ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1990)
DOCUMENT: Rutgers 'Security List' for March 1990 (153 messages, 57135 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1990/03.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
-----------[000000]----------------------------------------------------
Date: 1 Mar 90 09:05 EST
From: EVERHART@arisia.dnet.ge.com
To: SECURITY@pyrite.rutgers.edu
Subject: RE: Answerbacks / Vendor Liability

Re the mail vulnerability being fixed in VMS VAXmail, it was also fixed several years earlier by the Software Tools mail, which also filtered control characters. This fix is now ~10 years old.

Unfortunately, answerbacks can be triggered all too easily and have on occasion represented serious problems. We had a situation many years ago now where someone set the answerback on one of a small number of terminals connected to a shared VAX to DEL *.*;* when someone left the terminal logged in for an extended period. Naturally this caused consternation all around. It seemed that in addition to control-E triggering the answerback, sometimes nulls might do so also. (I no longer recall what terminal type this was.) In this case, the factor that saved the day was sufficiently paranoid systems people: they had daily backups and could restore the lost files.

I believe that this is what is called for, rather than appeals to finding fault with manufacturers or even than finding fault with careless experimenters. (I know of some network meltdowns that have clearly been due to errors while attempting what should have been legitimate activities. The Morris case might have been similar, as well.) Who hasn't experienced accidental deletion of files?

If we are to benefit from computing, we maximize that benefit by sharing information. It is everyone's responsibility to take adequate care while doing so. More than ever, regular and adequate backups are an essential part of this. This issue should be considered before buying a computer of any type, and in any use of same. Our VAXen are backed up regularly; my home machine and office PCs have nothing on hard disk that isn't on floppies also. This confers some safety. I consider the office PC a prime candidate for disaster though, as backups are difficult enough to be rare, and disks do crash now and then. Hopefully our next generation of appliance computers will contain backup devices of some sort. If they do not, it is the purchaser who is to blame for losses caused by damage FROM WHATEVER CAUSE to that data. The same applies to shared systems.

Glenn Everhart
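The control-character filtering Glenn credits to Software Tools mail is the fix on the receiving side. As an added example that is not code from the list or from either mail system, here is a Python display filter that removes C0/C1 control bytes (ENQ, NUL and the rest) from a message body before it reaches a terminal and counts what it removed, so a mail reader can log messages that carried answerback triggers; the sample body and the treatment of the C1 range are constructed assumptions.

```python
from typing import Dict, NamedTuple

# Control bytes a terminal may act on.  ENQ (control-E) triggers the
# answerback on many terminals, which is the trigger described above;
# NUL is the other byte the message mentions as a possible trigger.
ENQ = 0x05
NUL = 0x00

# Formatting controls that are kept because a mail reader needs them.
KEPT = frozenset({0x09, 0x0A, 0x0D})   # TAB, LF, CR


class FilterResult(NamedTuple):
    text: str                 # body with control bytes removed
    stripped: Dict[int, int]  # control byte -> how many were removed


def _is_control(code: int) -> bool:
    # C0 controls (0x00-0x1F), DEL (0x7F) and, as an assumption that goes
    # beyond the message, the C1 range (0x80-0x9F), which 8-bit terminals
    # also interpret as controls.
    return code < 0x20 or code == 0x7F or 0x80 <= code <= 0x9F


def filter_control_chars(body: str) -> FilterResult:
    """Strip every control character except TAB/LF/CR and count what went."""
    out = []
    stripped: Dict[int, int] = {}
    for ch in body:
        code = ord(ch)
        if _is_control(code) and code not in KEPT:
            stripped[code] = stripped.get(code, 0) + 1
        else:
            out.append(ch)
    return FilterResult("".join(out), stripped)


def answerback_triggers(body: str) -> int:
    """Number of ENQ/NUL bytes in body: the count worth logging per message."""
    return sum(1 for ch in body if ord(ch) in (ENQ, NUL))


# Constructed sample: an otherwise ordinary message carrying an ENQ and a NUL.
SAMPLE = "Meeting moved to 3pm.\x05\nSee the attached report.\x00\n"

if __name__ == "__main__":
    result = filter_control_chars(SAMPLE)
    print(repr(result.text))
    print(result.stripped, "triggers:", answerback_triggers(SAMPLE))
```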
-----------[000001]----------------------------------------------------
Date: Thu, 1 Mar 90 19:20:12 MST
From: jimkirk@outlaw.uwyo.edu (James Kirkpatrick)
To: security@pyrite.rutgers.edu
Subject: Digital Signature in business?

Does anybody know if Digital Signature is still in business? They used to make a package called CryptMaster (RSA and an RSA/DES hybrid), but directory assistance in Chicago does not have a listing for them. Did they move or did they fold?
-----------[000002]----------------------------------------------------
Date: Thu, 1 Mar 90 19:38:02 MST
From: jimkirk@outlaw.uwyo.edu (James Kirkpatrick)
To: security@pyrite.rutgers.edu
Subject: Medeco vs Keso vs Kaba

Any opinions of the Medeco lock versus the Sargent Keso versus the Kaba lock? The application would be on a safe door, and one consideration beyond security against picking or destructive entry would be vandalism by a frustrated burglar, which could lock out the legitimate owner. The Keso and Kaba seem very similar apart from the angle of the Kaba's cuts, but I don't know how much better/worse they might be compared against Medeco.

[For the curious, Keso and Kaba keys are flat with "dimples" of varying depth which match opposing rows of pins in the cylinder; the key is not one that can be easily duplicated, and with up to 20 pins it is difficult to pick open!]
-----------[000003]----------------------------------------------------
Date: 1 Mar 90 13:02:33 GMT
From: randall@UVAARPA.VIRGINIA.EDU (Randall Atkinson)
To: misc.security
Subject: Re: Answerbacks / Vendor Liability

Larry Kilgallen's note implied that DEC's sendmail as distributed was trustworthy. This is not the case. DEC's Ultrix (port of 4.2 BSD) has different bugs and different security holes from the standard UCB distribution. In my experience, it has not been any more or less trustworthy than pure BSD. Although the recent note from CERT about problems in sendmail only referenced SunOS, the problem was in fact present in other vendors' sendmail as well (including Ultrix 3).

One of the disconcerting things about AT&T's UNIX System V, Release 4 is that it is capable of running many (most ?) BSD sources without conversion. One problem with portable software and standardising OS behaviour is that something that is a problem on one machine is also likely to be a problem on another machine. This makes networks more susceptible to worms and virii, just as with humans: when a group is genetically homogeneous they are more susceptible to plagues and such.

I should note here that I am a very strong supporter of most standardisation issues and strongly believe that the combination of POSIX efforts and the recent ANSI C standard are both very desirable. I just want to point out that there are mixed blessings to it all.

In general, electronic security and trusted systems are a very subtle business. The more one learns, the less certain one becomes of anything.

Randall Atkinson
randall@Virginia.EDU
-----------[000004]----------------------------------------------------
Date: 1 Mar 90 14:05:00 GMT
From: EVERHART@arisia.dnet.ge.com
To: misc.security
Subject: RE: Answerbacks / Vendor Liability

Re the mail vulnerability being fixed in VMS VAXmail, it was also fixed several years earlier by the Software Tools mail, which also filtered control characters. This fix is now ~10 years old.

Unfortunately, answerbacks can be triggered all too easily and have on occasion represented serious problems. We had a situation many years ago now where someone set the answerback on one of a small number of terminals connected to a shared VAX to DEL *.*;* when someone left the terminal logged in for an extended period. Naturally this caused consternation all around. It seemed that in addition to control-E triggering the answerback, sometimes nulls might do so also. (I no longer recall what terminal type this was.) In this case, the factor that saved the day was sufficiently paranoid systems people: they had daily backups and could restore the lost files.

I believe that this is what is called for, rather than appeals to finding fault with manufacturers or even than finding fault with careless experimenters. (I know of some network meltdowns that have clearly been due to errors while attempting what should have been legitimate activities. The Morris case might have been similar, as well.) Who hasn't experienced accidental deletion of files?

If we are to benefit from computing, we maximize that benefit by sharing information. It is everyone's responsibility to take adequate care while doing so. More than ever, regular and adequate backups are an essential part of this. This issue should be considered before buying a computer of any type, and in any use of same. Our VAXen are backed up regularly; my home machine and office PCs have nothing on hard disk that isn't on floppies also. This confers some safety. I consider the office PC a prime candidate for disaster though, as backups are difficult enough to be rare, and disks do crash now and then. Hopefully our next generation of appliance computers will contain backup devices of some sort. If they do not, it is the purchaser who is to blame for losses caused by damage FROM WHATEVER CAUSE to that data. The same applies to shared systems.

Glenn Everhart
-----------[000005]----------------------------------------------------
Date: Thu, 1 Mar 90 19:18:33 EST
From: wcs@erebus.att.com (William Clare Stewart)
To: misc-security@att.att.com
Subject: Re: cordless privacy

]I am no lawyer, but I think you only need the consent of one of the
]parties in order to legally record a phone conversation - at least

Well, first of all, Canada and the US have different laws. In the US, a court decision a couple years back decided that cordless phones, unlike wire-based phones, do not give you a legal right to privacy for the segment of the connection that is broadcast between the handset and the base (though I suppose the connection from the base to the wall and beyond is protected.)

Second, just because the people have reasonable expectations of a right of privacy against government eavesdropping, that doesn't mean that the *government* respects those rights, and the courts have been supporting the government rather than the people in a lot of recent cases.

Bill
--
# Bill Stewart AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 erebus.att.com!wcs
# Fax 949-4876. Sometimes found at Somerset 201-271-4712
# He put on the goggles, waved his data glove, and walked off into cyberspace.
# Wasn't seen again for days.
-----------[000006]----------------------------------------------------
Date: Fri, 02 Mar 90 09:59:55 -0900
From: "ROBYN L ROBERTSON" <FSRLR@alaska.bitnet>
To: security@pyrite.rutgers.edu
Subject: Re: Home security

>Regarding window grates, what are the options these days in security
>versus being able to get out from the inside quickly in case of fire

I solved a similar problem with a set of exploding security bolts. I have not seen these in the U.S., but I expect they are available. They are available in varying diameters and threads, with shear points set at the level desired for the given application. Detonation is accomplished by running a fairly low voltage current of a minimum amperage determined by the number and type of explosive shear bolts used (the electrical line activating the detonation should have a predicted resistance, depending upon the type of shear bolts, and whether they are wired in series or parallel: CAUTION: UNDER NO CIRCUMSTANCES USE A NORMAL VOM OR DVM TO CHECK LINE RESISTANCE, USE ONLY A 'BLASTING OHM-METER') through the detonation circuit. In event of a compromise of electrical power to the shear bolt system, it is customary to include a back-up power supply, the design and implementation of which I leave as an exercise to the student.

In practice, this sort of emergency escape route is an escape route of 'last resort'. You do not want such a pathway, in extremis, to be compromised. I might note that in the applications where I have seen such bolts used, there has been very narrow access to the area under security, and so casual visitors setting off the escape-route shear bolts was a non-existent problem. In a residence, I would suggest that it might be appropriate to add a fast (perhaps three digit?) number-pad lock on each emergency exit so armed. I also warn that the heads of the bolts, which contain one wire (the bolt body providing 'ground'), should be installed in a manner to preclude tampering.

Finally, if detonation will allow explosion debris (very minimal, in most cases) or the security grate to intrude upon property not under the owner's control, there may be legal implications should someone be injured. I have no particular expertise in this area, but I can easily envision, at least in the litigious U.S., some cretin of a felon, minus three fingers on one hand, standing in court beside his equally mercenary American attorney, filing for damages suffered when your security grate blew up in his face while the gentleman was otherwise occupied attempting to cut through one of the shear bolts holding said security grate in place.

Robyn Robertson
BITNET: FSRLR@ALASKA
Internet: fsrlr@acad3.fai.alaska.edu

P.S. Normal precautions re isolation and segmentation of the overall system into discrete sub-units should obtain here, as one would expect. It does no good to have a fancy system to blow all thirty-five windows in a structure free of security grates if a fire on the first floor burns the insulation off critical connections, leading to a short which disables the entire system.
-----------[000007]----------------------------------------------------
Date: 1 Mar 90 20:42:12 GMT
From: hollombe%sdcsvax@ttidca.tti.com (The Polymath)
To: misc.security
Subject: Re: Credit Card Fraud...
}... a couple of students were able to get a hold of a credit-card
}magnetic strip recorder somehow. ...
There needn't be any "somehow" about it. You can build one with less than
$50 worth of parts from Radio Shack. The requirements are defined in an
ANSI standard, right down to the magnetic flux density of the mag-stripe
recording, and available as public information.
Scary, isn't it?
--
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimis non
Citicorp(+)TTI Carborundum
3100 Ocean Park Blvd. (213) 450-9111, x2483
Santa Monica, CA 90405 {csun | philabs | psivax}!ttidca!hollombe
-----------[000008]----------------------------------------------------
Date: 02 March 1990 05:34 CST
From: "Grant Hoover" <U26264@uicvm.bitnet>
To: security@pyrite.rutgers.edu
Subject: Caller ID

> Now that Bell is providing caller id service in some areas I
> was wondering if I could capture the number of the caller and

Before you get out your soldering iron, keep in mind the bill that Congress might pass that would require the local phone companies to offer blocking. Once this option is in place, the people attacking your BBS will probably use it, and you won't get the chance to capture any numbers.

Grant Hoover * University of Illinois at Chicago
Bitnet u26264@uicvm * CompuServe 76370,314
Internet u26264@uicvm.cc.uic.edu * GEnie G.HOOVER6
-----------[000009]----------------------------------------------------
Date: 2 Mar 90 00:18:33 GMT
From: wcs@erebus.att.com (William Clare Stewart)
To: misc.security
Subject: Re: cordless privacy

]I am no lawyer, but I think you only need the consent of one of the
]parties in order to legally record a phone conversation - at least

Well, first of all, Canada and the US have different laws. In the US, a court decision a couple years back decided that cordless phones, unlike wire-based phones, do not give you a legal right to privacy for the segment of the connection that is broadcast between the handset and the base (though I suppose the connection from the base to the wall and beyond is protected.)

Second, just because the people have reasonable expectations of a right of privacy against government eavesdropping, that doesn't mean that the *government* respects those rights, and the courts have been supporting the government rather than the people in a lot of recent cases.

Bill
--
# Bill Stewart AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 erebus.att.com!wcs
# Fax 949-4876. Sometimes found at Somerset 201-271-4712
# He put on the goggles, waved his data glove, and walked off into cyberspace.
# Wasn't seen again for days.
-----------[000010]----------------------------------------------------
Date: Fri, 2 Mar 90 10:19:07 PST
From: rex@isdmnl.menlo.usgs.gov (Rex Sanders)
To: security@pyrite.rutgers.edu
Subject: RE: Security Auditing

A few years ago, I wrote and distributed a program named "cfs" (check file status) that can run around a system recording & checking file stats. Cfs made it onto one of the last Usenix tapes, and might be somewhere on uunet. Cfs runs fast (compared to shell scripts) - checks stats on over 1000 files in about 45 seconds on a wheezing old VAX 750. If you can't find cfs in some local Unix sources archive, let me know.
--
Rex Sanders, US Geological Survey
rex@isdmnl.menlo.usgs.gov
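Rex describes cfs only by what it does, so as an added example (not cfs itself, which is not on this page) here is a Python sketch of the same check: record each file's status in a baseline and report what was added, removed or changed on the next run. It goes beyond the message by also recording a SHA-256 digest of the contents; the temporary directory tree it checks is constructed sample input.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Per-file record.  Permission bits (including setuid/setgid/sticky), owner,
# size and mtime are the stats an auditor watches; the digest is an addition
# beyond what the message describes, so content edits that preserve size and
# mtime are still caught.
FIELDS = ("mode", "uid", "gid", "size", "mtime", "sha256")
Record = Dict[str, object]


def _digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """Record the status of every regular file under root, keyed by relative path."""
    db: Dict[str, Record] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            db[os.path.relpath(full, root)] = {
                "mode": stat.S_IMODE(st.st_mode),   # rwx bits plus suid/sgid/sticky
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": _digest(full),
            }
    return db


def compare(baseline: Dict[str, Record],
            current: Dict[str, Record]) -> Tuple[List[str], List[str], Dict[str, List[str]]]:
    """Return (added, removed, changed); changed maps path -> fields that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed: Dict[str, List[str]] = {}
    for path in baseline.keys() & current.keys():
        diff = [f for f in FIELDS if baseline[path][f] != current[path][f]]
        if diff:
            changed[path] = diff
    return added, removed, changed


def demo() -> Tuple[List[str], List[str], Dict[str, List[str]]]:
    """Constructed scenario: take a baseline, then make one file world-writable
    and drop a new file into bin/, and report what the check finds."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        prog = os.path.join(root, "bin", "prog")
        with open(prog, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        os.chmod(prog, 0o755)
        with open(os.path.join(root, "site.conf"), "w") as f:
            f.write("setting=1\n")
        baseline = snapshot(root)

        os.chmod(prog, 0o777)        # permission change only; contents untouched
        with open(os.path.join(root, "bin", "extra"), "w") as f:
            f.write("dropped in after the baseline\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)
    print("removed:", removed)
    print("changed:", changed)
```

In real use the baseline would be written to removable or read-only media between runs, since a checker whose baseline lives on the system it checks can be edited along with the files.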
-----------[000011]----------------------------------------------------
Date: 2 Mar 90 02:20:12 GMT
From: jimkirk@OUTLAW.UWYO.EDU (James Kirkpatrick)
To: misc.security
Subject: Digital Signature in business?

Does anybody know if Digital Signature is still in business? They used to make a package called CryptMaster (RSA and an RSA/DES hybrid), but directory assistance in Chicago does not have a listing for them. Did they move or did they fold?
-----------[000012]----------------------------------------------------
Date: 2 Mar 90 02:38:02 GMT
From: jimkirk@OUTLAW.UWYO.EDU (James Kirkpatrick)
To: misc.security
Subject: Medeco vs Keso vs Kaba

Any opinions of the Medeco lock versus the Sargent Keso versus the Kaba lock? The application would be on a safe door, and one consideration beyond security against picking or destructive entry would be vandalism by a frustrated burglar, which could lock out the legitimate owner. The Keso and Kaba seem very similar apart from the angle of the Kaba's cuts, but I don't know how much better/worse they might be compared against Medeco.

[For the curious, Keso and Kaba keys are flat with "dimples" of varying depth which match opposing rows of pins in the cylinder; the key is not one that can be easily duplicated, and with up to 20 pins it is difficult to pick open!]
-----------[000013]----------------------------------------------------
Date: 2 Mar 90 03:59:45 GMT
From: Doug Gwyn <gwyn@smoke.brl.mil>
To: misc-security@rutgers.edu
Subject: Re: Answerbacks / Vendor Liability

>Would not a simpler rule be "Commit a felony: go to jail"? Why involve
>computers in the discussion?

Right on! Every time lawmakers try to spell out details, they end up with loopholes, simply because specificity implies lack of coverage. There is nothing magic about computers, or guns for that matter; whether or not an act is a crime should not depend on the tools used.

>> FINAL COMMENT: The INTERNET virus should be treated as a product liability
>> question. In my opinion, DEC and SUN should pay the cost of the cleanup

I've never seen any claims by DEC, Sun, or more to the point, UCB that their UNIX-based operating systems were secure; have you? What is the point of making innocent manufacturers responsible for some person's malicious abuse of their products? You're trying to punish the wrong people.
-----------[000014]----------------------------------------------------
Date: 2 Mar 90 09:45 EST
From: EVERHART@arisia.dnet.ge.com
To: SECURITY@pyrite.rutgers.edu
Subject: RE: Re: Field service spying?

Apparently this sw_inventory.com thing was from one of the local offices; the general DEC field people in my area know nothing of it but took a copy from me to see if they can find where it came from. Seems it's got problems with their corporate policy too. In DEC's defense they have tried to make it clear that the field account should be DISUSERed except when in use.

The procedure will ONLY tell about DEC images; it looks for .exe images in default locations; at least that's what it did on VMS 4.7 where I tested it. That can be sensitive, but there's nothing there that would tell anything about non-DEC images unless they happen to live in the same places the DEC ones do, with the same logicals and same filenames. The procedure was not run by field here.

Glenn Everhart
-----------[000015]----------------------------------------------------
Date: Fri, 02 Mar 90 10:20:06 GMT
From: MCGDAKI@cms.manchester-computing-centre.ac.uk
To: security@pyrite.rutgers.edu
Subject: Domestic burglar alarms...
I am considering doing a domestic system and the inertia sensors
coupled with an analyser appeals to me for perimeter protection.
Has anyone had experience using these and how good are they for
reliability and immunity to false alarms?
Arnold Kirk
-----------[000016]----------------------------------------------------
Date: Fri, 2 Mar 90 22:11:01 -0500
From: owen blevins <blevinso@silver.ucs.indiana.edu>
To: -v@silver.ucs.indiana.edu, security@ohstvma.bitnet
Subject: NATIONAL SECURITY ARCHIVES

Anyone dealt with the NSA? What are they? What research materials do they provide? Any and all information would be greatly appreciated! Thanks.

blevinso@silver.ucs.indiana.edu
-----------[000017]----------------------------------------------------
Date: 2 Mar 90 18:19:07 GMT
From: rex@ISDMNL.MENLO.USGS.GOV (Rex Sanders)
To: misc.security
Subject: RE: Security Auditing

A few years ago, I wrote and distributed a program named "cfs" (check file status) that can run around a system recording & checking file stats. Cfs made it onto one of the last Usenix tapes, and might be somewhere on uunet. Cfs runs fast (compared to shell scripts) - checks stats on over 1000 files in about 45 seconds on a wheezing old VAX 750. If you can't find cfs in some local Unix sources archive, let me know.
--
Rex Sanders, US Geological Survey
rex@isdmnl.menlo.usgs.gov
-----------[000018]----------------------------------------------------
Date: 2 Mar 90 23:04:31 GMT
From: gwyn@SMOKE.BRL.MIL (Doug Gwyn)
To: misc.security
Subject: Re: thermal lances (was: vault doors)

Anyone who hasn't seen one of these in action is advised to check out the movie "Thief" (starring James Caan) at your local video rental store.
-----------[000019]----------------------------------------------------
Date: 2 Mar 90 23:04:31 GMT
From: Doug Gwyn <gwyn@smoke.brl.mil>
To: misc-security@rutgers.edu
Subject: Re: thermal lances (was: vault doors)

Anyone who hasn't seen one of these in action is advised to check out the movie "Thief" (starring James Caan) at your local video rental store.
-----------[000020]----------------------------------------------------
Date: 3 Mar 90 03:58:26 GMT
From: kelly@uts.amdahl.com (Kelly Goen)
To: misc-security@ames.arc.nasa.gov
Subject: Re: Home security
>Regarding window grates, what are the options these days in security
>versus being able to get out from the inside quickly in case of fire
AGREED... Window grates are hazardous.... Try 3/16" GE UV Stabilized
LEXAN plastic...remember to use Epoxy based putties when replacing
the glass in the window frame.... the plastic will take more impact than
the iron bars and doesn't give you a feeling of being behind bars....
REMEMBER to UPGRADE the Window Locking System as this is the weakest
part beside the glass on most windows....you might ask if it's tough enough
MY side shed window Aluminum Frame took 27 impacts with a 15 lb sledge
before the 2x4 frame the window frame was attached to splintered...
the Iron bars I tested fell prey within 10 seconds to a 7 ft wrecking
bar... Give me LEXAN every TIME!!!
cheers
kelly
-----------[000021]----------------------------------------------------
Date: 3 Mar 90 04:05:31 GMT
From: kelly@uts.amdahl.com (Kelly Goen)
To: misc-security@ames.arc.nasa.gov
Subject: Re: Fire Sprinkler Cameras
>They are built into regular sprinkler heads which have been slightly
>modified to fit a small mirror assembly....
>The company there that was marketing the things is Visual Methods, in
>Westwood NJ. _H*]
Yeah, I checked on this one.... Friends, those $500.00 sprinkler
fixtures are overpriced PLASTIC (RIGHT, 500.00 for plastic) JUNK...
out of 6 ordered 4 failed during installation and setup....all were sent
back to the distributor... have to wait until a better one is available...
cheers
kelly
p.s. There are much better hidden cameras on the market just check
any issue of CCTV Magazine...
-----------[000022]----------------------------------------------------
Date: Sat, 3 Mar 90 13:01 EST
From: David Hoelzer <CONSP12@bingvaxa.bitnet>
To: security@ohstvma
Subject: Cameras

I've helped to design a number of camera boxes, including a converted slide projector, emergency fire lights, and thermostats.. I'll tell you the truth .. Don't bother trying to tell the difference.. We had a camera in full view on top of a vending machine.. We set some other stuff up there too (like boxes and wires.. just junk)... The first two days, everyone just looked at it.. The chairman of the company asked what it was doing there.. Well.. We told him, and later that night one of the security guards, who had seen this camera sitting there, walked out of the building with a few boxes of paper... Needless to say, he was shocked when he saw the footage.. He claimed, "How'd you get that!!! That Camera is broken!!". People assume what they like.. No one has yet realized what the thermostat is, nor the fire box.. The slide projector has caught ten people... One of them even tried to steal it, until they realized that it was hooked into the wall...

DSH
-----------[000023]----------------------------------------------------
Date: Sat, 3 Mar 90 15:01:49 EST
From: eichin@mit.edu (Mark W. Eichin)
To: reynhout@wpi.wpi.edu
Cc: misc-security@husc6.harvard.edu
Subject: Re: Who (Specificly) has Morris' Worm Code?

What I've been wondering (since reading the early Cornell report) is: Did Morris actually use Unix crypt(1) to protect his files? And (as the Cornell report claimed) given that they were able to break them, did they make use of Bob Baldwin's Crypt Breaker's Workshop?

_Mark_
-----------[000024]----------------------------------------------------
Date: 3 Mar 90 10:57:29 GMT
From: astieber@CSD4.CSD.UWM.EDU (Anthony J Stieber)
To: misc.security
Subject: What IS a thermal lance (Re: vault doors, was: locks)

Exactly what is a thermal lance? I've seen several references to these but have been unable to figure it out from context.
--
<-:(= Tony Stieber astieber@csd4.csd.uwm.edu att!uwm!uwmcsd4!astieber
-----------[000025]----------------------------------------------------
Date: 03 Mar 90 09:27:41+0100
From: Joseph C. Pistritto <cernvax!chx400!cgch!jcp@mcsun.eu.net>
To: kelly@uts.amdahl.com
Cc: misc-security@ames.arc.nasa.gov
Subject: Re: Home security
Well, there ARE other techniques that work against LEXAN. In particular
heating it up will make it bend, allowing sheets to be bent and popped from
the window frame. They used LEXAN in the 'escape-proof' new jail in Towson,
Maryland several years ago. Took the inmates about 3 months to figure a way
to make a blowtorch from an aerosol can, point at lexan, heat for several
minutes, kick out panel. They put bars in after that...
With suitable reinforcing, and by keeping the panes small enough, this
problem could possibly be avoided. An interesting possibility is making
those 'colonial' style windows where the panes are about 8 inches by 12
inches, with the panes being Lexan and the normally wood barriers between
panes being made instead from steel would probably work nicely, without
even having the 'look' of security, if that's what you want.
======================================================================
Joseph C. Pistritto HB9NBB N3CKF
'Think of it as Evolution in Action' (J.Pournelle)
Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
Internet: jcp@brl.mil Phone: (+41) 61 697 6155
Bitnet: bpistr%cgch.uucp@cernvax.bitnet Fax: (+41) 61 697 2435
Also: cgch!bpistr@mcsun.eu.net
-----------[000026]----------------------------------------------------
Date: 3 Mar 90 20:01:49 GMT
From: eichin@MIT.EDU (Mark W. Eichin)
To: misc.security
Subject: Re: Who (Specificly) has Morris' Worm Code?

What I've been wondering (since reading the early Cornell report) is: Did Morris actually use Unix crypt(1) to protect his files? And (as the Cornell report claimed) given that they were able to break them, did they make use of Bob Baldwin's Crypt Breaker's Workshop?

_Mark_
-----------[000027]----------------------------------------------------
Date: Sun, 4 Mar 90 11:34:44 pst
From: billf@hpcvlx (Bill F. Faus)
To: security@rutgers.edu
Subject: Re: re: Thermic Lances

Reminds me of a picture in a book I have on the properties of wood. The picture shows a gutted out burned building with only some large wooden posts and beams left standing. Looped over the charred wooden beams are two metal I beams bent to the ground at each end from the heat. The wood beams made it through the fire, but the metal ones failed.
---------------
billf@cv.hp.com
-----------[000028]----------------------------------------------------
Date: Sun, 4 Mar 90 16:41:37 GMT
From: jik@athena.mit.edu (Jonathan I. Kamens)
To: security@pyrite.rutgers.edu
Subject: Re: Who (Specificly) has Morris' Worm Code?

Just how easy do you think it is to disassemble a program from machine language into source code form? Granted, Morris made it a little bit easier by failing to strip off the symbol tables before "letting loose" the binaries (There are hypotheses that he did so because he was "in a hurry"...), but he made it harder by XOR'ing all the strings in the entire binary. Yes, it was POSSIBLE to reverse engineer from the binary to the source code. However, I wouldn't say that it only takes "a little reverse-engineering" to do so. I'd say it takes more "reverse-engineering" than most system administrators have the knowledge, time or desire to put into it.

Jonathan Kamens                         USnail:
MIT Project Athena                      11 Ashford Terrace
jik@Athena.MIT.EDU                      Allston, MA  02134
Office: 617-253-8495                    Home: 617-782-0710
-----------[000029]----------------------------------------------------
Date: Mon Mar 05 01:10:28 CEST 1990
From: rop@neabbs.UUCP (HACK-TIC)
To: hp4nl!misc-security@relay.eu.net
Subject: Re: Computer Abuse / Product Liability / Criminal Statutes / ECPA

Maybe a good definition of a hacker: A hacker is someone who is too busy doing weird things using technology to concern him/herself with defining the term 'hacker'. I don't mean to kill a good discussion here, I just feel that discussions about the definition of the term 'hacker' tend to get boring and predictable after two or three messages. Much more interesting (referring to the 2nd of March message) is the question whether playing a game on a computer 20.000 miles away isn't a much more efficient way of learning something than going to school in the first place.

Rop Gonggrijp, editor of Hack-Tic, a magazine for Dutch hackers....
-----------[000030]----------------------------------------------------
Date: Mon, 5 Mar 90 8:11:07 CST
From: "Mark D. McKamey IM SA" <mark@ria-emh2.army.mil>
To: security@pyrite.rutgers.edu
Subject: Video camera devices
Hello All,
I've recently seen a number of "trick" video camera devices demonstrated on
TV. The teddy bear with a video camera in its belly, and the TV that video
tapes the TV viewer while he/she watches the TV.
I am trying to find out who sells devices such as these, and are there any
illegal implications of using one of these devices to video tape how a
babysitter treats a child while the parents are out of the house?
Mark
mark@ria-emh2.army.mil
-----------[000031]----------------------------------------------------
Date: Tue, 6 Mar 90 02:17 PST
From: dhunt@nasamail.nasa.gov (DOUGLAS B. HUNT)
To: <security@pyrite.rutgers.edu>
Subject: RE: LAN security & control review

You should contact the EDP Auditors Foundation in Chicago. They have a variety of publications on these and related topics. Perhaps Bill Murray, who frequently corresponds through this list, has some other suggestions.

Doug Hunt
-----------[000032][next][prev][last][first]---------------------------------------------------- Date: 5 Mar 90 18:52:30 GMT From: steves@ivory.sandiego.ncr.com (Steve Schlesinger x2150) To: misc.security Subject: Factoring Large Numbers
I have received a report from an independent researcher, Giorgio Coraluppi, that claims to have developed an algorithm to factor large numbers in a relatively short amount of time. I do not have the background to evaluate this work, and would appreciate the names (and addresses) of people working in this field who would be interested in reviewing it.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
steve schlesinger steve.schlesinger@sandiego.ncr.com 619-485-2150
NCR - 4010, 16550 W Bernardo Dr, San Diego, CA 92127
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-----------[000033][next][prev][last][first]----------------------------------------------------
Date: 6 Mar 90 17:53:25 GMT
From: KHB1@lehigh.BITNET ("Kathy Healy Brey")
To: misc.security
Subject: Virus Scan on a LAN
Can anyone provide advice or information on the following:
CONFIGURATION
An ethernet LAN running NOVELL with 10 nodes.
Workstations are Zenith 286LP's with 20Meg hard drives & a 3.5" drive.
LAN is for student use.
PROBLEM
We would like to run a virus scan on any floppy inserted into the 3.5
inch drive AT INSERTION. Is this possible? If so, how?
The ideal scenario would be: Student inserts floppy in A:. System
recognizes presence of floppy and scans diskette for known viruses...
(a system-initiated scan, not an operator-initiated scan)
If diskette is O.K., student goes to work. If diskette is contaminated,
it's ejected(?) and student gets locked out of workstation and is
directed to LAN Administration. L.A. grabs diskette and does detective
and control work...
THANKS for any help.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| Kathy Healy Brey, Manager Admin Environment: |
| KHB1@LEHIGH THE INFORMATION CENTER IBM 4381 VSE/SP 2.1.5 |
| 215-758-3006 Lehigh University IA Systems |
| Private U Fairchild-Martindale 8B IBM PCs & Compatibles |
| 6500 Students Bethlehem, PA 18015-3146 Novell LANs |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
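The insertion-triggered workflow asked for above (recognize the diskette, scan it unattended, let the student work if clean, lock the workstation and page LAN Administration if not), as an added example that is not part of the original post or of any Novell product. It assumes a constructed setup: the diskette shows up as a directory at a mount point, the "known viruses" list is a set of made-up marker bytes, and `notify` is whatever reaches the administrator.

```python
"""Added example: poll a removable drive, scan it at insertion, lock on a hit.

All names here are constructed for the example (`Workstation`, `scan_volume`,
`SIGNATURES`); they are not from any scanner or LAN product.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

# Constructed signature database standing in for the scanner's known-virus
# list. These are arbitrary marker bytes, not patterns from any real virus.
SIGNATURES = {
    "EXAMPLE-SIG-A": b"EXAMPLE-VIRUS-MARKER-A",
    "EXAMPLE-SIG-B": b"EXAMPLE-VIRUS-MARKER-B",
}


def scan_file(path: Path) -> list[str]:
    """Return the names of every signature found in one file."""
    data = path.read_bytes()
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_volume(root: Path) -> dict[str, dict]:
    """Scan every file on the volume. Each hit is recorded with a SHA-256 so
    the administrator has something fixed to work from afterwards."""
    findings: dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            hits = scan_file(path)
            if hits:
                findings[str(path.relative_to(root))] = {
                    "signatures": hits,
                    "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                }
    return findings


class Workstation:
    """State machine from the post: idle -> scanning -> ok, or -> locked.

    A PC 3.5" drive cannot eject under software control, so the enforceable
    part is the lockout; it persists until LAN Administration clears it.
    """

    def __init__(self, mount_point, notify):
        self.mount_point = Path(mount_point)
        self.notify = notify          # callable(findings): page the admin
        self.media_seen = False
        self.locked = False
        self.state = "idle"

    def poll(self) -> str:
        """One system-initiated check of the drive; returns the new state."""
        if self.locked:
            return "locked"
        present = self.mount_point.is_dir()
        if present and not self.media_seen:
            self.media_seen = True            # scan once per insertion
            self.state = "scanning"
            findings = scan_volume(self.mount_point)
            if findings:
                self.locked = True
                self.state = "locked"
                self.notify(findings)
            else:
                self.state = "ok"
        elif not present:
            self.media_seen = False           # diskette removed; re-arm
            self.state = "idle"
        return self.state

    def admin_unlock(self) -> str:
        """Only LAN Administration clears the lockout."""
        self.locked = False
        self.media_seen = False
        self.state = "idle"
        return self.state


def watch(mount_point, notify, interval: float = 1.0, max_polls=None):
    """Poll loop; this is what a workstation startup script would run."""
    ws = Workstation(mount_point, notify)
    polls = 0
    while max_polls is None or polls < max_polls:
        ws.poll()
        polls += 1
        time.sleep(interval)
    return ws


def make_test_drive(files: dict[str, bytes]) -> Path:
    """Constructed stand-in for an inserted diskette: a temp dir with files."""
    drive = Path(tempfile.mkdtemp()) / "A"
    drive.mkdir()
    for name, data in files.items():
        (drive / name).write_bytes(data)
    return drive


def remove_test_drive(drive: Path) -> None:
    """Stand-in for pulling the diskette out of the drive."""
    shutil.rmtree(drive, ignore_errors=True)
```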
-----------[000034][next][prev][last][first]---------------------------------------------------- Date: 6 Mar 90 19:30:21 GMT From: chidsey@SMOKE.BRL.MIL (Irving Chidsey) To: misc.security Subject: Re: Wireless Home Security Systems
<Does anyone know how hard it is to jam or fool these wireless home
<security systems? Couldn't one just use a spectrum analyzer to determine

But home security systems are only designed to be secure enough so that the reward isn't worth the trouble. A spectrum analyser plus the coder + modulator + transmitter combination necessary to jam/break any wireless system likely to be encountered requires more equipment and expertise than your typical random junkie-looking-for-a-tv-to-fence is likely to be willing or able to put into the project. If you have valuables worthy of such expertise in your home you should put similar expertise into defeating breakins. And you should be willing to spend equally serious money.

Irv
--
I do not have signature authority. I am not authorized to sign anything. I am not authorized to commit the BRL, the DOA, the DOD, or the US Government to anything, not even by implication.
Irving L. Chidsey <chidsey@brl.mil>
-----------[000036][next][prev][last][first]---------------------------------------------------- Date: 6 Mar 90 20:49:40 GMT From: spaf@cs.purdue.edu (Gene Spafford) To: misc-security@gatech.edu Subject: Contest announcement
The National Center for Computer Crime Data notes with interest the
considerable controversy engendered by the trial and guilty verdict in
the case of Robert T. Morris. In order to expand and focus the
conversation, we announce the "If I were the Robert Morris case judge"
essay contest. We will award $100 to the best essay of 250 words or
less suggesting the appropriate sentence for Mr. Morris.
Security Magazine has agreed to publish the winning essay in its May
issue. Contestants need not be familiar with the federal guidelines
for sentencing, but should assume, for the purpose of their essay,
that the judge can impose any sanctions he or she thinks reasonable.
All essays must be received by the National Center for Computer Crime
Data, 1222-B 17th Avenue, Santa Cruz, CA, 95062 by March 28, 1990.
J.J. Buck BloomBecker, Esq.
Director
[The real sentencing for Mr. Morris will be May 4.
I am not affiliated in any way with the NCCCD --spaf]
--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
-----------[000037][next][prev][last][first]---------------------------------------------------- Date: Wed, 7 Mar 90 10:36:00 -0500 From: nitrex!rbl@uunet.uu.net To: security@pyrite.rutgers.edu Subject: Re: Opening an old safe?
There is a locksmith in the small Ohio town where my wife just opened a retail jewelry store. His ex-wife walked up to a locked circa-1910 safe and proceeded to open it --- the combination was unknown. Her comment: "I have a stethoscope in my fingers." If the old Victor safe is anywhere nearby southeastern Ohio/PA/WV, we could arrange a contact. Rob Lake BP Research rbl@BP.COM
-----------[000038][next][prev][last][first]---------------------------------------------------- Date: Wed, 7 Mar 90 09:55 EST From: "And now, #1, The Larch" <AEWALSH@fordmurh.bitnet> To: SECURITY@OHSTVMA Subject: Mutilated Currency (was Re: Bill Changers)
> Easy -- chop the big numbers off the corners of a $20 bill, paste them
> onto the corners of a $1 bill. Pass this as a $20 bill.

This works. As a former bank teller at a commercial bank in Buffalo, I recall a teller actually taking one. If you must pass them off, though, don't do it at a bank - they're much too careful, and know enough to look at the *portrait* when receiving money.

> Turn in the mutilated $20 for a fresh one.

Yes, well...um-- mutilated currency must have one side intact (if I recall the rules correctly). Hence it is necessary to do this dastardly deed with *two* 20's, using first one side on the first bill, and the opposite side on the other.

> (no, I am not advocating the practice)

Me neither. The FBI and the Treasury department do not take kindly to this practice. Try this in a bank (either with funny twenties or bringing in lots of mutilated) -- you are likely to get your picture taken by those lovely cameras on the wall.

Jeffrey
Fordham University
AEWALSH@FORDMURH
-----------[000039][next][prev][last][first]---------------------------------------------------- Date: Wed, 07 Mar 90 16:31:01 -0500 From: "Frank Topper" <topper%a1.relay@upenn.edu> To: security@ohstvma.bitnet, dasig@suvm.bitnet Subject: Meeting with the FBI
Dear Security & Dasig Subscribers,

Activated by a suggestion from William Sessions, Director of the FBI, my associate Linda May and I scheduled a meeting with the local Philadelphia office to discuss computer, information and network security. We wanted to draw from their experience, learn their perspective, and establish a direct connection with the people who can help us in the event of an important security breach -- and to know what they can and can not do regarding the subsequent investigation. We met with two agents last month. Our agenda included discussing security breaches (principal kinds reported, principal deficiencies that enable such breaches, proportion involving perpetrators external/internal to the organization, proportion of organizations which had a security plan, program and officer, and the most important factor(s) for achieving appropriate levels of security), classifications of activities (legal, illegal and questionable), recaps of proposed legislation, and suggested actions & publications.

Regarding breaches: They said that banks are the most susceptible to loss, and that most private companies absorb losses without prosecuting due to the time, expense, and the wish to not appear stupid. They said that companies that did prosecute breaches had fewer recurring problems. Universities tend to get more young hacker-types, while corporations get embezzlers. Most complaints are financial institutes that get 'hit over the wire' (wire fraud), bulletin boards containing pirated software & credit card access numbers, and, most recently, they are beginning to get calls about virus problems. Although they were not allowed to give details, the FBI is currently involved in two major virus investigations. They see a major problem being when a hacker receives 'celebrity status'. This encourages trying to beat the system since fame and not disrepute is the potential payoff.

Statistically, lower-level employees are easier to catch because they leave a trail of their actions. Higher-level (V.P.) employees know the systems and leave less of a trail.

Activity types: The FBI gets involved when a Federal crime is committed. Usually this means either: 1) Crime involving more than one state, 2) crimes involving gov't computers or gov't networks, or 3) the more broad '86 Computer Fraud and Abuse Act. Interestingly enough, one of the agents we spoke with participated in the investigation which has led to the conviction of Robert Morris, Jr. A questionable activity, but not illegal, is when a hacker (or employee) reads files they are not supposed to have seen. Not so related to universities is the new wrinkle provided by cellular phones. In this case the transmission travels through the airwaves to a hardwire transmission point. It is not illegal to listen in to the part broadcasted (although, a recent note on the SECURITY list mentioned that it was illegal to disclose an overheard conversation). Anytime we have a question about an activity we are encouraged to contact the agents & get the latest perspective.

Legislation-wise, neither agent has received updates on the two '89 proposed acts: Computer Protection & Computer Virus Eradication. They said there is always a lag time between when a law is passed and when they get instructions as to what it means and how it can be used. They can prosecute computer crimes now involving threats or harassment....and they said if they REALLY WANT to get someone they'll research any and all laws to try to find something to stick on the alleged criminal. They suggest knowing what data is sensitive and take extra precautions. Whatever security programs are running need to be monitored and checked for patterns of unusual activity, i.e., send reports to the user/custodians of each protected system.

Lastly, to get around the undesirable impression of security being iron-handed, they stressed the need for an education program touching every employee with a solid emphasis on WHY the security efforts (and the employees' efforts) are needed...and what can happen if the efforts are not made. Based on an "OK" from the local agent-in-charge, both agents were willing to come to this university and speak to our planned-for Security Steering Committee, and without making specific recommendations, stress the importance of having a full-time security officer-type and comprehensive education/awareness program.

Regards.
Frank Topper
Information Analyst
University of Pennsylvania
(215) 898-2171
topper@a1.relay.upenn.edu
"I have observed that persons of good sense seldom fall into disputes, except lawyers, university men, and men of all sorts that have been bred at Edinborough." Ben Franklin
-----------[000040][next][prev][last][first]---------------------------------------------------- Date: Wed, 07 Mar 90 17:19:01 -0500 From: "Frank Topper" <topper%a1.relay@upenn.edu> To: security@ohstvma.bitnet Subject: Report on a Security Conference
I sent this report to the Data Administration Special Interest Group. Perhaps you are interested also. Frank
------
Report on the 16th Annual Security Conference held in November, 1989

Dear Dasig Subscribers,

Last November I attended a security conference in Atlanta, GA. It was an unusually good event; well-organized, many options for workshops and presentations, and terrific for 'networking' - meeting people from higher ed & the corporate world. As a relative newcomer to the security world I say: If you need to go to a security conference attend the next one of these! The presenters throughout the week were equally divided between vendors/consultants and non-vendors/consultants. Sales pitches were confined to the exhibition area and not sprinkled through the day. In other words, the presentations were not used as platforms for advocating particular technologies or services.

Favorite sessions included:

Keynote Addresses -
- Legal Liability of Corp Officers
- FBI Viewpoint (Bill Sessions, Director)
- Ethical Considerations (R. Barker, Cornell's Provost)

Other presentations/workshops -
- How To Gain Sr. Mgmt Support for a Sec. Program
- How To Be an Effective Security Officer
- Anticipating Future Network Sec. Reqs. and Abuses

The exhibits were almost all worth a visit, and ranged from disaster recovery (a melted, blackened VAX hissed & spewed 'smoke') to create-your-own security awareness videos. There were optional ($250 each) full-day sessions the Sunday before and the Thursday following the conference. As there were 8-10 concurrent sessions running every hour & 1/2, and due to the conference organizers not making ALL the session handouts available, I spent the first two days meeting people and making deals to get the handouts for the presentations I wasn't attending (you send me yours & I'll send you mine). The organizers did give out several handouts on diskette & said they planned to eventually be able to give out all the handouts this way.

Next conference?
Atlanta 11/12-11/15/90
Sponsored by: Computer Security Inst.
Phone: (508) 393-2600
Cost: $1,295

I am planning a presentation at this next conference, tentatively about creating an info & computer security policy & program in a decentralized environment...from ground zero. I'll be sending around a list of attendees from the '89 conference who came from institutes of higher education.

Regards.
Frank Topper
Info Analyst
University of Pennsylvania
(215) 898-2171
topper@a1.relay.upenn.edu
-----------[000041][next][prev][last][first]---------------------------------------------------- Date: Wed, 07 Mar 90 17:21:01 -0500 From: "Frank Topper" <topper%a1.relay@upenn.edu> To: security@ohstvma.bitnet Subject: Security Conference Attendees
16th Annual Security Conference Attendees (higher ed)

Auriene, Anthony          Security Admin.          National Ed. Corp.
Barker, Robert            Provost                  Cornell U.
Benders, Carol L.         Info Sys Sec Spec.       Howard U.
Bosshart, David A.        Security Admin           U. of Minnesota
Brown, Corrine H.         Prj Mgr/Std-Sec          Ed. Testing Service
Bruhn, Mark               Data Administrator       Indiana U.
Coffman, Jack L.          Security Control Off     U. of KY Computing Ctr
Cook, Janet M.                                     Illinois State U.
DeCruyenaere, K.C.                                 U. of Manitoba
Domin, Anthony C.         EDP Audit Mng            Penn State U.
Fairweather, Ian          EDP Security Admin       U. of Ottawa
Fisher, Charles E.        Director                 U. of South Florida
Higashi, Albert           Assistant Director       U. of Hawaii
Hinkson, Betty            Instructor               Jacksonville State U.
Kieffer, Rom              Manager, DataComm        U. of Calgary
Rosenthal, Dan            Computer Manager         Mississippi College
Roy, Yves                 IR Administrator         U. of Ottawa
Schott, Jr. Richard R.    Info Security Officer    Wayne State U.
Shelley, Richard          DS Officer               U. of Virginia
Stewart, Dorothy          Sas Security             U. of Michigan
Stromberg, Lars           Director                 Barry U.
Tenisci, Teresa           Mgr, Bus & Sec           U. of British Columbia
Thomas, Dave                                       Rochester City Schools
Topper, Frank             Info Analyst             U. of Pennsylvania
van Wyk, Kenneth R.                                Carnegie Mellon U.

Some titles were not listed & thus have been left blank.

Regards.
Frank
-----------[000043][next][prev][last][first]---------------------------------------------------- Date: 7 Mar 90 17:41:00 GMT From: brough@islndsenet.dec.com (Paul Brough) To: misc-security@decwrl.dec.com Subject: Home security systems
[Message apparently truncated?]

... has the best system for the money, or if I should go to Radio Shack and get some of their stuff. The following is a list of considerations that I am going to use when I purchase the system:

1) Cost should be around $1,000-1,500
2) Cover the following doors
   a) front door
   b) back door
   c) breezeway door
   d) bulkhead door
   e) garage to interior breezeway door
   f) cellar to interior house door
3) Keypad entry perhaps master bedroom keypad
4) Perhaps central station monitoring
5) Passive infrared detectors on the first floor leading to the upstairs
6) PID on the second floor

I have literature on a system put out by Fire Burglary Incorp (or something like that) and most of the above fits in, but I understand that Napco (or is it Mapco) has another system out that is supposed to be a little better. Does anyone have any experience in this and can give me more info? By the way, I live in the Worcester/Fitchburg Mass. area. Any and all help will be greatly appreciated.

Thank you very much,
Paul
-----------[000044][next][prev][last][first]---------------------------------------------------- Date: Thu, 8 Mar 90 01:09 CST From: <JJOYCE@umkcvax1.bitnet> To: misc-security@rutgers.edu Subject: Re:.Opening and old safe ?
Cf. : pp 137-155
"Surely You're Joking, Mr. Feynman!"
1965
Richard P. Feynman
W. W. Norton & Co., New York
ISBN 0-393-01921-7
J.Joyce
JJOYCE@UMKCVAX1 Bitnet
-----------[000046][next][prev][last][first]---------------------------------------------------- Date: Thu, 08 Mar 90 14:27:18 PST From: blade@darkside.com (The Blade) To: misc-security@ucbvax.berkeley.edu
I need information on on-line databases that are helpful to the private investigator, such as background info, SS checks, DMV reports, etc... I know of US Data-link but they want $1000 to sign up, any specialized bases are also appreciated.
-----------[000049][next][prev][last][first]---------------------------------------------------- Date: Fri, 9 Mar 90 13:22:28 EST From: barnett@unclejack.crd.ge.com (Bruce Barnett) To: cb2s+@andrew.cmu.edu, security@pyrite.rutgers.edu Subject: Re: Honda motorcycle keys
We had a case in our area where two people had 1) The same model car 2) The same color 3) Parked near each other in the same parking lot and 4) Had the same trunk key. Someone went to the parking lot and dropped off a package in their trunk. They went back into the Mall, and when they checked their trunk the second time - they "discovered" that their packages were "stolen". -- Bruce G. Barnett <barnett@crdgw1.ge.com> uunet!crdgw1!barnett
-----------[000050][next][prev][last][first]---------------------------------------------------- Date: Fri, 09 Mar 90 16:34:42 PLT From: Alan Zacher <29562883@wsuvm1.bitnet> To: security@ohstvma Subject: datsun keys
about datsun keys. be VERY careful about testing your key in other peoples
vehicles of the same make. people in my family HABITUALLY put the key to our
1980 datsun 210 into the ignition of our 1982 datsun pickup. the key would
turn until it reached the 'on' position, then it would pop out and would not go
back in. i had to take the dang lock apart to reset it and it took about 15
times before we got the brains to change the pickup ign. key. needless to say
we made SURE that the two keys were not semi-interchangeable before we
installed the new cylinder. just thought id warnya.
alan
-----------[000051][next][prev][last][first]---------------------------------------------------- Date: Fri Mar 9 14:10:05 1990 From: guhsd000@crash.cts.com (Paula Ferris) To: misc-security@crash.cts.com Subject: Re: Them Locks Are Easy
Well, I'm glad to see I started a conversation that got some response anyway. My friend's motorcycle (Honda) had such high tolerances in the cylinder and pin assembly that the core could be turned with a screwdriver if you took a little time to play with it and jiggle it into line. If you're worried about it, don't make your car a target, most cars in my area anyway are usually first taken for goodies inside (tronics), then end up stripped. It seems if they are going to go through all the trouble to rip off your stuff, they are going to get the most out of it. Pullout stereos, amplifiers in the trunk out of sight and a blinking LED are all good ideas. Even if the LED doesn't really go to an alarm, it'll keep a lot of lesser hand prints off the car, and with a simple IC LED Flasher, a single "D" cell can drive it continuously for a year. At all costs, avoid parking on the street, cars are rarely taken out of the driveway. Usually they are taken out of parking lots (around here Apartment building lots) or off the street. The best thing (without having a garage) is to park under a motion detector/flood light assembly. The action of having the dark driveway flooded with that 300 watt quartz halogen lamp gets attention, and I think is more effective than simply having the area continuously lit. Some basic ideas, always, even for a minute, lock the doors with the windows up. Many cars have been boosted when someone runs into the 7-11 "just for a minute." Roll the windows up tight, most manual windows when rolled tight will track outwards on most newer cars, making the user of a slimjim (many new cars still don't use the simple barrier plates and sidebars) have a rough time even getting it inserted, much less using it, as well as making wires and such very difficult to use to get to the locks. If anyone really wants your car, they are going to get at it, but you don't have to help them.

A former investigator for a very large police department's auto theft unit in the western US.
-----------[000052][next][prev][last][first]---------------------------------------------------- Date: Fri, 09 Mar 90 16:51:45 EST From: Homer <CTM@cornellc.bitnet> To: "Security List." <security@pyrite.rutgers.edu> Subject: Re: Them Locks Are Easy
>Moaning at car manufacturers for providing rotten security is unlikely to
>succeed. They make so much money selling people parts to replace things
>smashed by thieves that it's hardly worth their while improving matters.
I presume that car stereos are the most stolen item in the universe.
You think the stereo manufacturers take this into account when they
project sales into the future? Does a stolen stereo mean another sale?
Does it mean a lost sale to the bozo who buys the hot stereo?
Does it mean a lost sale to those of us who are too scared to have
stereos in our cars?
Do they BENEFIT from thievery? Or is it a detriment to them?
-----------[000053][next][prev][last][first]---------------------------------------------------- Date: 9 Mar 90 17:21:07 EST (Fri) From: simsong@prose.cambridge.ma.us (Simson L. Garfinkel) To: cs4i03ab@maccs.dcss.mcmaster.ca Cc: security@pyrite.rutgers.edu Subject: holograms on bills
Actually, the idea of putting a hologram on a bill is what American Banknote Inc. has staked its livelihood on. That is the company that makes the holograms that have become standard on credit cards. But it's all a hoax. Here's why: First, anybody can make a hologram, even the small foil kind that are embossed. Total equipment cost is no more than $10,000. That's hardly a deterrent. Second, nobody checks the holograms. Ever notice how different cards use different holograms? They could have done something tricky, like storing information in the hologram that would have required a special reader. But that would have been too expensive. Indeed, the only reason that there are holograms on credit cards --- and the reason they are coming to currency --- is that American Banknote Inc. has succeeded in making people think that it is more secure. It isn't. Simson Garfinkel
-----------[000054][next][prev][last][first]---------------------------------------------------- Date: Fri, 9 Mar 90 20:15 EST From: <CJS@cwru.bitnet> To: hobbit@pyrite.rutgers.edu Subject: Car Locks -- They had great locks at Hertz in Belfast
Last time I was in Belfast I rented a car at the airport (I think it was Hertz). The cars didn't use regular keys but something that looked, well, I can't describe it other than to say the key was very strangely shaped. The reason they go to such trouble with locks is the IRA (and maybe the provos (I can't recall)) steal cars and put bombs in them and then park them somewhere. The security forces will assume any abandoned/stolen car has a bomb in it--we all know how you defuse a bomb, you blow it up. So, if any car is stolen it is effectively totalled. I suspect it is hard to get the damn things insured. Hence the extra security. I never could find out who made the locks. cjs
-----------[000055][next][prev][last][first]---------------------------------------------------- Date: 9 Mar 90 19:38:49 GMT From: nagle@well.sf.ca.us (John Nagle) To: misc-security@ucbvax.berkeley.edu Subject: Re: bill changers
Where can I get a cheap bill reader, suitable for use to retrofit an
existing vending machine (a photo booth) for paper money? Used units
are acceptable.
John Nagle
-----------[000056][next][prev][last][first]---------------------------------------------------- Date: 9 Mar 90 22:09:00 GMT From: warlock@CSCIHP.CSUCHICO.EDU (John Kennedy) To: misc.security Subject: Re: Bicycle locks
>was partly scraped off, so I couldn't make out the name, but it ends with
>NG-TAY.

I believe the lock you're referring to is called "MING-TAY", available at your finer K-Mart stores for around $20. What can you expect? (-:

--
Warlock, AKA      +----------------------------------------------------
John Kennedy      | uucp:     lampoon!warlock@csuchico.edu
CSCI Student      | internet: warlock@csuchico.edu
CSU Chico         +----------------------------------------------------
-----------[000059][next][prev][last][first]---------------------------------------------------- Date: 10 Mar 90 03:47:53 GMT From: shawn@mit-eddie.UUCP (Shawn F. Mckay) To: misc.security Subject: Call for Security Hacks
Greetings, I am building a package for use in the war against "System Crackers"; it will probably be released in the next few months, I'm aiming at spring, early summer. It will be available to all, though due to its nature, I will have to set something special up so only legitimate sites end up with it; ideas on the lowest overhead way to do this would be welcome. If you have a favorite hack you have written to use for this purpose, and would like to offer it to the world for people to use in this fight, please contact me directly so I may include it. Ideas and comments are also welcome. Thanks in advance,

-- Shawn
-----------[000061][next][prev][last][first]---------------------------------------------------- Date: Sat, 10 Mar 90 09:03 EST From: "Mark H. Wood" <IMHW400@indyvax.iupui.edu> To: security@pyrite.rutgers.edu Subject: Re: Them Locks Are Easy
>Moaning at car manufacturers for providing rotten security is unlikely to
>succeed. They make so much money selling people parts to replace things
>smashed by thieves that it's hardly worth their while improving matters.

Does anybody sell decent locks made for car doors? Could I just throw away my junky original-equipment locks and replace them with good ones? Think it might make a difference if I write to Consumer Reports detailing how and *why* it should be done? How about my insurance company?

Of course, locks aren't the only part of the problem: they need something stronger than sheet metal to hold them. I can't count the number of cars I've seen with missing trunk locks. Most car doors are still vulnerable to slim-jims. And the windows are still made of fragile glass....
-----------[000062][next][prev][last][first]---------------------------------------------------- Date: Sat, 10 Mar 90 14:13:37 PST From: teda!RATVAX.DNET!ROBERTS@uunet.uu.net (George Roberts) To: security@pyrite.rutgers.edu Subject: RE: Re: Computer Forged Documents - money
> The USofA amazes me, it's got the largest market to make a counterfeit
> worthwhile, and yet probably the oldest "active" currency technology...
I read in the Boston Globe recently that the U.S. Treasury puts small
red and blue threads in its paper money. The item mentioned the paper is
so difficult to make, that many counterfeiters bleach small denominations
and re-print larger denominations onto the bleached bills.
I took out a one dollar bill and sure enough there were tiny little red and
blue threads. They were easiest to see around the edge where there was no
printing.
Maybe they shouldn't put those threads in the ones and fives! (need I explain
the concept?)
- George Roberts
-----------[000063][next][prev][last][first]---------------------------------------------------- Date: 11 Mar 90 00:59:22 GMT From: jac@PAUL.RUTGERS.EDU (Jonathan A. Chandross) To: misc.security Subject: Re: Computer Forged Documents - money
> [Canadian] bill designs from the last few years also feature MACHINE READABLE
> serial numbers for nifty swift banking machine sorting, etc.

I would be uneasy about money with machine readable serial numbers. Just think how easy it would be for the government to track how you spend your money. For those of you saying "oh sure", I would like to point out that credit card companies sell mailing lists based on total debt, size of monthly payments, whether you pay your bill on time every month, what you buy, how much you make, etc. Every time you use a credit card the information is saved away. And it is surprisingly easy to get access to that information. A Business Week reporter registered for a credit bureau service (like TRW) and got a copy of Dan Quayle's credit history. Danny was not pleased when BW called him for his reaction.

> The USofA amazes me, it's got the largest market to make a counterfeit
> worthwhile, and yet probably the oldest "active" currency technology...

Something like 300 BILLION dollars in paper currency is missing from the money supply. A great deal of it is in eastern Europe and in the hands of drug lords (they do keep some in cash). Just imagine what would happen if the US government said "ok, new currency time; everyone turn in the old. Old currency will only be legal for 5 years." Take a real bite out of crime.

Jonathan A. Chandross
Internet: jac@paul.rutgers.edu
UUCP: rutgers!paul.rutgers.edu!jac
-----------[000064][next][prev][last][first]---------------------------------------------------- Date: 12 Mar 90 14:39:13 GMT From: epstein@trwacs.UUCP (Jeremy Epstein) To: misc.security Subject: Re: car keys
My wife locked herself out of our Mazda a few weeks ago. Rather than calling a locksmith, she called a dealer nearby. They asked her for the VIN, made a key, and brought it over (for $5, instead of $50 or so for a locksmith). They did not ask for proof of ownership, or anything else, which made me quite nervous! -- Jeremy Epstein epstein@trwacs.uu.net TRW Systems Division 703-876-4202
-----------[000066][next][prev][last][first]---------------------------------------------------- Date: Wed, 14 Mar 90 15:34:58 EST From: sgw@cad.cs.cmu.edu (Stephen Wadlow) To: misc-security@rutgers.edu Subject: Re: Medeco vs Keso vs Kaba
For picking purposes, I'd consider the Medeco to be more secure (even more so for their biaxial line, which actually may be the default by now). I don't expect that your average burglar would generally attempt to pick a Medeco. You also have the security that more people know of Medeco locks as being "high security locks" and may just avoid the lock.

In terms of vandalism, I'd still go with Medeco. Medecos have hardened steel rods inserted in strategic places so as to make drilling difficult, so the brute force method won't easily work. Also, the keyways are more warded than the Kaba/Keso (which I have always seen as being totally unwarded) so it is far less likely that they will be able to wedge a piece of metal stock into the core just to annoy you.

The caveat of it all is that if the burglar wants in badly enough, (s)he'll get in. If they want to vandalize, they will. All security systems have their own weaknesses. Some just aren't as easy to exploit as others.

steve
-----------[000067][next][prev][last][first]---------------------------------------------------- Date: 14 Mar 90 10:25:55+0100 From: Joseph C. Pistritto <jcp@cgch.uucp> To: jimkirk@outlaw.uwyo.edu Cc: security@pyrite.rutgers.edu Subject: Re: Medeco vs Keso vs Kaba
Here in Switzerland, virtually every door is locked with a KESO style
lock, (I have seen one Medeco cylinder in use here, it was on a shop
door). Locksmiths here know which blanks of Keso they're not supposed
to duplicate, (always the ones that are used for entrance doors).
Having seen a vandalized Medeco cylinder, I would guess that Keso is
better that way. The keyway is somewhat narrower. Against a really
determined vandal however, all key locks suffer from the 'fill up the
keyway with Araldite (the local epoxy glue)' technique. I don't really
know how to defend against this effectively. Also note that it can be
difficult in some Keso installations to remove the cylinder if you can't
insert a key!
======================================================================
Joseph C. Pistritto HB9NBB N3CKF
'Think of it as Evolution in Action' (J.Pournelle)
Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
Internet: jcp@brl.mil Phone: (+41) 61 697 6155
Bitnet: bpistr%cgch.uucp@cernvax.bitnet Fax: (+41) 61 697 2435
Also: cgch!bpistr@mcsun.eu.net
-----------[000069][next][prev][last][first]---------------------------------------------------- Date: 14 Mar 90 21:28:07 GMT From: KRAINIER@EAGLE.WESLEYAN.EDU (geek) To: misc.security Subject: Police repeater detection
Due to a leaky memory, I do not recall all details, but about a month or
two ago I spotted an item in a "yuppie catalog" that purported to detect patrol
cars up to <insert large distance> away by picking up their repeater signals.
The device was designed to be vehicle mounted (so as to pick up police using
radar that is only turned on when you are in sight). Of course, it relies on
the supposition that the officers left their repeaters on while in the vehicle
[they acknowledged this but claimed that most do in fact leave their repeaters
on]. The device did not broadcast what it received, it only indicated that
something was being broadcast.
Anybody seen anything similar? Any comments on range/feasibility/other
problems?
-kevin
krainier@eagle.wesleyan.edu
krainier@wesleyan.bitnet
-----------[000070][next][prev][last][first]---------------------------------------------------- Date: Thu, 15 Mar 90 13:03:45 EST From: "Larry Margolis" <MARGOLI@ibm.com> To: security@pyrite.rutgers.edu Subject: Medeco vs Keso vs Kaba
What are your concerns?

Pick resistance - all are fairly good; I'd probably give the Medeco an edge, since I believe (although I'm not certain) that the Keso / Kaba rely on having lots of pins and don't add anything else to prevent picking, while the Medeco has a sidebar.

Physical security - Medeco cylinders have hardened steel inserts to prevent drilling the pins or the sidebar. Don't know about the others.

Key duplication - lots of hardware stores have Medeco key machines; you probably have to go to a locksmith to get the Keso or Kaba key duplicated. If you're concerned about someone borrowing the key and duplicating it, then making unauthorized use at another time, and you want to go Medeco, you can get a cylinder using a restricted blank. Copies are only available by mail with an authorized signature.

If you don't want to frustrate a burglar, don't bother with a lock at all! :-) A healthy application of epoxy will screw up any of the locks equally well. If you're worried about that, then the physical security of the Medeco might be a drawback. (Harder for you to drill out if necessary.) A good combination lock will avoid the problems of a keyhole that can be blocked. For that matter, a magnetic lock also has an advantage - if the keyhole is blocked, you can simply drill & file it out without worrying about damaging pins. Miwa (sp?) makes cylinders that operate with a magnetic key.

Larry Margolis, MARGOLI@YKTVMV (bitnet), MARGOLI@IBM.COM (csnet)
-----------[000071][next][prev][last][first]---------------------------------------------------- Date: 15 Mar 90 19:30:10 EST (Thu) From: simsong@prose.cambridge.ma.us (Simson L. Garfinkel) To: trwacs!epstein@uunet.uu.net Cc: security@pyrite.rutgers.edu Subject: Answerback
So the system's entire security was based on physical security of the terminals? And there was no auditing --- that is, I could do something on your terminal, and it would look like you did it? This doesn't seem very secure. Even the airline reservation systems require that individuals type in their passwords.
-----------[000072][next][prev][last][first]---------------------------------------------------- Date: Thu, 15 Mar 90 20:23:16 EST From: Miguel_Cruz@ub.cc.umich.edu To: security@pyrite.rutgers.edu Subject: Re: Answerback
> I worked on one system that used answerbacks to automatically log users in

But that way, any old crook could just walk up to someone's terminal and have their access... night cleaning crews, the person's kids, anyone.

Miguel
-----------[000073][next][prev][last][first]---------------------------------------------------- From: Troy Landers <sequent!tlanders@cse.ogi.edu> 17-MAR-1990 2:26:29 To: misc-security@tektronix.tek.com
I know it is, at least on some cards. When I lived in Illinois, the bank
that I used had this little box that resembled one of those automatic
credit card calling thingamajigs. When I opened my account, they gave
me a card, left me alone in the room (in the vault) and told
me how to use it. All I did was type my PIN number, press a button, and
"swipe" my card through it. Voila, my card was now encoded with my
PIN. I didn't think about it too much at the time, mostly because
I wasn't aware of all the sneaky things crooks can do, and because I
was a student and didn't have any money to steal anyway :-). Now I
think I would be more reluctant to use a bank with such a system.
Who knows?
Troy
-------------------------------------------------------------------------------
Troy Landers Sequent Computer Systems Inc.
UUCP: ...!sequent!tlanders 15450 S.W. Koll Parkway
Phone: (503) 626-5700 x4491 Beaverton, Oregon 97006-6063
*** My opinions are precisely that! ***
-----------[000074][next][prev][last][first]---------------------------------------------------- From: netcom!onymouse@claris.com (John Debert) 17-MAR-1990 2:27:11 To: misc-security@ames.arc.nasa.gov
Many banks, not so long ago, did record passcodes on the card. That way, they didn't have to use their computer resources for such piddly things. Also, access control software was not yet being produced that was reliable. It was much easier to leave such things up to the ATM. A certain American bank still records passcodes in some cards, if not all. They still use ATMs that expect the passcode to be there.

jd
onymouse@netcom.UUCP
-----------[000075][next][prev][last][first]---------------------------------------------------- Date: 15 Mar 90 17:31:21 GMT From: nagle@well.sf.ca.us (John Nagle) To: misc.security Subject: Re: Medeco vs Keso vs Kaba
The first major installation of the Sargent Keso system was at
Case Institute of Technology in the 1960s. It was then called the
"Maximum Security" system. It wasn't. One person had made a grand
master for the system within days of installation.
Weaknesses:
1. There are only three depths for each dimple in the keys,
and they can be easily distinguished visually. So, if
you get a glance at a key, you can remember the code
and make your own key later.
2. The keys are easy to make in a drill press. The blank is
just a piece of rod with a diamond-shaped cross section.
3. This is really just an unusual form of pin-tumbler lock,
with all the usual vulnerabilities, including those of
master-keyed systems.
John Nagle
-----------[000076][next][prev][last][first]---------------------------------------------------- From: night@pawl.rpi.edu (Trip Martin) 17-MAR-1990 2:50:37 To: ???
When I got my cash card back in Sept, the bank told me that the access code was indeed put on the card itself, and implied that this was better because then no bank records would have the access code. In fact, they had me type in my desired access code into a machine which then ran the card through.

Trip Martin
night@pawl.rpi.edu
-----------[000078][next][prev][last][first]---------------------------------------------------- Date: 15 Mar 90 21:49:23 GMT From: netcom!onymouse@claris.com (John Debert) To: misc-security@ames.arc.nasa.gov Subject: Re: cop detectors
Of course, if a department doesn't want a deal on a quantity purchase of radios, the department may well buy several different makes/models. Most departments do buy one make and model, though, and do so in quantity. This way, they can get a discount and only need pay for one service contract. It simplifies the problem of figuring out which freqs to check out.

> ... While a pocket scanner might receive all of the local
> oscillator frequencies used by the local police, its detection range would
> likely be less than a hundred feet.

OK, I confess: I am not picking up the LO from the hand-helds. The signal is always on the repeater frequency. I don't know where it's coming from inside the radio but I can detect it as much as 1/4 away with a good antenna. (I'm about to see if I can pick up weaker sigs with an LNA after the antenna.) How Motorola got away with producing radios like this, I don't know, but I don't really mind.

jd
onymouse@netcom.UUCP
-----------[000079][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 01:06:20 GMT From: randall@UVAARPA.VIRGINIA.EDU (Randall Atkinson) To: misc.security Subject: Crime & Secure systems
Sun frequently implies that SunOS 4.x is a C2 system, but then in the security features guide mentions that they never actually had it evaluated by the NCSC. After the Morris worm, DEC made a great deal of the fact that Ultrix had been more "secure" than other vendors. A more accurate description would have been that DEC broke and lobotomised Ultrix so that it can't do much of what other BSD systems can. In any event, one doesn't sue the house builder when someone breaks down the door later on and vandalises the house. Electronic crime isn't different from other crime and shouldn't be treated specially.
-----------[000080][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 01:57:26 GMT From: gnf3e@uvacs.cs.Virginia.EDU (Greg Fife) To: misc-security@uunet.uu.net Subject: Re: Answerbacks / Vendor Liability
>> FINAL COMMENT: The INTERNET virus should be treated as a product liability
>> question. In my opinion, DEC and SUN should pay the cost of the cleanup
I like this analogy: the UNIX security features of DEC and SUN are like
the padlock that one would put on a tool shed. It provides some level
of security at a moderate price, and any determined fool can get in with
a pair of bolt-cutters. Just like you can spend more money to better secure
your shed, you can spend more staff hours ($$) or buy a more trusted
OS.
No one doubts that the man with the bolt-cutters should be tried as a thief,
and no one suggests that MasterLock should be sued when it happens.
Greg Fife
gnf3e@virginia.edu
uunet!virginia!uvacs!fife
-----------[000081][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 02:23:27 GMT From: smb@ulysses.att.com (Steven M. Bellovin) To: misc-security@att.att.com Subject: Re: Computer Abuse / Product Liability / Criminal Statutes / ECPA
} -- the almighty PRESS has given the term "HACKER"
} a bad rap.......it's about time they, as well as others, come up with new
} terms other than "hacker(s)" to describe these actions.

You can't do that. Language is determined by use, not fiat. A few years ago, ``hacker'' had a different meaning. That's changed.
-----------[000082][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 06:55:05 GMT From: kelly@uts.amdahl.com (Kelly Goen) To: misc.security Subject: Re: Who (Specifically) has Morris' Worm Code?
Just to be slightly less informative, 2600 magazine is a hacker pub... and no, I don't know the current address but I will find it and post... cheers kelly
-----------[000083][next][prev][last][first]---------------------------------------------------- Date: Fri, 16 Mar 90 14:05:08 EST From: meister@gaak.lcs.mit.edu (phil servita) To: CAMPBELL@utoroci.bitnet Cc: SECURITY@pyrite.rutgers.edu Subject: Re: Bank card tricks in Toronto
The old Docutel (Olivetti) bank machines did store the password on the stripe.
Not in plaintext, but with a very simple substitution cipher which wasn't hard
to break. These machines are no longer in use.
The current crop of machines essentially does the following:
1) Take the password as entered by the user.
2) Append (prepend?) the account ID number.
3) Take the whole shebang and encrypt (with some magic key)
via DES.
4) Compare with an ENCRYPTED string stored on the card.
(sort of like the unix login program)
The article you mentioned is leaving out an awful lot of details...
-meister
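The four-step check meister describes, written out as an added example; this is not code from the original post or from any bank's ATM software. It takes the PIN as entered, appends the account ID, applies a keyed transform under a bank-held key, and compares the result with the verifier stored on the card, so the stripe never carries the PIN itself. Assumptions: HMAC-SHA256 stands in for the DES encryption the post mentions (DES is not in Python's standard library), the field layout, the key, the PIN-length rule and the sample account are constructed here, and the constant-time comparison is a detail the post does not mention.

```python
"""Card-stored PIN verifier in the style described in the post.

Added example, not the post's or any bank's code.  HMAC-SHA256 is used
in place of DES; key, layout and sample values are constructed.
"""
import hashlib
import hmac

# Constructed bank-side secret ("some magic key" in the post).  In practice
# it lives in the bank's crypto hardware and never leaves it.
BANK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def pin_verifier(pin: str, account_id: str, key: bytes = BANK_KEY) -> bytes:
    """Steps 1-3: PIN as entered, account ID appended, keyed transform.

    The PIN-length rule (4-12 digits) is an assumption for this example.
    A separator is inserted so that "123|4567" and "1234|567" cannot collide.
    """
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 digits")
    material = (pin + "|" + account_id).encode("ascii")
    return hmac.new(key, material, hashlib.sha256).digest()


def encode_card(pin: str, account_id: str) -> dict:
    """What the bank writes to the stripe at issue time: the account ID and
    the encrypted verifier.  The PIN itself is never written."""
    return {"account_id": account_id, "verifier": pin_verifier(pin, account_id)}


def atm_check(card: dict, pin_entered: str, key: bytes = BANK_KEY) -> bool:
    """Step 4: recompute the verifier from the entered PIN and the card's
    account ID, then compare with the stored string (constant-time, so the
    comparison itself leaks nothing about how many bytes matched)."""
    try:
        candidate = pin_verifier(pin_entered, card["account_id"], key)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, card["verifier"])


def verifier_is_bound_to_account(pin: str, account_a: str, account_b: str) -> bool:
    """Why step 2 matters: the same PIN on two accounts gives two different
    verifiers, so a stripe copied onto another account's card will not pass."""
    return pin_verifier(pin, account_a) != pin_verifier(pin, account_b)


if __name__ == "__main__":
    card = encode_card("1234", "ACCT-0001")          # constructed sample
    print("correct PIN accepted:", atm_check(card, "1234"))
    print("wrong PIN rejected:", not atm_check(card, "1235"))
    print("verifier bound to account:",
          verifier_is_bound_to_account("1234", "ACCT-0001", "ACCT-0002"))
```

The point of the account ID in step 2 is visible in the last function: without it, every customer who chose the same PIN would carry the same verifier, and one card's stripe would validate against any other card. The scheme still depends entirely on the bank's key staying secret, which is the part the post's "magic key" glosses over.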
-----------[000084][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 12:03:58+0100 From: Joseph C. Pistritto <jcp@cgch.uucp> To: security@pyrite.rutgers.edu Subject: trashcan security
It seems extremely common these days for criminals to be
apprehended after extensive poking about in their rubbish. Stuff like
paying the garbage collectors to deliver the trash to investigators or
merely poking around after dark.
Of course, this leads to the question of WHY anyone with anything
to hide would merely THROW AWAY incriminating documents...
The question is, of course, how common is this sort of thing
really, is any sort of a warrant required (in the US anyway), etc.
Sort of the same problem in reverse applies to retailers, do
any of the credit card companies require that used credit card vouchers
be shredded or burned when disposed of, etc?
-jcp-
======================================================================
Joseph C. Pistritto HB9NBB N3CKF
'Think of it as Evolution in Action' (J.Pournelle)
Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
Internet: jcp@brl.mil Phone: (+41) 61 697 6155
Bitnet: bpistr%cgch.uucp@cernvax.bitnet Fax: (+41) 61 697 2435
Also: cgch!bpistr@mcsun.eu.net
-----------[000085][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 21:35:01 GMT From: hollombe%sdcsvax@ttidca.tti.com (The Polymath) To: misc-security@sdcsvax.ucsd.edu Subject: Re: Home security
}I solved a similar problem with a set of exploding security bolts. ...
This sounds drastic, dangerous and probably illegal. Certainly not
something you want the average DIYer playing with.
Relevant building codes here require at least one window in every bedroom
to have a hinged set of bars that can be unlocked inside the room so they
swing away from the window, allowing exit in an emergency. The locking
mechanism is purely mechanical, so there's no problem with burned through
wiring or shrapnel from explosive bolts killing your neighbor's child.
--
The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Citicorp(+)TTI Illegitimis non
3100 Ocean Park Blvd. (213) 450-9111, x2483 Carborundum
Santa Monica, CA 90405 {csun | philabs | psivax}!ttidca!hollombe
-----------[000086][next][prev][last][first]---------------------------------------------------- Date: 17 Mar 90 01:08:48 GMT From: b3s@psuecl.BITNET To: misc.security Subject: Night Goggles
Hello. Do you have any information on where I can purchase Night Goggles? I am studying Infrared Detectors and Night Goggles. So I got an IR-Detector, but I couldn't find information on where to buy Night Goggles. Can you help me? THANK YOU. BCS.
-----------[000087][next][prev][last][first]---------------------------------------------------- Date: Sat, 17 Mar 90 13:18:38 PST From: roeber@portia.caltech.edu To: security@pyrite.rutgers.edu Subject: Welcome banners
Welcome Banners

I recently got a DDN security bulletin (# 90-04) that mentioned that one should make sure any computer welcome banners did not contain the word "Welcome." (The default message on some machines is to have the banner be "Welcome to [nodename].") In a recent court case, a judge threw out a case against a hacker because (he ruled) the message "Welcome to ..." was a clear invitation to everyone.

The bulletin also suggested that the banners not contain system information (e.g., "VAX/VMS 5.2 on VAX 11/780"), as this can be useful to hackers; it should also not contain the words "for official use only," because it seems that to hackers, this message means it *must* be defense (or at least evil-government) related, and therefore attracts them in droves.

Cheers,
Frederick Roeber
roeber@caltech.edu (or) roeber@caltech.bitnet
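A small lint for login banners that applies the three rules the post attributes to the DDN bulletin, as an added example; it is not code from the post or from the bulletin. It flags the word "Welcome", the phrase "for official use only", and operating-system or hardware details. The product-name list (drawn from names used in this thread), the version-number pattern, the sample banners and the function names are all constructed for illustration.

```python
"""Login-banner lint for the three rules quoted from the DDN bulletin.

Added example, not the post's or the bulletin's code.  Patterns and
sample banners are constructed.
"""
import re

# Each rule: (name, pattern, reason).  The product-name list is a constructed
# starting point taken from names mentioned in this thread; extend it locally.
BANNER_RULES = [
    ("welcome-wording",
     re.compile(r"\bwelcome\b", re.IGNORECASE),
     'reads as an open invitation ("Welcome to ...")'),
    ("official-use-wording",
     re.compile(r"\bfor official use only\b", re.IGNORECASE),
     "marks the host as government-related and draws attention"),
    ("system-detail",
     re.compile(r"\b(?:VAX/VMS|VMS|Ultrix|SunOS|BSD|UNIX|VAX\s*11/\d+|\d+\.\d+)\b",
                re.IGNORECASE),
     "discloses operating system or hardware details"),
]


def banner_findings(banner: str) -> list:
    """Return [(rule_name, matched_text, reason)] for every rule that fires,
    in rule order.  An empty list means the banner passes all three rules."""
    findings = []
    for name, pattern, reason in BANNER_RULES:
        match = pattern.search(banner)
        if match:
            findings.append((name, match.group(0), reason))
    return findings


def banner_is_acceptable(banner: str) -> bool:
    return not banner_findings(banner)


# Constructed sample banners: the default style the post describes, and a
# neutral replacement that states terms of use without inviting anyone in.
DEFAULT_STYLE_BANNER = "Welcome to pyrite.\nVAX/VMS 5.2 on VAX 11/780\n"
NEUTRAL_BANNER = "Authorized users only. All activity on this system is logged.\n"


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STYLE_BANNER), ("neutral", NEUTRAL_BANNER)):
        print(label, "->", banner_findings(text) or "OK")
```

The version-number pattern (`\d+\.\d+`) is deliberately broad: a banner rarely needs to carry any dotted number at all, and a false positive on a phone extension or IP address costs only a manual glance, whereas a missed "5.2" hands out the detail the bulletin warns about.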
-----------[000088][next][prev][last][first]---------------------------------------------------- Date: Sat, 17 Mar 90 21:28:51 EST From: Mike <MEYSTMA@duvm.ocs.drexel.edu> To: Multiple Recipients of list Security-L Subject: National Security Agency
NSA is the National Security Agency. Located in Fort Meade, MD,
they are in charge of obtaining and analysing signals intelligence.
They are more secretive than the CIA, and no research information
is available from them.
Personal note: "Hell, if they knew you were axing about 'em,
they'd probably ax the DIA to investigate you!"
Michael A. Meystel
LAMIR
P.O. BOX 374
Merion Station, Pa 19066-0374
Internet : meystma@duvm.ocs.drexel.edu
Bitnet : meystma@duvm.bitnet
COMPUSERVE : 71540,2726
GEnie : M.MEYSTEL
DELPHI : IMAS
-----------[000089][next][prev][last][first]---------------------------------------------------- Date: Sun, 18 Mar 90 02:07:43 CST From: "Rich Winkel UMC Math Department" <MATHRICH@umcvmb.bitnet> To: security@tcsvm Subject: re: national security archives
I have a blurb on them: "The National Security Archive is an innovative non-profit research institute and library facility which serves scholars, journalists, Congress, present and former policy makers, public interest organizations and the American public by making available the internal government documentation that is indispensable for research and informed public debate on foreign, intelligence, defense and international economic policy." They get their info from unclassified govt documents, congressional testimony, court records, presidential libraries, FOIA battles and other sources. They publish their documents and indices on microform which they distribute to libraries for a fee.

This is where dangerous kooks who would question the wisdom of our national leaders can stretch their first amendment rights to the limit, at least for the time being. But who really wants to know about US complicity in Iranian torture under the Shah, or Kissinger's deal with Nixon to sabotage LBJ's Vietnam peace talks in exchange for his appointment in the Nixon White House, or the domestic propaganda ministry operating out of the US State Department, or the REAL reasons for our invasion of Panama etc etc etc.

Their phone number is 202-797-0882.

Rich
-----------[000090][next][prev][last][first]---------------------------------------------------- Date: 17 Mar 90 21:18:38 GMT From: roeber@PORTIA.CALTECH.EDU To: misc.security Subject: Welcome banners
Welcome Banners
I recently got a DDN security bulletin (# 90-04) that mentioned that one should make sure any computer welcome banners did not contain the word "Welcome." (The default message on some machines is to have the banner be "Welcome to [nodename].") In a recent court case, a judge threw out a case against a hacker because (he ruled) the message "Welcome to ..." was a clear invitation to everyone. The bulletin also suggested that the banners not contain system information (e.g., "VAX/VMS 5.2 on VAX 11/780"), as this can be useful to hackers; it should also not contain the words "for official use only," because it seems that to hackers, this message means it *must* be defense (or at least evil-government) related, and therefore attracts them in droves.
Cheers, Frederick Roeber roeber@caltech.edu (or) roeber@caltech.bitnet
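As an added example (not part of the original post or of the DDN bulletin), here is how an administrator could audit login banner text against the three points above: invitation wording, system/hardware information, and the "for official use only" phrase. The regular expressions and the sample banners are my own constructions, not the bulletin's wording.

```python
import re

# Checks drawn from the three bulletin points quoted above. The exact
# system-information patterns are an assumption of this example.
CHECKS = [
    ("invitation wording", re.compile(r"\bwelcome\b", re.IGNORECASE)),
    ("'official use only' wording",
     re.compile(r"\bfor\s+official\s+use\s+only\b", re.IGNORECASE)),
    # OS name followed by a version number, e.g. "VAX/VMS 5.2" or "SunOS 4.0.3"
    ("system information",
     re.compile(r"\b(?:VAX/?VMS|VMS|Ultrix|SunOS|Unix|BSD)\b[^\n]*?\d+(?:\.\d+)+",
                re.IGNORECASE)),
    # Hardware model strings such as "VAX 11/780"
    ("hardware information", re.compile(r"\bVAX\s*\d+/\d+\b", re.IGNORECASE)),
]


def audit_banner(text):
    """Return a list of (problem, matched_text) findings for one banner."""
    findings = []
    for label, pattern in CHECKS:
        for match in pattern.finditer(text):
            findings.append((label, match.group(0)))
    return findings


def audit_banner_file(path):
    """Audit a banner file such as /etc/issue or an sshd Banner file."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return audit_banner(f.read())


# Constructed sample banners (not taken from any real system).
SAMPLES = {
    "default": "Welcome to vaxhost.example\n",
    "verbose": "VAX/VMS 5.2 on VAX 11/780\nFor Official Use Only\n",
    "clean": "Authorized users only. All activity may be monitored.\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(name, audit_banner(banner) or "no findings")
```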
-----------[000091][next][prev][last][first]---------------------------------------------------- Date: 18 Mar 90 02:28:51 GMT From: MEYSTMA@DUVM.OCS.DREXEL.EDU (Mike) To: misc.security Subject: National Security Agency
-----------[000092][next][prev][last][first]---------------------------------------------------- Date: 18 Mar 90 08:07:43 GMT From: MATHRICH@umcvmb.BITNET ("Rich Winkel UMC Math Department") To: misc.security Subject: re: national security archives
-----------[000093][next][prev][last][first]---------------------------------------------------- From: roeber@portia.caltech.edu 19-MAR-1990 23:14:01 To: security@pyrite.rutgers.edu
An article in the Los Angeles Times, about some people who made phony ATM cards from paper stock and audio magnetic tape, indicates that the PIN code is not stored on the cards. The people could program the cards with bank account numbers, but the security hole that allowed them to steal money was that one of them, an employee or ex-employee, could reprogram the PINs in the bank database. If the PIN was stored on the card, they could have just picked any number. However, my bank insists that to change my PIN they must re-issue my card. Perhaps there is some type of encryption/verification going on? Question: ATMs use phone lines. Is there any sort of encryption on these lines, to prevent wiretappers from gleaning valid account/PIN combinations? Frederick Roeber roeber@caltech.bitnet roeber@caltech.edu
-----------[000094][next][prev][last][first]---------------------------------------------------- Date: Sun, 18 Mar 90 21:39 EST From: "Rob Rothkopf -- CCR, CNS&M" <MASROB@ubvmsc.cc.buffalo.edu> To: security@pyrite.rutgers.edu Subject: Locks/Security in large institutions (e.g. Universities)
Two questions: 1) In institutions which have frequent room rotations, as in the dormitories of a University, what kinds of policies have been implemented to keep the rooms secure from year to year at your institution? Cylinder rotations can be complicated and costly (institutional politics) if done on a yearly basis, but without such actions it would seem that the new residents are relatively unsafe. 2) Does anyone have an automated (no security people watching over constantly) and *secure* building entrance system (or have you seen any) in your living area (again, this is primarily focused at the dormitory setting)? I've seen where all the buildings are locked and students are given the building key, but this policy is but a show to look good for parents; in most cases a stranger can simply wait for a key holder to gain entrance and call out to "hold the door for one sec!" As some quick background, the reason for my questions (many thanks to those who responded to my request for information on integrated Card Systems!) is that the University of Buffalo has been selected as the site for the 1993 World Universiad (University Olympic Games) and is actively investigating new methods of securing the dorm area which will serve many of the athletes (if not all) (not that current methods are faulty.. only that additional/alternate methods are being con