu Jan 18 12:55:26 1990
X-Unparsable-Date: Tue, 12 Dec 89 08:50:08 mez

but aren't vaults normally lined with fairly difficult stuff to penetrate? Like armor plate or something? Otherwise it would seem that potential transgressors wouldn't bother with vault door either...

-jcp-
======================================================================
Joseph C. Pistritto 'Think of it as Evolution in Action'
Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
Internet: bpistr@cgch.uucp Phone: (+41) 61 697 6155
Bitnet: bpistr%cgch.uucp@cernvax.bitnet Fax: (+41) 61 697 2435
From US: cgch!bpistr@mcsun.eu.net
----MESSAGE-END----

----MESSAGE-BEGIN---- [9002081602.AA03610@ucbarpa.Berkeley.EDU] <1990011813370600>
From: chidsey@SMOKE.BRL.MIL (Irving Chidsey)
Newsgroups: misc.security
Subject: Re: vault doors, was: locks
Message-ID: <9002081602.AA03610@ucbarpa.Berkeley.EDU>
Date: 18 Jan 90 13:37:06 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 20
Approved: security@rutgers.edu
Posted: Thu Jan 18 14:37:06 1990

If I go into the local bank ( during business hours ) I can see the vault door standing open. It is a foot thick with massive bolts. I can also see the time clock that prevents opening during non business hours. Through the inner grate with 2-3 cm bars I can see the safe deposit boxes and their double locks.
On the floor I can see the sacks full of coins and bills that the armored car just brought.

The Vault and door exude solidity, safety, and protection. They let you know that this is the right place to keep your money and valuables. They also warn malefactors that the vault is hard to penetrate.

The rest of the vault cannot be seen, but surely so solid a door would be part of an equally strong, solid vault. Wouldn't it?

Vault doors, like safe doors, are at least 50% public relations.

Irv
--
I do not have signature authority. I am not authorized to sign anything. I am not authorized to commit the BRL, the DOA, the DOD, or the US Government to anything, not even by implication.
Irving L. Chidsey
----MESSAGE-END----

----MESSAGE-BEGIN---- [9002080557.AA28817@ucbarpa.Berkeley.EDU] <1990011818110000>
From: A01MES1@niu.BITNET (Michael Stack)
Newsgroups: misc.security
Subject: Re: RACF database
Message-ID: <9002080557.AA28817@ucbarpa.Berkeley.EDU>
Date: 18 Jan 90 18:11:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 16
Approved: security@rutgers.edu
Posted: Thu Jan 18 19:11:00 1990

Most solid state DASD devices have a battery backup (which filters the normal power supply as long as it is available) which is used to dump the memory to some kind of backup device should the normal power fail.

We had been preparing to place our JES2 checkpoint on our EMC box when we discovered an integrity problem - there is a circuit breaker on the back of the box (the ONLY visible switch) which apparently connects the memory to the battery; throw the switch and the memory DIES! Of course, we all learned long ago that after a power outage we should reset circuit breakers even though they don't appear to need it! :-<

After a couple instances of this (fortunately this didn't happen while we were experimenting with our ACF2 clusters), we are holding off placing the master catalog and JES2 checkpoint there until we regain our confidence in the box.
Michael Stack
Northern Illinois University
----MESSAGE-END----

----MESSAGE-BEGIN---- [9002092153.AA15156@ucbarpa.Berkeley.EDU] <1990011822192000>
From: jcmorris@MBUNIX.MITRE.ORG (Morris)
Newsgroups: misc.security
Subject: Re: RACF database
Message-ID: <9002092153.AA15156@ucbarpa.Berkeley.EDU>
Date: 18 Jan 90 22:19:20 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 9
Approved: security@rutgers.edu
Posted: Thu Jan 18 23:19:20 1990

In several of the solid-state DASD boxes I've had pitched to me recently the designer has included a battery and a small PC-style fixed disk. If the power mains die the box disconnects from the channel and dumps its entire contents onto the fixed disk before shutting down. When the power mains come alive again the data can be restored to the semiconductor memory.

Sorry, I don't recall which vendors provide this, but you should consider the idea if you're about to trust the security database to the tender mercies of your power company.
----MESSAGE-END----

----MESSAGE-BEGIN---- [9002092032.AA12468@ucbarpa.Berkeley.EDU] <1990011902154800>
From: kelly@uts.amdahl.com (Kelly Goen)
Newsgroups: misc.security
Subject: Re: vault doors, was: locks
Message-ID: <9002092032.AA12468@ucbarpa.Berkeley.EDU>
Date: 19 Jan 90 02:15:48 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 10
Approved: security@rutgers.edu
Posted: Fri Jan 19 03:15:48 1990

>but aren't vaults normally lined with fairly difficult stuff
>to penetrate? Like armor plate or something? Otherwise it

I missed the first part of this thread... but THERMIC LANCES will normally penetrate 3' of reinforced concrete within about 2 minutes... and if that will not do the job THERE are PORTABLE(yeah RIGHT!!) Plasma cutting torches available that exceed 16,000 centigrade...(according to the sales literature) I would think this to be adequate for the job...
cheers
kelly
----MESSAGE-END----

----MESSAGE-BEGIN---- <1990011910534400>
Date: Fri, 19 Jan 90 19:13:44 -0500
From: cjs%cwru@cwjcc.ins.cwru.edu (Christopher J. Seline (CJS@CWRU.CWRU.EDU))

The following is a prepublication draft of an article on TEMPEST. I am posting it to this news group in the hope that it will:

(1) stimulate discussion of this issue;
(2) expose any technical errors in the document;
(3) solicit new sources of information;
(4) uncover anything I have forgotten to cover.

I will be unable to monitor the discussions of the article. Therefore, PLEASE post your comments to the news group BUT SEND ME A COPY AT THE ADDRESS LISTED BELOW.

I have gotten a number of mail messages about the format of this article. Some explanation is in order: The numbered paragraphs following "____________________" on each page are footnotes. I suggest printing out the document rather than reading it on your CRT.

Thank you in advance.

Christopher Seline
cjs@cwru.cwru.edu
cjs@cwru.bitnet

(c) 1990 Christopher J. Seline
=============================================================================

Eavesdropping On the Electromagnetic Emanations of Digital Equipment: The Laws of Canada, England and the United States

This document is a rough draft. The Legal Sections are overviews. They will be significantly expanded in the next version.

We in this country, in this generation, are -- by destiny rather than choice -- the watchmen on the walls of world freedom.[1]
-President John F. Kennedy

_____________________
1. Undelivered speech of President John F. Kennedy, Dallas Citizens Council (Nov. 22, 1963) 35-36.

In the novel 1984, George Orwell foretold a future where individuals had no expectation of privacy because the state monopolized the technology of spying. The government watched the actions of its subjects from birth to death. No one could protect himself because surveillance and counter-surveillance technology was controlled by the government.
This note explores the legal status of a surveillance technology ruefully known as TEMPEST[2]. Using TEMPEST technology the information in any digital device may be intercepted and reconstructed into useful intelligence without the operative ever having to come near his target. The technology is especially useful in the interception of information stored in digital computers or displayed on computer terminals.

The use of TEMPEST is not illegal under the laws of the United States[3], or England. Canada has specific laws criminalizing TEMPEST eavesdropping but the laws do more to hinder surveillance countermeasures than to prevent TEMPEST surveillance. In the United States it is illegal for an individual to take effective counter-measures against TEMPEST surveillance. This leads to the conundrum that it is legal for individuals and the government to invade the privacy of others but illegal for individuals to take steps to protect their privacy.

The author would like to suggest that the solution to this conundrum is straightforward. Information on

_____________________
2. TEMPEST is an acronym for Transient Electromagnetic Pulse Emanation Standard. This standard sets forth the official views of the United States on the amount of electromagnetic radiation that a device may emit without compromising the information it is processing. TEMPEST is a defensive standard; a device which conforms to this standard is referred to as TEMPEST Certified. The United States government has refused to declassify the acronym for devices used to intercept the electromagnetic information of non-TEMPEST Certified devices. For this note, these devices and the technology behind them will also be referred to as TEMPEST; in which case, TEMPEST stands for Transient Electromagnetic Pulse Surveillance Technology. The United States government refuses to release details regarding TEMPEST and continues an organized effort to censor the dissemination of information about it.
For example the NSA succeeded in shutting down a Wang Laboratories presentation on TEMPEST Certified equipment by classifying the contents of the speech and threatening to prosecute the speaker with revealing classified information. [cite coming].
3. This Note will not discuss how TEMPEST relates to the Warrant Requirement under the United States Constitution. Nor will it discuss the Constitutional exclusion of foreign nationals from the Warrant Requirement.

protecting privacy under TEMPEST should be made freely available; TEMPEST Certified equipment should be legally available; and organizations possessing private information should be required by law to protect that information through good computer security practices and the use of TEMPEST Certified equipment.

I. INTELLIGENCE GATHERING

Spying is divided by professionals into two main types: human intelligence gathering (HUMINT) and electronic intelligence gathering (ELINT). As the names imply, HUMINT relies on human operatives, and ELINT relies on technological operatives. In the past HUMINT was the sole method for collecting intelligence.[4] The HUMINT operative would steal important papers, observe troop and weapon movements[5], lure people into his confidences to extract secrets, and stand under the eavesdrip[6] of houses, eavesdropping on the occupants.

As technology has progressed, tasks that once could only be performed by humans have been taken over by machines. So it has been with spying. Modern satellite technology allows troop and weapons movements to be observed with greater precision and from greater distances than a human spy could ever hope to accomplish. The theft of documents and eavesdropping on conversations may now be performed electronically. This means greater safety for the human operative, whose only involvement may be the placing of the initial ELINT devices. This has led to the ascendancy of ELINT over HUMINT because the placement and

_____________________
4.
HUMINT has been used by the United States since the Revolution. "The necessity of procuring good intelligence is apparent & need not be further urged -- All that remains for me to add is, that you keep the whole matter as secret as possible. For upon Secrecy, Success depends in Most Enterprises of the kind, and for want of it, they are generally defeated, however well planned & promising a favorable issue." Letter of George Washington (Jul. 26, 1777). 5. "... I wish you to take every possible pains in your powers, by sending trusty persons to Staten Island in whom you can confide, to obtain Intelligence of the Enemy's situation & numbers -- what kind of Troops they are, and what Guards they have -- their strength & where posted." Id. 6. Eavesdrip is an Anglo-Saxon word, and refers to the wide overhanging eaves used to prevent rain from falling close to a house's foundation. The eavesdrip provided "a sheltered place where one could hide to listen clandestinely to conversation within the house." W. MORRIS & M. MORRIS, MORRIS DICTIONARY OF WORD AND PHRASE ORIGINS, 198 (1977). monitoring of ELINT devices may be performed by a technician who has no training in the art of spying. The gathered intelligence may be processed by an intelligence expert, perhaps thousands of miles away, with no need of field experience. ELINT has a number of other advantages over HUMINT. If a spy is caught his existence could embarrass his employing state and he could be forced into giving up the identities of his compatriots or other important information. By its very nature, a discovered ELINT device (bug) cannot give up any information; and the ubiquitous nature of bugs provides the principal state with the ability to plausibly deny ownership or involvement. ELINT devices fall into two broad categories: trespassatory and non-trespassatory. Trespassatory bugs require some type of trespass in order for them to function. 
A transmitter might require the physical invasion of the target premises for placement, or a microphone might be surreptitiously attached to the outside of a window. A telephone transmitter can be placed anywhere on the phone line, including at the central switch. The trespass comes either when it is physically attached to the phone line, or if it is inductive, when placed in close proximity to the phone line. Even microwave bugs require the placement of the resonator cone within the target premises.[7] Non-trespassatory ELINT devices work by receiving electromagnetic radiation (EMR) as it radiates through the aether, and do not require the placement of bugs. Methods include intercepting[8] information transmitted by satellite, microwave, and radio, including mobile and cellular phone transmissions. This information was purposely transmitted with the intent that some intended person or persons would receive it. Non-trespassatory ELINT also includes the interception of information that was never intended to be transmitted. All electronic devices emit electromagnetic radiation. Some of the radiation, as with radio waves, is intended to transmit information. Much of this radiation is not intended to transmit information and is merely incidental to _____________________ 7. Pursglove, How Russian Spy Radios Work, RADIO ELECTRONICS, 89-91 (Jan 1962). 8. Interception is an espionage term of art and should be differentiated from its more common usage. When information is intercepted, the interceptor as well as the intended recipient receive the information. Interception when not used as a term of art refers to one person receiving something intended for someone else; the intended recipient never receives what he was intended to receive. whatever work the target device is performing.[9] This information can be intercepted and reconstructed into a coherent form. 
With current TEMPEST technology it is possible to reconstruct the contents of computer video display terminal (VDU) screens from up to a kilometer distant[10]; reconstructing the contents of a computer's _____________________ 9. There are two types of emissions, conducted and radiated. Radiated emissions are formed when components or cables act as antennas to transmit the EMR; when radiation is conducted along cables or other connections but not radiated it is referred to as "conducted". Sources include cables, the ground loop, printed circuit boards, internal wires, the power supply to power line coupling, the cable to cable coupling, switching transistors, and high-power amplifiers. WHITE & M. MARDIGUIAN, EMI CONTROL METHODOLOGY AND PROCEDURES, 10.1 (1985). "[C]ables may act as an antenna to transmit the signals directly or even both receive the signals and re-emit them further away from the source equipment. It is possible that cables acting as an antenna in such a manner could transmit the signals much more efficiently than the equipment itself...A similar effect may occur with metal pipes such as those for domestic water supplies. ... If an earthing [(grounding)] system is not installed correctly such that there is a path in the circuit with a very high resistance (for example where paint prevents conduction and is acting as an insulator), then the whole earthing system could well act in a similar fashion to an antenna. ... [For a VDU] the strongest signals, or harmonics thereof, are usually between 60-250 MHz approximately. There have however been noticeable exception of extremely strong emissions in the television bands and at higher frequencies between 450-800 MHz. Potts, Emission Security, 3 COMPUTER LAW AND SECURITY REPORT 27 (1988). 10. The TEMPEST ELINT operator can distinguish between different VDUs in the same room because of the different EMR characteristics of both homo and heterogeneous units. 
"[T]here is little comparison between EMR characteristics from otherwise comparable equipment. Only if the [VDU] was made with exactly the same components is there any similarity. If some of the components have come from a different batch, have been updated in some way, and especially if they are from a different manufacturer, then completely different results are obtained. In this way a different mark or version of the same [VDU] will emit different signals. Additionally because of the variation of manufacturing standards between counties, two [VDUs] made by the same company but sourced from different counties will have entirely different EMR signal characteristics...From this it way be thought that there is such a jumble of emissions around, that it would not be possible to isolate those from any one particular source. Again, this is not the case. Most received signals have memory or the contents of its mass storage devices is more complicated and must be performed from a closer distance.[11] The reconstruction of information via EMR, a process for which the United States government refuses to declassify either the exact technique or even its name[12], is not limited to computers and digital devices but is applicable to all devices that generate electromagnetic radiation.[13] TEMPEST is especially effective against VDUs because they produce a very high level of EMR.[14] _____________________ a different line synchronization, due to design, reflection, interference or variation of component tolerances. So that if for instance there are three different signals on the same frequency ... by fine tuning of the RF receiver, antenna manipulation and modification of line synchronization, it is possible to lock onto each of the three signals separately and so read the screen information. By similar techniques, it is entirely possible to discriminate between individual items of equipment in the same room." Potts, supra note 9. 
For a discussion of the TEMPEST ELINT threat See e.g., Memory Bank, AMERICAN BANKER 20 (Apr 1 1985); Emissions from Bank Computer Systems Make Eavesdropping Easy, Expert Says, AMERICAN BANKER 1 (Mar 26 1985); CRT spying: a threat to corporate security, PC WEEK (Mar 10 1987). 11. TEMPEST is concerned with the transient electromagnetic pulses formed by digital equipment. All electronic equipment radiates EMR which may be reconstructed. Digital equipment processes information as 1's and 0's--on's or off's. Because of this, digital equipment gives off pulses of EMR. These pulses are easier to reconstruct at a distance than the non-pulse EMR given off by analog equipment. For a thorough discussion of the radiation problems of broadband digital information see e.g. military standard MIL-STD-461 REO2; White supra note 9, 10.2. 12. See supra note 2. 13. Of special interest to ELINT collectors are EMR from computers, communications centers and avionics. Schultz, Defeating Ivan with TEMPEST, DEFENSE ELECTRONICS 64 (June 1983). 14. The picture on a CRT screen is built up of picture elements (pixels) organized in lines across the screen. The pixels are made of material that fluoresces when struck with energy. The energy is produced by a beam of electrons fired from an electron gun in the back of the picture tube. The electron beam scans the screen of the CRT in a regular repetitive manner. When the voltage of the beam is high then the pixel it is focused upon emits photons and appears as a dot on the screen. By selectively firing the gun as it scans across the face of the CRT, the pixels form characters on the CRT screen. ELINT is not limited to governments. It is routinely used by individuals for their own purposes. Almost all forms of ELINT are available to the individual with either the technological expertise or the money to hire someone with the expertise. 
Governments have attempted to criminalize all use of ELINT by their subjects--to protect the privacy of both the government and the population. II. UNITED STATES LAW In the United States, Title III of the Omnibus Streets and Crimes Act of 1968[15] criminalizes trespassatory ELINT as the intentional interception of wire communications.[16] As originally passed, Title III did not prohibit non- _____________________ The pixels glow for only a very short time and must be routinely struck by the electron beam to stay lit. To maintain the light output of all the pixels that are supposed to be lit, the electron beam traverses the entire CRT screen sixty times a second. Every time the beam fires it causes a high voltage EMR emission. This EMR can be used to reconstruct the contents of the target CRT screen. TEMPEST ELINT equipment designed to reconstruct the information synchronizes its CRT with the target CRT. First, it uses the EMR to synchronize its electron gun with the electron gun in the target CRT. Then, when the TEMPEST ELINT unit detects EMR indicating that the target CRT fired on a pixel, the TEMPEST ELINT unit fires the electron gun of its CRT. The ELINT CRT is in perfect synchronism with the target CRT; when the target lights a pixel, a corresponding pixel on the TEMPEST ELINT CRT is lit. The exact picture on the target CRT will appear on the TEMPEST ELINT CRT. Any changes on the target screen will be instantly reflected in the TEMPEST ELINT screen. TEMPEST Certified equipment gives off emissions levels that are too faint to be readily detected. Certification levels are set out in National Communications Security Information Memorandum 5100A (NACSIM 5100A). "[E]mission levels are expressed in the time and frequency domain, broadband or narrow band in terms of the frequency domain, and in terms of conducted or radiated emissions." White, supra, note 9, 10.1. 
For a thorough though purposely misleading discussion of TEMPEST ELINT see Van Eck, Electromagnetic Radiation from Video Display units: An Eavesdropping Risk?, 4 Computers & Security 269 (1985). 15. Pub. L. No. 90-351, 82 Stat. 197. The Act criminalizes trespassatory ELINT by individuals as well as governmental agents. cf. Katz v. United States, 389 U.S. 347 (1967) (Fourth Amendment prohibits surveillance by government not individuals.) 16. 18 U.S.C. 2511(1)(a). trespassatory ELINT,[17] because courts found that non-wire communication lacked any expectation of privacy.[18] The Electronic Communications Privacy Act of 1986[19] amended Title III to include non-wire communication. ECPA was specifically designed to include electronic mail, inter-computer communications, and cellular telephones. To accomplish this, the expectation of privacy test was eliminated.[20] As amended, Title III still outlaws the electronic interception of communications. The word "communications" indicates that someone is attempting to communicate something to someone; it does not refer to the inadvertent transmission of information. The reception and reconstruction of emanated transient electromagnetic pulses (ETEP), however, is based on obtaining information that the target does not mean to transmit. If the ETEP is not intended as communication, and is therefore not transmitted in a form approaching current communications protocols, then it can not be considered communications as contemplated by Congress when it amended Title III. Reception, or interception, of emanated transient electromagnetic pulses is not criminalized by Title III as amended. III. ENGLISH LAW In England the Interception of Communications Act 1985[21] criminalizes the tapping of communications sent over _____________________ 17. United States v. Hall, 488 F.2d 193 (9th Cir. 1973) (found no legislative history indicating Congress intended the act to include radio-telephone conversations). 
Further, Title III only criminalized the interception of "aural" communications which excluded all forms of computer communications. 18. Willamette Subscription Television v. Cawood, 580 F.Supp 1164 (D. Or. 1984) (non-wire communications lacks any expectation of privacy). 19. Pub. L. No. 99-508, 100 Stat. 1848 (codified at 18 U.S.C. 2510-710) [hereinafter ECPA]. 20. 18 U.S.C. 2511(1)(a) criminalizes the interception of "any wire, oral or electronic communication" without regard to an expectation of privacy. 21. Interception of Communications Act 1985, Long Title, An Act to make new provision for and in connection with the interception of communications sent by post or by means of public telecommunications systems and to amend section 45 of the Telecommunications Act 1984. public telecommunications lines.[22] The interception of communications on a telecommunication line can take place with a physical tap on the line, or the passive interception of microwave or satellite links.[23] These forms of passive interception differ from TEMPEST ELINT because they are intercepting intended communication; TEMPEST ELINT intercepts unintended communication. Eavesdropping on the emanations of computers does not in any way comport to tapping a telecommunication line and therefore falls outside the scope of the statute.[24] IV. CANADIAN LAW Canada has taken direct steps to limit eavesdropping on computers. The Canadian Criminal Amendment Act of 1985 _____________________ 22. Interception of Communications Act 1985 1, Prohibition on Interception: (1) Subject to the following provisions of this section, a person who intentionally intercepts a communication in the course of its transmission by post or by means of a public telecommunications system shall be guilty of an offence and liable-- (a) on summary conviction, to a fine not exceeding the statutory maximum; (b) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both. *** 23. 
Tapping (aka trespassatory eavesdropping) is patently in violation of the statute. "The offense created by section 1 of the Interception of Communications Act 1985 covers those forms of eavesdropping on computer communications which involve "tapping" the wires along which messages are being passed. One problem which may arise, however, is the question of whether the communication in question was intercepted in the course of its transmission by means of a public telecommunications system. It is technically possible to intercept a communication at several stages in its transmission, and it may be a question of fact to decide the stage at which it enters the "public" realm. THE LAW COMMISSION, WORKING PAPER NO. 110: COMPUTER MISUSE, 3.30 (1988). 24. "There are also forms of eavesdropping which the Act does not cover. For example, eavesdropping on a V.D.U. [referred to in this text as a CRT] screen by monitoring the radiation field which surrounds it in order to display whatever appears on the legitimate user's screen on the eavesdropper's screen. This activity would not seem to constitute any criminal offence..." THE LAW COMMISSION, WORKING PAPER NO. 110: COMPUTER MISUSE, 3.31 (1988). criminalized indirect access to a computer service.[25] The specific reference to an "electromagnetic device" clearly shows the intent of the legislature to include the use of TEMPEST ELINT equipment within the ambit of the legislation. The limitation of obtaining "any computer service" does lead to some confusion. The Canadian legislature has not made it clear whether "computer service" refers to a computer service bureau or merely the services of a computer. If the Canadians had meant access to any computer, why did they refer to any "computer service"? This is especially confusing considering the all-encompassing language of (b) 'any function of a computer system'. 
Even if the Canadian legislation criminalizes eavesdropping on all computers, it does not solve the problem of protecting the privacy of information. The purpose of criminal law is to control crime.[26] Merely making TEMPEST ELINT illegal will not control its use. First, because it is an inherently passive crime it is impossible to detect and hence punish. Second, making this form of eavesdropping illegal without taking a proactive stance in controlling compromising emanations gives the public a false sense of security. Third, criminalizing the possession of a TEMPEST ELINT device prevents public sector research into countermeasures. Finally, the law will not prevent eavesdropping on private information held in company computers unless disincentives are given for companies that do not take sufficient precautions against eavesdropping and simple, more common, information crimes.[27] _____________________ 25. 301.2(1) of the Canadian criminal code states that anyone who: ... without color of right, (a) obtains, directly or indirectly, any computer service, (b) by means of an electromagnetic ... or other device, intercepts or causes to be intercepted, either directly or indirectly, any function of a computer system ... [is guilty of an indictable offence]. 26. UNITED STATES SENTENCING COMM'N, FEDERAL SENTENCING GUIDELINES MANUAL (1988) (Principles Governing the Redrafting of the Preliminary Guidelines "g." (at an unknown page)) 27. There has been great debate over what exactly is a computer crime. There are several schools of thought. The more articulate school, and the one to which the author adheres holds that the category computer crime should be limited to crimes directed against computers; for example, a terrorist destroying a computer with explosives would fall into this category. Crimes such as putting ghost employees on a payroll computer and V. SOLUTIONS TEMPEST ELINT is passive. 
The computer or terminal emanates compromising radiation which is intercepted by the TEMPEST device and reconstructed into useful information. Unlike conventional ELINT there is no need to physically trespass or even come near the target. Eavesdropping can be performed from a nearby office or even a van parked within a reasonable distance. This means that there is no classic scene of the crime; and little or no chance of the criminal being discovered in the act.[28] If the crime is discovered it will be ancillary to some other investigation. For example, if an individual is investigated for insider trading a search of his residence may yield a TEMPEST ELINT device. The device would explain how the defendant was obtaining insider information; but it was the insider trading, not the device, that gave away the crime. This is especially true for illegal TEMPEST ELINT performed by the state. Unless the perpetrators are caught in the act there is little evidence of their spying. A trespassatory bug can be detected and located; further, once found it provides tangible evidence that a crime took place. A TEMPEST ELINT device by its inherent passive nature leaves nothing to detect. Since the government is less likely to commit an ancillary crime which might be detected there is a very small chance that the spying will ever be discovered. The only way to prevent eavesdropping is to encourage the use of countermeasures: TEMPEST Certified[29] computers and _____________________ collecting their pay are merely age-old accounting frauds; today the fraud involves a computer because the records are kept on a computer. The computer is merely ancillary to the crime. This has been mislabeled computer crime and should merely be referred to as a fraud perpetrated with the aid of a computer. Finally, there are information crimes. These are crimes related to the purloining or alteration of information. 
These crimes are more common and more profitable due to the computer's ability to hold and access great amounts of information. TEMPEST ELINT can best be categorized as an information crime. 28. Compare, for example, the Watergate break-in in which the burglars were discovered when they returned to move a poorly placed spread spectrum bug. 29. TEMPEST Certified refers to the equipment having passed a testing and emanations regime specified in NACSIM 5100A. This classified document sets forth the emanations levels that the NSA believes digital equipment can give off without compromising the information it is processing. TEMPEST Certified equipment is theoretically secure against TEMPEST eavesdropping. terminals. In merely making TEMPEST ELINT illegal the public is given the false impression of security; they are lulled into believing the problem has been solved. Making certain actions illegal does not prevent them from occurring. This is especially true for a TEMPEST ELINT because it is undetectable. Punishment is an empty threat if there is no chance of being detected; without detection there can be no apprehension and conviction. The only way to prevent some entity from eavesdropping on one's computer or computer terminal is for the equipment not to give off compromising emanation; it must be TEMPEST Certified. The United States can solve this problem by taking a proactive stance on compromising emanations. The National Institute of Standards and Technology (NIST[30]) is in charge of setting forth standards of computer security for the private sector. NIST is also charged with doing basic research to advance the art of computer security. Currently NIST does not discuss TEMPEST with the private sector. For privacy's sake, this policy must be changed to a proactive one. 
The NIST should publicize the TEMPEST ELINT threat to computer security and should set up a rating system for level of emanations produced by computer equipment.[31] Further, legislation should be enacted to require the labeling of all computer equipment with its level of emanations and whether it is TEMPEST Certified. Only if the public knows of the problem can it begin to take steps to solve it. Title III makes possession of a surveillance device a crime, unless it is produced under contract to the government. This means that research into surveillance and counter-surveillance equipment is monopolized by the government and a few companies working under contract with _____________________ NACSIM 5100A is classified, as are all details of TEMPEST. To obtain access to it, a contractor must prove that there is demand within the government for the specific type of equipment that it intends to certify. Since the standard is classified, the contractors can not sell the equipment to non-secure governmental agencies or the public. This prevents reverse engineering of the standard for its physical embodiment, the Certified equipment. By preventing the private sector from owning this anti-eavesdropping equipment, the NSA has effectively prevented them from protecting the information in their computers. 30. Previously the Bureau of Standards. The NIST is a division of the Commerce Department. 31. In this case computer equipment would include all peripheral computer equipment. There is no use in using a TEMPEST Certified computer if the printer or the modem are not Certified. the government. If TEMPEST eavesdropping is criminalized, then possession of TEMPEST ELINT equipment will be criminal. Unfortunately, this does not solve the problem. Simple TEMPEST ELINT equipment is easy to make. For just a few dollars many older television sets can be modified to receive and reconstruct EMR. For less than a hundred dollars a more sophisticated TEMPEST ELINT receiver can be produced[32]. 
The problem with criminalizing the possession of TEMPEST ELINT equipment is not just that the law will have little effect on the use of such equipment, but that it will have a negative effect on counter-measures research. To successfully design counter-measures to a particular surveillance technique it is vital to have a complete empirical understanding of how that technique works. Without the right to legally manufacture a surveillance device there is no possible way for a researcher to have the knowledge to produce an effective counter-measures device. It is axiomatic: without a surveillance device, it is impossible to test a counter-measures device. A number of companies produce devices to measure the emanations from electrical equipment. Some of these devices are specifically designed for bench marking TEMPEST Certified equipment. This does not solve the problem. The question arises: how much radiation at a particular frequency is compromising? The current answer is to refer _____________________ 32. The NSA has tried to limit the availability of TEMPEST information to prevent the spread of the devices. For a discussion of the First Amendment and prior restraint See, e.g. The United States of America v. Progressive, Inc. 467 F.Supp 990 (1979, WD Wis.)(magazine intended to publish plans for nuclear weapon; prior restraint injunction issued), reh. den. United States v. Progressive Inc. 486 F.Supp 5 (1979, WD Wis.), motion den Morland v. Sprecher 443 US 709 (1979)(mandamus), motion denied United States v. Progressive, Inc. 5 Media L R (1979, 7th Cir.), dismd. without op. U.S. v. Progressive, Inc 610 F.2d 819 (1979, 7th Cir.); New York Times, Co. v. United States, 403 U.S. 713 (1971)(per curiam)(Pentagon Papers case: setting forth prior restraint standard which government was unable to meet); T. EMERSON, THE SYSTEM OF FREEDOM OF EXPRESSION (1970); Balance Between Scientific Freedom and National Security, 23 JURIMETRICS J. 
1 (1982)(current laws and regulations limiting scientific and technical expression exceed the legitimate needs of national security); Hon. M. Feldman, Why the First Amendment is not Incompatible with National Security, HERITAGE FOUNDATION REPORTS (Jan. 14, 1987). Compare Bork, Neutral Principles and Some First Amendment Problems, 47 IND. L. J. 1 (First Amendment applies only to political speech); G. Lewy, Can Democracy Keep Secrets, 26 POLICY REVIEW 17 (1983)(endorsing draconian secrecy laws mirroring the English system). to NACSIM 5100A. This document specifies the emanations levels suitable for Certification. The document is only available to United States contractors having sufficient security clearance and an ongoing contract to produce TEMPEST Certified computers for the government. Further, the correct levels are specified by the NSA and there is no assurance that, while these levels are sufficient to prevent eavesdropping by unfriendly operatives, equipment certified under NACSIM 5100A will have levels low enough to prevent eavesdropping by the NSA itself. The accessibility of supposedly correct emanations levels does not solve the problem of preventing TEMPEST eavesdropping. Access to NACSIM 5100A limits the manufacturer to selling the equipment only to United States governmental agencies with the need to process secret information.[33] Without the right to possess TEMPEST ELINT equipment manufacturers who wish to sell to the public sector cannot determine what a safe level of emanations is. Further those manufacturers with access to NACSIM 5100A should want to verify that the levels set out in the document are, in fact, low enough to prevent interception. Without an actual eavesdropping device with which to test, no manufacturer will be able to produce genuinely uncompromising equipment. 
Even if the laws allow ownership of TEMPEST Certified equipment by the public, and even if the public is informed of TEMPEST's threat to privacy, individuals' private information will not necessarily be protected. Individuals may choose to protect their own information on their own computers. Companies may choose whether to protect their own private information. But companies that hold the private information of individuals must be forced to take steps to protect that information. In England the Data Protection Act 1984[34] imposes sanctions against anyone who stores the personal information[35] on a computer and fails to take reasonable _____________________ 33. For example, the NSA has just recently allowed the Drug Enforcement Agency (DEA) to purchase TEMPEST Certified computer equipment. The DEA wanted secure computer equipment because wealthy drug lords were using TEMPEST eavesdropping equipment. 34. An Act to regulate the use of automatically processed information relating to individuals and the provision of services in respect of such information. -Data Protection Act 1984, Long Title. 35. "Personal data" means data consisting of information which relates to a living individual who can be identified from that measures to prevent disclosure of that information. The act mandates that personal data may not be stored in any computer unless the computer bureau or data user[36] has registered under the act.[37] This provides for a central registry and the tracking of which companies or persons maintain databases of personal information. Data users and bureaux must demonstrate a need and purpose behind their possession of personal data. 
The act provides tort remedies to any person who is damaged by disclosure of the personal data.[38] Reasonable care to prevent the disclosure is a defense.[39] English _____________________ information (or from that and other information in the possession of the data user), including any expression of opinion about the individual but not any indication of the intentions of the data user in respect of that individual. -Data Protection Act 1984 1(3) 36. "Data user" means a person who holds data, and a person "Holds" data if -- (a) the data form part of a collection of data processed or intended to be processed by or on behalf of that person as mentioned in subsection (2) above; [subsection (2) defines "data"] and (b) that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection; and (c) the data are in the form in which they have been or are intended to be processed as mentioned in paragraph (a) above or (though not for the time being in that form) in a form into which they have been converted after being so processed and with a view to being further so processed on a subsequent occasion. - Data Protection Act 1(5). 37. Data Protection Act 1984, 4,5. 38. An individual who is the subject of personal data held by a data user... and who suffers damage by reason of (1)(c) ... the disclosure of the data, or access having been obtained to the data without such authority as aforesaid shall be entitled to compensation from the data user... for any distress which the individual has suffered by reason of the ... disclosure or access. - Data Protection Act 1984 23. 39. ... it shall be a defense to prove that ... the data user ... had taken such care as in all the circumstances was reasonably required to prevent the... disclosure or access in question. Data Protection Act 1984 23(3) courts have not yet ruled what level of computer security measures constitute reasonable care. 
Considering the magnitude of invasion possible with TEMPEST ELINT it should be clear by now that failure to use TEMPEST Certified equipment is prima facie unreasonable care. The Remedies section of the act provides incentive for these entities to provide successful protection of personal data from disclosure or illicit access. Failure to protect the data will result in monetary loss. This may be looked at from the economic efficiency viewpoint as allocating the cost of disclosure to the persons most able to bear those costs, and also most able to prevent disclosure. Data users that store personal data would use TEMPEST Certified equipment as part of their computer security plan, thwarting would-be eavesdroppers. The Data Protection Act 1984 allocates risk to those who can bear it best and provides an incentive for them to keep other individuals' data private. This act should be adopted by the United States as part of a full-spectrum plan to combat TEMPEST eavesdropping. Data users are in the best position to prevent disclosure through proper computer security. Only by making them liable for failures in security can we begin to rein in TEMPEST ELINT.

VII Recommendations

Do not criminalize TEMPEST ELINT. Most crimes that TEMPEST ELINT would aid, such as insider trading, are already illegal; the current laws are adequate.

The National Institute of Standards and Technology should immediately begin a program to educate the private sector about TEMPEST. Only if individuals are aware of the threat can they take appropriate precautions or decide whether any precautions are necessary.

Legislation should be enacted to require all electronic equipment to prominently display its level of emanations and whether it is TEMPEST Certified. If individuals are to choose to protect themselves they must be able to make an informed decision regarding how much protection is enough.

TEMPEST Certified equipment should be available to the private sector.
The current ban on selling to non-governmental agencies prevents individuals who need to protect information from having the technology to do so.

Possession of TEMPEST ELINT equipment should not be made illegal. The inherently passive nature and simple design of TEMPEST ELINT equipment means that making its possession illegal will not deter crime; the units can be easily manufactured and are impossible to detect. Limiting their availability serves only to monopolize the countermeasures research, information, and equipment for the government; this prevents the testing, design and manufacture of counter-measures by the private sector.

Legislation mirroring England's Data Protection Act 1984 should be enacted. Preventing disclosure of personal data can only be accomplished by giving those companies holding the data a reason to protect it. If data users are held liable for their failure to take reasonable security precautions they will begin to take reasonable security precautions, including the use of TEMPEST Certified equipment.
----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002110621.AA02235@ucbarpa.Berkeley.EDU] <1990011918000400> From: ratzan@RWJA.UMDNJ.EDU (Lee Ratzan) Newsgroups: misc.security Subject: biological computer viruses Message-ID: <9002110621.AA02235@ucbarpa.Berkeley.EDU> Date: 19 Jan 90 18:00:04 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 15 Approved: security@rutgers.edu Posted: Fri Jan 19 19:00:04 1990 Just a thought... We anthropomorphize certain computer programs and call them viruses in order to better conceptualize their actions for the sake of our internal cognitive models. The biological model is used: computer viruses replicate, they can be malignant, they can infect and be disinfected etc. It is the biological model which drives the image to explain the computer model. What if this situation be reversed? 
If we would try to explain the biological phenomena of a virus in terms of how a computer virus operates perhaps we might obtain insight into the biology which is now lacking because of cognitive blinders? Just thinking... Lee Ratzan Unix systems University of Medicine/Dentistry of NJ ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002091856.AA11004@ucbarpa.Berkeley.EDU] <1990011922593300> From: morgan@PARIS.ICS.UCI.EDU (Tim Morgan) Newsgroups: misc.security Subject: Cardkey locks Message-ID: <9002091856.AA11004@ucbarpa.Berkeley.EDU> Date: 19 Jan 90 22:59:33 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 8 Approved: security@rutgers.edu Posted: Fri Jan 19 23:59:33 1990 Does anyone have information on cheap but effective cardkey lock systems? How about manufacturers who sell off-the-shelf components which can be connected to a computer (eg, a card reader that sends ASCII over RS-232). Thanks, Tim Morgan UC Irvine ICS Dept. ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002110503.AA01801@ucbarpa.Berkeley.EDU] <1990012120545300> From: rlk@THINK.COM (Robert L. Krawitz) Newsgroups: misc.security Subject: GNU and security Message-ID: <9002110503.AA01801@ucbarpa.Berkeley.EDU> Date: 21 Jan 90 20:54:53 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 7 Approved: security@rutgers.edu Posted: Sun Jan 21 21:54:53 1990 777 is one heck of a lot different than 4777... This is true, but forcibly installing everything writable leaves a lot of holes open for trojan horses (there's precious little that you can't do with Emacs Lisp), and it's hard to see any compelling technical reason for this installation mode. 
----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002092335.AA17130@ucbarpa.Berkeley.EDU] <1990012205552100> From: KINSLER@usmcp6.BITNET (MARK KINSLER) Newsgroups: misc.security Subject: Home security Message-ID: <9002092335.AA17130@ucbarpa.Berkeley.EDU> Date: 22 Jan 90 05:55:21 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 11 Approved: security@rutgers.edu Posted: Mon Jan 22 06:55:21 1990 Nothing works like heavy doors, strong (not complex--drug addicts don't pick locks), and window grates. This won't win you the House Beautiful award, but you'll be safe. It's not obvious to me how panes of glass are supposed to deter intruders. Best philosophy: Put yourself in the place of an intruder and see how you could break in. An alarm is a good idea, of course, but it should be a backup for physical security. If the decorator doesn't like your home reinforcements then you are probably on the right track. If you can open a door with a good kick or three then you need to reinforce it... ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002162105.AA15198@ucbarpa.Berkeley.EDU] <1990012213440000> From: AEWALSH@fordmurh.BITNET (Jeffrey Walsh) Newsgroups: misc.security Subject: Re: Bill Changers Message-ID: <9002162105.AA15198@ucbarpa.Berkeley.EDU> Date: 22 Jan 90 13:44:00 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 10 Approved: security@rutgers.edu Posted: Mon Jan 22 14:44:00 1990 I've been told that the bill changer scans the portrait to determine the type of bill that has been inserted. As far as determining authenticity, I don't know. Remind me to tell you about an interesting way that con-artists can construct what appears to be a bill of higher denomination than the one that actually exists. 
Jeffrey AEWALSH@FORDMURH.BITNET ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9001230319.AA23641@ucbarpa.Berkeley.EDU] <1990012303195900> From: Craig.A.Summerhill.SUMMERHI@WSUVM1.Berkeley.EDU Newsgroups: misc.security Subject: Cuckoo's Egg Message-ID: <9001230319.AA23641@ucbarpa.Berkeley.EDU> Date: 23 Jan 90 03:19:59 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 22 Approved: security@rutgers.edu Posted: Tue Jan 23 04:19:59 1990 X-Unparsable-Date: 2 January 1990, 10:40:10 PLT Stoll, Clifford. The cuckoo's egg : tracking a spy through the maze of computer espionage / by Clifford Stoll. 1st ed. New York : Doubleday, 1989. vi, 326p; 25 cm. Includes bibliographical references (p. 325-326) ISBN 0385249462 : $18.95 Take this citation to any "ordinary" bookstore, and they can order it if they don't have it in stock. The ISBN number is used by the book trade industry as a stock control number and an order number to request copies from jobbers, wholesalers, etc... In the unlikely event the book is "sold out." Then I would suggest you contact a library and have it borrowed for you from elsewhere if they don't own it. I would imagine TRW has a corporate information center of some kind that can have the material delivered to your office. Regards, Craig A. Summerhill Assistant Systems Librarian ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002130720.AA00493@ucbarpa.Berkeley.EDU] <1990012313180200> From: jik@PIT-MANAGER.MIT.EDU (Jonathan I. 
Kamens) Newsgroups: misc.security Subject: Re: Policy Message-ID: <9002130720.AA00493@ucbarpa.Berkeley.EDU> Date: 23 Jan 90 13:18:02 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 32 Approved: security@rutgers.edu Posted: Tue Jan 23 14:18:02 1990 I am somewhat involved with the administration of news here at Project Athena, and I have never heard "mechanized privacy invasion" given as the primary reason why we do not run the arbitron scripts here, although it may be one of the reasons (the discussion hasn't come up since I've been here, so it's quite possible that at one point privacy concerns were discussed but I missed the discussion). The main reason we don't run the arbitron scripts is that because of the way Project Athena works, the arbitron script wouldn't be able to read most users' .newsrc files in order to compile the statistics. At Project Athena, users' files are stored in NFS (or AFS, for a small number of users) filesystems. The news service at Athena is run by the Student Information Processing Board (SIPB), which is INDEPENDENT of Project Athena's administration, and therefore does not have any super-user privileges on any Project Athena user fileservers. Since user accounts have a top-level directory permission of 711 and a umask of 077 by default, .newsrc files are not world-readable by default, and therefore any arbitron script run by the SIPB wouldn't be able to read them. Short form of the above: yes, the arbitron scripts may be an invasion of privacy; however, even if the SIPB didn't think they were, we still wouldn't be able to use them to generate statistics. Just one of the prices you pay for working in a distributed computing environment, I guess.... 
Jonathan Kamens USnail: MIT Project Athena 11 Ashford Terrace jik@Athena.MIT.EDU Allston, MA 02134 Office: 617-253-8495 Home: 617-782-0710 ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002110724.AA02638@ucbarpa.Berkeley.EDU] <1990012314063300> From: bob@morningstar.com Newsgroups: misc.security Subject: Policy Message-ID: <9002110724.AA02638@ucbarpa.Berkeley.EDU> Date: 23 Jan 90 14:06:33 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 29 Approved: security@rutgers.edu Posted: Tue Jan 23 15:06:33 1990 ...the arbitron scripts may be an invasion of privacy... I may have misunderstood or misremembered Ambar's comments, but that was one point I thought she made. It may not have been the primary reason Athena doesn't run arbitron, but would be one of interest to a security mailing list/newsgroup. however, even if the SIPB didn't think they were, we still wouldn't be able to use them to generate statistics [because of a healthy policy of not trusting root across the wire to read users' files]. OSU CIS similarly mistrusts root across the wire, and has similar default user account modes and umasks. With some mildly clever hacquery, Karl Kleinpaste has modified the arbitron script to send a proxy of itself to each file server holding users' home directories, where it runs as root to peruse users' .newsrc files. The results are then collated into a single chunk that is sent in to Arbitron Central. I'd be quite interested to know whether Athena's practice is policy or pragmatics! (I have no beef with either, I'm just curious.) Just one of the prices you pay for working in a distributed computing environment, I guess.... There are other ways of running a computing environment that can legitimately call themselves "distributed"! Athena's model is right honorable and obviously successful and well-known, but not unique, exclusive nor necessarily the best for everyone. 
----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002162248.AA17384@ucbarpa.Berkeley.EDU] <1990012314273900> From: MFOWLER@gtri01.BITNET ("Melissa A. Fowler") Newsgroups: misc.security Subject: tapes and x-ray machines Message-ID: <9002162248.AA17384@ucbarpa.Berkeley.EDU> Date: 23 Jan 90 14:27:39 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 12 Approved: security@rutgers.edu Posted: Tue Jan 23 15:27:39 1990 I have frequently carried tapes through airports and recently took 3 3480s to Australia. X-ray will not damage the tapes, I put the tapes in my checked baggage (which going internationally is x-rayed). I have also had no problem handing a tape to a security guard when going through the metal detectors. For the record, X-ray machines will not damage film less than 1000 speed. Most film used is 200 or 400. I also sent all my (exposed and unexposed) film through the X-ray machines in multiple airports with no problems. If you are still worried, you can purchase a lead film bag. I would suspect traveling internationally, the bag might draw attention. Melissa A. Fowler ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002100115.AA18552@ucbarpa.Berkeley.EDU] <1990012314525500> From: mchinni@PICA.ARMY.MIL ("Michael J. Chinni, SMCAR-CCS-E") Newsgroups: misc.security Subject: MORRIS CONVICTED Message-ID: <9002100115.AA18552@ucbarpa.Berkeley.EDU> Date: 23 Jan 90 14:52:55 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 37 Approved: security@rutgers.edu Posted: Tue Jan 23 15:52:55 1990 The following is an excerpt from a message sent by one of our computer security people. [It was also the Big News Item all around Usenix... _H*] /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ Michael J. 
Chinni Picatinny Arsenal, New Jersey ARPA: mchinni@pica.army.mil UUCP: ...!uunet!pica.army.mil!mchinni /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ Verdict: "GUILTY" Student "worm" whiz is found guilty. A U.S. court jury returned its verdict about 9:30 pm after approximately six hours of deliberation. Robert T. Morris was found guilty of federal computer tampering charges for unleashing a rogue program that crippled a nationwide computer network (Internet system). A date for sentencing has not yet been set. Morris faces up to five years in prison and a $250,000 fine. He is the first person brought to trial under a 1986 federal computer fraud and abuse law that makes it a felony to break into a federal computer network and prevent authorized use of the system. Morris testified that he had made a programming error that caused a computer "worm" to go berserk and cripple the Internet system back on November 2, 1988. The "worm" he designed immobilized an estimated 6,000 computers linked to Internet, including ones at the NASA, some military facilities and a few major universities. Morris's attorney Thomas Guidoboni argued that Morris never intended to prevent authorized access. However testimony showed Morris did indeed deliberately steal computer passwords from hundreds of people so the "worm" could break into as many computers as possible. It was brought out in the trial that he took deliberate and conscious steps to make the rogue program difficult to detect and eliminate. Morris camouflaged sending of the program by unleashing it from the computer system at Massachusetts Institute of Technology in Cambridge and made it look like it had been sent from the University of California at Berkeley so authorship of the program could not be traced to him at Cornell. 
Other evidence showed Morris had at least six earlier versions of the "worm", which had been found on his Cornell computer accounts and that his own comments on the "worm" program used the words "break-in" and "steal". ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1990012315200800> Date: 23 Jan 90 15:20:08 GMT From: gregm@csd4.csd.uwm.edu (Greg Mumm) Subject: Slim-Jim purchase To: misc-security@uunet.uu.net Anyone know where I can get a Slim-Jim from? I think that's what they call those thin metal devices that cops use to unlock car doors with. How much do they cost? Are they legal? I would like to purchase it as a joke for my brother. Internet: gregm@csd4.csd.uwm.edu Bitnet: gregm%csd4.csd.uwm.edu@INTERBIT Uucp: uunet!gregm@csd4.csd.uwm.edu Name : Greg Mumm [Moderator add-on: US General Tools had 'em, last I checked. "Not legal for sale in NY or NJ." I had the item cut out and tacked on my door for a while, with the header line modified to read "Never get locked out of your [neighbor's] car again!" But why buy one when they show you a *picture* of what the thing looks like, complete with a cutaway view of the car door?!?!? Find a piece of packing strap and take a pair of shears to it. _H*] ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002181250.AA17394@ucbarpa.Berkeley.EDU] <1990012320503900> From: ratzan@RWJA.UMDNJ.EDU (Lee Ratzan) Newsgroups: misc.security Subject: grants Message-ID: <9002181250.AA17394@ucbarpa.Berkeley.EDU> Date: 23 Jan 90 20:50:39 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 12 Approved: security@rutgers.edu Posted: Tue Jan 23 21:50:39 1990 Now that the Morris case has been at least legally resolved there is a high probability that the publicity will engender more realization on aspects of computer security. To this end there may be agencies, schools or companies who would be willing to fund innovative approaches or assist in the development of security related issues. 
Does anyone know of present sources of funding in this regard? It would be in our best interest as professionals in the field to be aware of such support. Lee Ratzan Univ Med/Dent NJ ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002170047.AA00724@ucbarpa.Berkeley.EDU] <1990012711594000> From: rbl@UUNET.UU.NET Newsgroups: misc.security Subject: Re: RACF database Message-ID: <9002170047.AA00724@ucbarpa.Berkeley.EDU> Date: 27 Jan 90 11:59:40 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 20 Approved: security@rutgers.edu Posted: Sat Jan 27 12:59:40 1990 I designed (one of) the first solid state disks. One of my former graduate students did his dissertation on performance issues in using one under UNIX. My design was marketed as the "EMU" by Monolithic Systems Corp, Englewood, CO. For those concerned about data loss on power fail, a Battery Backup Unit was offered as an option. For best UNIX performance, I'd suggest a dual-port solid state disk, with /tmp or /usr/tmp on one port and either your database or the commonly-used system programs on the other. The bottleneck is then moved from the electromechanics of the classic disk drive to the device driver. Most device drivers are VERY wasteful of time because they have to wait about 17,000 - 36,000 microseconds for the desired sector to come around. When that latency is removed by installing a solid-state disk, a driver latency of about 1,000+ microseconds then appears. Questions gladly answered! Rob Lake BP Research uunet!nitrex!rbl ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1990013003101600> Date: Tue, 30 Jan 90 08:10:16 EST From: AZM@cu.nih.gov Subject: Re: Finding a key blank To: security@pyrite.rutgers.edu > [Moderator add-on: Most hardware stores and other places that have blanks > *will* sell you blanks, especially if you express indignation at their weak > attempts to not do so. Keep at it. 
_H*] I do not know what part of the country you are in, but I live in Maryland (the ancestral home of goody twoshoes, and test market for all future restrictions on Americans' rights). Here no locksmith, or locksmith supply house, or hardware store will sell you key blanks. Of course, the real reason for the restriction is to "lock up" the keymaking business as a big money-maker for the locksmiths. What they tell those who try to buy blanks is that you must be a licensed locksmith. I tried to buy a lousy flat blank to make a key for a microscope cabinet and was refused out of hand. I even tried bringing the cabinet with me to show them what I wanted it for, but was still refused. At least here in Maryland these are not weak attempts, they are absolute and total restrictions. For my part, rather than give ANY money at all to these profit-hungry, blood-sucking "artisans" I will go to my grave never having seen the insides of the nine cabinets that I need keys for. Now that I have vented my spleen on the subject of refusal on the part of locksmiths to dispense keyblanks I DO have a constructive solution to the problem. At virtually every flea market you will find one or more people selling rings, or strings, or cans or boxes full of old keys, and at ridiculously low prices (I paid $3 for a can containing 147 keys). Although it may involve considerably more effort than working from "blank" key blanks, it is quite possible to reshape existing keys to fit other locks. In a few cases it is possible to find keys that require only a touch of the jewelers file here and there to fit another lock. I have done this successfully on quite a few occasions. In other cases I have found exact matches, sometimes in unusual ways. I bought a small, nineteenth century, mahogany box that was locked and required a small "skeleton" key. At another time I bought a small Reichert microscope from the turn of the century that came with a locked, leather-covered box. 
Just on a whim I tried the microscope key in the mahogany box and found it an exact match. The two locks are half a century apart in manufacture. I guess the bottom line is, that as our country becomes more and more restrictive, it will be necessary to counter by becoming more and more innovative. Kokkor Hekkus AZM@NIHCU ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002172111.AA10263@ucbarpa.Berkeley.EDU] <1990013107084000> From: KINSLER@usmcp6.BITNET (MARK KINSLER) Newsgroups: misc.security Subject: Do hot stereos make the rounds? Message-ID: <9002172111.AA10263@ucbarpa.Berkeley.EDU> Date: 31 Jan 90 07:08:40 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 7 Approved: security@rutgers.edu Posted: Wed Jan 31 08:08:40 1990 Yup, they sure do. Often they get blown out a few times in the process. I ran a stereo repair shop in the Garfield section of Pittsburgh and saw machines that had to have been swiped several times. The lifespan seems to average about three thefts. An electronic key would be an excellent deterrent to car stereo theft. , U of Southern Mississippi, Gulf Coast ----MESSAGE-END---- ----MESSAGE-BEGIN---- [9002211940.AA21607@ucbarpa.Berkeley.EDU] <1990013107120100> From: KINSLER@usmcp6.BITNET (MARK KINSLER) Newsgroups: misc.security Subject: Remote alarm systems Message-ID: <9002211940.AA21607@ucbarpa.Berkeley.EDU> Date: 31 Jan 90 07:12:01 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 5 Approved: security@rutgers.edu Posted: Wed Jan 31 08:12:01 1990 Mostly they still use the 100 year old dc current loop system. A rented phone line with a current change sensor on it is all they've used since ADT started in about 1860. , U of Southern Mississippi, Gulf Coast ----MESSAGE-END----
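The permission arithmetic behind the "Re: Policy" messages above (home directories at mode 711 and a umask of 077, so .newsrc is not world-readable), as an added example that is not part of any original post. The account names and the two comparison settings are constructed; the check looks only at mode bits from the home directory down, for a user who is neither the owner nor in the group.

```python
import os
import stat
import tempfile

# Constructed sample accounts: (home directory mode, umask at file creation).
ACCOUNTS = {
    "athena_default": (0o711, 0o077),   # the defaults described in the post
    "loose_umask":    (0o711, 0o022),   # same directory mode, common umask
    "open_directory": (0o755, 0o077),   # listable home, strict umask
}


def make_account(base, name, dir_mode, umask):
    """Create a home directory and a .newsrc the way a user's session would."""
    home = os.path.join(base, name)
    os.mkdir(home)
    os.chmod(home, dir_mode)            # chmod is not filtered by the umask
    previous = os.umask(umask)
    try:
        # Programs normally request 0666; the umask strips bits from that.
        fd = os.open(os.path.join(home, ".newsrc"),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(previous)
    return home


def other_can_list(directory):
    """Can an unrelated user enumerate the names in this directory?"""
    return bool(os.stat(directory).st_mode & stat.S_IROTH)


def other_can_read(home, relpath):
    """Can an unrelated user open home/relpath for reading?

    Needs search (x) permission for 'other' on the home directory and every
    directory below it on the path, plus read (r) on the file itself.
    Directories above the home directory are assumed to be traversable.
    """
    *subdirs, filename = relpath.split("/")
    current = home
    for name in [None] + subdirs:
        if name is not None:
            current = os.path.join(current, name)
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
    target = os.path.join(current, filename)
    return bool(os.stat(target).st_mode & stat.S_IROTH)


def survey():
    """Build each constructed account and report what 'other' can do."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, (dir_mode, umask) in ACCOUNTS.items():
            home = make_account(base, name, dir_mode, umask)
            newsrc = os.path.join(home, ".newsrc")
            results[name] = {
                "newsrc_mode": oct(stat.S_IMODE(os.stat(newsrc).st_mode)),
                "listable": other_can_list(home),
                "readable": other_can_read(home, ".newsrc"),
            }
    return results


if __name__ == "__main__":
    # Mode bits do not constrain root on the file server itself, which is
    # what the per-server proxy described in the reply relies on.
    for account, facts in survey().items():
        print(account, facts)
```

The middle case shows that mode 711 alone only hides file names: a well-known name such as .newsrc stays reachable unless the umask also removes the read bit.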