The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1990)
DOCUMENT: Rutgers 'Security List' for March 1990 (153 messages, 57135 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1990/03.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

-----------[000000][next][prev][last][first]----------------------------------------------------
Date:      1 Mar 90 09:05 EST
From:      EVERHART@arisia.dnet.ge.com
To:        SECURITY@pyrite.rutgers.edu
Subject:   RE: Answerbacks / Vendor Liability
Re the mail vulnerability being fixed in VMS VAXmail, it was also fixed
several years earlier by the Software Tools mail, which also filtered
control characters. This fix is now ~10 years old.
   Unfortunately, answerbacks can be triggered all too easily and
have on occasion represented serious problems. We had a situation many
years ago now where someone set the answerback on one of a small
number of terminals connected to a shared VAX to
DEL *.*;*
when someone left the terminal logged in for an extended period.
   Naturally this caused consternation all around. It seemed that
in addition to control-E triggering the answerback, sometimes nulls
might do so also. (I no longer recall what terminal type this was.)
  In this case, the factor that saved the day was sufficiently
paranoid systems people: they had daily backups and could restore
the lost files. I believe that this is what is called for, rather
than appeals to finding fault with manufacturers or even than
finding fault with careless experimenters. (I know of some network
meltdowns that have clearly been due to errors while attempting
what should have been legitimate activities. The Morris case
might have been similar, as well.) Who hasn't experienced accidental
deletion of files? 
   If we are to benefit from computing, we maximize that benefit by
sharing information. It is everyone's responsibility to take
adequate care while doing so. More than ever, regular and adequate
backups are an essential part of this. This issue should be considered
before buying a computer of any type, and in any use of same. Our
VAXen are backed up regularly; my home machine and office pc's have
nothing on hard disk that isn't on floppies also. This confers
some safety. I consider the office pc a prime candidate for disaster
though, as backups are difficult enough to be rare, and disks
do crash now and then. Hopefully our next generation of appliance
computers will contain backup devices of some sort. If they do
not, it is the purchaser who is to blame for losses caused by
damage FROM WHATEVER CAUSE to that data. The same applies to shared
systems.
Glenn Everhart

-----------[000001][next][prev][last][first]----------------------------------------------------
Date:      Thu, 1 Mar 90 19:20:12 MST
From:      jimkirk@outlaw.uwyo.edu (James Kirkpatrick)
To:        security@pyrite.rutgers.edu
Subject:   Digital Signature in business?
Does anybody know if Digital Signature is still in business?  They used
to make a package called CryptMaster (RSA and an RSA/DES hybrid), but
directory assistance in Chicago does not have a listing for them.  Did
they move or did they fold?

-----------[000002][next][prev][last][first]----------------------------------------------------
Date:      Thu, 1 Mar 90 19:38:02 MST
From:      jimkirk@outlaw.uwyo.edu (James Kirkpatrick)
To:        security@pyrite.rutgers.edu
Subject:   Medeco vs Keso vs Kaba
Any opinions of the Medeco lock versus the Seargent Keso
versus the Kaba lock?  The application would be on a safe door, and
one consideration beyond security against picking or destructive
entry would be vandalism by a frustrated burglar, which could lock out
the legitimate owner.  The Keso and Kaba seem very similar apart from
the angle of the Kaba's cuts, but I don't know how much better/worse they
might be compared against Medeco.

[for theurious, Keso and Kaba keys are flat with "dimples" of varying
depth which match opposing rows of pins in the cylinder; the key is not
one that can be easily duplicated, and with up to 20 pins it is difficult
to pick open!]

-----------[000003][next][prev][last][first]----------------------------------------------------
Date:      1 Mar 90 13:02:33 GMT
From:      randall@UVAARPA.VIRGINIA.EDU (Randall Atkinson)
To:        misc.security
Subject:   Re: Answerbacks / Vendor Liability

Larry Kilgallen's note implied that DEC's sendmail as distributed
was trustworthy.  This is not the case.  DEC's Ultrix (port of 4.2 BSD)
has different bugs and different security holes from the standard
UCB distribution.  In my experience, it has not been any more or
less trustworthy than pure BSD.

Although the recent note from CERT about problems in sendmail only
referenced SunOS, the problem was in fact present in other vendors
sendmail as well (including Ultrix 3).

One of the disconcerting things about AT&T's UNIX System V, Release 4
is that it is capable of running many (most ?) BSD sources without
conversion.  One problem with portable software and standardising
OS behaviour is that something that is a problem on one machine is
also likely to be a problem on another machine.  This makes networks
more susceptible to worms and virii just as with humans when a
group is genetically homogeneous they are more susceptible to
plagues and such.  I should note here that I am a very strong supporter
of most standardisation issues and strongly believe that the combination
of POSIX efforts and the recent ANSI C standard are both very
desirable.  I just want to point out that there are mixed blessings
to it all.

In general, electronic security and trusted systems are a very subtle
business.  The more one learns, the less certain one becomes of anything.

Randall Atkinson
randall@Virginia.EDU

-----------[000004][next][prev][last][first]----------------------------------------------------
Date:      1 Mar 90 14:05:00 GMT
From:      EVERHART@arisia.dnet.ge.com
To:        misc.security
Subject:   RE: Answerbacks / Vendor Liability

Re the mail vulnerability being fixed in VMS VAXmail, it was also fixed
several years earlier by the Software Tools mail, which also filtered
control characters. This fix is now ~10 years old.
   Unfortunately, answerbacks can be triggered all too easily and
have on occasion represented serious problems. We had a situation many
years ago now where someone set the answerback on one of a small
number of terminals connected to a shared VAX to
DEL *.*;*
when someone left the terminal logged in for an extended period.
   Naturally this caused consternation all around. It seemed that
in addition to control-E triggering the answerback, sometimes nulls
might do so also. (I no longer recall what terminal type this was.)
  In this case, the factor that saved the day was sufficiently
paranoid systems people: they had daily backups and could restore
the lost files. I believe that this is what is called for, rather
than appeals to finding fault with manufacturers or even than
finding fault with careless experimenters. (I know of some network
meltdowns that have clearly been due to errors while attempting
what should have been legitimate activities. The Morris case
might have been similar, as well.) Who hasn't experienced accidental
deletion of files? 
   If we are to benefit from computing, we maximize that benefit by
sharing information. It is everyone's responsibility to take
adequate care while doing so. More than ever, regular and adequate
backups are an essential part of this. This issue should be considered
before buying a computer of any type, and in any use of same. Our
VAXen are backed up regularly; my home machine and office pc's have
nothing on hard disk that isn't on floppies also. This confers
some safety. I consider the office pc a prime candidate for disaster
though, as backups are difficult enough to be rare, and disks
do crash now and then. Hopefully our next generation of appliance
computers will contain backup devices of some sort. If they do
not, it is the purchaser who is to blame for losses caused by
damage FROM WHATEVER CAUSE to that data. The same applies to shared
systems.
Glenn Everhart

-----------[000005][next][prev][last][first]----------------------------------------------------
Date:      Thu,  1 Mar 90 19:18:33 EST
From:      wcs@erebus.att.com (William Clare Stewart)
To:        misc-security@att.att.com
Subject:   Re: cordless privacy
]I am no lawyer, but I think you ony need the consent of one of the 
]parties in order to legally record a phone conversation - at least 

	Well, first of all, Canada and the US have different laws.
	In the US, a court decision a couple years back decided that
	cordless phones, unlike wire-based phones, do not give you a
	legal right to privacy for the segment of the connection that
	is broadcast between the handset and the base (though I
	suppose the connection from the base to the wall and beyond
	is protected.)

	Second, just because the people have reasonable expectations
	of a right of privacy against government eavesdropping, that
	doesn't mean that the *government* respects those rights,
	and the courts have been supporting the government rather
	than the people in a lot of recent cases.

				Bill
-- 
# Bill Stewart AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 erebus.att.com!wcs
# Fax 949-4876.  Sometimes found at Somerset 201-271-4712
# He put on the goggles, waved his data glove, and walked off into cyberspace.
# Wasn't seen again for days.

-----------[000006][next][prev][last][first]----------------------------------------------------
Date:      Fri, 02 Mar 90 09:59:55 -0900
From:      "ROBYN L ROBERTSON"  <FSRLR@alaska.bitnet>
To:        security@pyrite.rutgers.edu
Subject:   Re: Home security
>Regarding window grates, what are the options these days in security
>versus being able to get out from the inside quickly in case of fire

I solved a similar problem with a set of exploding security bolts.  I have
not seen these in the U.S., but I expect they are available.  They are
available in varying diameters and treads, with shear points set at the
level desired for the given application.  Detonation is accomplished by
running a fairly low voltage current of a minimum amperage determined by the
number and type of explosive shear bolts used(the electrical line activating
the detonation should have a predicted resistance, depending upon the type
of shear bolts, and whether they are wired in series or parallel: CAUTION:
UNDER NO CIRCUMSTANCES USE A NORMAL VOM OR DVM TO CHECK LINE RESISTANCE, USE
ONLY A 'BLASTING OHM-METER') through the detonation curcuit.

