ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1990)
DOCUMENT: Rutgers 'Security List' for March 1990 (153 messages, 57135 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1990/03.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
-----------[000000][next][prev][last][first]----------------------------------------------------
Date: 1 Mar 90 09:05 EST
From: EVERHART@arisia.dnet.ge.com
To: SECURITY@pyrite.rutgers.edu
Subject: RE: Answerbacks / Vendor Liability
Re the mail vulnerability being fixed in VMS VAXmail, it was also fixed several years earlier by the Software Tools mail, which also filtered control characters. This fix is now ~10 years old.

Unfortunately, answerbacks can be triggered all too easily and have on occasion represented serious problems. We had a situation many years ago now where someone set the answerback on one of a small number of terminals connected to a shared VAX to DEL *.*;* when someone left the terminal logged in for an extended period. Naturally this caused consternation all around. It seemed that in addition to control-E triggering the answerback, sometimes nulls might do so also. (I no longer recall what terminal type this was.)

In this case, the factor that saved the day was sufficiently paranoid systems people: they had daily backups and could restore the lost files. I believe that this is what is called for, rather than appeals to finding fault with manufacturers or even than finding fault with careless experimenters. (I know of some network meltdowns that have clearly been due to errors while attempting what should have been legitimate activities. The Morris case might have been similar, as well.) Who hasn't experienced accidental deletion of files?

If we are to benefit from computing, we maximize that benefit by sharing information. It is everyone's responsibility to take adequate care while doing so. More than ever, regular and adequate backups are an essential part of this. This issue should be considered before buying a computer of any type, and in any use of same.

Our VAXen are backed up regularly; my home machine and office pc's have nothing on hard disk that isn't on floppies also. This confers some safety. I consider the office pc a prime candidate for disaster though, as backups are difficult enough to be rare, and disks do crash now and then. Hopefully our next generation of appliance computers will contain backup devices of some sort. If they do not, it is the purchaser who is to blame for losses caused by damage FROM WHATEVER CAUSE to that data. The same applies to shared systems.

Glenn Everhart
-----------[000001][next][prev][last][first]----------------------------------------------------
Date: Thu, 1 Mar 90 19:20:12 MST
From: jimkirk@outlaw.uwyo.edu (James Kirkpatrick)
To: security@pyrite.rutgers.edu
Subject: Digital Signature in business?
Does anybody know if Digital Signature is still in business? They used to make a package called CryptMaster (RSA and an RSA/DES hybrid), but directory assistance in Chicago does not have a listing for them. Did they move or did they fold?
-----------[000002][next][prev][last][first]----------------------------------------------------
Date: Thu, 1 Mar 90 19:38:02 MST
From: jimkirk@outlaw.uwyo.edu (James Kirkpatrick)
To: security@pyrite.rutgers.edu
Subject: Medeco vs Keso vs Kaba
Any opinions of the Medeco lock versus the Sargent Keso versus the Kaba lock? The application would be on a safe door, and one consideration beyond security against picking or destructive entry would be vandalism by a frustrated burglar, which could lock out the legitimate owner. The Keso and Kaba seem very similar apart from the angle of the Kaba's cuts, but I don't know how much better/worse they might be compared against Medeco.

[for the curious, Keso and Kaba keys are flat with "dimples" of varying depth which match opposing rows of pins in the cylinder; the key is not one that can be easily duplicated, and with up to 20 pins it is difficult to pick open!]
-----------[000003][next][prev][last][first]----------------------------------------------------
Date: 1 Mar 90 13:02:33 GMT
From: randall@UVAARPA.VIRGINIA.EDU (Randall Atkinson)
To: misc.security
Subject: Re: Answerbacks / Vendor Liability
Larry Kilgallen's note implied that DEC's sendmail as distributed was trustworthy. This is not the case. DEC's Ultrix (port of 4.2 BSD) has different bugs and different security holes from the standard UCB distribution. In my experience, it has not been any more or less trustworthy than pure BSD. Although the recent note from CERT about problems in sendmail only referenced SunOS, the problem was in fact present in other vendors' sendmail as well (including Ultrix 3).

One of the disconcerting things about AT&T's UNIX System V, Release 4 is that it is capable of running many (most ?) BSD sources without conversion. One problem with portable software and standardising OS behaviour is that something that is a problem on one machine is also likely to be a problem on another machine. This makes networks more susceptible to worms and virii just as with humans when a group is genetically homogeneous they are more susceptible to plagues and such.

I should note here that I am a very strong supporter of most standardisation issues and strongly believe that the combination of POSIX efforts and the recent ANSI C standard are both very desirable. I just want to point out that there are mixed blessings to it all.

In general, electronic security and trusted systems are a very subtle business. The more one learns, the less certain one becomes of anything.

Randall Atkinson
randall@Virginia.EDU
-----------[000004][next][prev][last][first]----------------------------------------------------
Date: 1 Mar 90 14:05:00 GMT
From: EVERHART@arisia.dnet.ge.com
To: misc.security
Subject: RE: Answerbacks / Vendor Liability
Re the mail vulnerability being fixed in VMS VAXmail, it was also fixed several years earlier by the Software Tools mail, which also filtered control characters. This fix is now ~10 years old.

Unfortunately, answerbacks can be triggered all too easily and have on occasion represented serious problems. We had a situation many years ago now where someone set the answerback on one of a small number of terminals connected to a shared VAX to DEL *.*;* when someone left the terminal logged in for an extended period. Naturally this caused consternation all around. It seemed that in addition to control-E triggering the answerback, sometimes nulls might do so also. (I no longer recall what terminal type this was.)

In this case, the factor that saved the day was sufficiently paranoid systems people: they had daily backups and could restore the lost files. I believe that this is what is called for, rather than appeals to finding fault with manufacturers or even than finding fault with careless experimenters. (I know of some network meltdowns that have clearly been due to errors while attempting what should have been legitimate activities. The Morris case might have been similar, as well.) Who hasn't experienced accidental deletion of files?

If we are to benefit from computing, we maximize that benefit by sharing information. It is everyone's responsibility to take adequate care while doing so. More than ever, regular and adequate backups are an essential part of this. This issue should be considered before buying a computer of any type, and in any use of same.

Our VAXen are backed up regularly; my home machine and office pc's have nothing on hard disk that isn't on floppies also. This confers some safety. I consider the office pc a prime candidate for disaster though, as backups are difficult enough to be rare, and disks do crash now and then. Hopefully our next generation of appliance computers will contain backup devices of some sort. If they do not, it is the purchaser who is to blame for losses caused by damage FROM WHATEVER CAUSE to that data. The same applies to shared systems.

Glenn Everhart
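
[Added example, not part of the original message and not code from VAXmail or the Software Tools mailer: one way a mail reader can filter control characters before a message body reaches the terminal, so that control-E (ENQ), NUL and escape sequences are shown rather than acted on. The function names and the sample message are constructed for illustration; it assumes 7-bit or Latin-1 mail, as on the systems discussed above.]

```python
"""Neutralise terminal control bytes in a mail body before it is displayed."""

# Controls that are harmless to pass through unchanged.
SAFE_CONTROLS = {0x09, 0x0A}  # TAB, LF


def visible(byte):
    """Printable stand-in for a control byte: ^E for ENQ, ^@ for NUL, ^? for DEL."""
    if byte < 0x20:
        return "^" + chr(byte + 0x40)
    if byte == 0x7F:
        return "^?"
    return "\\x%02x" % byte  # 8-bit C1 controls such as CSI (0x9b)


def sanitize(body):
    """Return (display_text, findings) for a raw message body given as bytes.

    findings lists (offset, stand_in) for every control byte that was
    replaced, so a mail gateway can log or quarantine the message.
    Offsets refer to the body after CRLF has been normalised to LF.
    """
    body = body.replace(b"\r\n", b"\n")  # a bare CR left over is escaped below
    out = []
    findings = []
    for offset, byte in enumerate(body):
        is_c0 = byte < 0x20 and byte not in SAFE_CONTROLS
        is_c1 = 0x80 <= byte <= 0x9F
        if is_c0 or is_c1 or byte == 0x7F:
            shown = visible(byte)
            findings.append((offset, shown))
            out.append(shown)
        else:
            # Printable ASCII and Latin-1 (0xA0-0xFF) pass through unchanged.
            out.append(chr(byte))
    return "".join(out), findings


# Constructed sample: a short message whose body carries ENQ (control-E),
# a NUL and an ANSI clear-screen escape sequence.
SAMPLE = b"Subject: hi\r\n\r\nSee you at noon.\x05\x00\x1b[2J\r\n"

if __name__ == "__main__":
    text, findings = sanitize(SAMPLE)
    print(text, end="")
    for offset, shown in findings:
        print("control byte %s at offset %d" % (shown, offset))
```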
-----------[000005][next][prev][last][first]----------------------------------------------------
Date: Thu, 1 Mar 90 19:18:33 EST
From: wcs@erebus.att.com (William Clare Stewart)
To: misc-security@att.att.com
Subject: Re: cordless privacy
]I am no lawyer, but I think you only need the consent of one of the
]parties in order to legally record a phone conversation - at least

Well, first of all, Canada and the US have different laws. In the US, a court decision a couple years back decided that cordless phones, unlike wire-based phones, do not give you a legal right to privacy for the segment of the connection that is broadcast between the handset and the base (though I suppose the connection from the base to the wall and beyond is protected.)

Second, just because the people have reasonable expectations of a right of privacy against government eavesdropping, that doesn't mean that the *government* respects those rights, and the courts have been supporting the government rather than the people in a lot of recent cases.

Bill
--
# Bill Stewart AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 erebus.att.com!wcs
# Fax 949-4876. Sometimes found at Somerset 201-271-4712
# He put on the goggles, waved his data glove, and walked off into cyberspace.
# Wasn't seen again for days.
-----------[000006][next][prev][last][first]----------------------------------------------------
Date: Fri, 02 Mar 90 09:59:55 -0900
From: "ROBYN L ROBERTSON" <FSRLR@alaska.bitnet>
To: security@pyrite.rutgers.edu
Subject: Re: Home security
>Regarding window grates, what are the options these days in security
>versus being able to get out from the inside quickly in case of fire

I solved a similar problem with a set of exploding security bolts. I have not seen these in the U.S., but I expect they are available. They are available in varying diameters and threads, with shear points set at the level desired for the given application. Detonation is accomplished by running a fairly low voltage current of a minimum amperage determined by the number and type of explosive shear bolts used (the electrical line activating the detonation should have a predicted resistance, depending upon the type of shear bolts, and whether they are wired in series or parallel: CAUTION: UNDER NO CIRCUMSTANCES USE A NORMAL VOM OR DVM TO CHECK LINE RESISTANCE, USE ONLY A 'BLASTING OHM-METER') through the detonation circuit.

In event of a compromise of electrical power to the shear bolt system, it is customary to include a back-up power supply, the design and implementation of which I leave as an exercise to the student. In practice, this sort of emergency escape route is an escape route of 'last resort'. You do not want such a pathway, in extremis, to be compromised.

I might note that in the applications where I have seen such bolts used, there has been very narrow access to the area under security, and so casual visitors setting off the escape-route shear bolts was a non-existent problem. In a residence, I would suggest that it might be appropriate to add a fast (perhaps three digit?) number-pad lock on each emergency exit so armed. I also warn that the heads of the bolts, which contain one wire (the bolt body providing 'ground'), should be installed in a manner to preclude tampering.

Finally, if detonation will allow explosion debris (very minimal, in most cases) or the security grate to intrude upon property not under the owner's control, there may be legal implications should someone be injured. I have no particular expertise in this area, but I can easily envision, at least in the litigious U.S, some cretin of a felon, minus three fingers on one hand, standing in court beside his equally mercenary American attorney, filing for damages suffered when your security grate blew up in his face while the gentleman was otherwise occupied attempting to cut through one of the shear bolts holding said security grate in place.

Robyn Robertson
BITNET: FSRLR@ALASKA
Internet: fsrlr@acad3.fai.alaska.edu

P.S. Normal precautions re isolation and segmentation of the overall system into discrete sub-units should obtain here, as one would expect. It does no good to have a fancy system to blow all thirty-five windows in a structure free of security grates if a fire on the first floor burns the insulation off critical connections, leading to a short which disables the entire system.
-----------[000007][next][prev][last][first]----------------------------------------------------
Date: 1 Mar 90 20:42:12 GMT
From: hollombe%sdcsvax@ttidca.tti.com (The Polymath)
To: misc.security
Subject: Re: Credit Card Fraud...
}... a couple of students were able to get a hold of a credit-card
}magnetic strip recorder somehow. ...
There needn't be any "somehow" about it. You can build one with less than
$50 worth of parts from Radio Shack. The requirements are defined in an
ANSI standard, right down to the magnetic flux density of the mag-stripe
recording, and available as public information.
Scary, isn't it?
--
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimis non
Citicorp(+)TTI Carborundum
3100 Ocean Park Blvd. (213) 450-9111, x2483
Santa Monica, CA 90405 {csun | philabs | psivax}!ttidca!hollombe
-----------[000008][next][prev][last][first]----------------------------------------------------
Date: 02 March 1990 05:34 CST
From: "Grant Hoover" <U26264@uicvm.bitnet>
To: security@pyrite.rutgers.edu
Subject: Caller ID
> Now that Bell is providing caller id service in some areas I
> was wondering if I could capture the number of the caller and

Before you get out your soldering iron, keep in mind the bill that Congress might pass that would require the local phone companies to offer blocking. Once this option is in place, the people attacking your BBS will probably use it, and you won't get the chance to capture any numbers.

Grant Hoover * University of Illinois at Chicago
Bitnet u26264@uicvm * CompuServe 76370,314
Internet u26264@uicvm.cc.uic.edu * GEnie G.HOOVER6
-----------[000009][next][prev][last][first]----------------------------------------------------
Date: 2 Mar 90 00:18:33 GMT
From: wcs@erebus.att.com (William Clare Stewart)
To: misc.security
Subject: Re: cordless privacy
]I am no lawyer, but I think you only need the consent of one of the
]parties in order to legally record a phone conversation - at least

Well, first of all, Canada and the US have different laws. In the US, a court decision a couple years back decided that cordless phones, unlike wire-based phones, do not give you a legal right to privacy for the segment of the connection that is broadcast between the handset and the base (though I suppose the connection from the base to the wall and beyond is protected.)

Second, just because the people have reasonable expectations of a right of privacy against government eavesdropping, that doesn't mean that the *government* respects those rights, and the courts have been supporting the government rather than the people in a lot of recent cases.

Bill
--
# Bill Stewart AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 erebus.att.com!wcs
# Fax 949-4876. Sometimes found at Somerset 201-271-4712
# He put on the goggles, waved his data glove, and walked off into cyberspace.
# Wasn't seen again for days.
-----------[000010][next][prev][last][first]----------------------------------------------------
Date: Fri, 2 Mar 90 10:19:07 PST
From: rex@isdmnl.menlo.usgs.gov (Rex Sanders)
To: security@pyrite.rutgers.edu
Subject: RE: Security Auditing
A few years ago, I wrote and distributed a program named "cfs" (check file status) that can run around a system recording & checking file stats. Cfs made it onto one of the last Usenix tapes, and might be somewhere on uunet. Cfs runs fast (compared to shell scripts) - checks stats on over 1000 files in about 45 seconds on a wheezing old VAX 750. If you can't find cfs in some local Unix sources archive, let me know.
--
Rex Sanders, US Geological Survey
rex@isdmnl.menlo.usgs.gov
-----------[000011][next][prev][last][first]----------------------------------------------------
Date: 2 Mar 90 02:20:12 GMT
From: jimkirk@OUTLAW.UWYO.EDU (James Kirkpatrick)
To: misc.security
Subject: Digital Signature in business?
Does anybody know if Digital Signature is still in business? They used to make a package called CryptMaster (RSA and an RSA/DES hybrid), but directory assistance in Chicago does not have a listing for them. Did they move or did they fold?
-----------[000012][next][prev][last][first]----------------------------------------------------
Date: 2 Mar 90 02:38:02 GMT
From: jimkirk@OUTLAW.UWYO.EDU (James Kirkpatrick)
To: misc.security
Subject: Medeco vs Keso vs Kaba
Any opinions of the Medeco lock versus the Sargent Keso versus the Kaba lock? The application would be on a safe door, and one consideration beyond security against picking or destructive entry would be vandalism by a frustrated burglar, which could lock out the legitimate owner. The Keso and Kaba seem very similar apart from the angle of the Kaba's cuts, but I don't know how much better/worse they might be compared against Medeco.

[for the curious, Keso and Kaba keys are flat with "dimples" of varying depth which match opposing rows of pins in the cylinder; the key is not one that can be easily duplicated, and with up to 20 pins it is difficult to pick open!]
-----------[000013][next][prev][last][first]----------------------------------------------------
Date: 2 Mar 90 03:59:45 GMT
From: Doug Gwyn <gwyn@smoke.brl.mil>
To: misc-security@rutgers.edu
Subject: Re: Answerbacks / Vendor Liability
>Would not a simpler rule be "Commit a felony: go to jail"? Why involve
>computers in the discussion?

Right on! Every time lawmakers try to spell out details, they end up with loopholes, simply because specificity implies lack of coverage. There is nothing magic about computers, or guns for that matter; whether or not an act is a crime should not depend on the tools used.

>> FINAL COMMENT: The INTERNET virus should be treated as a product liability
>> question. In my opinion, DEC and SUN should pay the cost of the cleanup

I've never seen any claims by DEC, Sun, or more to the point, UCB that their UNIX-based operating systems were secure; have you? What is the point of making innocent manufacturers responsible for some person's malicious abuse of their products? You're trying to punish the wrong people..
-----------[000014][next][prev][last][first]----------------------------------------------------
Date: 2 Mar 90 09:45 EST
From: EVERHART@arisia.dnet.ge.com
To: SECURITY@pyrite.rutgers.edu
Subject: RE: Re: Field service spying?
Apparently this sw_inventory.com thing was from one of the local offices; the general DEC field people in my area know nothing of it but took a copy from me to see if they can find where it came from. Seems it's got problems with their corporate policy too. In DEC's defense they have tried to make it clear that the field account should be DISUSERed except when in use.

The procedure will ONLY tell about dec images; it looks for .exe images in default locations; at least that's what it did on VMS 4.7 where I tested it; that can be sensitive, but there's nothing there that would tell anything about non-dec images unless they happen to live in the same places the DEC ones do, with the same logicals and same filenames. The procedure was not run by field here.

Glenn Everhart
-----------[000015][next][prev][last][first]----------------------------------------------------
Date: Fri, 02 Mar 90 10:20:06 GMT
From: MCGDAKI@cms.manchester-computing-centre.ac.uk
To: security@pyrite.rutgers.edu
Subject: Domestic burglar alarms...
I am considering doing a domestic system and the inertia sensors
coupled with an analyser appeals to me for perimeter protection.
Has anyone had experience using these and how good are they for
reliability and immunity to false alarms?
Arnold Kirk
-----------[000016][next][prev][last][first]----------------------------------------------------
Date: Fri, 2 Mar 90 22:11:01 -0500
From: owen blevins <blevinso@silver.ucs.indiana.edu>
To: -v@silver.ucs.indiana.edu, security@ohstvma.bitnet
Subject: NATIONAL SECURITY ARCHIVES
Anyone dealt with the NSA? What are they? What research materials do they provide? Any and all information would be greatly appreciated! Thanks.

blevinso@silver.ucs.indiana.edu
-----------[000017][next][prev][last][first]----------------------------------------------------
Date: 2 Mar 90 18:19:07 GMT
From: rex@ISDMNL.MENLO.USGS.GOV (Rex Sanders)
To: misc.security
Subject: RE: Security Auditing
A few years ago, I wrote and distributed a program named "cfs" (check file status) that can run around a system recording & checking file stats. Cfs made it onto one of the last Usenix tapes, and might be somewhere on uunet. Cfs runs fast (compared to shell scripts) - checks stats on over 1000 files in about 45 seconds on a wheezing old VAX 750. If you can't find cfs in some local Unix sources archive, let me know.
--
Rex Sanders, US Geological Survey
rex@isdmnl.menlo.usgs.gov
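
[Added example, not part of the original message and not the cfs program itself: a sketch of the record-then-check approach to file stats that the message describes, for readers who want to see what such an audit compares. All function names, the JSON baseline format and the choice of fields are assumptions made for this illustration.]

```python
"""Record lstat() fields for a directory tree and report what changed later."""
import json
import os
import stat

# Fields compared between the saved baseline and the current state.
FIELDS = ("mode", "uid", "gid", "size", "mtime", "inode")


def snapshot(root):
    """Return {relative_path: {field: value}} for every non-directory under root."""
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: describe a symlink, not its target
            except OSError:
                continue  # file vanished between the listing and the lstat
            records[os.path.relpath(path, root)] = {
                "mode": stat.filemode(st.st_mode),  # e.g. "-rwsr-xr-x" shows setuid
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": st.st_mtime_ns,
                "inode": st.st_ino,
            }
    return records


def compare(baseline, current):
    """Return a sorted list of (path, description) for every difference."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "removed"))
        elif path not in baseline:
            changes.append((path, "added"))
        else:
            differing = [f for f in FIELDS if baseline[path][f] != current[path][f]]
            if differing:
                changes.append((path, "changed: " + ",".join(differing)))
    return changes


def save(records, filename):
    """Write a baseline to disk; keep it somewhere the audited system cannot alter."""
    with open(filename, "w") as handle:
        json.dump(records, handle, indent=1, sort_keys=True)


def load(filename):
    """Read a baseline written by save()."""
    with open(filename) as handle:
        return json.load(handle)


if __name__ == "__main__":
    import sys
    # Usage: first run records a baseline, later runs report differences.
    root, baseline_file = sys.argv[1], sys.argv[2]
    if os.path.exists(baseline_file):
        for path, what in compare(load(baseline_file), snapshot(root)):
            print("%s: %s" % (path, what))
    else:
        save(snapshot(root), baseline_file)
```

This compares stat fields only, so a content change that keeps the same size and restores the modification time is not reported; adding a content hash to each record would catch that case.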
-----------[000018][next][prev][last][first]----------------------------------------------------
Date: 2 Mar 90 23:04:31 GMT
From: gwyn@SMOKE.BRL.MIL (Doug Gwyn)
To: misc.security
Subject: Re: thermal lances (was: vault doors)
Anyone who hasn't seen one of these in action is advised to check out the movie "Thief" (starring James Caan) at your local video rental store.
-----------[000019][next][prev][last][first]----------------------------------------------------
Date: 2 Mar 90 23:04:31 GMT
From: Doug Gwyn <gwyn@smoke.brl.mil>
To: misc-security@rutgers.edu
Subject: Re: thermal lances (was: vault doors)
Anyone who hasn't seen one of these in action is advised to check out the movie "Thief" (starring James Caan) at your local video rental store.
-----------[000020][next][prev][last][first]----------------------------------------------------
Date: 3 Mar 90 03:58:26 GMT
From: kelly@uts.amdahl.com (Kelly Goen)
To: misc-security@ames.arc.nasa.gov
Subject: Re: Home security
>Regarding window grates, what are the options these days in security
>versus being able to get out from the inside quickly in case of fire
AGREED... Window grates are hazardous.... Try 3/16" GE UV Stabilized
LEXAN plastic...remember to use Epoxy based putties when replacing
the glass in the window frame.... the plastic will take more impact than
the iron bars and doesn't give you a feeling of being behind bars....
REMEMBER to UPGRADE the Window Locking System as this is the weakest
part beside the glass on most windows....you might ask if it's tough enough
MY side shed window Aluminum Frame took 27 impacts with a 15 lb sledge
before the 2x4 frame the window frame was attached to splintered...
the Iron bars I tested fell prey within 10 seconds to a 7 ft wrecking
bar... Give me LEXAN every TIME!!!
cheers
kelly
-----------[000021][next][prev][last][first]----------------------------------------------------
Date: 3 Mar 90 04:05:31 GMT
From: kelly@uts.amdahl.com (Kelly Goen)
To: misc-security@ames.arc.nasa.gov
Subject: Re: Fire Sprinkler Cameras
>They are built into regular sprinkler heads which have been slightly
>modified to fit a small mirror assembly....
>The company there that was marketing the things is Visual Methods, in
>Westwood NJ. _H*]
Yehah I checked on this one.... Friends those $500.00 sprinkler
fixtures are overpriced PLASTIC(RIGHT 500.00 for plastic) JUNK...
out of 6 ordered 4 failed during installation and setup....all were sent
back to the distributor... have to wait until a better one is available...
cheers
kelly
p.s. There are much better hidden cameras on the market just check
any issue of CCTV Magazine...
-----------[000022][next][prev][last][first]----------------------------------------------------
Date: Sat, 3 Mar 90 13:01 EST
From: David Hoelzer <CONSP12@bingvaxa.bitnet>
To: security@ohstvma
Subject: Cameras
I've helped to design a number of camera boxes, including a converted slide projector, emergency fire lights, and thermostats.. I'll tell you the truth .. Don't bother trying to tell the difference..

We had a camera in full view on top of a vending machine.. We set some other stuff up there too (like boxes and wires.. just junk)... The first two days, everyone just looked at it.. The chairman of the company asked what it was doing there.. Well.. We told him, and later that night one of the security guards, who had seen this camera sitting there, walked out of the building with a few boxes of paper... Needless to say, he was shocked when he saw the footage.. He claimed, "How'd you get that!!! That Camera is broken!!".

People assume what they like.. No one has yet realized what the thermostat is, nor the fire box.. The slide projector has caught ten people... One of them even tried to steal it, until they realized that it was hooked into the wall...

DSH
-----------[000023][next][prev][last][first]----------------------------------------------------
Date: Sat, 3 Mar 90 15:01:49 EST
From: eichin@mit.edu (Mark W. Eichin)
To: reynhout@wpi.wpi.edu
Cc: misc-security@husc6.harvard.edu
Subject: Re: Who (Specificly) has Morris' Worm Code?
What I've been wondering (since reading the early Cornell report) is Did Morris actually use Unix crypt(1) to protect his files? And (as the Cornell report claimed) given that they were able to break them, did they make use of Bob Baldwin's Crypt Breaker's Workshop?

_Mark_
-----------[000024][next][prev][last][first]----------------------------------------------------
Date: 3 Mar 90 10:57:29 GMT
From: astieber@CSD4.CSD.UWM.EDU (Anthony J Stieber)
To: misc.security
Subject: What IS a thermal lance (Re: vault doors, was: locks)
Exactly what is a thermal lance? I've seen several references to these but have been unable to figure it out from context.
--
<-:(= Tony Stieber astieber@csd4.csd.uwm.edu att!uwm!uwmcsd4!astieber
-----------[000025][next][prev][last][first]----------------------------------------------------
Date: 03 Mar 90 09:27:41+0100
From: Joseph C. Pistritto <cernvax!chx400!cgch!jcp@mcsun.eu.net>
To: kelly@uts.amdahl.com
Cc: misc-security@ames.arc.nasa.gov
Subject: Re: Home security
Well, there ARE other techniques that work against LEXAN. In particular
heating it up will make it bend, allowing sheets to be bent and popped from
the window frame. They used LEXAN in the 'escape-proof' new jail in Towson,
Maryland several years ago. Took the inmates about 3 months to figure a way
to make a blowtorch from an aerosol can, point at lexan, heat for several
minutes, kick out panel. They put bars in after that...
With suitable reinforcing, and by keeping the panes small enough, this
problem could possibly be avoided. An interesting possibility is making
those 'colonial' style windows where the panes are about 8 inches by 12
inches, with the panes being Lexan and the normally wood barriers between
panes being made instead from steel would probably work nicely, without
even having the 'look' of security, if that's what you want.
======================================================================
Joseph C. Pistritto HB9NBB N3CKF
'Think of it as Evolution in Action' (J.Pournelle)
Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
Internet: jcp@brl.mil Phone: (+41) 61 697 6155
Bitnet: bpistr%cgch.uucp@cernvax.bitnet Fax: (+41) 61 697 2435
Also: cgch!bpistr@mcsun.eu.net
-----------[000026][next][prev][last][first]----------------------------------------------------
Date: 3 Mar 90 20:01:49 GMT
From: eichin@MIT.EDU (Mark W. Eichin)
To: misc.security
Subject: Re: Who (Specificly) has Morris' Worm Code?
What I've been wondering (since reading the early Cornell report) is Did Morris actually use Unix crypt(1) to protect his files? And (as the Cornell report claimed) given that they were able to break them, did they make use of Bob Baldwin's Crypt Breaker's Workshop?

_Mark_
-----------[000027][next][prev][last][first]----------------------------------------------------
Date: Sun, 4 Mar 90 11:34:44 pst
From: billf@hpcvlx (Bill F. Faus)
To: security@rutgers.edu
Subject: Re: re: Thermic Lances
Reminds me of a picture in a book I have on the properties of wood. The picture shows a gutted out burned building with only some large wooden posts and beams left standing. Looped over the charred wooden beams are two metal I beams bent to the ground at each end from the heat. The wood beams made it through the fire, but the metal ones failed.
---------------
billf@cv.hp.com
-----------[000028][next][prev][last][first]----------------------------------------------------
Date: Sun, 4 Mar 90 16:41:37 GMT
From: jik@athena.mit.edu (Jonathan I. Kamens)
To: security@pyrite.rutgers.edu
Subject: Re: Who (Specificly) has Morris' Worm Code?
Just how easy do you think it is to disassemble a program from machine language into source code form? Granted, Morris made it a little bit easier by failing to strip off the symbol tables before "letting loose" the binaries (There are hypotheses that he did so because he was "in a hurry"...), but he made it harder by XOR'ing all the strings in the entire binary.

Yes, it was POSSIBLE to reverse engineer from the binary to the source code. However, I wouldn't say that it only takes "a little reverse-engineering" to do so. I'd say it takes more "reverse-engineering" than most system administrators have the knowledge, time or desire to put into it.

Jonathan Kamens                  USnail:
MIT Project Athena               11 Ashford Terrace
jik@Athena.MIT.EDU               Allston, MA 02134
Office: 617-253-8495             Home: 617-782-0710
-----------[000029][next][prev][last][first]----------------------------------------------------
Date: Mon Mar 05 01:10:28 CEST 1990
From: rop@neabbs.UUCP (HACK-TIC)
To: hp4nl!misc-security@relay.eu.net
Subject: Re: Computer Abuse / Product Liability / Criminal Statutes / ECPA
Maybe a good definition of a hacker: A hacker is someone who is too busy doing weird things using technology to concern him/herself with defining the term 'hacker'.

I don't mean to kill a good discussion here, I just feel that discussions about the definition of the term 'hacker' tend to get boring and predictable after two or three messages.

Much more interesting (referring to the 2nd of March message) is the question whether playing a game on a computer 20.000 miles away isn't a much more efficient way of learning something than going to school in the first place.

Rop Gonggrijp, editor of Hack-Tic, a magazine for Dutch hackers....
-----------[000030][next][prev][last][first]----------------------------------------------------
Date: Mon, 5 Mar 90 8:11:07 CST
From: "Mark D. McKamey IM SA" <mark@ria-emh2.army.mil>
To: security@pyrite.rutgers.edu
Subject: Video camera devices
Hello All,
I've recently seen a number of "trick" video camera devices demonstrated on
TV. The teddy bear with a video camera in its belly, and the TV that video
tapes the TV viewer while he/she watches the TV.
I am trying to find out who sells devices such as these, and are there any
illegal implications of using one of these devices to video tape how a
babysitter treats a child while the parents are out of the house?
Mark
mark@ria-emh2.army.mil
-----------[000031][next][prev][last][first]----------------------------------------------------
Date: Tue, 6 Mar 90 02:17 PST
From: dhunt@nasamail.nasa.gov (DOUGLAS B. HUNT)
To: <security@pyrite.rutgers.edu>
Subject: RE: LAN security & control review
You should contact the EDP Auditors Foundation in Chicago. They have a variety of publications on these and related topics. Perhaps Bill Murray who frequently corresponds through this list has some other suggestions.

Doug Hunt
-----------[000032][next][prev][last][first]---------------------------------------------------- Date: 5 Mar 90 18:52:30 GMT From: steves@ivory.sandiego.ncr.com (Steve Schlesinger x2150) To: misc.security Subject: Factoring Large Numbers
I have received a report from an independent researcher, Giorgio Coraluppi, that claims to have developed an algorithm to factor large numbers in a relatively short amount of time. I do not have the background to evaluate this work, and would appreciate the names (and addresses) of people working in this field who would be interested in reviewing it.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
steve schlesinger steve.schlesinger@sandiego.ncr.com 619-485-2150
NCR - 4010, 16550 W Bernardo Dr, San Diego, CA 92127
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-----------[000033][next][prev][last][first]----------------------------------------------------
Date: 6 Mar 90 17:53:25 GMT
From: KHB1@lehigh.BITNET ("Kathy Healy Brey")
To: misc.security
Subject: Virus Scan on a LAN
Can anyone provide advice or information on the following:
CONFIGURATION
An ethernet LAN running NOVELL with 10 nodes.
Workstations are Zenith 286LP's with 20Meg hard drives & a 3.5" drive.
LAN is for student use.
PROBLEM
We would like to run a virus scan on any floppy inserted into the 3.5
inch drive AT INSERTION. Is this possible? If so, how?
The ideal scenario would be: Student inserts floppy in A:. System
recognizes presence of floppy and scans diskette for known viruses...
(a system-initiated scan, not an operator-initiated scan)
If diskette is O.K., student goes to work. If diskette is contaminated,
it's ejected(?) and student gets locked out of workstation and is
directed to LAN Administration. L.A. grabs diskette and does detective
and control work...
THANKS for any help.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| Kathy Healy Brey, Manager Admin Environment: |
| KHB1@LEHIGH THE INFORMATION CENTER IBM 4381 VSE/SP 2.1.5 |
| 215-758-3006 Lehigh University IA Systems |
| Private U Fairchild-Martindale 8B IBM PCs & Compatibles |
| 6500 Students Bethlehem, PA 18015-3146 Novell LANs |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-----------[000034][next][prev][last][first]---------------------------------------------------- Date: 6 Mar 90 19:30:21 GMT From: chidsey@SMOKE.BRL.MIL (Irving Chidsey) To: misc.security Subject: Re: Wireless Home Security Systems
<Does anyone know how hard it is to jam or fool these wireless home
<security systems? Couldn't one just use a spectrum analyzer to determine
But home security systems are only designed to be secure enough so that the reward isn't worth the trouble. A spectrum analyser plus the coder + modulator + transmitter combination necessary to jam/break any wireless system likely to be encountered requires more equipment and expertise than your typical random junkie-looking-for-a-tv-to-fence is likely to be willing or able to put into the project.
If you have valuables worthy of such expertise in your home you should put similar expertise into defeating breakins. And you should be willing to spend equally serious money.
Irv
--
I do not have signature authority. I am not authorized to sign anything. I am not authorized to commit the BRL, the DOA, the DOD, or the US Government to anything, not even by implication.
Irving L. Chidsey <chidsey@brl.mil>
-----------[000035][next][prev][last][first]---------------------------------------------------- Date: 6 Mar 90 19:30:21 GMT From: Irving Chidsey <chidsey@smoke.brl.mil> To: misc-security@rutgers.edu Subject: Re: Wireless Home Security Systems
<Does anyone know how hard it is to jam or fool these wireless home
<security systems? Couldn't one just use a spectrum analyzer to determine
But home security systems are only designed to be secure enough so that the reward isn't worth the trouble. A spectrum analyser plus the coder + modulator + transmitter combination necessary to jam/break any wireless system likely to be encountered requires more equipment and expertise than your typical random junkie-looking-for-a-tv-to-fence is likely to be willing or able to put into the project.
If you have valuables worthy of such expertise in your home you should put similar expertise into defeating breakins. And you should be willing to spend equally serious money.
Irv
--
I do not have signature authority. I am not authorized to sign anything. I am not authorized to commit the BRL, the DOA, the DOD, or the US Government to anything, not even by implication.
Irving L. Chidsey <chidsey@brl.mil>
-----------[000036][next][prev][last][first]---------------------------------------------------- Date: 6 Mar 90 20:49:40 GMT From: spaf@cs.purdue.edu (Gene Spafford) To: misc-security@gatech.edu Subject: Contest announcement
The National Center for Computer Crime Data notes with interest the
considerable controversy engendered by the trial and guilty verdict in
the case of Robert T. Morris. In order to expand and focus the
conversation, we announce the "If I were the Robert Morris case judge"
essay contest. We will award $100 to the best essay of 250 words or
less suggesting the appropriate sentence for Mr. Morris.
Security Magazine has agreed to publish the winning essay in its May
issue. Contestants need not be familiar with the federal guidelines
for sentencing, but should assume, for the purpose of their essay,
that the judge can impose any sanctions he or she thinks reasonable.
All essays must be received by the National Center for Computer Crime
Data, 1222-B 17th Avenue, Santa Cruz, CA, 95062 by March 28, 1990.
J.J. Buck BloomBecker, Esq.
Director
[The real sentencing for Mr. Morris will be May 4.
I am not affiliated in any way with the NCCCD --spaf]
--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
-----------[000037][next][prev][last][first]---------------------------------------------------- Date: Wed, 7 Mar 90 10:36:00 -0500 From: nitrex!rbl@uunet.uu.net To: security@pyrite.rutgers.edu Subject: Re: Opening an old safe?
There is a locksmith in the small Ohio town where my wife just opened a retail jewelry store. His ex-wife walked up to a locked circa-1910 safe and proceeded to open it --- the combination was unknown. Her comment: "I have a stethoscope in my fingers." If the old Victor safe is anywhere nearby southeastern Ohio/PA/WV, we could arrange a contact.
Rob Lake
BP Research
rbl@BP.COM
-----------[000038][next][prev][last][first]---------------------------------------------------- Date: Wed, 7 Mar 90 09:55 EST From: "And now, #1, The Larch" <AEWALSH@fordmurh.bitnet> To: SECURITY@OHSTVMA Subject: Mutilated Currency (was Re: Bill Changers)
> Easy -- chop the big numbers off the corners of a $20 bill, paste them
> onto the corners of a $1 bill. Pass this as a $20 bill.
This works. As a former bank teller at a commercial bank in Buffalo, I recall a teller actually taking one. If you must pass them off, though, don't do it at a bank - they're much too careful, and know enough to look at the *portrait* when receiving money.
> Turn in the mutilated $20 for a fresh one.
Yes, well...um-- mutilated currency must have one side intact (if I recall the rules correctly). Hence it is necessary to do this dastardly deed with *two* 20's, using first one side on the first bill, and the opposite side on the other.
> (no, I am not advocating the practice)
Me neither. The FBI and the Treasury department do not take kindly to this practice. Try this in a bank (either with funny twenties or bringing in lots of mutilated -- you are likely to get your picture taken by those lovely cameras on the wall.
Jeffrey Fordham University AEWALSH@FORDMURH
-----------[000039][next][prev][last][first]---------------------------------------------------- Date: Wed, 07 Mar 90 16:31:01 -0500 From: "Frank Topper" <topper%a1.relay@upenn.edu> To: security@ohstvma.bitnet, dasig@suvm.bitnet Subject: Meeting with the FBI
Dear Security & Dasig Subscribers,
Activated by a suggestion from William Sessions, Director of the FBI, my associate Linda May and I scheduled a meeting with the local Philadelphia office to discuss computer, information and network security. We wanted to draw from their experience, learn their perspective, and establish a direct connection with the people who can help us in the event of an important security breach -- and to know what they can and can not do regarding the subsequent investigation.
We met with two agents last month. Our agenda included discussing security breaches (principal kinds reported, principal deficiencies that enable such breaches, proportion involving perpetrators external/internal to the organization, proportion of organizations which had a security plan, program and officer, and the most important factor(s) for achieving appropriate levels of security), classifications of activities (legal, illegal and questionable), recaps of proposed legislation, and suggested actions & publications.
Regarding breaches: They said that banks are the most susceptible to loss, and that most private companies absorb losses without prosecuting due to the time, expense, and the wish to not appear stupid. They said that companies that did prosecute breaches had fewer recurring problems. Universities tend to get more young hacker-types, while corporations get embezzlers. Most complaints are financial institutes that get 'hit over the wire' (wire fraud), bulletin boards containing pirated software & credit card access numbers, and, most recently, they are beginning to get calls about virus problems. Although they were not allowed to give details, the FBI is currently involved in two major virus investigations. They see a major problem being when a hacker receives 'celebrity status'. This encourages trying to beat the system since fame and not disrepute is the potential payoff. Statistically, lower-level employees are easier to catch because they leave a trail of their actions. Higher-level (V.P.) employees know the systems and leave less of a trail.
Activity types: The FBI gets involved when a Federal crime is committed. Usually this means either: 1) Crime involving more than one state, 2) crimes involving gov't computers or gov't networks, or 3) the more broad 86' Computer Fraud and Abuse Act. Interestingly enough, one of the agents we spoke with participated in the investigation which has led to the conviction of Robert Morris, Jr. A questionable activity, but not illegal, is when a hacker (or employee) reads files they are not supposed to have seen. Not so related to universities is the new wrinkle provided by cellular phones. In this case the transmission travels through the airwaves to a hardwire transmission point. It is not illegal to listen in to the part broadcasted (although, a recent note on the SECURITY list mentioned that it was illegal to disclose an overheard conversation). Anytime we have a question about an activity we are encouraged to contact the agents & get the latest perspective.
Legislation-wise, neither agent has received updates on the two 89' proposed acts: Computer Protection & Computer Virus Eradication. They said there is always a lag time between when a law is passed and when they get instructions as to what it means and how it can be used. They can prosecute computer crimes now involving threats or harassment....and they said if they REALLY WANT to get someone they'll research any and all laws to try to find something to stick on the alleged criminal.
They suggest knowing what data is sensitive and taking extra precautions. Whatever security programs are running need to be monitored and checked for patterns of unusual activity, i.e., send reports to the user/custodians of each protected system.
Lastly, to get around the undesirable impression of security being iron-handed, they stressed the need for an education program touching every employee with a solid emphasis on WHY the security efforts (and the employees' efforts) are needed...and what can happen if the efforts are not made.
Based on an "OK" from the local agent-in-charge, both agents were willing to come to this university and speak to our planned-for Security Steering Committee, and without making specific recommendations, stress the importance of having a full-time security officer-type and comprehensive education/awareness program.
Regards.
Frank Topper
Information Analyst
University of Pennsylvania
(215) 898-2171
topper@a1.relay.upenn.edu
"I have observed that persons of good sense seldom fall into disputes, except lawyers, university men, and men of all sorts that have been bred at Edinborough." Ben Franklin
-----------[000040][next][prev][last][first]---------------------------------------------------- Date: Wed, 07 Mar 90 17:19:01 -0500 From: "Frank Topper" <topper%a1.relay@upenn.edu> To: security@ohstvma.bitnet Subject: Report on a Security Conference
I sent this report to the Data Administration Special Interest Group. Perhaps you are interested also.
Frank
------
Report on the 16th Annual Security Conference held in November, 1989
Dear Dasig Subscribers,
Last November I attended a security conference in Atlanta, GA. It was an unusually good event; well-organized, many options for workshops and presentations, and terrific for 'networking' - meeting people from higher ed & the corporate world. As a relative newcomer to the security world I say: If you need to go to a security conference attend the next one of these!
The presenters throughout the week were equally divided between vendors/consultants and non-vendors/consultants. Sales pitches were confined to the exhibition area and not sprinkled through the day. In other words, the presentations were not used as platforms for advocating particular technologies or services.
Favorite sessions included:
Keynote Addresses -
- Legal Liability of Corp Officers
- FBI Viewpoint (Bill Sessions, Director)
- Ethical Considerations (R. Barker, Cornell's Provost)
Other presentations/workshops -
- How To Gain Sr. Mgmt Support for a Sec. Program
- How To Be an Effective Security Officer
- Anticipating Future Network Sec. Reqs. and Abuses
The exhibits were almost all worth a visit, and ranged from disaster recovery (a melted, blackened VAX hissed & spewed 'smoke') to create-your-own security awareness videos.
There were optional ($250 each) full-day sessions the Sunday before and the Thursday following the conference.
As there were 8-10 concurrent sessions running every hour & 1/2, and due to the conference organizers not making ALL the session handouts available, I spent the first two days meeting people and making deals to get the handouts for the presentations I wasn't attending (you send me yours & I'll send you mine). The organizers did give out several handouts on diskette & said they planned to eventually be able to give out all the handouts this way.
Next conference?
Atlanta 11/12-11/15/90
Sponsored by: Computer Security Inst.
Phone: (508) 393-2600
Cost: $1,295
I am planning a presentation at this next conference, tentatively about creating an info & computer security policy & program in a decentralized environment...from ground zero.
I'll be sending around a list of attendees from the 89' conference who came from institutes of higher education.
Regards.
Frank Topper
Info Analyst
University of Pennsylvania
(215) 898-2171
topper@a1.relay.upenn.edu
-----------[000041][next][prev][last][first]---------------------------------------------------- Date: Wed, 07 Mar 90 17:21:01 -0500 From: "Frank Topper" <topper%a1.relay@upenn.edu> To: security@ohstvma.bitnet Subject: Security Conference Attendees
16th Annual Security Conference Attendees (higher ed)
Auriene, Anthony          Security Admin.         National Ed. Corp.
Barker, Robert            Provost                 Cornell U.
Benders, Carol L.         Info Sys Sec Spec.      Howard U.
Bosshart, David A.        Security Admin          U. of Minnesota
Brown, Corrine H.         Prj Mgr/Std-Sec         Ed. Testing Service
Bruhn, Mark               Data Administrator      Indiana U.
Coffman, Jack L.          Security Control Off    U. of KY Computing Ctr
Cook, Janet M.                                    Illinois State U.
DeCruyenaere, K.C.                                U. of Manitoba
Domin, Anthony C.         EDP Audit Mng           Penn State U.
Fairweather, Ian          EDP Security Admin      U. of Ottawa
Fisher, Charles E.        Director                U. of South Florida
Higashi, Albert           Assistant Director      U. of Hawaii
Hinkson, Betty            Instructor              Jacksonville State U.
Kieffer, Rom              Manager, DataComm       U. of Calgary
Rosenthal, Dan            Computer Manager        Mississippi College
Roy, Yves                 IR Administrator        U. of Ottawa
Schott, Jr. Richard R.    Info Security Officer   Wayne State U.
Shelley, Richard          DS Officer              U. of Virginia
Stewart, Dorothy          Sas Security            U. of Michigan
Stromberg, Lars           Director                Barry U.
Tenisci, Teresa           Mgr, Bus & Sec          U. of British Columbia
Thomas, Dave                                      Rochester City Schools
Topper, Frank             Info Analyst            U. of Pennsylvania
van Wyk, Kenneth R.                               Carnegie Mellon U.
Some titles were not listed & thus have been left blank.
Regards.
Frank
-----------[000042][next][prev][last][first]---------------------------------------------------- Date: 7 Mar 90 15:36:00 GMT From: rbl@nitrex.UUCP To: misc.security Subject: Re: Opening an old safe?
There is a locksmith in the small Ohio town where my wife just opened a retail jewelry store. His ex-wife walked up to a locked circa-1910 safe and proceeded to open it --- the combination was unknown. Her comment: "I have a stethoscope in my fingers." If the old Victor safe is anywhere nearby southeastern Ohio/PA/WV, we could arrange a contact.
Rob Lake
BP Research
rbl@BP.COM
-----------[000043][next][prev][last][first]---------------------------------------------------- Date: 7 Mar 90 17:41:00 GMT From: brough@islndsenet.dec.com (Paul Brough) To: misc-security@decwrl.dec.com Subject: Home security systems
[Message apparently truncated?]
... has the best system for the money, or if I should go to Radio Shack and get some of their stuff. The following is a list of considerations that I am going to use when I purchase the system:
1) Cost should be around $1,000-1,500
2) Cover the following doors
   a) front door
   b) back door
   c) breezeway door
   d) bulkhead door
   e) garage to interior breezeway door
   f) cellar to interior house door
3) Keypad entry perhaps master bedroom keypad
4) Perhaps central station monitoring
5) Passive infrared detectors on the first floor leading to the upstairs
6) PID on the second floor
I have literature on a system put out by Fire Burglary Incorp (or something like that) and most of the above fits in, but I understand that Napco (or is it Mapco) has another system out that is supposed to be a little better. Does anyone have any experience in this and can give me more info? By the way, I live in the Worcester/Fitchburg Mass. area. Any and all help will be greatly appreciated.
Thank you very much,
Paul
-----------[000044][next][prev][last][first]---------------------------------------------------- Date: Thu, 8 Mar 90 01:09 CST From: <JJOYCE@umkcvax1.bitnet> To: misc-security@rutgers.edu Subject: Re:.Opening and old safe ?
Cf. : pp 137-155
"Surely You're Joking, Mr. Feynman!"
1965
Richard P. Feynman
W. W. Norton & Co., New York
ISBN 0-393-01921-7
J.Joyce
JJOYCE@UMKCVAX1 Bitnet
-----------[000045][next][prev][last][first]----------------------------------------------------
Date: 7 Mar 90 21:31:01 GMT
From: topper%a1.relay@UPENN.EDU ("Frank Topper")
To: misc.security
Subject: Meeting with the FBI
Dear Security & Dasig Subscribers,
Activated by a suggestion from William Sessions, Director of the FBI, my associate Linda May and I scheduled a meeting with the local Philadelphia office to discuss computer, information and network security. We wanted to draw from their experience, learn their perspective, and establish a direct connection with the people who can help us in the event of an important security breach -- and to know what they can and can not do regarding the subsequent investigation.
We met with two agents last month. Our agenda included discussing security breaches (principal kinds reported, principal deficiencies that enable such breaches, proportion involving perpetrators external/internal to the organization, proportion of organizations which had a security plan, program and officer, and the most important factor(s) for achieving appropriate levels of security), classifications of activities (legal, illegal and questionable), recaps of proposed legislation, and suggested actions & publications.
Regarding breaches: They said that banks are the most susceptible to loss, and that most private companies absorb losses without prosecuting due to the time, expense, and the wish to not appear stupid. They said that companies that did prosecute breaches had fewer recurring problems. Universities tend to get more young hacker-types, while corporations get embezzlers. Most complaints are financial institutes that get 'hit over the wire' (wire fraud), bulletin boards containing pirated software & credit card access numbers, and, most recently, they are beginning to get calls about virus problems. Although they were not allowed to give details, the FBI is currently involved in two major virus investigations. They see a major problem being when a hacker receives 'celebrity status'. This encourages trying to beat the system since fame and not disrepute is the potential payoff. Statistically, lower-level employees are easier to catch because they leave a trail of their actions. Higher-level (V.P.) employees know the systems and leave less of a trail.
Activity types: The FBI gets involved when a Federal crime is committed. Usually this means either: 1) Crime involving more than one state, 2) crimes involving gov't computers or gov't networks, or 3) the more broad 86' Computer Fraud and Abuse Act. Interestingly enough, one of the agents we spoke with participated in the investigation which has led to the conviction of Robert Morris, Jr. A questionable activity, but not illegal, is when a hacker (or employee) reads files they are not supposed to have seen. Not so related to universities is the new wrinkle provided by cellular phones. In this case the transmission travels through the airwaves to a hardwire transmission point. It is not illegal to listen in to the part broadcasted (although, a recent note on the SECURITY list mentioned that it was illegal to disclose an overheard conversation). Anytime we have a question about an activity we are encouraged to contact the agents & get the latest perspective.
Legislation-wise, neither agent has received updates on the two 89' proposed acts: Computer Protection & Computer Virus Eradication. They said there is always a lag time between when a law is passed and when they get instructions as to what it means and how it can be used. They can prosecute computer crimes now involving threats or harassment....and they said if they REALLY WANT to get someone they'll research any and all laws to try to find something to stick on the alleged criminal.
They suggest knowing what data is sensitive and taking extra precautions. Whatever security programs are running need to be monitored and checked for patterns of unusual activity, i.e., send reports to the user/custodians of each protected system.
Lastly, to get around the undesirable impression of security being iron-handed, they stressed the need for an education program touching every employee with a solid emphasis on WHY the security efforts (and the employees' efforts) are needed...and what can happen if the efforts are not made.
Based on an "OK" from the local agent-in-charge, both agents were willing to come to this university and speak to our planned-for Security Steering Committee, and without making specific recommendations, stress the importance of having a full-time security officer-type and comprehensive education/awareness program.
Regards.
Frank Topper
Information Analyst
University of Pennsylvania
(215) 898-2171
topper@a1.relay.upenn.edu
"I have observed that persons of good sense seldom fall into disputes, except lawyers, university men, and men of all sorts that have been bred at Edinborough." Ben Franklin
-----------[000046][next][prev][last][first]---------------------------------------------------- Date: Thu, 08 Mar 90 14:27:18 PST From: blade@darkside.com (The Blade) To: misc-security@ucbvax.berkeley.edu
I need information on on-line databases that are helpful to the private investigator, such as background info, SS checks, DMV reports, etc... I know of US Data-link but they want $1000 to sign up, any specialized bases are also appreciated.
-----------[000047][next][prev][last][first]---------------------------------------------------- Date: 8 Mar 90 07:09:00 GMT From: JJOYCE@umkcvax1.BITNET To: misc.security Subject: Re:.Opening and old safe ?
Cf. : pp 137-155
"Surely You're Joking, Mr. Feynman!"
1965
Richard P. Feynman
W. W. Norton & Co., New York
ISBN 0-393-01921-7
J.Joyce
JJOYCE@UMKCVAX1 Bitnet
-----------[000048][next][prev][last][first]---------------------------------------------------- Date: 8 Mar 90 22:27:18 GMT From: blade@darkside.com (The Blade) To: misc.security Subject: (none)
I need information on on-line databases that are helpful to the private investigator, such as background info, SS checks, DMV reports, etc... I know of US Data-link but they want $1000 to sign up, any specialized bases are also appreciated.
-----------[000049][next][prev][last][first]---------------------------------------------------- Date: Fri, 9 Mar 90 13:22:28 EST From: barnett@unclejack.crd.ge.com (Bruce Barnett) To: cb2s+@andrew.cmu.edu, security@pyrite.rutgers.edu Subject: Re: Honda motorcycle keys
We had a case in our area where two people had 1) The same model car 2) The same color 3) Parked near each other in the same parking lot and 4) Had the same trunk key. Someone went to the parking lot and dropped off a package in their trunk. They went back into the Mall, and when they checked their trunk the second time - they "discovered" that their packages were "stolen". -- Bruce G. Barnett <barnett@crdgw1.ge.com> uunet!crdgw1!barnett
-----------[000050][next][prev][last][first]---------------------------------------------------- Date: Fri, 09 Mar 90 16:34:42 PLT From: Alan Zacher <29562883@wsuvm1.bitnet> To: security@ohstvma Subject: datsun keys
about datsun keys. be VERY careful about testing your key in other people's
vehicles of the same make. people in my family HABITUALLY put the key to our
1980 datsun 210 into the ignition of our 1982 datsun pickup. the key would
turn until it reached the 'on' position, then it would pop out and would not go
back in. i had to take the dang lock apart to reset it and it took about 15
times before we got the brains to change the pickup ign. key. needless to say
we made SURE that the two keys were not semi-interchangeable before we
installed the new cylinder. just thought id warnya.
alan
-----------[000051][next][prev][last][first]---------------------------------------------------- Date: Fri Mar 9 14:10:05 1990 From: guhsd000@crash.cts.com (Paula Ferris) To: misc-security@crash.cts.com Subject: Re: Them Locks Are Easy
Well, I'm glad to see I started a conversation that got some response anyway. My friend's motorcycle (Honda) had such high tolerances in the cylinder and pin assembly that the core could be turned with a screwdriver if you took a little time to play with it and jiggle it into line.
If you're worried about it, don't make your car a target, most cars in my area anyway are usually first taken for goodies inside (tronics), then end up stripped. It seems if they are going to go through all the trouble to rip off your stuff, they are going to get the most out of it. Pullout stereos, amplifiers in the trunk out of sight and a blinking LED are all good ideas. Even if the LED doesn't really go to an alarm, it'll keep a lot of lesser hand prints off the car, and with a simple IC LED Flasher, a single "D" cell can drive it continuously for a year.
At all costs, avoid parking on the street, cars are rarely taken out of the driveway. Usually they are taken out of parking lots (around here Apartment building lots) or off the street. The best thing (without having a garage) is to park under a motion detector/flood light assembly. The action of having the dark driveway flooded with that 300 watt quartz halogen lamp gets attention, and I think is more effective than simply having the area continuously lit.
Some basic ideas, always, even for a minute, lock the doors with the windows up. Many cars have been boosted when someone runs into the 7-11 "just for a minute." Roll the windows up tight, most manual windows when rolled tight will track outwards on most newer cars, making the user of a slimjim (many new cars still don't use the simple barrier plates and sidebars) have a rough time even getting it inserted, much less using it, as well as making wires and such very difficult to use to get to the locks.
If anyone really wants your car, they are going to get at it, but you don't have to help them.
A former investigator for a very large police department's auto theft unit in the western US.
-----------[000052][next][prev][last][first]---------------------------------------------------- Date: Fri, 09 Mar 90 16:51:45 EST From: Homer <CTM@cornellc.bitnet> To: "Security List." <security@pyrite.rutgers.edu> Subject: Re: Them Locks Are Easy
>Moaning at car manufacturers for providing rotten security is unlikely to
>succeed. They make so much money selling people parts to replace things
>smashed by thieves that it's hardly worth their while improving matters.
I presume that car stereos are the most stolen item in the universe.
You think the stereo manufacturers take this into account when they
project sales into the future? Does a stolen stereo mean another sale?
Does it mean a lost sale to the bozo who buys the hot stereo?
Does it mean a lost sale to those of us who are too scared to have
stereos in our cars?
Do they BENEFIT from thievery? Or is it a detriment to them?
-----------[000053][next][prev][last][first]---------------------------------------------------- Date: 9 Mar 90 17:21:07 EST (Fri) From: simsong@prose.cambridge.ma.us (Simson L. Garfinkel) To: cs4i03ab@maccs.dcss.mcmaster.ca Cc: security@pyrite.rutgers.edu Subject: holograms on bills
Actually, the idea of putting a hologram on a bill is what American Banknote Inc. has staked its livelihood on. That is the company that makes the holograms that have become standard on credit cards. But it's all a hoax. Here's why:
First, anybody can make a hologram, even the small foil kind that are embossed. Total equipment cost is no more than $10,000. That's hardly a deterrent.
Second, nobody checks the holograms. Ever notice how different cards use different holograms? They could have done something tricky, like storing information in the hologram that would have required a special reader. But that would have been too expensive.
Indeed, the only reason that there are holograms on credit cards --- and the reason they are coming to currency --- is that American Banknote Inc. has succeeded in making people think that it is more secure. It isn't.
Simson Garfinkel
-----------[000054][next][prev][last][first]---------------------------------------------------- Date: Fri, 9 Mar 90 20:15 EST From: <CJS@cwru.bitnet> To: hobbit@pyrite.rutgers.edu Subject: Car Locks -- They had great locks at Hertz in Belfast
Last time I was in Belfast I rented a car at the airport (I think it was Hertz). The cars didn't use regular keys but something that looked, well, I can't describe it other than to say the key was very strangely shaped. The reason they go to such trouble with locks is the IRA (and maybe the provos (I can't recall)) steal cars and put bombs in them and then park them somewhere. The security forces will assume any abandoned/stolen car has a bomb in it--we all know how you defuse a bomb, you blow it up. So, if any car is stolen it is effectively totalled. I suspect it is hard to get the damn things insured. Hence the extra security. I never could find out who made the locks.
cjs
-----------[000055][next][prev][last][first]---------------------------------------------------- Date: 9 Mar 90 19:38:49 GMT From: nagle@well.sf.ca.us (John Nagle) To: misc-security@ucbvax.berkeley.edu Subject: Re: bill changers
Where can I get a cheap bill reader, suitable for use to retrofit an
existing vending machine (a photo booth) for paper money? Used units
are acceptable.
John Nagle
-----------[000056][next][prev][last][first]---------------------------------------------------- Date: 9 Mar 90 22:09:00 GMT From: warlock@CSCIHP.CSUCHICO.EDU (John Kennedy) To: misc.security Subject: Re: Bicycle locks
>was partly scraped off, so I couldn't make out the name, but it ends with
>NG-TAY.
I believe the lock you're referring to is called "MING-TAY", available at your finer K-Mart stores for around $20. What can you expect? (-: -- Warlock, AKA +---------------------------------------------------- John Kennedy | uucp: lampoon!warlock@csuchico.edu CSCI Student | internet: warlock@csuchico.edu CSU Chico +----------------------------------------------------
-----------[000057][next][prev][last][first]---------------------------------------------------- Date: 9 Mar 90 22:21:07 GMT From: simsong@prose.cambridge.ma.us (Simson L. Garfinkel) To: misc.security Subject: holograms on bills
Actually, the idea of putting a hologram on a bill is what American Banknote Inc. has staked its livelihood on. That is the company that makes the holograms that have become standard on credit cards. But it's all a hoax. Here's why: First, anybody can make a hologram, even the small foil kind that are embossed. Total equipment cost is no more than $10,000. That's hardly a deterrent. Second, nobody checks the holograms. Ever notice how different cards use different holograms? They could have done something tricky, like storing information in the hologram that would have required a special reader. But that would have been too expensive. Indeed, the only reason that there are holograms on credit cards --- and the reason they are coming to currency --- is that American Banknote Inc. has succeeded in making people think that it is more secure. It isn't. Simson Garfinkel
-----------[000058][next][prev][last][first]---------------------------------------------------- Date: 10 Mar 90 01:15:00 GMT From: CJS@cwru.BITNET To: misc.security Subject: Car Locks -- They had great locks at Hertz in Belfast
Last time I was in Belfast I rented a car at the airport (I think it was Hertz). The cars didn't use regular keys but something that looked, well, I can't describe it other than to say the key was very strangely shaped. The reason they go to such trouble with locks is the IRA (and maybe the provos (I can't recall)) steal cars and put bombs in them and then park them somewhere. The security forces will assume any abandoned/stolen car has a bomb in it--we all know how you defuse a bomb, you blow it up. So, if any car is stolen it is effectively totalled. I suspect it is hard to get the damn things insured. Hence the extra security. I never could find out who made the locks. cjs
-----------[000059][next][prev][last][first]---------------------------------------------------- Date: 10 Mar 90 03:47:53 GMT From: shawn@mit-eddie.UUCP (Shawn F. Mckay) To: misc.security Subject: Call for Security Hacks
Greetings, I am building a package for use in the war against "System Crackers", it will probably be released in the next few months, I'm aiming at spring, early summer. It will be available to all, though due to its nature, I will have to set something special up so only legitimate sites end up with it; Ideas on the lowest overhead way to do this would be welcome. If you have a favorite hack you have written to use for this purpose, and would like to offer it to the world for people to use in this fight, please contact me directly so I may include it. Ideas and comments are also welcome. Thanks in advance, -- Shawn
-----------[000060][next][prev][last][first]---------------------------------------------------- Date: Sat, 10 Mar 90 03:47:53 GMT From: mit-eddie!shawn@mit-eddie.gatech.edu (Shawn F. Mckay) To: misc-security@uunet.uu.net Subject: Call for Security Hacks
Greetings, I am building a package for use in the war against "System Crackers", it will probably be released in the next few months, I'm aiming at spring, early summer. It will be available to all, though due to its nature, I will have to set something special up so only legitimate sites end up with it; Ideas on the lowest overhead way to do this would be welcome. If you have a favorite hack you have written to use for this purpose, and would like to offer it to the world for people to use in this fight, please contact me directly so I may include it. Ideas and comments are also welcome. Thanks in advance, -- Shawn
-----------[000061][next][prev][last][first]---------------------------------------------------- Date: Sat, 10 Mar 90 09:03 EST From: "Mark H. Wood" <IMHW400@indyvax.iupui.edu> To: security@pyrite.rutgers.edu Subject: Re: Them Locks Are Easy
>Moaning at car manufacturers for providing rotten security is unlikely to
>succeed. They make so much money selling people parts to replace things
>smashed by thieves that it's hardly worth their while improving matters.
Does anybody sell decent locks made for car doors? Could I just throw away my junky original-equipment locks and replace them with good ones? Think it might make a difference if I write to Consumer Reports detailing how and *why* it should be done? How about my insurance company? Of course, locks aren't the only part of the problem: they need something stronger than sheet metal to hold them. I can't count the number of cars I've seen with missing trunk locks. Most car doors are still vulnerable to slim-jims. And the windows are still made of fragile glass....
-----------[000062][next][prev][last][first]---------------------------------------------------- Date: Sat, 10 Mar 90 14:13:37 PST From: teda!RATVAX.DNET!ROBERTS@uunet.uu.net (George Roberts) To: security@pyrite.rutgers.edu Subject: RE: Re: Computer Forged Documents - money
> The USofA amazes me, it's got the largest market to make a counterfeit
> worthwhile, and yet probably the oldest "active" currency technology...
I read in the Boston Globe recently that the U.S. Treasury puts small
red and blue threads in its paper money. The item mentioned the paper is
so difficult to make, that many counterfeiters bleach small denominations
and re-print larger denominations onto the bleached bills.
I took out a one dollar bill and sure enough there were tiny little red and
blue threads. They were easiest to see around the edge where there was no
printing.
Maybe they shouldn't put those threads in the ones and fives! (need I explain
the concept?)
- George Roberts
-----------[000063][next][prev][last][first]---------------------------------------------------- Date: 11 Mar 90 00:59:22 GMT From: jac@PAUL.RUTGERS.EDU (Jonathan A. Chandross) To: misc.security Subject: Re: Computer Forged Documents - money
> [Canadian] bill designs from the last few years also feature MACHINE READABLE
> serial numbers for nifty swift banking machine sorting, etc.
I would be uneasy about money with machine readable serial numbers. Just think how easy it would be for the government to track how you spend your money. For those of you saying "oh sure", I would like to point out that credit card companies sell mailing lists based on total debt, size of monthly payments, whether you pay your bill on time every month, what you buy, how much you make, etc. Every time you use a credit card the information is saved away. And it is surprisingly easy to get access to that information. A Business Week reporter registered for a credit bureau service (like TRW) and got a copy of Dan Quayle's credit history. Danny was not pleased when BW called him for his reaction.
> The USofA amazes me, it's got the largest market to make a counterfeit
> worthwhile, and yet probably the oldest "active" currency technology...
Something like 300 BILLION dollars in paper currency is missing from the money supply. A great deal of it is in eastern Europe and in the hands of drug lords (they do keep some in cash). Just imagine what would happen if the US government said "ok, new currency time; everyone turn in the old. Old currency will only be legal for 5 years." Take a real bite out of crime.
Jonathan A. Chandross
Internet: jac@paul.rutgers.edu
UUCP: rutgers!paul.rutgers.edu!jac
-----------[000064][next][prev][last][first]---------------------------------------------------- Date: 12 Mar 90 14:39:13 GMT From: epstein@trwacs.UUCP (Jeremy Epstein) To: misc.security Subject: Re: car keys
My wife locked herself out of our Mazda a few weeks ago. Rather than calling a locksmith, she called a dealer nearby. They asked her for the VIN, made a key, and brought it over (for $5, instead of $50 or so for a locksmith). They did not ask for proof of ownership, or anything else, which made me quite nervous! -- Jeremy Epstein epstein@trwacs.uu.net TRW Systems Division 703-876-4202
-----------[000065][next][prev][last][first]---------------------------------------------------- Date: 12 Mar 90 14:39:13 GMT From: trwacs!epstein@uunet.uu.net (Jeremy Epstein) To: misc-security@uunet.uu.net Subject: Re: car keys
My wife locked herself out of our Mazda a few weeks ago. Rather than calling a locksmith, she called a dealer nearby. They asked her for the VIN, made a key, and brought it over (for $5, instead of $50 or so for a locksmith). They did not ask for proof of ownership, or anything else, which made me quite nervous! -- Jeremy Epstein epstein@trwacs.uu.net TRW Systems Division 703-876-4202
-----------[000066][next][prev][last][first]---------------------------------------------------- Date: Wed, 14 Mar 90 15:34:58 EST From: sgw@cad.cs.cmu.edu (Stephen Wadlow) To: misc-security@rutgers.edu Subject: Re: Medeco vs Keso vs Kaba
For picking purposes, I'd consider the medeco to be more secure (even more so for their biaxial line, which actually may be the default by now). I don't expect that your average burglar would generally attempt to pick a medeco. You also have the security that more people know of medeco locks as being "high security locks" and may just avoid the lock. In terms of vandalism, I'd still go with medeco. Medecos have hardened steel rods inserted in strategic places so as to make drilling difficult, so the brute force method won't easily work. Also, the keyways are more warded than the Kaba/Keso (which I have always seen as being totally unwarded) so it is far less likely that they will be able to wedge a piece of metal stock into the core just to annoy you. The caveat of it all is that if the burglar wants in badly enough, (s)he'll get in. If they want to vandalize, they will. All security systems have their own weaknesses. Some just aren't as easy to exploit as others. steve
-----------[000067][next][prev][last][first]---------------------------------------------------- Date: 14 Mar 90 10:25:55+0100 From: Joseph C. Pistritto <jcp@cgch.uucp> To: jimkirk@outlaw.uwyo.edu Cc: security@pyrite.rutgers.edu Subject: Re: Medeco vs Keso vs Kaba
Here in Switzerland, virtually every door is locked with a KESO style
lock, (I have seen one Medeco cylinder in use here, it was on a shop
door). Locksmiths here know which blanks of Keso they're not supposed
to duplicate, (always the ones that are used for entrance doors).
Having seen a vandalized Medeco cylinder, I would guess that Keso is
better that way. The keyway is somewhat narrower. Against a really
determined vandal however, all key locks suffer from the 'fill up the
keyway with Araldite (the local epoxy glue)' technique. I don't really
know how to defend against this effectively. Also note that it can be
difficult in some Keso installations to remove the cylinder if you can't
insert a key!.
======================================================================
Joseph C. Pistritto HB9NBB N3CKF
'Think of it as Evolution in Action' (J.Pournelle)
Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
Internet: jcp@brl.mil Phone: (+41) 61 697 6155
Bitnet: bpistr%cgch.uucp@cernvax.bitnet Fax: (+41) 61 697 2435
Also: cgch!bpistr@mcsun.eu.net
-----------[000068][next][prev][last][first]---------------------------------------------------- Date: 14 Mar 90 20:34:58 GMT From: sgw@CAD.CS.CMU.EDU (Stephen Wadlow) To: misc.security Subject: Re: Medeco vs Keso vs Kaba
For picking purposes, I'd consider the medeco to be more secure (even more so for their biaxial line, which actually may be the default by now). I don't expect that your average burglar would generally attempt to pick a medeco. You also have the security that more people know of medeco locks as being "high security locks" and may just avoid the lock. In terms of vandalism, I'd still go with medeco. Medecos have hardened steel rods inserted in strategic places so as to make drilling difficult, so the brute force method won't easily work. Also, the keyways are more warded than the Kaba/Keso (which I have always seen as being totally unwarded) so it is far less likely that they will be able to wedge a piece of metal stock into the core just to annoy you. The caveat of it all is that if the burglar wants in badly enough, (s)he'll get in. If they want to vandalize, they will. All security systems have their own weaknesses. Some just aren't as easy to exploit as others. steve
-----------[000069][next][prev][last][first]---------------------------------------------------- Date: 14 Mar 90 21:28:07 GMT From: KRAINIER@EAGLE.WESLEYAN.EDU (geek) To: misc.security Subject: Police repeater detection
Due to a leaky memory, I do not recall all details, but about a month or
two ago I spotted an item in a "yuppie catalog" that purported to detect patrol
cars up to <insert large distance> away by picking up their repeater signals.
The device was designed to be vehicle mounted (so as to pick up police using
radar that is only turned on when you are in sight). Of course, it relies on
the supposition that the officers left their repeaters on while in the vehicle
[they acknowledged this but claimed that most do in fact leave their repeaters
on]. The device did not broadcast what it received, it only indicated that
something was being broadcast.
Anybody seen anything similar? Any comments on range/feasibility/other
problems?
-kevin
krainier@eagle.wesleyan.edu
krainier@wesleyan.bitnet
-----------[000070][next][prev][last][first]---------------------------------------------------- Date: Thu, 15 Mar 90 13:03:45 EST From: "Larry Margolis" <MARGOLI@ibm.com> To: security@pyrite.rutgers.edu Subject: Medeco vs Keso vs Kaba
What are your concerns? Pick resistance - all are fairly good; I'd probably give the Medeco an edge, since I believe (although I'm not certain) that the Keso / Kaba rely on having lots of pins and don't add anything else to prevent picking, while the Medeco has a sidebar. Physical security - Medeco cylinders have hardened steel inserts to prevent drilling the pins or the sidebar. Don't know about the others. Key duplication - lots of hardware stores have Medeco key machines; you probably have to go to a locksmith to get the Keso or Kaba key duplicated. If you're concerned about someone borrowing the key and duplicating it, then making unauthorized use at another time, and you want to go Medeco, you can get a cylinder using a restricted blank. Copies are only available by mail with an authorized signature. If you don't want to frustrate a burglar, don't bother with a lock at all! :-) A healthy application of epoxy will screw up any of the locks equally well. If you're worried about that, then the physical security of the Medeco might be a drawback. (Harder for you to drill out if necessary.) A good combination lock will avoid the problems of a keyhole that can be blocked. For that matter, a magnetic lock also has an advantage - if the keyhole is blocked, you can simply drill & file it out without worrying about damaging pins. Miwa (sp?) makes cylinders that operate with a magnetic key. Larry Margolis, MARGOLI@YKTVMV (bitnet), MARGOLI@IBM.COM (csnet)
-----------[000071][next][prev][last][first]---------------------------------------------------- Date: 15 Mar 90 19:30:10 EST (Thu) From: simsong@prose.cambridge.ma.us (Simson L. Garfinkel) To: trwacs!epstein@uunet.uu.net Cc: security@pyrite.rutgers.edu Subject: Answerback
So the system's entire security was based on physical security of the terminals? And there was no auditing --- that is, I could do something on your terminal, and it would look like you did it? This doesn't seem very secure. Even the airline reservation systems require that individuals type in their passwords.
-----------[000072][next][prev][last][first]---------------------------------------------------- Date: Thu, 15 Mar 90 20:23:16 EST From: Miguel_Cruz@ub.cc.umich.edu To: security@pyrite.rutgers.edu Subject: Re: Answerback
> I worked on one system that used answerbacks to automatically log users in
But that way, any old crook could just walk up to someone's terminal and have their access... night cleaning crews, the person's kids, anyone. Miguel
-----------[000073][next][prev][last][first]---------------------------------------------------- From: Troy Landers <sequent!tlanders@cse.ogi.edu> 17-MAR-1990 2:26:29 To: misc-security@tektronix.tek.com
I know it is, at least on some cards. When I lived in Illinois, the bank
that I used had this little box that resembled one of those automatic
credit card calling thingamagigs. When I opened my account, they gave
me a card, left me alone in the room (in the vault) and told
me how to use it. All I did was type my PIN number, press a button, and
"swipe" my card through it. Voila, my card was now encoded with my
PIN. I didn't think about it too much at the time, mostly because
I wasn't aware of all the sneaky things crooks can do, and because I
was a student and didn't have any money to steal anyway :-). Now I
think I would be more reluctant to use a bank with such a system.
Who knows?
Troy
-------------------------------------------------------------------------------
Troy Landers Sequent Computer Systems Inc.
UUCP: ...!sequent!tlanders 15450 S.W. Koll Parkway
Phone: (503) 626-5700 x4491 Beaverton, Oregon 97006-6063
*** My opinions are precisely that! ***
-----------[000074][next][prev][last][first]---------------------------------------------------- From: netcom!onymouse@claris.com (John Debert) 17-MAR-1990 2:27:11 To: misc-security@ames.arc.nasa.gov
Many banks, not-so-long-ago, did record passcodes on the card. That way, they didn't have to use their computer resources for such piddly things. Also, access control software was not yet being produced that was reliable. It was much easier to leave such things up to the ATM. A certain American bank still records passcodes in some cards, if not all. They still use ATM's that expect the passcode to be there. jd onymouse@netcom.UUCP
-----------[000075][next][prev][last][first]---------------------------------------------------- Date: 15 Mar 90 17:31:21 GMT From: nagle@well.sf.ca.us (John Nagle) To: misc.security Subject: Re: Medeco vs Keso vs Kaba
The first major installation of the Sargent Keso system was at
Case Institute of Technology in the 1960s. It was then called the
"Maximum Security" system. It wasn't. One person had made a grand
master for the system within days of installation.
Weaknesses:
1. There are only three depths for each dimple in the keys,
and they can be easily distinguished visually. So, if
you get a glance at a key, you can remember the code
and make your own key later.
2. The keys are easy to make in a drill press. The blank is
just a piece of rod with a diamond-shaped cross section.
3. This is really just an unusual form of pin-tumbler lock,
with all the usual vulnerabilities, including those of
master-keyed systems.
John Nagle
-----------[000076][next][prev][last][first]---------------------------------------------------- From: night@pawl.rpi.edu (Trip Martin) 17-MAR-1990 2:50:37 To: ???
When I got my cash card back in Sept, the bank told me that the access code was indeed put on the card itself, and implied that this was better because then no bank records would have the access code. In fact, they had me type in my desired access code into a machine which then ran the card through. Trip Martin night@pawl.rpi.edu -- Trip Martin night@pawl.rpi.edu
-----------[000077][next][prev][last][first]----------------------------------------------------
Date: 15 Mar 90 18:03:45 GMT
From: MARGOLI@IBM.COM ("Larry Margolis")
To: misc.security
Subject: Medeco vs Keso vs Kaba
What are your concerns? Pick resistance - all are fairly good; I'd probably give the Medeco an edge, since I believe (although I'm not certain) that the Keso / Kaba rely on having lots of pins and don't add anything else to prevent picking, while the Medeco has a sidebar. Physical security - Medeco cylinders have hardened steel inserts to prevent drilling the pins or the sidebar. Don't know about the others. Key duplication - lots of hardware stores have Medeco key machines; you probably have to go to a locksmith to get the Keso or Kaba key duplicated. If you're concerned about someone borrowing the key and duplicating it, then making unauthorized use at another time, and you want to go Medeco, you can get a cylinder using a restricted blank. Copies are only available by mail with an authorized signature. If you don't want to frustrate a burglar, don't bother with a lock at all! :-) A healthy application of epoxy will screw up any of the locks equally well. If you're worried about that, then the physical security of the Medeco might be a drawback. (Harder for you to drill out if necessary.) A good combination lock will avoid the problems of a keyhole that can be blocked. For that matter, a magnetic lock also has an advantage - if the keyhole is blocked, you can simply drill & file it out without worrying about damaging pins. Miwa (sp?) makes cylinders that operate with a magnetic key. Larry Margolis, MARGOLI@YKTVMV (bitnet), MARGOLI@IBM.COM (csnet)
-----------[000078][next][prev][last][first]---------------------------------------------------- Date: 15 Mar 90 21:49:23 GMT From: netcom!onymouse@claris.com (John Debert) To: misc-security@ames.arc.nasa.gov Subject: Re: cop detectors
Of course, if a department doesn't want a deal on a quantity purchase of radios, the department may well buy several different makes/ models. Most departments do buy one make and model, though, and do so in quantity. This way, they can get a discount and only need pay for one service contract. It simplifies the problem of figuring out which freqs to check out.
> ... While a pocket scanner might receive all of the local
> oscillator frequencies used by the local police, its detection range would
> likely be less than a hundred feet.
OK, I confess: I am not picking up the LO from the hand-helds. The signal is always on the repeater frequency. I don't know where it's coming from inside the radio but I can detect it as much as 1/4 away with a good antenna. (I'm about to see if I can pick up weaker sigs with an LNA after the antenna.) How did Motorola get away with producing radios like this, I don't know but I don't really mind. jd onymouse@netcom.UUCP
-----------[000079][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 01:06:20 GMT From: randall@UVAARPA.VIRGINIA.EDU (Randall Atkinson) To: misc.security Subject: Crime & Secure systems
Sun frequently implies that SunOS 4.x is a C2 system, but then in the security features guide mentions that they never actually had it evaluated by the NCSC. After the Morris' worm, DEC made a great deal of the fact that Ultrix had been more "secure" than other vendors. A more accurate description would have been that DEC broke and lobotomised Ultrix so that it can't do much of what other BSD systems can. In any event, one doesn't sue the house builder when someone breaks down the door later on and vandalises the house. Electronic crime isn't different from other crime and shouldn't be treated specially.
-----------[000080][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 01:57:26 GMT From: gnf3e@uvacs.cs.Virginia.EDU (Greg Fife) To: misc-security@uunet.uu.net Subject: Re: Answerbacks / Vendor Liability
>> FINAL COMMENT: The INTERNET virus should be treated as a product liability
>> question. In my opinion, DEC and SUN should pay the cost of the cleanup
I like this analogy: the UNIX security features of DEC and SUN are like
the padlock that one would put on a tool shed. It provides some level
of security at a moderate price, and any determined fool can get in with
a pair of bolt-cutters. Just like you can spend more money to better secure
your shed, you can spend more staff hours ($$) or buy a more trusted
OS.
No one doubts that the man with the bolt-cutters should be tried as a thief,
and no one suggests that MasterLock should be sued when it happens.
Greg Fife
gnf3e@virginia.edu
uunet!virginia!uvacs!fife
-----------[000081][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 02:23:27 GMT From: smb@ulysses.att.com (Steven M. Bellovin) To: misc-security@att.att.com Subject: Re: Computer Abuse / Product Liability / Criminal Statutes / ECPA
} -- the almighty PRESS has given the term "HACKER"
} a bad rap.......it's about time they, as well as others, come up with new
} terms other than "hacker(s)" to describe these actions.
You can't do that. Language is determined by use, not fiat. A few years ago, ``hacker'' had a different meaning. That's changed.
-----------[000082][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 06:55:05 GMT From: kelly@uts.amdahl.com (Kelly Goen) To: misc.security Subject: Re: Who (Specificly) has Morris' Worm Code?
Just to be slightly less informative 2600 magazine is a hacker pub... and no I don't know the current address but I will find it and post... cheers kelly
-----------[000083][next][prev][last][first]---------------------------------------------------- Date: Fri, 16 Mar 90 14:05:08 EST From: meister@gaak.lcs.mit.edu (phil servita) To: CAMPBELL@utoroci.bitnet Cc: SECURITY@pyrite.rutgers.edu Subject: Re: Bank card tricks in Toronto
The old Docutel (Olivetti) bank machines did store the password on the stripe.
Not in plaintext, but with a very simple substitution cipher which wasn't hard
to break. These machines are no longer in use.
The current crop of machines essentially does the following:
1) Take the password as entered by the user.
2) Append (prepend?) the account ID number.
3) Take the whole shebang and encrypt (with some magic key)
via DES.
4) Compare with an ENCRYPTED string stored on the card.
(sort of like the unix login program)
The article you mentioned is leaving out an awful lot of details...
-meister
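The four steps listed in the message above, sketched as an added example; this is not code from the poster or from any bank. HMAC-SHA256 is swapped in for the DES step named in the post (Python's standard library has no DES), and the key, account numbers, PIN and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key. In the scheme described it is the "magic key" held by
# the bank's equipment; it is never written to the card.
BANK_KEY = b"constructed-demo-key"


def card_verifier(pin: str, account_id: str, key: bytes = BANK_KEY) -> str:
    """Steps 1-3: combine PIN and account ID, then apply a keyed one-way
    transform. The result is what gets written to the stripe."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 ASCII digits")
    # Length-prefix both fields so ("12", "345") and ("123", "45") differ.
    msg = f"{len(pin)}:{pin}|{len(account_id)}:{account_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def verify_pin(entered_pin: str, account_id: str, stored: str,
               key: bytes = BANK_KEY) -> bool:
    """Step 4: recompute from what the user typed and compare with the value
    read from the card, as the Unix login program does with a password hash."""
    try:
        candidate = card_verifier(entered_pin, account_id, key)
    except ValueError:
        return False  # malformed input is simply a failed attempt
    # Constant-time comparison, so timing does not reveal matching prefixes.
    return hmac.compare_digest(candidate, stored)


def issue_card(account_id: str, pin: str) -> dict:
    """Constructed stand-in for the stripe contents: no PIN, only the verifier."""
    return {"account_id": account_id, "verifier": card_verifier(pin, account_id)}


# Two constructed cards that happen to share the same PIN.
CARD_A = issue_card("000123456", "4821")
CARD_B = issue_card("000987654", "4821")

if __name__ == "__main__":
    print("card A stripe:", CARD_A)
    print("correct PIN  :", verify_pin("4821", CARD_A["account_id"], CARD_A["verifier"]))
    print("wrong PIN    :", verify_pin("4822", CARD_A["account_id"], CARD_A["verifier"]))
    # Binding the account ID into the transform means A's verifier is useless
    # on B's account even though the PINs are identical.
    print("A's verifier on B's account:",
          verify_pin("4821", CARD_B["account_id"], CARD_A["verifier"]))
```

Unlike the substitution-cipher stripe of the older machines, nothing on the card can be decoded back into the PIN without the key.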
-----------[000084][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 12:03:58+0100 From: Joseph C. Pistritto <jcp@cgch.uucp> To: security@pyrite.rutgers.edu Subject: trashcan security
It seems extremely common these days for criminals to be
apprehended after extensive poking about in their rubbish. Stuff like
paying the garbage collectors to deliver the trash to investigators or
merely poking around after dark.
Of course, this leads to the question of WHY anyone with anything
to hide would merely THROW AWAY incriminating documents...
The question is, of course, how common is this sort of thing
really, is any sort of a warrant required (in the US anyway), etc.
Sort of the same problem in reverse applies to retailers, do
any of the credit card companies require that used credit card vouchers
be shredded or burned when disposed of, etc?
-jcp-
======================================================================
Joseph C. Pistritto HB9NBB N3CKF
'Think of it as Evolution in Action' (J.Pournelle)
Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
Internet: jcp@brl.mil Phone: (+41) 61 697 6155
Bitnet: bpistr%cgch.uucp@cernvax.bitnet Fax: (+41) 61 697 2435
Also: cgch!bpistr@mcsun.eu.net
-----------[000085][next][prev][last][first]---------------------------------------------------- Date: 16 Mar 90 21:35:01 GMT From: hollombe%sdcsvax@ttidca.tti.com (The Polymath) To: misc-security@sdcsvax.ucsd.edu Subject: Re: Home security
}I solved a similar problem with a set of exploding security bolts. ...
This sounds drastic, dangerous and probably illegal. Certainly not
something you want the average DIYer playing with.
Relevant building codes here require at least one window in every bedroom
to have a hinged set of bars that can be unlocked inside the room so they
swing away from the window, allowing exit in an emergency. The locking
mechanism is purely mechanical, so there's no problem with burned through
wiring or shrapnel from explosive bolts killing your neighbor's child.
--
The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Citicorp(+)TTI Illegitimis non
3100 Ocean Park Blvd. (213) 450-9111, x2483 Carborundum
Santa Monica, CA 90405 {csun | philabs | psivax}!ttidca!hollombe
-----------[000086][next][prev][last][first]---------------------------------------------------- Date: 17 Mar 90 01:08:48 GMT From: b3s@psuecl.BITNET To: misc.security Subject: Night Goggles
Hello Do you have any information where can I purchase Night Goggles? I am studying Infrared Detectors and Night Goggles. So I got an IR-Detector, but I couldn't find information on where to buy Night Goggles. Can you help me ? THANK YOU. BCS.
-----------[000087][next][prev][last][first]---------------------------------------------------- Date: Sat, 17 Mar 90 13:18:38 PST From: roeber@portia.caltech.edu To: security@pyrite.rutgers.edu Subject: Welcome banners
Welcome Banners I recently got a DDN security bulletin (# 90-04) that mentioned that one should make sure any computer welcome banners did not contain the word "Welcome." (The default message on some machines is to have the banner be "Welcome to [nodename].") In a recent court case, a judge threw out a case against a hacker because (he ruled) the message "Welcome to ..." was a clear invitation to everyone. The bulletin also suggested that the banners not contain system information (e.g., "VAX/VMS 5.2 on VAX 11/780"), as this can be useful to hackers; it should also not contain the words "for official use only," because it seems that to hackers, this message means it *must* be defense (or at least evil-government) related, and therefore attracts them in droves. Cheers, Frederick Roeber roeber@caltech.edu (or) roeber@caltech.bitnet
-----------[000088][next][prev][last][first]---------------------------------------------------- Date: Sat, 17 Mar 90 21:28:51 EST From: Mike <MEYSTMA@duvm.ocs.drexel.edu> To: Multiple Recipients of list Security-L Subject: National Security Agency
NSA is the National Security Agency. Located in Fort Meade, MD,
they are in charge of obtaining and analysing signals intelligence.
They are more secretive than the CIA, and no research information
is available from them.
Personal note: "Hell, if they knew you were axing about 'em,
they'd probably ax the DIA to investigate you!"
Michael A. Meystel
LAMIR
P.O. BOX 374
Merion Station, Pa 19066-0374
Internet : meystma@duvm.ocs.drexel.edu
Bitnet : meystma@duvm.bitnet
COMPUSERVE : 71540,2726
GEnie : M.MEYSTEL
DELPHI : IMAS
-----------[000089][next][prev][last][first]---------------------------------------------------- Date: Sun, 18 Mar 90 02:07:43 CST From: "Rich Winkel UMC Math Department" <MATHRICH@umcvmb.bitnet> To: security@tcsvm Subject: re: national security archives
I have a blurb on them: "The National Security Archive is an innovative non-profit research institute and library facility which serves scholars, journalists, congress, present and former policy makers, public interest organizations and the american public by making available the internal government documentation that is indispensable for research and informed public debate on foreign, intelligence, defense and international economic policy." They get their info from unclassified govt documents, congressional testimony, court records, presidential libraries, FOIA battles and other sources. They publish their documents and indices on microform which they distribute to libraries for a fee. This is where dangerous kooks who would question the wisdom of our national leaders can stretch their first amendment rights to the limit, at least for the time being. But who really wants to know about US complicity in iranian torture under the shah, or kissinger's deal with nixon to sabotage LBJ's vietnam peace talks in exchange for his appointment in the nixon white house, or the domestic propaganda ministry operating out of the US state department, or the REAL reasons for our invasion of panama etc etc etc. Their phone number is 202-797-0882. Rich
-----------[000090][next][prev][last][first]---------------------------------------------------- Date: 17 Mar 90 21:18:38 GMT From: roeber@PORTIA.CALTECH.EDU To: misc.security Subject: Welcome banners
Welcome Banners I recently got a DDN security bulletin (# 90-04) that mentioned that one should make sure any computer welcome banners did not contain the word "Welcome." (The default message on some machines is to have the banner be "Welcome to [nodename].") In a recent court case, a judge threw out a case against a hacker because (he ruled) the message "Welcome to ..." was a clear invitation to everyone. The bulletin also suggested that the banners not contain system information (e.g., "VAX/VMS 5.2 on VAX 11/780"), as this can be useful to hackers; it should also not contain the words "for official use only," because it seems that to hackers, this message means it *must* be defense (or at least evil-government) related, and therefore attracts them in droves. Cheers, Frederick Roeber roeber@caltech.edu (or) roeber@caltech.bitnet
-----------[000091][next][prev][last][first]---------------------------------------------------- Date: 18 Mar 90 02:28:51 GMT From: MEYSTMA@DUVM.OCS.DREXEL.EDU (Mike) To: misc.security Subject: National Security Agency
NSA is the National Security Agency. Located in Fort Meade, MD,
they are in charge of obtaining and analysing signals intelligence.
They are more secretive than the CIA, and no research information
is available from them.
Personal note: "Hell, if they knew you were axing about 'em,
they'd probably ax the DIA to investigate you!"
Michael A. Meystel
LAMIR
P.O. BOX 374
Merion Station, Pa 19066-0374
Internet : meystma@duvm.ocs.drexel.edu
Bitnet : meystma@duvm.bitnet
COMPUSERVE : 71540,2726
GEnie : M.MEYSTEL
DELPHI : IMAS
-----------[000092][next][prev][last][first]----------------------------------------------------
Date: 18 Mar 90 08:07:43 GMT
From: MATHRICH@umcvmb.BITNET ("Rich Winkel UMC Math Department")
To: misc.security
Subject: re: national security archives
I have a blurb on them: "The National Security Archive is an innovative non-profit research institute and library facility which serves scholars, journalists, congress, present and former policy makers, public interest organizations and the american public by making available the internal government documentation that is indispensable for research and informed public debate on foreign, intelligence, defense and international economic policy." They get their info from unclassified govt documents, congressional testimony, court records, presidential libraries, FOIA battles and other sources. They publish their documents and indices on microform which they distribute to libraries for a fee. This is where dangerous kooks who would question the wisdom of our national leaders can stretch their first amendment rights to the limit, at least for the time being. But who really wants to know about US complicity in iranian torture under the shah, or kissinger's deal with nixon to sabotage LBJ's vietnam peace talks in exchange for his appointment in the nixon white house, or the domestic propaganda ministry operating out of the US state department, or the REAL reasons for our invasion of panama etc etc etc. Their phone number is 202-797-0882. Rich
-----------[000093][next][prev][last][first]---------------------------------------------------- From: roeber@portia.caltech.edu 19-MAR-1990 23:14:01 To: security@pyrite.rutgers.edu
An article in the Los Angeles Times, about some people who made phony ATM cards from paper stock and audio magnetic tape, indicates that the PIN code is not stored on the cards. The people could program the cards with bank account numbers, but the security hole that allowed them to steal money was that one of them, an employee or ex-employee, could reprogram the PINs in the bank database. If the PIN was stored on the card, they could have just picked any number. However, my bank insists that to change my PIN they must re-issue my card. Perhaps there is some type of encryption/verification going on? Question: ATMs use phone lines. Is there any sort of encryption on these lines, to prevent wiretappers from gleaning valid account/PIN combinations? Frederick Roeber roeber@caltech.bitnet roeber@caltech.edu
-----------[000094][next][prev][last][first]---------------------------------------------------- Date: Sun, 18 Mar 90 21:39 EST From: "Rob Rothkopf -- CCR, CNS&M" <MASROB@ubvmsc.cc.buffalo.edu> To: security@pyrite.rutgers.edu Subject: Locks/Security in large institutions (e.g. Universities)
Two questions:
1) In institutions which have frequent room rotations, as in the dormitories of a University, what kinds of policies have been implemented to keep the rooms secure from year to year at your institution? Cylinder rotations can be complicated and costly (institutional politics) if done on a yearly basis but without such actions it would seem that the new residents are relatively unsafe.
2) Does anyone have an automated (no security people watching over constantly) and *secure* building entrance system (or have you seen any) in your living area (again, this is primarily focused at the dormitory setting)? I've seen where all the buildings are locked and students are given the building key, but this policy is but a show to look good for parents; in most cases a stranger can simply wait for a key holder to gain entrance and call out to "hold the door for one sec!"
As some quick background, the reason for my questions (many thanks to those who responded to my request for information on integrated Card Systems!) is that the University of Buffalo has been selected as the site for the 1993 World Universiade (University Olympic Games) and is actively investigating new methods of securing the dorm area which will serve many of the athletes (if not all) (not that current methods are faulty.. only that additional/alternate methods are being considered).
Either send replies to me personally or, preferably, post to this list if you think the content will interest others.
Thanks for any help you can give!
--Rob Rothkopf
-----------[000095][next][prev][last][first]---------------------------------------------------- From: Craig Leres <leres@helios.ee.lbl.gov> 20-MAR-1990 4:30:19 To: security@rutgers.edu
Quite some time ago, the transaction cards spawned by my bank's ATMs were changed so that the last two digits of the account number are printed as XX. This helps protect those people who leave them behind. (It doesn't help them balance their checkbooks, though.) Craig
-----------[000096][next][prev][last][first]---------------------------------------------------- Date: 19 Mar 90 04:49:21 GMT From: root@grumbly.UUCP (Superuser) To: misc.security Subject: Re: thermal lances (was: vault doors)
->Anyone who hasn't seen one of these in action is advised to check out the
->movie "Thief" ...
Then after you've seen the movie - read the book 'the real story'. The movie doesn't follow it very well. Book gives very detailed descriptions of a pro burglar working for the mob.
Richard Ducoty
-----------[000097][next][prev][last][first]---------------------------------------------------- Date: 19 Mar 90 04:49:21 GMT From: grumbly!root@uunet.uu.net (Superuser) To: misc-security@uunet.uu.net Subject: Re: thermal lances (was: vault doors)
->Anyone who hasn't seen one of these in action is advised to check out the
->movie "Thief" ...
Then after you've seen the movie - read the book 'the real story'. The movie doesn't follow it very well. Book gives very detailed descriptions of a pro burglar working for the mob.
Richard Ducoty
-----------[000098][next][prev][last][first]---------------------------------------------------- Date: Mon, 19 Mar 1990 11:23:59 CST From: MCDONALD@vax1.umkc.edu (Gary Lee McDonald) To: security@pyrite.rutgers.edu Subject: Network security problem?
NetFolk, My morning paper (The Kansas City Star, Monday, March 19, 1990) carried a column from The New York Times concerning a new network problem. Machines at LNL DEC, and several other places have been attacked by program to steal password file. Implied unix systems involved, but does anyone know exactly which machines, which operating systems? I'm sure *many* others will be interested in any knowledgeable responses! UMKC GaryM. BITNET contact UMKCVAXn (n=1,3) 5100 Rockhill Road Univ. of Mo. at K.C. Cockefair Hall MCDONALD @ UMKCVAX1.BITNET Room 2, Gary Lee McDonald MCDONALD @ VAX1.UMKC.EDU Kansas City, Mo. 64110 POSTMASTER @ either domain
-----------[000099][next][prev][last][first]---------------------------------------------------- Date: Mon, 19 Mar 90 12:47:31 EST From: ecl@mtgzy.att.com (Evelyn C Leeper) To: misc-security@att.att.com Subject: Debate on Computer Hacking
Harper's Magazine (March 1990 issue) has an on-line debate amongst 20 people
(including Clifford Stoll, the author of THE CUCKOO'S EGG) on the subject of
computer hacking.
I don't think I can summarize it well, so go to your local bookstore or library
and read it for yourself.
Evelyn C. Leeper | +1 201-957-2070 | att!mtgzy!ecl or ecl@mtgzy.att.com
--
The only thing necessary for the triumph of evil is for good men to do nothing.
-Edmund Burke
-----------[000100][next][prev][last][first]---------------------------------------------------- Date: 19 Mar 90 17:47:31 GMT From: ecl@mtgzy.att.com (Evelyn C Leeper) To: misc.security Subject: Debate on Computer Hacking
Harper's Magazine (March 1990 issue) has an on-line debate amongst 20 people
(including Clifford Stoll, the author of THE CUCKOO'S EGG) on the subject of
computer hacking.
I don't think I can summarize it well, so go to your local bookstore or library
and read it for yourself.
Evelyn C. Leeper | +1 201-957-2070 | att!mtgzy!ecl or ecl@mtgzy.att.com
--
The only thing necessary for the triumph of evil is for good men to do nothing.
-Edmund Burke
-----------[000101][next][prev][last][first]---------------------------------------------------- From: hollombe%sdcsvax@ttidca.tti.com (The Polymath) 21-MAR-1990 7:56:01 To: misc-security@sdcsvax.ucsd.edu
Many teller machines have cameras associated with them. They can
photograph the person making every transaction.
}Does anyone know if the access code is, in fact, also on the mag
}stripe?
This varies by bank. While the ANSI standard does give a format for each
of the three tracks on the magnetic strip, in practice each issuing
organization uses proprietary systems. Putting the card number on track
two is pretty universal. Track one often includes a repeat of the card
number and the card holder's name, among other things. Track three is
writable and may include up to date account information. A few banks are
foolish enough to put the cardholder's PIN on the card -- sometimes
encrypted, sometimes not. Many systems only look at track two.
I'm not sure what you mean by "access code." The card number includes
fields that identify the issuing bank.
--
The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Citicorp(+)TTI Illegitimis non
3100 Ocean Park Blvd. (213) 450-9111, x2483 Carborundum
Santa Monica, CA 90405 {csun | philabs | psivax}!ttidca!hollombe
-----------[000102][next][prev][last][first]---------------------------------------------------- Date: Tue, 20 Mar 90 10:38:03 -0500 From: James M Galvin <galvin@tis.com> To: Doug Gwyn <gwyn@smoke.brl.mil> Cc: misc-security@rutgers.edu Subject: Re: Answerbacks / Vendor Liability
I've never seen any claims by DEC, Sun, or more to the point, UCB that their UNIX-based operating systems were secure; have you? What is the point of making innocent manufacturers responsible for some person's malicious abuse of their products? I am sorry, but I just do not agree with you. While I could accept the fact that UCB is a research institution providing a warrantless service to a community, Sun and DEC do not fall into that category. They are commercial institutions selling a service to the same community. They are not completely innocent by any stretch of the imagination. Oh, they might argue they make no claims as to the suitability of their product for any particular purpose, but distributing a product with DEBUG enabled demonstrates a blatant lack of concern for the community in which they sell their services. They should be held accountable. I do not believe this has anything to do with being secure. It is a question of good programming practices and acceptable software distribution practices. And just to be fair, almost every hardware and software vendor today is guilty of the same crime. I only wish the justice system would see it that way. We can go back and forth about whether or not they should have noticed the DEBUG option being set, but, if I were Robert Morris, and really did not have any bad intentions (but then again with our legal system it doesn't really matter), I would have immediately counter sued Sun and DEC. Wishful thinking suggests every one who was infected by the problem should join the cause. Jim
-----------[000103][next][prev][last][first]---------------------------------------------------- Date: Tue, 20 Mar 90 08:50 CST From: "Assistant Director (Academic)" <BELL@uwpg02.uwinnipeg.ca> To: security <@ohstvma.ircc.ohio-state.edu:security@pyrite.rutgers.edu> Subject: Hardwired Home Security systems
I need some info on hardwired home security systems. I have a home which has been pre-wired with the contacts in place for the windows and doors. What I now need to get is the electronics (wire-panel, control panel, siren, etc). Any good suggestions of companies that supply these instruments would be much appreciated. Many thanks. -dave-
-----------[000104][next][prev][last][first]---------------------------------------------------- Date: Tue, 20 Mar 90 08:55 EST From: JBH technical <JBHTECH@irishmvs.bitnet> To: Security Digest <Security@ohstvma.bitnet> Subject: New superhacker at work?
Has anyone heard or seen anything anywhere about a new
'superhacker' breaking into various sites on the Internet
recently? I just caught the tail end of a mention of it on
ABC-TV's World News Tonight with Peter Jennings last night
(Mon, 19 March). Having just finished reading The Cuckoo's
Egg, and hearing that Harvard was one of the places this
person apparently tried to get into, my first thought was to
wonder if Cliff Stoll is being diverted from astronomy again
to go after this person :-)
John
-----------[000105][next][prev][last][first]---------------------------------------------------- Date: Tue, 20 Mar 90 17:53 EST From: DXB4769@ritvax.bitnet To: security@pyrite.rutgers.edu Subject: Re: cordless privacy
>...just because people have reasonable expectations of a right of
>privacy against government eavesdropping, that doesn't mean that the
>*government* respects those rights...
Government "bashing" statements like this are unsupported in fact, and really uncalled for. Granted, maybe in the Hoover days gov't intrusion was definitely questionable, but in our current society, government respects individual rights. The courts support the government in "eavesdropping" cases - surveillance, that is - because given probable cause, it is absolutely permittable, and I would argue the *responsibility* of the government to take advantage of the technological resources they control in order to conduct an investigation and bring criminals to justice. There is no question that power of this kind must be checked to avoid a "Big Brother" society, and it is checked - by other branches of government (I hope we all remember this from Elementary School). To make unfounded accusations against our government is in effect condemning our entire system.
- Dave Bafumo
Rochester Institute of Technology Criminal Justice (Student)
BITNET: dxb4769@ritvax INTERNET: dxb4769@ultb.isc.rit.edu CIS : 73147,3026
*********************************************************************
Disclaimer: All opinions are my own.
*********************************************************************
-----------[000106][next][prev][last][first]----------------------------------------------------
Date: 20 Mar 90 14:50:00 GMT
From: BELL@uwpg02.uwinnipeg.ca ("Assistant Director ", Academic)
To: misc.security
Subject: Hardwired Home Security systems
I need some info on hardwired home security systems. I have a home which has been pre-wired with the contacts in place for the windows and doors. What I now need to get is the electronics (wire-panel, control panel, siren, etc). Any good suggestions of companies that supply these instruments would be much appreciated. Many thanks. -dave-
-----------[000107][next][prev][last][first]---------------------------------------------------- Date: 20 Mar 90 15:38:03 GMT From: galvin@TIS.COM (James M Galvin) To: misc.security Subject: Re: Answerbacks / Vendor Liability
I've never seen any claims by DEC, Sun, or more to the point, UCB that their UNIX-based operating systems were secure; have you? What is the point of making innocent manufacturers responsible for some person's malicious abuse of their products? I am sorry, but I just do not agree with you. While I could accept the fact that UCB is a research institution providing a warrantless service to a community, Sun and DEC do not fall into that category. They are commercial institutions selling a service to the same community. They are not completely innocent by any stretch of the imagination. Oh, they might argue they make no claims as to the suitability of their product for any particular purpose, but distributing a product with DEBUG enabled demonstrates a blatant lack of concern for the community in which they sell their services. They should be held accountable. I do not believe this has anything to do with being secure. It is a question of good programming practices and acceptable software distribution practices. And just to be fair, almost every hardware and software vendor today is guilty of the same crime. I only wish the justice system would see it that way. We can go back and forth about whether or not they should have noticed the DEBUG option being set, but, if I were Robert Morris, and really did not have any bad intentions (but then again with our legal system it doesn't really matter), I would have immediately counter sued Sun and DEC. Wishful thinking suggests every one who was infected by the problem should join the cause. Jim
-----------[000108][next][prev][last][first]---------------------------------------------------- Date: 21 Mar 90 08:12:00 EST From: "MCCREA, SAM" <mccrea@ecf.ncsl.nist.gov> To: "security" <security@pyrite.rutgers.edu> Subject: glossaries
The National Institute of Standards and Technology (NIST, formerly NBS)
will be replacing its outdated FIPS PUB 39 (Computer Security Glossary)
with a FIPS PUB that will be a bibliography of computer security
glossaries from both the private sector and federal government agencies.
If anyone knows of any existing computer security glossaries please
send netmail to:
mccrea@ecf.ncsl.nist.gov (Internet)
or
mccrea%ecf.ncsl.nist.gov@cunyvm.cuny.edu (Bitnet)
Thank you very much,
Sam
-----------[000109][next][prev][last][first]---------------------------------------------------- From: "Don't have a cow, man!" <AEWALSH@fordmurh.bitnet> 23-MAR-1990 16:25:55 To: security@ohstvma
A large commercial bank at which I used to bank had a system for "initializing"
and changing one's PIN as follows:
1. An administrator's card was swiped into a medium-sized device
that had an LED screen and numeric keypad. After entering his/her
code, the customer's card was "swiped".
2. The administrator entered the card/account number.
3. The customer entered the desired PIN twice.
Furthermore, American Express offers a program called "Cash Now". Essentially,
it enables you to withdraw cash or purchase travelers checks at almost any
ATM around the world. On more than one occasion, I have forgotten my PIN number
for my AMEX card. After calling the 800 number, and providing information
about my account (last purchase, etc.), I have been able to change the PIN
over the phone. Scary, isn't it?
My *guess* is that the PIN is not stored on the Mag strip. Rather, it is
accessed into the bank/institution's computer. Just a guess.
Jeffrey Walsh
AEWALSH@FORDMURH
-----------[000110][next][prev][last][first]---------------------------------------------------- Date: Thu, 22 Mar 90 22:38:43 CDT From: phil@wubios.wustl.edu (J. Philip Miller) To: security@pyrite.rutgers.edu Subject: Caller ID (fwd)
That is fine, I will then program my BBS to not accept any call which is
blocked. As long as it is not possible to forge the calling number, this is
rather effective.
-phil
--
J. Philip Miller, Professor, Division of Biostatistics, Box 8067
Washington University Medical School, St. Louis MO 63110
phil@wubios.WUstl.edu - Internet (314) 362-3617 phil@wubios.wustl - bitnet
uunet!wuarchive!wubios!phil-UUCP (314) 362-2693(FAX) C90562JM@WUVMD - bitnet
-----------[000111][next][prev][last][first]---------------------------------------------------- Date: 22 Mar 90 23:25:19 GMT From: rop@neabbs.UUCP (HACK-TIC) To: misc.security Subject: Re: Computer Abuse / Product Liability / Criminal Statutes / ECPA
Maybe a good definition of a hacker: A hacker is someone who is too busy doing weird things using technology to concern him/herself with defining the term 'hacker'. I don't mean to kill a good discussion here, I just feel that discussions about the definition of the term 'hacker' tend to get boring and predictable after two or three messages. Much more interesting (referring to the 2nd of March message) is the question whether playing a game on a computer 20.000 miles away isn't a much more efficient way of learning something than going to school in the first place. Rop Gonggrijp, editor of Hack-Tic, a magazine for Dutch hackers....
-----------[000112][next][prev][last][first]---------------------------------------------------- Date: 23 Mar 90 08:44:33 GMT From: gwyn@SMOKE.BRL.MIL (Doug Gwyn) To: misc.security Subject: Re: Who (Specificly) has Morris' Worm Code?
>Just how easy do you think it is to disassemble a program from machine
>language into source code form?
I don't know a suitable metric for this. (I know it's easy, though tedious, for me.) However, some indication can be gained by observing that certainly hundreds, possibly thousands, of "crackers" routinely disassemble copy-protected applications in order to understand the (often deliberately convoluted) code well enough to strip off copy protection. Don Lancaster explained several of the tricks of the trade in one of his Apple II enhancement books.
> I'd say it takes more "reverse-engineering" than most system
> administrators have the knowledge, time or desire to put into it.
Judging by "The Cuckoo's Egg" and personal experience, I'd say that most system administrators aren't very competent, period. I certainly wouldn't ask one of them to disassemble object code; there are many other people with skill in that area who would be a better choice.
To give you a small taste of what is involved, let's consider a binary executable image (without symbol table, to make it harder) from, say, a PDP-11 UNIX system and some of the initial steps one might take to disassemble it.
1. Devise plausible environmental hypotheses, which can be checked and revised as the work proceeds. E.g. probably the source language was C and the standard C library was linked into the image after all the application-specific object code.
2. Print out a dump of the code. If it's UNIX, you can tell code from data because they're in different load segments that are clearly spelled out by a small initial header attached to the load image. If you can't figure out where the code is, dump it all as instructions as well as hex words and characters; clear character strings must be data (as well as important operational clues), and gobbledegook instruction sequences must be either data or correct instructions decoded with the wrong starting offset (with variable-length instructions it will converge to correct synchronization within a few instructions).
3. Mark subroutine boundaries. These are easy to spot by their characteristic instructions. Also mark (in a different color) subroutine calls.
4. Using knowledge of how the compiler generates code, identify automatic variables, statics, etc. used within a given function as guidelines in decoding it. E.g. registers 0&1 are temporaries, 2-5 are used for "register" autos, and 6&7 are reserved for SP and PC. You can generally recognize when a long int is being accessed from the characteristic code, and similarly for other situations.
5. Figure out what some of the small subroutines do, give them meaningful names (e.g. ring_bell()), and write these labels beside all calls to them.
6. Now iterate to somewhat larger functions that use several of the smaller ones you've already decoded and assigned names. As you figure them out treat them as in step 5 and iterate with yet larger functions.
7. Occasionally, it can be useful to extract the instructions for some mysterious function into a genuine assembly-language or even C source file, assemble it, and call it from a test program you write to explore the behavior of the function in question.
8. Persistence is rewarded.
-----------[000113][next][prev][last][first]---------------------------------------------------- Date: 23 Mar 90 08:44:33 GMT From: Doug Gwyn <gwyn@smoke.brl.mil> To: misc-security@rutgers.edu Subject: Re: Who (Specificly) has Morris' Worm Code?
>Just how easy do you think it is to disassemble a program from machine
>language into source code form?
I don't know a suitable metric for this. (I know it's easy, though tedious, for me.) However, some indication can be gained by observing that certainly hundreds, possibly thousands, of "crackers" routinely disassemble copy-protected applications in order to understand the (often deliberately convoluted) code well enough to strip off copy protection. Don Lancaster explained several of the tricks of the trade in one of his Apple II enhancement books.
> I'd say it takes more "reverse-engineering" than most system
> administrators have the knowledge, time or desire to put into it.
Judging by "The Cuckoo's Egg" and personal experience, I'd say that most system administrators aren't very competent, period. I certainly wouldn't ask one of them to disassemble object code; there are many other people with skill in that area who would be a better choice.
To give you a small taste of what is involved, let's consider a binary executable image (without symbol table, to make it harder) from, say, a PDP-11 UNIX system and some of the initial steps one might take to disassemble it.
1. Devise plausible environmental hypotheses, which can be checked and revised as the work proceeds. E.g. probably the source language was C and the standard C library was linked into the image after all the application-specific object code.
2. Print out a dump of the code. If it's UNIX, you can tell code from data because they're in different load segments that are clearly spelled out by a small initial header attached to the load image. If you can't figure out where the code is, dump it all as instructions as well as hex words and characters; clear character strings must be data (as well as important operational clues), and gobbledegook instruction sequences must be either data or correct instructions decoded with the wrong starting offset (with variable-length instructions it will converge to correct synchronization within a few instructions).
3. Mark subroutine boundaries. These are easy to spot by their characteristic instructions. Also mark (in a different color) subroutine calls.
4. Using knowledge of how the compiler generates code, identify automatic variables, statics, etc. used within a given function as guidelines in decoding it. E.g. registers 0&1 are temporaries, 2-5 are used for "register" autos, and 6&7 are reserved for SP and PC. You can generally recognize when a long int is being accessed from the characteristic code, and similarly for other situations.
5. Figure out what some of the small subroutines do, give them meaningful names (e.g. ring_bell()), and write these labels beside all calls to them.
6. Now iterate to somewhat larger functions that use several of the smaller ones you've already decoded and assigned names. As you figure them out treat them as in step 5 and iterate with yet larger functions.
7. Occasionally, it can be useful to extract the instructions for some mysterious function into a genuine assembly-language or even C source file, assemble it, and call it from a test program you write to explore the behavior of the function in question.
8. Persistence is rewarded.
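[Added example, not part of the archived posts: steps 2, 3 and 5 of the procedure in the two messages above (header-driven code/data split, marking calls and function entries, writing names beside calls), sketched in Python for a PDP-11 UNIX a.out image. The `jsr r5` prologue convention and the helper name `csv` are assumptions about the C compiler of that era, text is assumed to load at address 0, and the sample image is constructed.]

```python
import struct
from collections import namedtuple

# PDP-11 UNIX a.out header: eight little-endian 16-bit words.
Exec = namedtuple("Exec", "magic text data bss syms entry unused flag")
HDR_SIZE = 16
MAGICS = {0o407: "text and data contiguous", 0o410: "read-only text",
          0o411: "separate instruction and data spaces"}


def split_segments(image):
    """Step 2: use the header to separate code from data."""
    if len(image) < HDR_SIZE:
        raise ValueError("truncated header")
    hdr = Exec(*struct.unpack("<8H", image[:HDR_SIZE]))
    if hdr.magic not in MAGICS:
        raise ValueError("not a PDP-11 a.out image: magic %#o" % hdr.magic)
    if hdr.text % 2 or len(image) < HDR_SIZE + hdr.text + hdr.data:
        raise ValueError("segment sizes disagree with file length")
    text = image[HDR_SIZE:HDR_SIZE + hdr.text]
    data = image[HDR_SIZE + hdr.text:HDR_SIZE + hdr.text + hdr.data]
    return hdr, text, data


def find_calls(text):
    """Step 3: word-aligned sweep for JSR Rn,X(PC), opcode 004n67 + offset.

    Returns (call_site, link_register, target) tuples. A linear sweep can
    misread operand words as opcodes, so the hits are candidates to confirm
    by reading the surrounding code, not a finished disassembly.
    """
    n = len(text) // 2
    words = struct.unpack("<%dH" % n, text[:2 * n])
    calls, i = [], 0
    while i < n - 1:
        w = words[i]
        if (w & 0o177000) == 0o004000 and (w & 0o77) == 0o67:
            site = 2 * i
            # PC already points past the offset word when it is added.
            target = (site + 4 + words[i + 1]) & 0xFFFF
            if target < len(text) and target % 2 == 0:
                calls.append((site, (w >> 6) & 7, target))
                i += 2          # skip the offset word we just consumed
                continue
        i += 1
    return calls


def function_entries(calls):
    """Assumption: compiled C functions open with `jsr r5,<save helper>`,
    so every R5-linked call site marks the first word of a function."""
    return sorted(site for site, reg, _ in calls if reg == 5)


def strings(data, minlen=4):
    """Printable ASCII runs in the data segment (the 'operational clues')."""
    out, run = [], bytearray()
    for b in data + b"\0":
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= minlen:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def annotate(calls, names):
    """Step 5: write the names assigned so far beside every call."""
    return ["%06o: jsr %s,%s" % (site, "pc" if reg == 7 else "r%d" % reg,
                                  names.get(target, "L%06o" % target))
            for site, reg, target in calls]


def build_sample():
    """Constructed 0407 image: start -> main -> ring_bell, plus stubs."""
    code = [0o004767, 2, 0o000000,      # 000000 jsr pc,main ; halt
            0o004567, 16,               # 000006 main: jsr r5,csv
            0o004767, 4,                # 000012 jsr pc,ring_bell
            0o000167, 12,               # 000016 jmp cret
            0o004567, 4,                # 000022 ring_bell: jsr r5,csv
            0o000167, 4,                # 000026 jmp cret
            0o010500, 0o000110,         # 000032 csv stub (not the real routine)
            0o000205]                   # 000036 cret stub: rts r5
    data = b"usage: beep\n\x00\x07\x00\x00"
    hdr = struct.pack("<8H", 0o407, 2 * len(code), len(data), 0, 0, 0, 0, 1)
    return hdr + struct.pack("<%dH" % len(code), *code) + data


SAMPLE = build_sample()

if __name__ == "__main__":
    hdr, text, data = split_segments(SAMPLE)
    calls = find_calls(text)
    print(MAGICS[hdr.magic], "text=%d data=%d" % (hdr.text, hdr.data))
    print("function entries:", ["%06o" % a for a in function_entries(calls)])
    print("strings:", strings(data))
    print("\n".join(annotate(calls, {26: "csv", 18: "ring_bell"})))
```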
-----------[000114][next][prev][last][first]---------------------------------------------------- Date: 24 Mar 90 00:43:57 GMT From: "William K. McFadden" <bill@videovax.tv.tek.com> To: misc-security@tektronix.tek.com Subject: Re: Caller ID
How about: You give me your phone number, or I won't answer the phone.
Programming a BBS to enforce this policy should be pretty simple, assuming you
can get a Caller ID box with a serial port. In fact, I can see a programmable
phone offering this feature (don't ring if caller blocks number) as being a hot
item. Of course, it should also contain a list of numbers you don't like and
check any incoming calls against the list. And a big red button (labeled
"BOZO") that instantly hangs up on the caller and adds his number to the list.
Yeah, that's the ticket!
--
Bill McFadden Tektronix, Inc. P.O. Box 500 MS 58-639 Beaverton, OR 97077
bill@videovax.tv.tek.com, {hplabs,uw-beaver,decvax}!tektronix!videovax!bill
Phone: (503) 627-6920 "The biggest difference between developing a missile
component and a toy is the 'cost constraint.'" -- John Anderson, Engineer, TI
-----------[000115][next][prev][last][first]---------------------------------------------------- Date: 24 Mar 90 06:52:43 GMT From: dmr@alice.att.com To: misc-security@uunet.uu.net Subject: Re: Contest announcement
My own contest is "Most appalling display of classlessness in dealing with a serious subject." The nominees are: 1) National Center for Computer Crime Data, Security Magazine, and Gene Spafford, for their "How High Shall We Hang Robert Morris?" contest. 2) Gene Spafford, for the most tasteless article ever to appear in CACM (special credits for the Jodie Foster joke). Dennis Ritchie
-----------[000116][next][prev][last][first]---------------------------------------------------- Date: 25 MAR 90 00:55:41 CDT From: MARK KINSLER <KINSLER@usmcp6.bitnet> To: <SECURITY@TCSVM> Subject: Opening an old safe
Re the locksmith in the little Ohio town who could open up an old safe by feel: Since it's a small town and probably doesn't have a lot of safes in it, doesn't it seem likely that the guy knew the combination and just said that he'd done it by feel? He probably knows every safe in the surrounding area. Change the combination. <kinsler@usmcp6.bitnet>, U of Southern Mississippi, Gulf Coast
-----------[000117][next][prev][last][first]---------------------------------------------------- Date: 25 Mar 90 05:55:41 GMT From: KINSLER@usmcp6.BITNET (MARK KINSLER) To: misc.security Subject: Opening an old safe
Re the locksmith in the little Ohio town who could open up an old safe by feel: Since it's a small town and probably doesn't have a lot of safes in it, doesn't it seem likely that the guy knew the combination and just said that he'd done it by feel? He probably knows every safe in the surrounding area. Change the combination. <kinsler@usmcp6.bitnet>, U of Southern Mississippi, Gulf Coast
-----------[000118][next][prev][last][first]---------------------------------------------------- Date: Sun, 25 Mar 1990 14:13:19 EST From: *Hobbit* <hobbit@pyrite.rutgers.edu> To: security Subject: WARNING -- change in how "security" is delivered
I have changed my remailing method slightly, such that the return-path is "/dev/null@localhost" instead of "security@pyrite.rutgers.edu". Note that if your mailer reads the return-path: header [as it should] when you reply to a message, you will lose, so you may have to explicitly send to the list address or who you intended to reply to. This is actually a good thing, since simply "replying" would sometimes send your reply to the incoming list feed instead of the sender. Then I'd get the message and wouldn't be able to tell where you wanted to put it. I get many of these, i.e. messages that look like the person was trying to reply to a sender and wound up sending it to the list. I will grant you that this "unixish" syntax may not do the right thing on all kinds of hosts, but it will still generate an invalid address and die where it stands under any mailer that tries to return errors to return-path:. Some mailers return to Sender: which is also present; this I can't do much about. This is in a weak attempt to reduce the large number of mailer failures I get back every day. It is very rare that all the addresses on the list actually work at the same time -- there's always one losing host out there someplace that ate its aliases file or can't find another machine farther down the line. This should make the errors die at the source. I will periodically send a message with the "real" return-path, just so I can update my list and make sure things are still working. This should also help me unload this perpetual backlog. One thing that delays resending is wading through all these mail failures and trying to deal with them before I send out more messages. I really wish people would keep their mailers in better operating condition! _H*
-----------[000119][next][prev][last][first]---------------------------------------------------- Date: Sun, 25 Mar 90 17:38 CST From: MCDILDA_WA%ZOO <@utadnx.cc.utexas.edu:MCDILDA_WA@ZOO.decnet> To: security@pyrite.rutgers.edu Subject: Re: Opening an old safe?
You also might try using a 'Black Light (UV)' to shine on the exterior
of the safe. I tried this on an old safe, and found the combination written
in pencil on the back panel.
Wayne McDilda
Network Specialist
Texas SP&GSC
Austin, Texas (512) 475-2452 or mcdilda_wa@spgsc.decnet.utexas.edu
Disclaimer: I'm not paid enough to have my own opinions
[ This is not my father's VAXmobile ]
-----------[000120][next][prev][last][first]---------------------------------------------------- Date: 25 Mar 90 18:05:12 GMT From: nagle@well.sf.ca.us (John Nagle) To: misc.security Subject: Re: "National Center for Computer Crime Data"
>All essays must be received by the National Center for Computer Crime
>Data, 1222-B 17th Avenue, Santa Cruz, CA, 95062 by March 28, 1990.
Who are these guys? Are they government, law enforcement, or are they
selling something?
John Nagle
-----------[000121][next][prev][last][first]---------------------------------------------------- Date: 25 Mar 90 19:13:19 GMT From: hobbit@PYRITE.RUTGERS.EDU (*Hobbit*) To: misc.security Subject: WARNING -- change in how "security" is delivered
I have changed my remailing method slightly, such that the return-path is "/dev/null@localhost" instead of "security@pyrite.rutgers.edu". Note that if your mailer reads the return-path: header [as it should] when you reply to a message, you will lose, so you may have to explicitly send to the list address or who you intended to reply to. This is actually a good thing, since simply "replying" would sometimes send your reply to the incoming list feed instead of the sender. Then I'd get the message and wouldn't be able to tell where you wanted to put it. I get many of these, i.e. messages that look like the person was trying to reply to a sender and wound up sending it to the list. I will grant you that this "unixish" syntax may not do the right thing on all kinds of hosts, but it will still generate an invalid address and die where it stands under any mailer that tries to return errors to return-path:. Some mailers return to Sender: which is also present; this I can't do much about. This is in a weak attempt to reduce the large number of mailer failures I get back every day. It is very rare that all the addresses on the list actually work at the same time -- there's always one losing host out there someplace that ate its aliases file or can't find another machine farther down the line. This should make the errors die at the source. I will periodically send a message with the "real" return-path, just so I can update my list and make sure things are still working. This should also help me unload this perpetual backlog. One thing that delays resending is wading through all these mail failures and trying to deal with them before I send out more messages. I really wish people would keep their mailers in better operating condition! _H*
-----------[000122][next][prev][last][first]---------------------------------------------------- Date: 25 Mar 90 23:38:00 GMT From: MCDILDA_WA@ZOO.decnet (MCDILDA_WA%ZOO) To: misc.security Subject: Re: Opening an old safe?
You also might try using a 'Black Light (UV)' to shine on the exterior
of the safe. I tried this on an old safe, and found the combination written
in pencil on the back panel.
Wayne McDilda
Network Specialist
Texas SP&GSC
Austin, Texas (512) 475-2452 or mcdilda_wa@spgsc.decnet.utexas.edu
Disclaimer: I'm not paid enough to have my own opinions
[ This is not my father's VAXmobile ]
-----------[000123][next][prev][last][first]---------------------------------------------------- Date: 26 Mar 90 07:41:28 GMT From: annala@neuro.usc.edu (A J Annala) To: misc-security@ucbvax.berkeley.edu Subject: Re: Opening an old safe?
Many people have the misconception (largely propagated by the media) that safes can be opened by people using sensitive stethoscopes. However, by and large no competent professional safecracker relies on sound. Instead, at least at the "agency" school, they teach students to rely on developing a sensitive touch. Many safes (particularly old crackerjack boxes) are not built to particularly tight tolerances. As a consequence, you can simply feel the tumblers behind the dial when they impact each other. By turning the dial back and forth (let's not get too specific here) one can build up a chart of where the tumblers impact each other and where the indentation for the locking mechanism exists on each wheel. More modern "spy proof" & "manipulation proof" locks resist such penetration attempts. However, if you have a reasonably long period of time just about any safe can be opened. A thermal lance is typically a hollow fuel rod with a high pressure oxygen source in the center (2000-4000 psi gas tank) usually used to burn through the exterior of a safe. Unfortunately, they are very messy, loud, emit a lot of light, and often burn up the contents of the safe. You would most often be better off getting inside knowledge about where to drill the safe door, set up a jig with some low speed high torque drill and a set of cobalt drill bits. By the way, beware of alarm sensors and tear gas bottles that may be hidden inside the door of the safe. Apart from military operations, no one is fool enough to try to "blow" a safe these days. However, if you're in a hurry, spend a little time to learn how to make shaped cutting charges to slice through the bolts in the door of the safe. Plastique will do the job in a pinch ... but some time spent casting more uniform charges with metal liners will reduce the amount of explosive and consequent mess to clean up. If you want to do it right check out some old "It Takes A Thief" and the more recent "Die Hard" movies. 
They both illustrate appropriate methods for opening the most resistant safes.
-----------[000124][next][prev][last][first]---------------------------------------------------- Date: 26 Mar 90 07:44:04 GMT From: annala@NEURO.USC.EDU (A J Annala) To: misc.security Subject: Re: Opening an old safe?
One final note: It is often easier to go through the walls of a safe or a vault than it is to try to penetrate the door of the device. This point is often missed by the amateur who takes the challenge of opening the safe head on.
-----------[000125][next][prev][last][first]---------------------------------------------------- Date: Mon, 26 Mar 90 17:15 EST From: "Don't have a cow, man!" <AEWALSH@fordmurh.bitnet> To: security@ohstvma Subject: Ink for Currency (was Computer Forged Documents -
While we're on the subject of paper for American currency, allow me to pose a question on *ink*. I was told that one of the ways (not THE way, if there is one) to double-check for authenticity of a bill is to rub the face side on a piece of white paper. In every case, a green smudge was produced. One of my former managers told me that this is a technique to weed out counterfeit currency, because the ink used by the US Mint never "dries" - it will always yield a smudge. Is this true? Jeffrey Fordham University AEWALSH@FORDMURH
-----------[000126][next][prev][last][first]---------------------------------------------------- Date: 26 Mar 90 18:47:19 GMT From: nagle@well.sf.ca.us (John Nagle) To: misc-security@uunet.uu.net Subject: Re: What IS a thermal lance (Re: vault doors, was: locks)
>Exactly what is a thermal lance?
It's a cutting torch that burns steel as fuel. A simple form is seven
steel rods arranged in a hexagonal array inside a steel tube. Oxygen is
pumped in one end of the tube and the other end is ignited, usually by
first lighting a wood block, which will burn nicely in oxygen, and using
it to ignite the steel. One of these will cut through a railroad rail in
a few tens of seconds.
There are several major drawbacks to the thermal lance. The type of
steel used is critical, and there are hazards if a poor type is chosen.
The amount of oxygen used is very high; you tend to need many cylinders
to get any real work done. The lance itself is consumed rapidly, so you need
plenty of lance sections. This makes it a very expensive tool to use.
It's not used much by criminals, since the amount of equipment you have to
bring along is high. Typical uses include clearing railroad wrecks.
John Nagle
-----------[000127][next][prev][last][first]---------------------------------------------------- Date: 26 Mar 90 19:19:28 GMT From: hollombe%sdcsvax@ttidca.tti.com (The Polymath) To: misc-security@sdcsvax.ucsd.edu Subject: Re: Re: Computer Forged Documents - money
}I read in the Boston Globe recently that the U.S. Treasury puts small
}red and blue threads in its paper money. The item mentioned the paper is
}so difficult to make, that many counterfeiters bleach small denominations
}and re-print larger denominations onto the bleached bills.
Not only is it difficult to make, it's difficult to get. A few years ago
we wanted to print up some "funny money" to use for testing automatic
teller machines. The paper used had to be the same density and thickness
as that used for real money (also the same width and length, of course),
since modern ATMs are very sophisticated about such things.
We suddenly found ourselves explaining to some very interested Treasury
officials exactly why we wanted this particular paper and what we intended
to do with it.
We eventually got it, without the red and blue threads (ATMs aren't _that_
sophisticated -- yet).
--
The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Citicorp(+)TTI Illegitimis non
3100 Ocean Park Blvd. (213) 450-9111, x2483 Carborundum
Santa Monica, CA 90405 {csun | philabs | psivax}!ttidca!hollombe
-----------[000128][next][prev][last][first]---------------------------------------------------- Date: Tue, 27 Mar 90 03:24 CST From: GREENY <MISS026@ecncdc.bitnet> To: <security@pyrite.rutgers.edu> Subject: re^3: money....
> took out a one dollar bill and sure enough there were tiny little red and
> blue threads...
uh huh....there sure are, but have you forgotten that the colors of the USA are Red, WHITE, and Blue? There are some clear threads in there as well that are supposed to show up under UV light....also, the ink contains certain amounts of magnetic particles...
Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY
-----------[000129][next][prev][last][first]---------------------------------------------------- Date: Tue, 27 Mar 90 08:13:00 EST From: 34AEJ7D@cmuvm.bitnet To: SECURITY Digest <SECURITY@OHSTVMA> Subject: Re: car keys
>They did not ask for proof of ownership, or anything else
I have personally seen police departments unlock a locked vehicle (mine) with a device they have for that purpose. They didn't ask me for ID or proof of ownership, either - just took my word that it was my car and that I was locked out. OK, so maybe they ran the plate, but I *could* have known the owner's name and been using it to bluff such a check (if I were either stupid or desperate).
-----------[000130][next][prev][last][first]---------------------------------------------------- Date: Tue, 27 Mar 90 08:28:00 EST From: edelheit@smiley.mitre.org (Jeff Edelheit x7586) To: topper%a1.relay@upenn.edu Cc: security@pyrite.rutgers.edu Subject: Re: Report on a Security Conference
An alternative conference is the NIST/NCSC annual conference. It provides civil, military and commercial sector perspective on security. It addresses real live security issues of today plus a fair amount of what is going on in the research community. You will also get presentations from non-US nationals. There is virtually no commercial hype. It's usually a 2.5 day conference with a day of tutorials preceding the first day. The conference will be held in Washington, DC in the September/October timeframe. There are usually several thousand attendees and the cost is minimal (e.g., ~$300). Regards, Jeff Edelheit (edelheit%smiley@gateway.mitre.org) The MITRE Corporation 7525 Colshire Drive McLean, VA 22102
-----------[000131][next][prev][last][first]---------------------------------------------------- Date: Tue, 27 Mar 90 13:56 EST From: WHMurray@dockmaster.ncsc.mil To: VIRUS-L@lehiibm1.bitnet, security@rutgers.edu Subject: Announcement IFIPSEC '91
Seventh International Conference on
Information Security
"Creating Confidence in Information Processing"
First Announcement and Call for Papers
LOCATION
The conference will be held in Brighton, a large coastal
town in southern England. One of Britain's premier resorts,
Brighton is one hour from London by rail, and convenient to
both London Airports.
The conference will be held at the Metropole Hotel. The
hotel is located on the ocean near the town centre.
DATES
15-17 May, 1991
ORGANIZERS
The conference is being organized by IFIP Technical
Committee on Security (TC11) in cooperation with the British
Computer Society and the European Region of the EDPAA. It
is being sponsored by Digital Equipment Company, Ltd.
LANGUAGE
The official language of the conference will be English.
CONFERENCE SECRETARIAT
IFIP/Sec '91
Elsevier Science Publishers Ltd.
Mayfield House
256 Banbury Road
Oxford OX2 7DH UK
Tel: +44 (0)865 512242
Fax: +44 (0)865 310981
Organizing Committee, David T. Lindsay, Chairman
Programme Committee, Wyn L. Price, Chairman
North American Members of the Programme Committee:
Jim H. Finch
Peter P. C. H. Kingston
Martin Kratz
William H. Murray (WHMurray@DOCKMASTER.NCSC.MIL)
CONFERENCE OBJECTIVES
The conference objectives are:
* to emphasize the importance of information security as a
critical management requirement
* to address the need to enhance the integrity and
security of computer based systems and data networks
* to share knowledge in the development and use of
information security management methods and systems
security and technical tools
* to address the differing, as well as common, interests
of management, auditors, security practitioners, and the
data processing community
* to promote international co-operation in the advancement
of information and computer security practices and
technologies
CALL FOR PAPERS
Contributions are invited describing practical experience
and research on all aspects of computer, network, and
information security including business, professional,
legal, research and educational areas. (Papers with
over-emphasis on specific product marketing will not be
accepted.)
Abstracts should be more than 200 and less than 1000 words
in length, typed, double-spaced, on one side of the sheet.
The Committee will select papers based on submitted
abstracts. Abstracts are due 31 May 1990. Authors will be
notified of acceptance by 30 September 1990 and camera ready
copy of the papers will be due 28 February 1991.
ADDITIONAL INFORMATION
An additional announcement including the programme and
registration details will be available in December 1990.
For a copy of the official announcement please send name and
postal address to: WHMurray@DOCKMASTER.NCSC.MIL
-----------[000132][next][prev][last][first]---------------------------------------------------- Date: 27 Mar 90 17:20:43 PST (Tue) From: sagpd1!jharkins@ncr-sd.sandiego.ncr.com (Jim Harkins) To: security-request@rutgers.edu Subject: Clearing a building nightly
My company has just moved into a new facility, equipped with a security system that we turn on at night. The problem is, how do we make sure everyone is out of the building before turning it on? The current thinking is that if anyone is working past 7 PM they go to the lobby and sign in, then the last person to leave turns on the alarm. However, when deadlines approach people tend to get so involved in the current problem that several times they'll look up and say "dang, it's 9:00. I better sign in!". Needless to say if the alarm was already turned on then the cops, and our security officer get called. This is embarrassing to say the least. It happened last week (not to me). So we need to know how to ensure the building is empty before turning the system on. This silly building is laid out like a maze, thus a security guard making a quick check stands a very good chance of missing an employee visiting the litterbox. We don't have a paging system and have no intention of getting one. We talked about installing buzzers throughout the building to warn late workers to go sign in but this is very expensive. I'm sure several other companies have been faced with this problem. Any ideas on what to do would be appreciated. jim jharkins@sagpd1 We are all aware of the high cost of alcohol abuse. To help solve this problem take this signature to your local liquor store for $1.00 off your next purchase.
-----------[000133][next][prev][last][first]---------------------------------------------------- Date: 27 Mar 90 09:24:00 GMT From: MISS026@ecncdc.BITNET (GREENY) To: misc.security Subject: re^3: money....
> took out a one dollar bill and sure enough there were tiny little red and
> blue threads...
uh huh....there sure are, but have you forgotten that the colors of the USA are Red, WHITE, and Blue? There are some clear threads in there as well that are supposed to show up under UV light....also, the ink contains certain amounts of magnetic particles...
Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY
-----------[000134][next][prev][last][first]---------------------------------------------------- Date: Tue Mar 27 20:22:10 1990 From: guhsd000@crash.cts.com (Paula Ferris) To: misc-security@crash.cts.com Subject: Re: Video camera devices
Visual Methods Inc. 35 Charles Street Westwood, NJ 07675 They manufacture all types of video equipment for everything from ATM machines video systems to dual image fiberoptic arrays, as well as the world's smallest full color TV camera. As for legal aspects, I don't know. I do know in a public place, such as a store, or a warehouse at a business, you can record without notifying people in the area that they may be recorded so long as it's video only with no sound. You might be able to use this in a private atmosphere, or try an understated sign (near the driveway maybe) with something to the extent that the property may be utilizing video surveillance. I think most people would interpret it as the outside grounds are being watched rather than inside. But, I'm not a lawyer, so take your own chances.
-----------[000135][next][prev][last][first]---------------------------------------------------- Date: 27 Mar 90 18:56:00 GMT From: WHMurray@DOCKMASTER.NCSC.MIL To: misc.security Subject: Announcement IFIPSEC '91
Seventh International Conference on
Information Security
"Creating Confidence in Information Processing"
First Announcement and Call for Papers
LOCATION
The conference will be held in Brighton, a large coastal
town in southern England. One of Britain's premier resorts,
Brighton is one hour from London by rail, and convenient to
both London Airports.
The conference will be held at the Metropole Hotel. The
hotel is located on the ocean near the town centre.
DATES
15-17 May, 1991
ORGANIZERS
The conference is being organized by IFIP Technical
Committee on Security (TC11) in cooperation with the British
Computer Society and the European Region of the EDPAA. It
is being sponsored by Digital Equipment Company, Ltd.
LANGUAGE
The official language of the conference will be English.
CONFERENCE SECRETARIAT
IFIP/Sec '91
Elsevier Science Publishers Ltd.
Mayfield House
256 Banbury Road
Oxford OX2 7DH UK
Tel: +44 (0)865 512242
Fax: +44 (0)865 310981
Organizing Committee, David T. Lindsay, Chairman
Programme Committee, Wyn L. Price, Chairman
North American Members of the Programme Committee:
Jim H. Finch
Peter P. C. H. Kingston
Martin Kratz
William H. Murray (WHMurray@DOCKMASTER.NCSC.MIL)
CONFERENCE OBJECTIVES
The conference objectives are:
* to emphasize the importance of information security as a
critical management requirement
* to address the need to enhance the integrity and
security of computer based systems and data networks
* to share knowledge in the development and use of
information security management methods and systems
security and technical tools
* to address the differing, as well as common, interests
of management, auditors, security practitioners, and the
data processing community
* to promote international co-operation in the advancement
of information and computer security practices and
technologies
CALL FOR PAPERS
Contributions are invited describing practical experience
and research on all aspects of computer, network, and
information security including business, professional,
legal, research and educational areas. (Papers with
over-emphasis on specific product marketing will not be
accepted.)
Abstracts should be more than 200 and less than 1000 words
in length, typed, double-spaced, on one side of the sheet.
The Committee will select papers based on submitted
abstracts. Abstracts are due 31 May 1990. Authors will be
notified of acceptance by 30 September 1990 and camera ready
copy of the papers will be due 28 February 1991.
ADDITIONAL INFORMATION
An additional announcement including the programme and
registration details will be available in December 1990.
For a copy of the official announcement please send name and
postal address to: WHMurray@DOCKMASTER.NCSC.MIL
-----------[000136][next][prev][last][first]---------------------------------------------------- Date: Tue, 27 Mar 90 23:44:38 EDT From: Iqbal Qazi <WQ956C@gwuvm.bitnet> To: security@pyrite.rutgers.edu Subject: Curious
A friend of mine had this question and I thought someone out there could
answer it. What organizations were formed by the National Security
Act of 1947? The CIA is one of them, anyone know any more? I think
there are 5.
Thanks,
Iqbal Qazi
WQ956C at GWUVM
-----------[000137][next][prev][last][first]---------------------------------------------------- Date: Wed, 28 Mar 90 11:27:09 MST From: Bob Kaneshige <KHAAV@asuacad.bitnet> To: security@pyrite.rutgers.edu Subject: Re: Them Locks Are Easy
Are there any vette owners out there? If so, do you supplement the factory alarm system with a brand 'X' security alarm? I have an '82 and I do not feel quite 'secure' with what GM has installed in it. I've looked at several aftermarket systems, most notably the ones offered by Alpine, Kenwood, Audiovox, plus UNGO box, Enforcer, Viper, Sentry, and Autopage. Most of them have features for glass breakage, shock sensor, motion sensor, starter disable, panic, automatic door lock, flashing LEDs, manual override, remote arming, and just about anything imaginable. By talking to the salesmen, what you usually hear is that their "brand 'X' is the best on the market"..if I bought every one they recommended and installed them, my battery would be dead in a short time :-). I realize that if someone really wanted to steal your car, no alarm in the world will prevent it, short of having a doberman sitting in the seat with the windows open. If anyone is satisfied with their brand 'X' system, I'd like to hear from them. Thanks... Bob
-----------[000138][next][prev][last][first]---------------------------------------------------- Date: 28 Mar 90 04:49:37 GMT From: fantom@wam.umd.edu (Thomas Mark Swiss) To: misc.security Subject: Reading list wanted
Hi, all. I've been looking around for some good texts on computer security
but haven't been able to find any good books on the subject. I would be quite
grateful if anyone could recommend an introductory text. I'm mainly interested
in system security, but would also like to learn about data encryption and copy
protection.
Thanks!
================================================================================
Tom Swiss | "The time will come when men such as I will look on
fantom@cscwam.umd.edu | the murder of animals as they now look on the murder
"I Think, therefore | of men." - Leonardo da Vinci
I'm Dangerous..." |
-----------[000139][next][prev][last][first]---------------------------------------------------- Date: Wed, 28 Mar 90 10:46:36 EST From: ARDAVAN@carleton.ca To: security@pyrite.rutgers.edu Subject: Security Cameras
I'm looking for some information which would lead to manufacturers
of security equipment used for monitoring purposes (Closed Circuit TV).
The idea is to use cameras (either hidden or obvious) which are connected
to a VCR. The VCR takes time-lapsed photos of an area which contains
equipment (PC's mostly) so that anyone walking away with the stuff will
be captured on tape.
Any names and addresses of manufacturers of such equipment, past
experiences with hidden/visible cameras would be appreciated. If any
of the addresses are in Canada, so much the better.
Ardavan <Ardavan_Tajbakhsh@Carleton.CA>
-----------[000140][next][prev][last][first]---------------------------------------------------- Date: Wed, 28 Mar 90 20:22:51 PST From: Craig Leres <leres@helios.ee.lbl.gov> To: CJS@cwru.bitnet Cc: security@pyrite.rutgers.edu (*Hobbit*) Subject: Re: Car Locks -- They had great locks at Hertz in Belfast
> I never could find out who made the locks. Too bad; I'd like to get a few sets to install in my cars. Ever see a key for a late model Mercedes? There are wiggly little channels along the side of the key. And I'm pretty sure that you can set the alarm off by inserting the wrong key or trying to pick the lock. Craig
-----------[000141][next][prev][last][first]---------------------------------------------------- Date: Thu, 29 Mar 90 09:45:22 EST From: Mark.Leone@f.gp.cs.cmu.edu To: misc-security@rutgers.edu Subject: Re: datsun keys
>about datsun keys. be VERY careful about testing your key in other peoples
>vehicles of the same make.
I'll second this for Honda keys. My brother accidentally used his Honda Civic key to start my Mom's Civic. The key jammed in the "start" position, preventing the starter motor from disengaging even though the engine had started. The net result was an engine fire! Luckily we always carry a fire extinguisher and managed to get the fire out and the key unjammed before any serious damage to the engine (or us) occurred. The starter was completely destroyed, of course.
- Mark
-----------[000142][next][prev][last][first]---------------------------------------------------- Date: Thu, 29 Mar 1990 15:56:12 EST From: *Hobbit* <hobbit@pyrite.rutgers.edu> To: security@localhost Subject: okay, okay
... so I haven't read RFC822/823 in a while. My initial trials with this configuration returned very few errors, so I had the mistaken impression that it was actually working. A verbose queue run tells me that mail is still being delivered with an envelope address of "security", however, so this isn't the correct method. I've been informed that "correct" mailers *will* reply to the From: field, but there are a lot of different mailers out there, many of them incorrect, that will send replies to all kinds of different places. I have no control over these other than yelling at postmasters, and you have NO IDEA how heartily sick of yelling at postmasters I have become over the years. Often enough there isn't even a "postmaster" address at some sites, and I don't have to re-read RFC822 et al to know that THAT is a bozo no-no. If your mailer deals with the From: field then fine, if it doesn't then you stand to lose unless you explicitly mail to the sender. It all depends on your site. The fact remains that most mailers try to return errors to the *envelope* address. Over the next few days I will be playing with various configurations until I find something that works, so if you see some odd-looking errors you'll know why. I didn't mean for this to turn into a mailer flame, which has nothing to do with security. But the volume of "Wrong!" replies I've gotten back has made it into something of a debacle, so next time I go to change something I won't WASTE YOUR TIME with any announcements at all, and just watch everything quietly break. Fair enough? _H*
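The distinction the post above draws between the envelope address and the header fields, as an added example that is not part of the original post or the list's mailer setup: it models which address each kind of mailer would pick for replies and for error returns. The example.org addresses, the Sender: value and the strategy names are constructed for illustration; only "/dev/null@localhost" comes from the thread.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of one list message as a subscriber's host receives it.
# Only the Return-Path value is taken from the thread; the rest is made up.
RAW_MESSAGE = """\
Return-Path: </dev/null@localhost>
Sender: list-owner@lists.example.org
From: Some Poster <poster@site.example.org>
To: security@lists.example.org
Subject: Re: Opening an old safe?

(body)
"""

# The envelope sender travels in the transport dialogue, outside the
# message text, so editing header lines does not change it.
ENVELOPE_SENDER = "security@lists.example.org"

# Addresses that land back in the list maintainer's mailbox (constructed).
LIST_ADDRESSES = {"security@lists.example.org", "list-owner@lists.example.org"}

# Hypothetical names for the three error-return behaviours the thread mentions.
BOUNCE_STRATEGIES = ("envelope", "return-path-header", "sender-header")


def header_addr(msg, name):
    """Return the bare address found in header `name`, or None if absent."""
    value = msg.get(name)
    if value is None:
        return None
    return parseaddr(value)[1] or None


def reply_target(msg):
    """Where a user's reply goes: Reply-To: if present, otherwise From:."""
    return header_addr(msg, "Reply-To") or header_addr(msg, "From")


def bounce_target(msg, envelope_sender, strategy):
    """Where a delivery failure notice goes under the given strategy."""
    if strategy == "envelope":
        return envelope_sender
    if strategy == "return-path-header":
        return header_addr(msg, "Return-Path") or envelope_sender
    if strategy == "sender-header":
        return header_addr(msg, "Sender") or envelope_sender
    raise ValueError(f"unknown strategy: {strategy}")


def bounce_report(raw, envelope_sender, list_addresses):
    """Map each strategy to (target, still_reaches_list_maintainer)."""
    msg = message_from_string(raw)
    report = {}
    for strategy in BOUNCE_STRATEGIES:
        target = bounce_target(msg, envelope_sender, strategy)
        report[strategy] = (target, target in list_addresses)
    return report


if __name__ == "__main__":
    msg = message_from_string(RAW_MESSAGE)
    print("reply goes to:", reply_target(msg))
    # Case 1: only the header was rewritten; the envelope still names the list.
    for strategy, (target, hits_list) in bounce_report(
            RAW_MESSAGE, ENVELOPE_SENDER, LIST_ADDRESSES).items():
        print(f"header-only change  {strategy:20} -> {target} (list sees it: {hits_list})")
    # Case 2: the envelope sender itself is the dead address.
    for strategy, (target, hits_list) in bounce_report(
            RAW_MESSAGE, "/dev/null@localhost", LIST_ADDRESSES).items():
        print(f"envelope changed    {strategy:20} -> {target} (list sees it: {hits_list})")
```

With only the header rewritten, mailers that return errors to the envelope address still reach the list address, which matches what the verbose queue run in the post showed.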
-----------[000143][next][prev][last][first]---------------------------------------------------- Date: Thu, 29 Mar 90 19:06:18 EST From: jordan@morgan.com (Jordan Hayes) To: security@rutgers.edu Subject: Re: Them Locks Are Easy
Pullout stereos, amplifiers in the trunk out of sight and a blinking LED are all good ideas. Pullout stereos are only good if you pull them out *all* the time (as many folks who had theirs "pulled out" will tell you). Amplifier in the trunk *might* help. I had mine taken anyway. It took 8 hours to get installed. It took a bit of time to get out, but they got it out ... grrr ... /jordan
-----------[000144][next][prev][last][first]---------------------------------------------------- Date: 29 Mar 90 14:45:22 GMT From: Mark.Leone@F.GP.CS.CMU.EDU To: misc.security Subject: Re: datsun keys
>about datsun keys. be VERY careful about testing your key in other peoples
>vehicles of the same make.
I'll second this for Honda keys. My brother accidentally used his Honda Civic key to start my Mom's Civic. The key jammed in the "start" position, preventing the starter motor from disengaging even though the engine had started. The net result was an engine fire! Luckily we always carry a fire extinguisher and managed to get the fire out and the key unjammed before any serious damage to the engine (or us) occurred. The starter was completely destroyed, of course.
- Mark
-----------[000145][next][prev][last][first]---------------------------------------------------- Date: 29 Mar 90 14:59:53 GMT From: guhsd000@crash.cts.com (Paula Ferris) To: misc.security Subject: investigative services
You may want to try to get a hold of IRSC, I think it stands for
Information Resource Service Company.
I used to use them for Skip Tracing, and general investigative work on my own,
I do not know what their current signup fees, and per search fees are.
As I recall, they have some 700 databases, including a complete copy of the
CBI credit database, which is very handy, I think they renamed their cope the
y
something different.
I just found the price sheet, searches run from $3.75 for a driving record to
$125 for a "Business Factual Data Report."
Anyway, try reaching:
Tom C. Bownes at IRSC at:
3777 N. Harbor Blvd.
Fullerton, CA 92635
CA 800/321-2278
US 800/841-1990
or 714/526-8485
-----------[000146][next][prev][last][first]---------------------------------------------------- Date: Thu, 29 Mar 90 17:24:26 GMT From: jad@dayton.dhdsc.mn.org (J. Deters) To: security@rutgers.edu Subject: Re: Home security systems
I just installed an Ademco Vista 4140XM in my house, and it has the capacity to cover all of the above sensors/accessories out of the box. 9 wired loops, and can handle a 64 zone polled loop. Has full support for central station monitoring, and can be used with wireless systems, too (yuck.) I also have a 5137 console with it. 32 character alphanumeric display, on-line help/instructions, and custom programmable with your descriptions/words/etc. I *really* like it. If anyone would like the name/number of the company I bought mine from, email me. Being in Mass., you probably will want to buy locally, however. By the way, you really should include several fire/smoke sensors to your above list. -j -- J. Deters INTERNET: jad@dayton.DHDSC.MN.ORG .\ /. "Smile -- Cthulu loathes you!" UUCP: ...!bungia!dayton!jad \_____/ ICBM: 44^58'36"N by 93^16'12"W
-----------[000147][next][prev][last][first]---------------------------------------------------- Date: 29 Mar 90 20:56:12 GMT From: hobbit@PYRITE.RUTGERS.EDU (*Hobbit*) To: misc.security Subject: okay, okay
... so I haven't read RFC822/823 in a while. My initial trials with this configuration returned very few errors, so I had the mistaken impression that it was actually working. A verbose queue run tells me that mail is still being delivered with an envelope address of "security", however, so this isn't the correct method. I've been informed that "correct" mailers *will* reply to the From: field, but there are a lot of different mailers out there, many of them incorrect, that will send replies to all kinds of different places. I have no control over these other than yelling at postmasters, and you have NO IDEA how heartily sick of yelling at postmasters I have become over the years. Often enough there isn't even a "postmaster" address at some sites, and I don't have to re-read RFC822 et al to know that THAT is a bozo no-no. If your mailer deals with the From: field then fine, if it doesn't then you stand to lose unless you explicitly mail to the sender. It all depends on your site. The fact remains that most mailers try to return errors to the *envelope* address. Over the next few days I will be playing with various configurations until I find something that works, so if you see some odd-looking errors you'll know why. I didn't mean for this to turn into a mailer flame, which has nothing to do with security. But the volume of "Wrong!" replies I've gotten back has made it into something of a debacle, so next time I go to change something I won't WASTE YOUR TIME with any announcements at all, and just watch everything quietly break. Fair enough? _H*
-----------[000148][next][prev][last][first]---------------------------------------------------- Date: Fri, 30 Mar 90 11:38:55 CST From: Jonathon Simon <JSIMON@trinity.bitnet> To: SECURITY <security@TCSVM> Subject: MVS SECURITY ( password exit )
We are interested in increasing security for our:
MVS/SP guest (JES2), and have considered
the idea of writing a small program to function in place of RACF -
essentially a "poor-man's" BATCH security EXIT. We have been unable to get
funding for a full blown system like RACF, TOP SECRET, etc., and would
settle (for the time being) for a simple PASSWORD to USER/ACCOUNT cross
reference validation prior to job execution. This wouldn't prevent unauthorized
file accesses, but it could help with our auditing by helping to
guarantee that batch job USERs are indeed who they say they are.
Q: Has anyone else written their own OS security module(s)? If so, would
you be willing to help us get started by sending us samples? Or, are you
aware of any user group tapes containing such security exits?
P.S. Please address me directly since I am not on the IBM-MAIN list.
Thanks.
-----------[000149][next][prev][last][first]---------------------------------------------------- Date: Fri Mar 30 11:29:53 1990 From: guhsd000@crash.cts.com (Paula Ferris) To: misc-security@crash.cts.com Subject: investigative services
You may want to try to get a hold of IRSC, I think it stands for
Information Resource Service Company.
I used to use them for Skip Tracing, and general investigative work on my own,
I do not know what their current signup fees, and per search fees are.
As I recall, they have some 700 databases, including a complete copy of the
CBI credit database, which is very handy, I think they renamed their copy they
something different.
I just found the price sheet, searches run from $3.75 for a driving record to
$125 for a "Business Factual Data Report."
Anyway, try reaching:
Tom C. Bownes at IRSC at:
3777 N. Harbor Blvd.
Fullerton, CA 92635
CA 800/321-2278
US 800/841-1990
or 714/526-8485
-----------[000150][next][prev][last][first]---------------------------------------------------- Date: Fri, 30 Mar 90 18:38 EST From: WHMurray@dockmaster.ncsc.mil To: security@rutgers.edu Cc: rsa@well.sf.ca.us Subject: Factoring Large Numbers
>I have received a report from an independent researcher,
>Giorgio Coraluppi, that claims to have developed an algorithm
>to factor large numbers in a relatively short amount of time.
This might have been of interest to the SECURITY list because the RSA public key crypto system relies for its security, in part, upon the fact that, while it is trivial to find the product of two large prime numbers, it is difficult to find the two primes from the product.
However, it does not rely upon the elapsed time required, but rather upon the cost. There is a great deal of published work dealing with trading off other cost against time. There has even been one demonstration using cooperating processors across the internet. The demonstration got the cost for large products down to days. The cost was not too high because the processors only applied otherwise slack time to the effort. However, it required a tremendous amount of access and cooperation.
Perhaps more important, the RSA system does not rely upon large products (say 2**32) or even upon astronomical numbers (say 2**56) but rather upon super large astronomical numbers on the order of 2**400-800. Even this choice is arbitrary and keys of arbitrary length are possible. The cost or "work-factor" of attack, i.e., security, goes up exponentially with the length of the product, but the effect on performance is linear.
The man who comes up with an algorithm to factor arbitrarily large numbers in linear time will not have to advertise. Chances are one in ten that he works for NSA, and one in twenty that he works for GBHQ. Failing that, the chances are one in a hundred that one or the other of those two agencies will bump him off in such a way as to cast suspicion on the other. Failing all of that he will certainly be famous for fifteen minutes and may be as famous as Turing or von Neumann, perhaps even Einstein or Newton.
William Hugh Murray, Fellow, Information System Security, Ernst & Young 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
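The asymmetry described in the message above, as an added example that is not part of the original post: one multiplication builds the product, while recovering the primes takes a number of trial divisions that grows with the length of the product. Trial division is used here only as a naive stand-in for an attacker's method, and the prime pairs are small constructed samples, far below real RSA sizes.

```python
# Added illustration: multiplying two primes versus recovering them.
# Trial division is a deliberately naive factoring method (an assumption of
# this example); SAMPLE_PAIRS holds small constructed primes, not real keys.

def smallest_factor(n):
    """Return (smallest prime factor of n, number of trial divisions used)."""
    if n % 2 == 0:
        return 2, 1
    trials = 1                 # the division by 2 just performed
    d = 3
    while d * d <= n:
        trials += 1
        if n % d == 0:
            return d, trials
        d += 2                 # only odd candidates remain
    return n, trials           # no divisor found: n itself is prime


def work_table(prime_pairs):
    """For each (p, q), build n = p*q and count the work to split it again."""
    rows = []
    for p, q in prime_pairs:
        n = p * q                          # easy direction: one multiplication
        f, trials = smallest_factor(n)     # hard direction: search for a factor
        rows.append({
            "bits": n.bit_length(),
            "n": n,
            "p": f,
            "q": n // f,
            "trials": trials,
        })
    return rows


# Constructed sample primes giving 16-, 24- and 32-bit products.
SAMPLE_PAIRS = [(251, 257), (4093, 4099), (65521, 65537)]

if __name__ == "__main__":
    print(f"{'bits':>4}  {'product':>12}  {'factors':>15}  {'trial divisions':>15}")
    for r in work_table(SAMPLE_PAIRS):
        factors = f"{r['p']} x {r['q']}"
        print(f"{r['bits']:>4}  {r['n']:>12}  {factors:>15}  {r['trials']:>15}")
```

Each additional 8 bits of product multiplies the trial-division count by about 16 in this table, while building the product stays a single multiplication.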
-----------[000151][next][prev][last][first]---------------------------------------------------- Date: 30 Mar 90 17:38:55 GMT From: JSIMON@trinity.BITNET (Jonathon Simon) To: misc.security Subject: MVS SECURITY ( password exit )
We are interested in increasing security for our:
MVS/SP guest (JES2), and have considered
the idea of writing a small program to function in place of RACF -
essentially a "poor-man's" BATCH security EXIT. We have been unable to get
funding for a full blown system like RACF, TOP SECRET, etc., and would
settle (for the time being) for a simple PASSWORD to USER/ACCOUNT cross
reference validation prior to job execution. This wouldn't prevent unauthorized
file accesses, but it could help with our auditing by helping to
guarantee that batch job USERs are indeed who they say they are.
Q: Has anyone else written their own OS security module(s)? If so, would
you be willing to help us get started by sending us samples? Or, are you
aware of any user group tapes containing such security exits?
P.S. Please address me directly since I am not on the IBM-MAIN list.
Thanks.
-----------[000152][next][prev][last][first]---------------------------------------------------- Date: 30 Mar 90 18:25:57 GMT From: optilink!cramer@uunet.uu.net (Clayton Cramer) To: misc-security@uunet.uu.net Subject: Re: Computer Forged Documents - money
> Old currency will only be legal for 5 years." Take a real bite out of crime.
Someone posted a comparison of crime rates between Europe and the
U.S. recently, and surprisingly enough, European counterfeiting
rates were much higher than the U.S. (Makes no sense to me either,
but that may explain why the Europeans put so much energy into
fancy printing jobs).
Recalling currency isn't without precedent. In the last century,
the treasury replaced all of one denomination because of ONE
counterfeiting ring producing exceptionally high quality work.
Of course, our bills used to be Hollerith-card sized, and were
replaced earlier in this century.
--
Clayton E. Cramer {pyramid,pixar,tekbspa}!optilink!cramer
Politicians prefer unarmed peasants. Ask the Lithuanians.
----------------------------------------------------------------------------
Disclaimer? You must be kidding! No company would hold opinions like mine!
END OF DOCUMENT
| ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved. |