In event of a compromise of electrical power to the shear bolt system, it is
customary to include a back-up power supply, the design and implimentation
of which I leave as an exercise to the student.  In practice, this sort of
emergency escape route is an escape route of 'last resort'.  You do not want
such a pathway, in extremis, to be compromised.

I might note that in the applications where I have seen such bolts used,
there has been very narrow access to the area under security, and so casual
visitors setting off the escape-route shear bolts was a non-existant problem.
In a residence, I would suggest that it might be appropriate to add a fast
(perhaps three digit?) number-pad lock on each emergency exit so armed.  I
also warn that the heads of the bolts, which contain one wire(the bolt body
providing 'ground'), should be installed in a manner to preclude tampering.
Finally, if detonation will allow explosion debris(very minimal, in most
cases) or the security grate to intrude upon property not under the owner's
control, there may be legal implications should someone be injured.  I have
no particular expertise in this area, but I can easily envision, at least
in the litigious U.S, some creatin of a felon, minus three fingers on one
hand, standing in court beside his equally mercenary American attorney,
filing for damages sufferred when your security grate blew up in his face
while the gentleman was otherwise occupied attempting to cut through one of
the shear bolts holding said security grate in place.

Robyn Robertson
BITNET: FSRLR@ALASKA
Internet: fsrlr@acad3.fai.alaska.edu

P.S.  Normal precautions re isolation and segmentation of the overal system
into descrete sub-units should obtain here, as one would expect.  It does
no good to have a fancy system to blow all thirty-five windows in a structure
free of security grates if a fire on the first floor burns the insulation off
critical connections, leading to a short which disables the entire system.

-----------[000007][next][prev][last][first]----------------------------------------------------
Date:      1 Mar 90 20:42:12 GMT
From:      hollombe%sdcsvax@ttidca.tti.com (The Polymath)
To:        misc.security
Subject:   Re: Credit Card Fraud...

}... a couple of students were able to get a hold of a credit-card
}magnetic stip recorder somehow.  ...

There needn't be any "somehow" about it.  You can build one with less than
$50 worth of parts from Radio Shack.  The requirements are defined in an
ANSI standard, right down to the magnetic flux density of the mag-stripe
recording, and available as public information.

Scary, isn't it?

-- 
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Illegitimis non
Citicorp(+)TTI                                                 Carborundum
3100 Ocean Park Blvd.   (213) 450-9111, x2483
Santa Monica, CA  90405 {csun | philabs | psivax}!ttidca!hollombe

-----------[000008][next][prev][last][first]----------------------------------------------------
Date:      02 March 1990 05:34 CST
From:      "Grant Hoover" <U26264@uicvm.bitnet>
To:        security@pyrite.rutgers.edu
Subject:   Caller ID
> Now that Bell is providing caller id service in some areas I
> was wondering if I could capture the number of the caller and

Before you get out your soldering iron, keep in mind the bill
that Congress might pass that would require the local phone
companies to offer blocking. Once this option is in place, the
people attacking your BBS will probably use it, and you won't
get the chance to capture any numbers.

  ____   _____      ___     __  __   ______
 /      |  _  \    /   \   |  \|  | |__  __|   .   .
|   ___ |     <   /  ^  \  |      |   |  |       .
 \____/ |__|\__| /_/---\_\ |__|\__|   |__|     \___/

Grant Hoover   *   University of Illinois at Chicago
Bitnet  u26264@uicvm     *     CompuServe  76370,314
Internet u26264@uicvm.cc.uic.edu  *  GEnie G.HOOVER6

-----------[000009][next][prev][last][first]----------------------------------------------------
Date:      2 Mar 90 00:18:33 GMT
From:      wcs@erebus.att.com (William Clare Stewart)
To:        misc.security
Subject:   Re: cordless privacy

]I am no lawyer, but I think you ony need the consent of one of the 
]parties in order to legally record a phone conversation - at least 

	Well, first of all, Canada and the US have different laws.
	In the US, a court decision a couple years back decided that
	cordless phones, unlike wire-based phones, do not give you a
	legal right to privacy for the segment of the connection that
	is broadcast between the handset and the base (though I
	suppose the connection from the base to the wall and beyond
	is protected.)

	Second, just because the people have reasonable expectations
	of a right of privacy against government eavesdropping, that
	doesn't mean that the *government* respects those rights,
	and the courts have been supporting the government rather
	than the people in a lot of recent cases.

				Bill
-- 
# Bill Stewart AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 erebus.att.com!wcs
# Fax 949-4876.  Sometimes found at Somerset 201-271-4712
# He put on the goggles, waved his data glove, and walked off into cyberspace.
# Wasn't seen again for days.

-----------[000010][next][prev][last][first]----------------------------------------------------
Date:      Fri, 2 Mar 90 10:19:07 PST
From:      rex@isdmnl.menlo.usgs.gov (Rex Sanders)
To:        security@pyrite.rutgers.edu
Subject:   RE: Security Auditing
A few years ago, I wrote and distributed a program named "cfs"
(check file status) that can run around a system recording &
checking file stats.  Cfs made it onto one of the last Usenix tapes,
and might be somewhere on uunet.  Cfs runs fast (compared to shell
scripts) - checks stats on over 1000 files in about 45 seconds on
a wheezing old VAX 750.  If you can't find cfs in some local Unix
sources archive, let me know.

-- Rex Sanders, US Geological Survey
   rex@isdmnl.menlo.usgs.gov

-----------[000011][next][prev][last][first]----------------------------------------------------
Date:      2 Mar 90 02:20:12 GMT
From:      jimkirk@OUTLAW.UWYO.EDU (James Kirkpatrick)
To:        misc.security
Subject:   Digital Signature in business?

Does anybody know if Digital Signature is still in business?  They used
to make a package called CryptMaster (RSA and an RSA/DES hybrid), but
directory assistance in Chicago does not have a listing for them.  Did
they move or did they fold?

-----------[000012][next][prev][last][first]----------------------------------------------------
Date:      2 Mar 90 02:38:02 GMT
From:      jimkirk@OUTLAW.UWYO.EDU (James Kirkpatrick)
To:        misc.security
Subject:   Medeco vs Keso vs Kaba

Any opinions of the Medeco lock versus the Seargent Keso
versus the Kaba lock?  The application would be on a safe door, and
one consideration beyond security against picking or destructive
entry would be vandalism by a frustrated burglar, which could lock out
the legitimate owner.  The Keso and Kaba seem very similar apart from
the angle of the Kaba's cuts, but I don't know how much better/worse they
might be compared against Medeco.

[for theurious, Keso and Kaba keys are flat with "dimples" of varying
depth which match opposing rows of pins in the cylinder; the key is not
one that can be easily duplicated, and with up to 20 pins it is difficult
to pick open!]

-----------[000013][next][prev][last][first]----------------------------------------------------
Date:      2 Mar 90 03:59:45 GMT
From:      Doug Gwyn <gwyn@smoke.brl.mil>
To:        misc-security@rutgers.edu
Subject:   Re: Answerbacks / Vendor Liability
>Would not a simpler rule be "Commit a felony: go to jail"?  Why involve
>computers in the discussion?

Right on!  Every time lawmakers try to spell out details, they end up
with loopholes, simply because specificity implies lack of coverage.
There is nothing magic about computers, or guns for that matter;
whether or not an act is a crime should not depend on the tools used.

>> FINAL COMMENT:  The INTERNET virus should be treated as a product liability
>> question.  In my opinion, DEC and SUN should pay the cost of the cleanup

I've never seen any claims by DEC, Sun, or more to the point, UCB that
their UNIX-based operating systems were secure; have you?  What is the
point of making innocent manufacturers responsible for some person's
malicious abuse of their products?  You're trying to punish the wrong
people..

-----------[000014][next][prev][last][first]----------------------------------------------------
Date:      2 Mar 90 09:45 EST
From:      EVERHART@arisia.dnet.ge.com
To:        SECURITY@pyrite.rutgers.edu
Subject:   RE: Re: Field service spying?
Apparently this sw_inventory.com thing was from one of the local
offices; the general DEC field people in my area know nothing of
it but took a copy from me to see if they can find where it
came from. Seems it's got problems with their corporate policy
too.
  In DEC's defense they have tried to make it clear that the field
account should be DISUSERed except when in use. The procedure will
ONLY tell about dec images; it looks for .exe images in default
locations; at least that's what it did on VMS 4.7 where I tested
it; that can be sensitive, but there's nothing there that would
tell anything about non-dec images unless they happen to live
in the same places the DEC ones do, with the same logicals and
same filenames. The procedure was not run by field here.
Glenn Everhart

-----------[000015][next][prev][last][first]----------------------------------------------------
Date:      Fri, 02 Mar 90 10:20:06 GMT
From:      MCGDAKI@cms.manchester-computing-centre.ac.uk
To:        security@pyrite.rutgers.edu
Subject:   Domestic burglar alarms...
I am considering doing a domestic system and the inertia sensors
coupled with an analyser appeals to me for perimeter protection.
Has anyone had experience using these and how good are they for
reliability and immunity to false alarms?
                                    Arnold Kirk

-----------[000016][next][prev][last][first]----------------------------------------------------
Date:      Fri, 2 Mar 90 22:11:01 -0500
From:      owen blevins <blevinso@silver.ucs.indiana.edu>
To:        -v@silver.ucs.indiana.edu, security@ohstvma.bitnet
Subject:   NATIONAL SECURITY ARCHIVES
Anyone dealth with the NSA?     What are they? What research
materials do they provide? any and all information would be
greatly appreciated!

thanks.

blevinso@silver.ucs.indiana.edu

-----------[000017][next][prev][last][first]----------------------------------------------------
Date:      2 Mar 90 18:19:07 GMT
From:      rex@ISDMNL.MENLO.USGS.GOV (Rex Sanders)
To:        misc.security
Subject:   RE: Security Auditing

A few years ago, I wrote and distributed a program named "cfs"
(check file status) that can run around a system recording &
checking file stats.  Cfs made it onto one of the last Usenix tapes,
and might be somewhere on uunet.  Cfs runs fast (compared to shell
scripts) - checks stats on over 1000 files in about 45 seconds on
a wheezing old VAX 750.  If you can't find cfs in some local Unix
sources archive, let me know.

-- Rex Sanders, US Geological Survey
   rex@isdmnl.menlo.usgs.gov

-----------[000018][next][prev][last][first]----------------------------------------------------
Date:      2 Mar 90 23:04:31 GMT
From:      gwyn@SMOKE.BRL.MIL (Doug Gwyn)
To:        misc.security
Subject:   Re: thermal lances (was: vault doors)

Anyone who hasn't seen one of these in action is advised to check out the
movie "Thief" (starring James Caan) at your local video rental store.

-----------[000019][next][prev][last][first]----------------------------------------------------
Date:      2 Mar 90 23:04:31 GMT
From:      Doug Gwyn <gwyn@smoke.brl.mil>
To:        misc-security@rutgers.edu
Subject:   Re: thermal lances (was: vault doors)
Anyone who hasn't seen one of these in action is advised to check out the
movie "Thief" (starring James Caan) at your local video rental store.

-----------[000020][next][prev][last][first]----------------------------------------------------
Date:      3 Mar 90 03:58:26 GMT
From:      kelly@uts.amdahl.com (Kelly Goen)
To:        misc-security@ames.arc.nasa.gov
Subject:   Re: Home security
>Regarding window grates, what are the options these days in security
>versus being able to get out from the inside quickly in case of fire

 AGREED... Window grates are hazradous.... Try 3/16" GE UV Stabilized
LEXAN plastic...remember to use Epoxy based putties when replacing
the glass in the window frame.... the plastic will take more impact than
the iron bars and doesnt give you a feeling of being behind bars....
REMEMBER to UPGRADE the Window Locking System as this is the weakest
part beside the glass on most windows....you might ask if its tough enough
MY side shed window Aluminum Frame took 27 impacts with a 15 lb sledge
before the 2x4 frame the window frame was attached to splintered...
the Iron bars I tested fell prey with 10 seconds to a 7 ft wrecking
bar... Give me LEXAN every TIME!!!
     cheers
     kelly

-----------[000021][next][prev][last][first]----------------------------------------------------
Date:      3 Mar 90 04:05:31 GMT
From:      kelly@uts.amdahl.com (Kelly Goen)
To:        misc-security@ames.arc.nasa.gov
Subject:   Re: Fire Sprinkler Cameras
>They are built into regular sprinkler heads which have been slightly
>modified to fit a small mirror assembly....
>The company there that was marketing the things is Visual Methods, in
>Westwood NJ.    _H*]

 Yehah I checked on this one.... Friends those $500.00 sprinkler
fixture are overpriced PLASTIC(RIGHT 500.00 for plastic) JUNK...
out of 6 ordered 4 failed during installtion and setup....all were sent
back to the distributor... have to wait until a better one is available...
           cheers
           kelly
p.s. There are much better hidden cameras on the market just check
any issue of CCTV Magazine...

-----------[000022][next][prev][last][first]----------------------------------------------------
Date:      Sat,  3 Mar 90 13:01 EST
From:      David Hoelzer <CONSP12@bingvaxa.bitnet>
To:        security@ohstvma
Subject:   Cameras
   I've helped to design a number of camera boxes, including a converted slide
projector, emergency fire lights, and thermostats..   I'll tell you the truth
..  Dont bother trying to tell the difference..   We had a camera in full
view on top of a vending machine..  We set some other stuff up there too
(like boxes and wires..  just junk)...   The first two days, everyone just
looked at it..  The chairman of the company asked what it was doing there..
Well..  We told him, and later that night one of the security guards,
who had seen this camera sitting there, walked out of the building with
a few boxes of paper...  Needless to say, he was shocked when he saw the
footage..   He claimed, "How'd you get that!!!  That Camera is broken!!".
People assume what they like..  No one has yet realized what the thermostat
is, nor the fire box..   The slide projector has caught ten people...
One of them even tried to steal it, until they realized that it was hooked into
the wall...

DSH

-----------[000023][next][prev][last][first]----------------------------------------------------
Date:      Sat, 3 Mar 90 15:01:49 EST
From:      eichin@mit.edu (Mark W. Eichin)
To:        reynhout@wpi.wpi.edu
Cc:        misc-security@husc6.harvard.edu
Subject:   Re: Who (Specificly) has Morris' Worm Code?
What I've been wondering (since reading the early Cornell report) is
Did Morris actually use Unix crypt(1) to protect his files? And (as
the Cornell report claimed) given that they were able to break them,
did they make use of Bob Baldwin's Crypt Breaker's Workshop?
					_Mark_

-----------[000024][next][prev][last][first]----------------------------------------------------
Date:      3 Mar 90 10:57:29 GMT
From:      astieber@CSD4.CSD.UWM.EDU (Anthony J Stieber)
To:        misc.security
Subject:   What IS a thermal lance (Re:  vault doors, was:  locks)

Exactly what is a thermal lance?  I've seen several references to these
but have been unable to figure it out from context.
--
<-:(= Tony Stieber	astieber@csd4.csd.uwm.edu   att!uwm!uwmcsd4!astieber

-----------[000025][next][prev][last][first]----------------------------------------------------
Date:      03 Mar 90 09:27:41+0100
From:      Joseph C. Pistritto <cernvax!chx400!cgch!jcp@mcsun.eu.net>
To:        kelly@uts.amdahl.com
Cc:        misc-security@ames.arc.nasa.gov
Subject:   Re: Home security
Well, there ARE other techniques that work against LEXAN.  In particular
heating it up will make it bend, allowing sheets to be bent and popped from
the window frame.  They used LEXAN in the 'escape-proof' new jail in Towson,
Maryland several years ago.  Took the inmates about 3 months to figure away
to make a blowtorch from an aerosol can, point at lexan, heat for several
minutes, kick out panel.  They put bars in after that...

With suitable reinforcing, and by keeping the panes small enough, this
problem could possibly be avoided.  An interesting possibility is making
those 'colonial' style windows where the panes are about 8 inches by 12
inches, with the panes being Lexan and the normally wood barriers between
pains being made instead from steel would probably work nicely, without
even having the 'look' of security, if that's what you want.

======================================================================
Joseph C. Pistritto  HB9NBB N3CKF
                    'Think of it as Evolution in Action' (J.Pournelle)
  Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
  Internet: jcp@brl.mil                       Phone: (+41) 61 697 6155
  Bitnet:   bpistr%cgch.uucp@cernvax.bitnet   Fax:   (+41) 61 697 2435
  Also:     cgch!bpistr@mcsun.eu.net

-----------[000026][next][prev][last][first]----------------------------------------------------
Date:      3 Mar 90 20:01:49 GMT
From:      eichin@MIT.EDU (Mark W. Eichin)
To:        misc.security
Subject:   Re: Who (Specificly) has Morris' Worm Code?

What I've been wondering (since reading the early Cornell report) is
Did Morris actually use Unix crypt(1) to protect his files? And (as
the Cornell report claimed) given that they were able to break them,
did they make use of Bob Baldwin's Crypt Breaker's Workshop?
					_Mark_

-----------[000027][next][prev][last][first]----------------------------------------------------
Date:      Sun, 4 Mar 90 11:34:44 pst
From:      billf@hpcvlx (Bill F. Faus)
To:        security@rutgers.edu
Subject:   Re: re: Thermic Lances
Reminds me of a picture in a book I have on the properties of wood.  
The picture shows a gutted out burned building with only some large
wooden posts and beams left standing.  Looped over the charred
wooden beams are two metal I beams bent to the ground at each
end from the heat.  The wood beams made it through the fire,
but the metal ones failed. 

---------------
billf@cv.hp.com

-----------[000028][next][prev][last][first]----------------------------------------------------
Date:      Sun, 4 Mar 90 16:41:37 GMT
From:      jik@athena.mit.edu (Jonathan I. Kamens)
To:        security@pyrite.rutgers.edu
Subject:   Re: Who (Specificly) has Morris' Worm Code?
  Just how easy do you think it is to disassemble a program from machine
language into source code form?

  Granted, Morris made it a little bit easier by failing to strip off
the symbol tables before "letting loose" the binaries (There are
hypotheses that he did so because he was "in a hurry"...), but he made
it harder by XOR'ing all the strings in the entire binary.

  Yes, it was POSSIBLE to reverse engineer from the binary to the source
code.  However, I wouldn't say that it only takes "a little
reverse-engineering" to do so.  I'd say it takes more
"reverse-engineering" than most system administrators have the
knowledge, time or desire to put into it.

Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik@Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710

-----------[000029][next][prev][last][first]----------------------------------------------------
Date:      Mon Mar 05 01:10:28 CEST 1990
From:      rop@neabbs.UUCP (HACK-TIC)
To:        hp4nl!misc-security@relay.eu.net
Subject:   Re: Computer Abuse / Product Liability / Criminal Statutes / ECPA
Maybe a good definition of a hacker:
 
A hacker is someone who is too busy doing weird things using
technology to concern him/herself with defining the term 'hacker'.
 
I don't mean to kill a good discussion here, I just feel that
discussions about the definition of the term 'hacker' tend to get
boring and predictable after two or three messages. Much more
interesting (reffering to the 2nd of March message) is the question
wether playing a game on a computer 20.000 miles away isn't a much
more efficient way of learning something than going to school in the
first place.
 
Rop Gonggrijp, editor of Hack-Tic, a magazine for Dutch hackers....

-----------[000030][next][prev][last][first]----------------------------------------------------
Date:      Mon, 5 Mar 90 8:11:07 CST
From:      "Mark D. McKamey IM SA" <mark@ria-emh2.army.mil>
To:        security@pyrite.rutgers.edu
Subject:   Video camera devices
Hello All,

    I've recently seen a number of "trick" video camera devices demonstrated on
TV.  The teddy bear with a video camera in its belly, and the TV that video ta   
tapes the TV viewer while he/she watches the TV.
    I am trying to find out who sells devices such as these, and is there any
illegal implications of using one of these devices to video tape how a 
babysitter treats a child while the parents are out of the house?

Mark

mark@ria-emh2.army.mil

-----------[000031][next][prev][last][first]----------------------------------------------------
Date:      Tue, 6 Mar 90 02:17 PST
From:      dhunt@nasamail.nasa.gov (DOUGLAS B. HUNT)
To:        <security@pyrite.rutgers.edu>
Subject:   RE:      LAN security & control review
You should contact the EDP Auditors Foundation in Chicago.  They have
a variety of publications on these and realted topics.

Perhaps Bill Murray who frequently corresponds through this list has some
other suggestions.

Doug Hunt

-----------[000032][next][prev][last][first]----------------------------------------------------
Date:      5 Mar 90 18:52:30 GMT
From:      steves@ivory.sandiego.ncr.com (Steve Schlesinger x2150)
To:        misc.security
Subject:   Factoring Large Numbers

I have received a report from an independent researcher,
Giorgio Coraluppi, that claims to have developed an algorithm
to factor large numbers in a relatively short amount of time.

I do not have the background to evaluate this work, and would
appreciate the names (and addresses) of people working in this
field would be interested in reviewing it.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
steve schlesinger	steve.schlesinger@sandiego.ncr.com
619-485-2150		NCR - 4010, 16550 W Bernardo Dr, San Diego, CA 92127
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

-----------[000033][next][prev][last][first]----------------------------------------------------
Date:      6 Mar 90 17:53:25 GMT
From:      KHB1@lehigh.BITNET ("Kathy Healy Brey")
To:        misc.security
Subject:   Virus Scan on a LAN

Can anyone provide advice or information on the following:
CONFIGURATION
An ethernet LAN running NOVELL with 10 nodes.
Workstations are Zenith 286LP's with 20Meg hard drives & a 3.5" drive.
LAN is for student use.
PROBLEM
We would like to run a virus scan on any floppy inserted into the 3.5
inch drive AT INSERTION.  Is this possible?  If so, how?
The ideal scenario would be:  Student inserts floppy in A:.  System
recognizes presence of floppy and scans diskette for known viruses...
      (a system-initiated scan, not an operator-initiated scan)
If diskette is O.K., student goes to work.  If diskette is contaminated,
it's ejected(?) and student gets locked out of workstation and is
directed to LAN Administration.  L.A. grabs diskette and does detective
and control work...
THANKS for any help.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| Kathy Healy Brey, Manager                      Admin Environment:    |
| KHB1@LEHIGH       THE INFORMATION CENTER       IBM 4381 VSE/SP 2.1.5 |
| 215-758-3006      Lehigh University            IA Systems            |
| Private U         Fairchild-Martindale 8B      IBM PCs & Compatibles |
| 6500 Students     Bethlehem, PA  18015-3146    Novell LANs           |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----------[000034][next][prev][last][first]----------------------------------------------------
Date:      6 Mar 90 19:30:21 GMT
From:      chidsey@SMOKE.BRL.MIL (Irving Chidsey)
To:        misc.security
Subject:   Re: Wireless Home Security Systems

<Does anyone know how hard it is to jam or fool these wireless home
<security systems?  Couldn't one just use a spectrum analyzer to determine

	But home security systems are only designed to be secure enough so
that the reward isn't worth the trouble.  A spectrum analyser plus the coder
+ modulator + transmitter combination necessary to jam/break any wireless
system likely to be encountered requires more equipment and expertise than
your typical random junkie-looking-for-a-tv-to-fence is likely to
to be willing or able to put into the ptoject.  If you have valuables
worthy of such expertise in your home you should put similar expertise
into defeating breakins.  And you should be willing to spend equaly
serious money.

							Irv

-- 
I do not have signature authority.  I am not authorized to sign anything.
I am not authorized to commit the BRL, the DOA, the DOD, or the US Government
to anything, not even by implication.
			Irving L. Chidsey  <chidsey@brl.mil>

-----------[000035][next][prev][last][first]----------------------------------------------------
Date:      6 Mar 90 19:30:21 GMT
From:      Irving Chidsey <chidsey@smoke.brl.mil>
To:        misc-security@rutgers.edu
Subject:   Re: Wireless Home Security Systems
<Does anyone know how hard it is to jam or fool these wireless home
<security systems?  Couldn't one just use a spectrum analyzer to determine

	But home security systems are only designed to be secure enough so
that the reward isn't worth the trouble.  A spectrum analyser plus the coder
+ modulator + transmitter combination necessary to jam/break any wireless
system likely to be encountered requires more equipment and expertise than
your typical random junkie-looking-for-a-tv-to-fence is likely to
to be willing or able to put into the ptoject.  If you have valuables
worthy of such expertise in your home you should put similar expertise
into defeating breakins.  And you should be willing to spend equaly
serious money.

							Irv

-- 
I do not have signature authority.  I am not authorized to sign anything.
I am not authorized to commit the BRL, the DOA, the DOD, or the US Government
to anything, not even by implication.
			Irving L. Chidsey  <chidsey@brl.mil>

-----------[000036][next][prev][last][first]----------------------------------------------------
Date:      6 Mar 90 20:49:40 GMT
From:      spaf@cs.purdue.edu (Gene Spafford)
To:        misc-security@gatech.edu
Subject:   Contest announcement
The National Center for Computer Crime Data notes with interest the
considerable controversy engendered by the trial and guilty verdict in
the case of Robert T. Morris.  In order to expand and focus the
conversation, we announce the "If I were the Robert Morris case judge"
essay contest.  We will award $100 to the best essay of 250 words or
less suggesting the appropriate sentence for Mr. Morris.

Security Magazine has agreed to publish the winning essay in its May
issue.  Contestants need not be familiar with the federal guidelines
for sentencing, but should assume, for the purpose of their essay,
that the judge can impose any sanctions he or she thinks reasonable.
All essays must be received by the National Center for Computer Crime
Data, 1222-B 17th Avenue, Santa Cruz, CA, 95062 by March 28, 1990.

J.J. Buck BloomBecker, Esq.
Director

[The real sentencing for Mr. Morris will be May 4.

I am not affiliated in any way with the NCCCD  --spaf]
-- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf

-----------[000037][next][prev][last][first]----------------------------------------------------
Date:      Wed, 7 Mar 90 10:36:00 -0500
From:      nitrex!rbl@uunet.uu.net
To:        security@pyrite.rutgers.edu
Subject:   Re:  Opening an old safe?
There is a locksmith in the small Ohio town where my wife just opened
a retail jewwelry store.  His ex-wife walked up to a locked circa-1910
safe and proceeded to open it  --- the combination was unknown.  Her
comment: "I have a stethoscope in my fingers."

If the old Victor safe is anywhere nearby southeastern Ohio/PA/WV, we
could arrange a contact.

Rob Lake
BP Research
rbl@BP.COM

-----------[000038][next][prev][last][first]----------------------------------------------------
Date:      Wed,  7 Mar 90 09:55 EST
From:      "And now, #1, The Larch" <AEWALSH@fordmurh.bitnet>
To:        SECURITY@OHSTVMA
Subject:   Mutilated Currency (was Re: Bill Changers)
> Easy -- chop the big numbers off the corners of a $20 bill, past them
> onto the corners of a $1 bill.  Pass this as a $20 bill.

This works.  As a former bank teller at a commercial bank in Buffalo, I recall
a teller actually taking one.  If you must pass them off, though, don't do it
at a bank - they're much to careful, and know enough to look at the *portrait*
when receiving money.

> Turn in the mutilated $20 for a fresh one.

Yes, well...um-- mutiliated currency must have one side intact (if I recall
the rules correctly).  Hence it is necessary to do this dastardly deed with
*two* 20's, using first one side on the first bill, and the opposite side on
the other.

> (no, I am not advocating the practice)

Me neither.  The FBI and the Treasury department do not take kindly
to this practice.  Try this in a bank (either with funny twenties or bringing
in lots of mutilated -- you are likely to get your picture taken by those
lovely cameras on the wall.

Jeffrey
Fordham University
AEWALSH@FORDMURH

-----------[000039][next][prev][last][first]----------------------------------------------------
Date:      Wed, 07 Mar 90 16:31:01 -0500
From:      "Frank Topper" <topper%a1.relay@upenn.edu>
To:        security@ohstvma.bitnet, dasig@suvm.bitnet
Subject:   Meeting with the FBI
Dear Security & Dasig Subscribers,

	Activated by a suggestion from William Sessions, Director of the
FBI, my associate Linda May and I scheduled a meeting with the local
Philadelphia office to discuss computer, information and network security.
We wanted to draw from their experience, learn their perspective, and
establish a direct conection with the poeple who can help us in the event
of an important security breach -- and to know what they can and can not do
regarding the subsequent investigation.

	We met with two agents last month.

	Our agenda included discussing security breaches (principal kinds
reported, principal deficiencies that enable such breaches, proportion
involving perpetrators external/internal to the organization, proportion of
organizations which had a security plan, program and officer, and the most
important factor(s) for achieving appropriate levels of security),
classifications of activities (legal, illegal and questionable), recaps of
proposed legislation, and suggested actions & publications.

	Regarding breaches:
	They said that banks are the most susceptible to loss, and that
most private companies absord losses without prosecuting due to the time,
expense, and the wish to not appear stupid.  They said that companies that
did prosecute breaches had fewer recurring problems.

	Universities tend to get more young hacker-types, while
corporations get embezzlers.  Most complaints are financial institutes that
get 'hit over the wire' (wire fraud), bulletin boards containing pirated
software & credit card access numbers, and, most recently, they are
beginning to get calls about virus problems.

	Although they were not allowed to give details, the FBI is
currently involved in two major virus investigations.

	They see a major problem being when a hacker receives 'celebrity
status'.  This encourages trying to beat the system since fame and not
disrepute is the potential payoff.

	Statistically, lower-level employees are easier to catch because
they leave a trail of their actions.  Higher-level (V.P.) employees know
the systems and leave less of a trail.

	Activity types:
	The FBI gets involved when a Federal crime is committed. Usually
this means either: 1)Crime involving more than one state, 2) crimes
involving gov't computers or gov't networks, or 3) the more broad 86'
Computer Fraud and Abuse Act.  Interestingly enough, one of the agents we
spoke with participated in the investigation which has lead to the
conviction of Robert Morris, Jr.

	A questionable activity, but not illegal, is when a hacker (or
employee) reads files they are not supposed to have seen.  Not so related
to universities is the new wrinkle provided by cellular phones.  In this
case the transmission travels through the airwaves to a hardwire
transmission point.  It is not illegal to listen in to the part broadcasted
(although, a recent note on the SECURITY list mentioned that it was illegal
to disclose an overheard conversation).

	Anytime we have a question about an activity we are encourages to
contact the agents & get the latest perspective.  Legislation-wise, neither
agent has received updates on the two 89' proposed acts: Computer
Protection & Computer Virus Eradication.  They said there is always a lag
time between when a law is passed and when they get instructions as to what
it means and how it can be used.  They can prosecute computer crimes now
involving threatsor harassment....and they said if they REALLY WANT to get
someone they'll research any and all laws to try to find something to stick
on the alleged criminal.

	They suggest knowing what data is sensitive and take extra
precautions.  Whatever security programs are running need to be monitored
and checked for patterns of unusual activity, i.e., send reports to the
user/custodians of each protected system.

	Lastly, to get around the undesirable impression of security being
iron-handed, they stressed the ned for an education program touching every
employee with a solid emphasis on WHY the security efforts (and the
employyees' efforts) are needed...and what can happen if the efforts are
not made.

	Based on an "OK" form the local agent-in-charge, both agents were
willing to come to this university and speak to our planned-for Security
Steering Committee, and without making specific recommendations, stress the
importance of having a full-time security officer-type and comprehensive
education/awareness program.

	Regards.

	Frank Topper
	Information Analyst
	University of Pennsylvania
	(215) 898-2171
	topper@a1.relay.upenn.edu

"I have observed that persons of good sense seldom fall into disputes,
except lawyers, university men, and men of all sorts that have been bred at
Edinborough."  Ben Franklin

-----------[000040][next][prev][last][first]----------------------------------------------------
Date:      Wed, 07 Mar 90 17:19:01 -0500
From:      "Frank Topper" <topper%a1.relay@upenn.edu>
To:        security@ohstvma.bitnet
Subject:   Report on a Security Conference
	I sent this report to the Data Administration Special Interest
Group.  Perhaps you are interested also.

	Frank

------

Report on the 16th Annual Security Conference held in November, 1989

Dear Dasig Subscribers,

	Last November I attended a security conference in Atlanta, GA.  It
was an unusually good event; well-organized, many options for workshops and
presentations, and terrific for 'networking' - meeting people from higher
ed & the corporate world.  As a relative newcomer to the security world I
say: If you need to go to a security conference attend the next one of
these!

	The presenters throughout the week were equally divided between
vendors/consultants and non-vendors/consultants.  Sales pitches were
confined to the exhibition area and not sprinkled through the day.  In
other words, the presentations were not used as platforms for advocating
particular technologies or services.

	Favorite sessions included:
	Keynote Addresses -
		- Legal Liability of Corp Officers
		- FBI Viewpoint (Bill Sessions, Director)
		- Ethical Considerations (R. Barker, Cornell's Provost)
	Other presentations/workshops -
		- How To Gain Sr. Mgmt Support for a Sec. Program
		- How To Be an Effective Security Officer
		- Anticipating Future Network Sec. Reqs. and Abuses

	The exhibits were almost all worth a visit, and ranged form
disaster recovery (a melted, blackened VAX hissed & spewed 'smoke') to
create-your-own security awareness videos.

	There were optional ($250 each) full-day sessions the Sunday before
and the Thursday following the conference.

	As there were 8-10 concurrent sessions running every hour & 1/2,
and due to the conference organizers not making ALL the session handouts
avaiable, I spent the first two days meeting poepl and making deals to get
the handouts for the presentations I wasn't attending (you send me yours &
I'll send you mine).  The organizers did give out several handouts on
diskette & said they planned to eventually be able to give out all the
handouts this way.

	Next conference?
	Atlanta 11/12-11/15/90
	Sponsored by: Computer Security Inst.
	Phone: (508) 393-2600
	Cost: $1,295

	I am planning a presentation at this next conference, tentatively
about creating an info & computer security policy & program in a
decentralized environment...from ground zero.

	I'll be sending around a list of attendees from the 89' conference
who came from institutes of higher education.

	Regards.

	Frank Topper
	Info Analyst
	University of Pennsylvania
	(215) 898-2171
	topper@a1.relay.upenn.edu

-----------[000041][next][prev][last][first]----------------------------------------------------
Date:      Wed, 07 Mar 90 17:21:01 -0500
From:      "Frank Topper" <topper%a1.relay@upenn.edu>
To:        security@ohstvma.bitnet
Subject:   Security Conference Attendees
16th Annual Security Conference Attendees (higher ed)

Auriene, Anthony	Security Admin.		National Ed. Corp.
Barker, Robert		Provost			Cornell U.
Benders, Carol L.	Info Sys Sec Spec.	Howard U.
Bosshart, David A.	Security Admin		U. of Minnesota
Brown, Corrine H.	Prj Mgr/Std-Sec		Ed. Testing Service
Bruhn, Mark		Data Administrator	Indiana U.
Coffman, Jack L.	Security Control Off	U. of KY Computing Ctr
Cook, Janet M.					Illinois State U.
DeCruyenaere, K.C.				U. of Manitoba
Domin, Anthony C.	EDP Audit Mng		Penn State U.
Fairweather, Ian	EDP Security Admin	U. of Ottawa
Fisher, Charles E.	Director		U. of South Florida
Higashi, Albert		Assistant Director	U. of Hawaii
Hinkson, Betty		Instructor		Jacksonville State U.
Kieffer, Rom		Manager, DataComm	U. of Calgary
Rosenthal, Dan		Computer Manager	Mississippi College
Roy, Yves		IR Administrator	U. of Ottawa
Schott, Jr. Richard R.	Info Security Officer	Wayne State U.
Shelley, Richard	DS Officer		U. of Virginia
Stewart, Dorothy	Sas Security		U. of Michigan
Stromberg, Lars		Director		Barry U.
Tenisci, Teresa		Mgr, Bus & Sec		U. of British Columbia
Thomas, Dave					Rochester City Schools
Topper, Frank		Info Analyst		U. of Pennsylvania
van Wyk, Kenneth R.				Carnegie Mellon U.

	Some titles were not listed & thus have been left blank.

	Regards.

	Frank

-----------[000042][next][prev][last][first]----------------------------------------------------
Date:      7 Mar 90 15:36:00 GMT
From:      rbl@nitrex.UUCP
To:        misc.security
Subject:   Re:  Opening an old safe?

There is a locksmith in the small Ohio town where my wife just opened
a retail jewwelry store.  His ex-wife walked up to a locked circa-1910
safe and proceeded to open it  --- the combination was unknown.  Her
comment: "I have a stethoscope in my fingers."

If the old Victor safe is anywhere nearby southeastern Ohio/PA/WV, we
could arrange a contact.

Rob Lake
BP Research
rbl@BP.COM

-----------[000043][next][prev][last][first]----------------------------------------------------
Date:      7 Mar 90 17:41:00 GMT
From:      brough@islndsenet.dec.com (Paul Brough)
To:        misc-security@decwrl.dec.com
Subject:   Home security systems
[Message apparently truncated?]  ...
has the best system for the money, or if I should go to Radio Shack and get
some of their stuff.  The following is a list of considerations that I am going
to use when I purchase the system:

		1) Cost should be around $1,000-1,500
		2) Cover the following doors
		   a) front door
		   b) back door
		   c) breezeway door
		   d) bulkhead door
		   e) garage to interior breezeway door
		   f) cellar to interior house door
		3) Keypad entry perhaps master bedroom keypad
		4) Perhaps central station monitoring
		5) Passive infrared detectors on the first floor leading to
		   the upstairs
		6) PID on the second floor

	I have literature on a system put out by Fire Burglary Incorp (or
something like that) and most of the above fits in, but I understand that Napco
(or is it Mapco) has another system out that is supposed to be a little better.
Does anyone have any experience in this and can give me more info?  By the way,
I live in the Worcester/Fitchburg Mass. area.  Any and all help will be
greatly appreciately.

	Thank you very much,

		Paul

-----------[000044][next][prev][last][first]----------------------------------------------------
Date:      Thu, 8 Mar 90 01:09 CST
From:      <JJOYCE@umkcvax1.bitnet>
To:        misc-security@rutgers.edu
Subject:   Re:.Opening and old safe ?
Cf. : pp 137-155
     "Surely You're Joking, Mr. Feynman!"
      1965
      Richard P. Feynman
      W. W. Norton & Co., New York
      ISBN 0-393-01921-7

J.Joyce
JJOYCE@UMKCVAX1  Bitnet

-----------[000045][next][prev][last][first]----------------------------------------------------
Date:      7 Mar 90 21:31:01 GMT
From:      topper%a1.relay@UPENN.EDU ("Frank Topper")
To:        misc.security
Subject:   Meeting with the FBI

Dear Security & Dasig Subscribers,

	Activated by a suggestion from William Sessions, Director of the
FBI, my associate Linda May and I scheduled a meeting with the local
Philadelphia office to discuss computer, information and network security.
We wanted to draw from their experience, learn their perspective, and
establish a direct conection with the poeple who can help us in the event
of an important security breach -- and to know what they can and can not do
regarding the subsequent investigation.

	We met with two agents last month.

	Our agenda included discussing security breaches (principal kinds
reported, principal deficiencies that enable such breaches, proportion
involving perpetrators external/internal to the organization, proportion of
organizations which had a security plan, program and officer, and the most
important factor(s) for achieving appropriate levels of security),
classifications of activities (legal, illegal and questionable), recaps of
proposed legislation, and suggested actions & publications.

	Regarding breaches:
	They said that banks are the most susceptible to loss, and that
most private companies absord losses without prosecuting due to the time,
expense, and the wish to not appear stupid.  They said that companies that
did prosecute breaches had fewer recurring problems.

	Universities tend to get more young hacker-types, while
corporations get embezzlers.  Most complaints are financial institutes that
get 'hit over the wire' (wire fraud), bulletin boards containing pirated
software & credit card access numbers, and, most recently, they are
beginning to get calls about virus problems.

	Although they were not allowed to give details, the FBI is
currently involved in two major virus investigations.

	They see a major problem being when a hacker receives 'celebrity
status'.  This encourages trying to beat the system since fame and not
disrepute is the potential payoff.

	Statistically, lower-level employees are easier to catch because
they leave a trail of their actions.  Higher-level (V.P.) employees know
the systems and leave less of a trail.

	Activity types:
	The FBI gets involved when a Federal crime is committed. Usually
this means either: 1)Crime involving more than one state, 2) crimes
involving gov't computers or gov't networks, or 3) the more broad 86'
Computer Fraud and Abuse Act.  Interestingly enough, one of the agents we
spoke with participated in the investigation which has lead to the
conviction of Robert Morris, Jr.

	A questionable activity, but not illegal, is when a hacker (or
employee) reads files they are not supposed to have seen.  Not so related
to universities is the new wrinkle provided by cellular phones.  In this
case the transmission travels through the airwaves to a hardwire
transmission point.  It is not illegal to listen in to the part broadcasted
(although, a recent note on the SECURITY list mentioned that it was illegal
to disclose an overheard conversation).

	Anytime we have a question about an activity we are encourages to
contact the agents & get the latest perspective.  Legislation-wise, neither
agent has received updates on the two 89' proposed acts: Computer
Protection & Computer Virus Eradication.  They said there is always a lag
time between when a law is passed and when they get instructions as to what
it means and how it can be used.  They can prosecute computer crimes now
involving threatsor harassment....and they said if they REALLY WANT to get
someone they'll research any and all laws to try to find something to stick
on the alleged criminal.

	They suggest knowing what data is sensitive and take extra
precautions.  Whatever security programs are running need to be monitored
and checked for patterns of unusual activity, i.e., send reports to the
user/custodians of each protected system.

	Lastly, to get around the undesirable impression of security being
iron-handed, they stressed the ned for an education program touching every
employee with a solid emphasis on WHY the security efforts (and the
employyees' efforts) are needed...and what can happen if the efforts are
not made.

	Based on an "OK" form the local agent-in-charge, both agents were
willing to come to this university and speak to our planned-for Security
Steering Committee, and without making specific recommendations, stress the
importance of having a full-time security officer-type and comprehensive
education/awareness program.

	Regards.

	Frank Topper
	Information Analyst
	University of Pennsylvania
	(215) 898-2171
	topper@a1.relay.upenn.edu

"I have observed that persons of good sense seldom fall into disputes,
except lawyers, university men, and men of all sorts that have been bred at
Edinborough."  Ben Franklin

-----------[000046][next][prev][last][first]----------------------------------------------------
Date:      Thu, 08 Mar 90 14:27:18 PST
From:      blade@darkside.com (The Blade)
To:        misc-security@ucbvax.berkeley.edu
I need information on on-line databases that are helpful to the private
investigator, such as background info, SS checks, DMV reports, etc...
I know of US Data-link but they want $1000 to sign up, any specialized
bases are also appricated.

-----------[000047][next][prev][last][first]----------------------------------------------------
Date:      8 Mar 90 07:09:00 GMT
From:      JJOYCE@umkcvax1.BITNET
To:        misc.security
Subject:   Re:.Opening and old safe ?

Cf. : pp 137-155
     "Surely You're Joking, Mr. Feynman!"
      1965
      Richard P. Feynman
      W. W. Norton & Co., New York
      ISBN 0-393-01921-7

J.Joyce
JJOYCE@UMKCVAX1  Bitnet

-----------[000048][next][prev][last][first]----------------------------------------------------
Date:      8 Mar 90 22:27:18 GMT
From:      blade@darkside.com (The Blade)
To:        misc.security
Subject:   (none)

I need information on on-line databases that are helpful to the private
investigator, such as background info, SS checks, DMV reports, etc...
I know of US Data-link but they want $1000 to sign up, any specialized
bases are also appricated.

-----------[000049][next][prev][last][first]----------------------------------------------------
Date:      Fri, 9 Mar 90 13:22:28 EST
From:      barnett@unclejack.crd.ge.com (Bruce Barnett)
To:        cb2s+@andrew.cmu.edu, security@pyrite.rutgers.edu
Subject:   Re:  Honda motorcycle keys
We had a case in our area where two people had
	1) The same model car
	2) The same color
	3) Parked near each other in the same parking lot
and
	4) Had the same trunk key.

Someone went to the parking lot and dropped off a package in their trunk.
They went back into the Mall, and when they checked their trunk the second
time - they "discovered" that their packages were "stolen".

-- 
Bruce G. Barnett	<barnett@crdgw1.ge.com>  uunet!crdgw1!barnett

-----------[000050][next][prev][last][first]----------------------------------------------------
Date:      Fri, 09 Mar 90 16:34:42 PLT
From:      Alan Zacher <29562883@wsuvm1.bitnet>
To:        security@ohstvma
Subject:   datsun keys
about datusn keys.  be VERY careful about testing your key in other peoples
vehicles of the same make.  people in my family HABITUALLY put the key to our
1980 datsun 210 into the ignition of out 1982 datsun pickup.  the key would
turn until it reached the 'on' position, then it would pop out and would not go
back in.  i had to take the dang lock apart to reset it and it took about 15
times before we got the brains to change the pickup ign. key.  needless to say
we made SURE that the two keys were not semi-interchangeable before we
installed the new cylinder.  just thought id warnya.

                                 alan

-----------[000051][next][prev][last][first]----------------------------------------------------
Date:      Fri Mar  9 14:10:05 1990
From:      guhsd000@crash.cts.com (Paula Ferris)
To:        misc-security@crash.cts.com
Subject:   Re: Them Locks Are Easy
Well, I'm glad to see I started a conversation that got some response anyway.

My friends motorcycle (Honda) had such high tolorences in the cyclinder and
pin assembly that the core could be turn with a screwdriver if you took a little
time to play with it and jiggle it into line.  If your worried about it,
don't make your car a target, most cars in my area anyway are usally first
taken for goodies inside (tronics), then end up stripped.  It seems if they are
going to go through all the trouble to rip off your stuff, they are going to
get the most out of it.

Pullout stereos, amplifiers in the trunk out of sight and a blinking LED are
all good ideas.  Even if the LED doen't really go to an alarm, it'll keep
alot of lesser hand prints off the car, and with a simple IC LED Flasher, a
single "D" cell can drive it continously for a year.

At all costs, avoid parking on the street, cars are rarely taken out of the 
driveway.  Usally they are taken out of parking lots (around here Apartment
building lots) or off the street.  The best thing (without having a garage)
is to park under a motion detector/flood light assembly.  The action of having
the dark driveway flooded with that 300 watt quartz halogen lamp gets attention,
and I think is more effective than simply having the area continously lit.

Some basic ideas, always, even for a minute, lock the doors with the windows
up.  Many cars have been boosted when someone runs into the 7-11 "just for a
minute."  Roll the windows up tight, most manual windows when rolled tight
will track outwards on most newer cars, making the user of a slimjim (many
new cars still don't use the simple barrier plates and sidebars) have a rough
time even getting it inserted, much les[s using it, as well as making wires and
such very difficult to use to get to the locks.

If anyone really wants your car, they are going to get at it, but you don't
have to help them.

A former investigator for a very large police department's auto theft unit
in the western US.

-----------[000052][next][prev][last][first]----------------------------------------------------
Date:      Fri, 09 Mar 90 16:51:45 EST
From:      Homer <CTM@cornellc.bitnet>
To:        "Security List." <security@pyrite.rutgers.edu>
Subject:   Re: Them Locks Are Easy
>Moaning at car manufacturers for providing rotten security is unlikely to
>succeed. They make so much money selling people parts to replace things
>smashed by thieves that it's hardly worth their while improving matters.

     I presume that car stereos are the most stolen item in the universe.
You think the stereo manufacturers take this into account when they
project sales into the future?  Does a stolen stereo mean another sale?
Does it mean a lost sale to the bozo who buys the hot stereo?
Does it mean a lost sale to those of us who are too scared to have
stereos in our cars?

     Do they BENEFIT from thievery?  Or is it a detriment to them?

-----------[000053][next][prev][last][first]----------------------------------------------------
Date:      9 Mar 90 17:21:07 EST (Fri)
From:      simsong@prose.cambridge.ma.us (Simson L. Garfinkel)
To:        cs4i03ab@maccs.dcss.mcmaster.ca
Cc:        security@pyrite.rutgers.edu
Subject:   holograms on bills
Actually, the idea of putting a hologram on a bill is what American
Banknote Inc. has staked its livelyhood on.  That is the company that
makes the holograms that have become standard on credit cards.

But its all a hoax.  Here's why:

First, anybody can make a hologram, even the small foil kind that are
embossed.  Totall equipment cost is no more than $10,000.  That's
hardly a deterrent.

Second, nobody checks the holograms.  Ever notice how different cards
use different holograms?  They could have done something trickly, like
storing information in the hologram that would have required a special
reader.  But that would have been too expensive.

Indeed, the only reason that there are holograms on credit cards ---
and the reason they are coming to currency --- is that American
Banknote Inc. has succeded in making people think that it is more secure.

It isn't.

				Simson Garfinkel

-----------[000054][next][prev][last][first]----------------------------------------------------
Date:      Fri, 9 Mar 90 20:15 EST
From:      <CJS@cwru.bitnet>
To:        hobbit@pyrite.rutgers.edu
Subject:   Car Locks -- They had great locks at Hertz in Belfast
Last time I was in Belfast I rented a car at the airport (I think it was
Hertz).  They car's didn't use regular keys but something that looked, well,
I can't describe it other than to say the key was very strangely shaped.
The reason they go to such trouble with locks is the IRA (and maybe the
provos (I can't recall)) steal cars and put bombs in them and then park them
somewhere.  The security forces will assume any abandoned/stolen car has a
bomb in it--we all know how you defuse a bomb, you blow it up.  So, if any
car is stolen it is effectively totalled.  I suspect it is hard to get the
damn things insured.  Hence the extra security.

I never could find out who made the locks.

cjs

-----------[000055][next][prev][last][first]----------------------------------------------------
Date:      9 Mar 90 19:38:49 GMT
From:      nagle@well.sf.ca.us (John Nagle)
To:        misc-security@ucbvax.berkeley.edu
Subject:   Re: bill changers
      Where can I get a cheap bill reader, suitable for use to retrofit an
existing vending machine (a photo booth) for paper money?  Used units
are acceptable.

					John Nagle

-----------[000056][next][prev][last][first]----------------------------------------------------
Date:      9 Mar 90 22:09:00 GMT
From:      warlock@CSCIHP.CSUCHICO.EDU (John Kennedy)
To:        misc.security
Subject:   Re: Bicycle locks

>was partly scraped off, so I couldn't make out the name, but it ends with
>NG-TAY.

  I believe the lock you're referring to is called "MING-TAY", available at
your finer K-Mart stores for around $20.  What can you expect?  (-:

--
Warlock, AKA              +----------------------------------------------------
John Kennedy              | uucp:     lampoon!warlock@csuchico.edu
CSCI Student	          | internet: warlock@csuchico.edu
CSU Chico                 +----------------------------------------------------

-----------[000057][next][prev][last][first]----------------------------------------------------
Date:      9 Mar 90 22:21:07 GMT
From:      simsong@prose.cambridge.ma.us (Simson L. Garfinkel)
To:        misc.security
Subject:   holograms on bills

Actually, the idea of putting a hologram on a bill is what American
Banknote Inc. has staked its livelyhood on.  That is the company that
makes the holograms that have become standard on credit cards.

But its all a hoax.  Here's why:

First, anybody can make a hologram, even the small foil kind that are
embossed.  Totall equipment cost is no more than $10,000.  That's
hardly a deterrent.

Second, nobody checks the holograms.  Ever notice how different cards
use different holograms?  They could have done something trickly, like
storing information in the hologram that would have required a special
reader.  But that would have been too expensive.

Indeed, the only reason that there are holograms on credit cards ---
and the reason they are coming to currency --- is that American
Banknote Inc. has succeded in making people think that it is more secure.

It isn't.

				Simson Garfinkel

-----------[000058][next][prev][last][first]----------------------------------------------------
Date:      10 Mar 90 01:15:00 GMT
From:      CJS@cwru.BITNET
To:        misc.security
Subject:   Car Locks -- They had great locks at Hertz in Belfast

Last time I was in Belfast I rented a car at the airport (I think it was
Hertz).  They car's didn't use regular keys but something that looked, well,
I can't describe it other than to say the key was very strangely shaped.
The reason they go to such trouble with locks is the IRA (and maybe the
provos (I can't recall)) steal cars and put bombs in them and then park them
somewhere.  The security forces will assume any abandoned/stolen car has a
bomb in it--we all know how you defuse a bomb, you blow it up.  So, if any
car is stolen it is effectively totalled.  I suspect it is hard to get the
damn things insured.  Hence the extra security.

I never could find out who made the locks.

cjs

-----------[000059][next][prev][last][first]----------------------------------------------------
Date:      10 Mar 90 03:47:53 GMT
From:      shawn@mit-eddie.UUCP (Shawn F. Mckay)
To:        misc.security
Subject:   Call for Security Hacks

Greetings,

I am building a package for use in the war against "System Crackers",
it will probably be released in the next few months, I'm aiming at
spring, early summer. It will be available to all, though due to its
nature, I will have to set something special up so only ligitimate
sites end up with it; Ideas on the lowest overhead way to do this
would be welcome.

If you have a favorite hack you have written to use for this purpose,
and would like to offer it to the world for people to use in this fight,
please contact me directly so I may include it. Ideas and comments are
also welcome.

				Thanks in advance,
				 -- Shawn

-----------[000060][next][prev][last][first]----------------------------------------------------
Date:      Sat, 10 Mar 90 03:47:53 GMT
From:      mit-eddie!shawn@mit-eddie.gatech.edu (Shawn F. Mckay)
To:        misc-security@uunet.uu.net
Subject:   Call for Security Hacks
Greetings,

I am building a package for use in the war against "System Crackers",
it will probably be released in the next few months, I'm aiming at
spring, early summer. It will be available to all, though due to its
nature, I will have to set something special up so only ligitimate
sites end up with it; Ideas on the lowest overhead way to do this
would be welcome.

If you have a favorite hack you have written to use for this purpose,
and would like to offer it to the world for people to use in this fight,
please contact me directly so I may include it. Ideas and comments are
also welcome.

				Thanks in advance,
				 -- Shawn

-----------[000061][next][prev][last][first]----------------------------------------------------
Date:      Sat, 10 Mar 90 09:03 EST
From:      "Mark H. Wood" <IMHW400@indyvax.iupui.edu>
To:        security@pyrite.rutgers.edu
Subject:   Re: Them Locks Are Easy
>Moaning at car manufacturers for providing rotten security is unlikely to
>succeed. They make so much money selling people parts to replace things
>smashed by thieves that it's hardly worth their while improving matters.

Does anybody sell decent locks made for car doors?  Could I just throw away my
junky original-equipment locks and replace them with good ones?  Think it might
make a difference if I write to Consumer Reports detailing how and *why* it
should be done?  How about my insurance company?

Of course, locks aren't the only part of the problem:  they need something
stronger than sheet metal to hold them.  I can't count the number of cars I've
seen with missing trunk locks.  Most car doors are still vulnerable to
slim-jims.  And the windows are still made of fragile glass....

-----------[000062][next][prev][last][first]----------------------------------------------------
Date:      Sat, 10 Mar 90 14:13:37 PST
From:      teda!RATVAX.DNET!ROBERTS@uunet.uu.net (George Roberts)
To:        security@pyrite.rutgers.edu
Subject:   RE: Re: Computer Forged Documents - money
> The USofA amazes me, it's got the largest market to make a counterfeit
> worthwhile, and yet probably the oldest "active" currency technology...

I read in the Boston Globe recently that the U.S. Treasury puts small
red and blue threads in its paper money.  The item mentioned the paper is
so difficult to make, that many counterfeiters bleach small denominations 
and re-print larger denominations onto the bleached bills.

I took out a one dollar bill and sure enough there were tiny little red and
blue threads.  They were easiest to see around the edge where there was no
printing.

Maybe they shouldn't put those threads in the ones and fives! (need I explain
the concept?)

                                              - George Roberts

-----------[000063][next][prev][last][first]----------------------------------------------------
Date:      11 Mar 90 00:59:22 GMT
From:      jac@PAUL.RUTGERS.EDU (Jonathan A. Chandross)
To:        misc.security
Subject:   Re: Computer Forged Documents - money

> [Canadian] bill designs from the last few years also feature MACHINE READABLE
> serial numbers for nifty swift banking machine sorting, etc.

I would be uneasy about money with machine readable serial numbers. Just
think how easy it would be for the government to track how you spend your
money.  For those of you saying "oh sure", I would like to point out that
credit card companies sell mailing lists based on total debt, size of
monthly payments, whether you pay your bill on time every month, what
you buy, how much you make, etc.  Every time you use a credit card the
information is saved away.

And it is surprisingly easy to get access to that information.  A Business
Week reporter registered for a credit bureau service (like TRW) and got a
copy of Dan Quayle's credit history.  Danny was not pleased when BW called
him for his reaction.

> The USofA amazes me, it's got the largest market to make a counterfeit
> worthwhile, and yet probably the oldest "active" currency technology...

Something like 300 BILLION dollars in paper currency is missing from the
money supply.  A great deal of it is in eastern Europe and in the hands
of drug lords (they do keep some in cash).  Just imagine what would happen
if the US government said "ok, new currency time; everyone turn in the old.
Old currency will only be legal for 5 years."  Take a real bite out of crime.

Jonathan A. Chandross
Internet: jac@paul.rutgers.edu
UUCP: rutgers!paul.rutgers.edu!jac

-----------[000064][next][prev][last][first]----------------------------------------------------
Date:      12 Mar 90 14:39:13 GMT
From:      epstein@trwacs.UUCP (Jeremy Epstein)
To:        misc.security
Subject:   Re: car keys

My wife locked herself out of our Mazda a few weeks ago.  Rather than
calling a locksmith, she called a dealer nearby.  They asked her for
the VIN, made a key, and brought it over (for $5, instead of $50 or
so for a locksmith).

They did not ask for proof of ownership, or anything else, which made
me quite nervous!
-- 
Jeremy Epstein
epstein@trwacs.uu.net
TRW Systems Division
703-876-4202

-----------[000065][next][prev][last][first]----------------------------------------------------
Date:      12 Mar 90 14:39:13 GMT
From:      trwacs!epstein@uunet.uu.net (Jeremy Epstein)
To:        misc-security@uunet.uu.net
Subject:   Re: car keys
My wife locked herself out of our Mazda a few weeks ago.  Rather than
calling a locksmith, she called a dealer nearby.  They asked her for
the VIN, made a key, and brought it over (for $5, instead of $50 or
so for a locksmith).

They did not ask for proof of ownership, or anything else, which made
me quite nervous!
-- 
Jeremy Epstein
epstein@trwacs.uu.net
TRW Systems Division
703-876-4202

-----------[000066][next][prev][last][first]----------------------------------------------------
Date:      Wed, 14 Mar 90 15:34:58 EST
From:      sgw@cad.cs.cmu.edu (Stephen Wadlow)
To:        misc-security@rutgers.edu
Subject:   Re: Medeco vs Keso vs Kaba
For picking purposed, I'd consider the medeco to be more secure (even moreso
for their biaxial line, which actually may be the default by now).  I don't
expect that your average burglar would generally attempt to pick a medeco.
You also have the security that more people know of medeco locks as being
"high security locks" and may just avoid the lock.  

In terms of vandalism, I'd still go with medeco.  Medeco's have hardened 
steel rods inserted in strategic places so as to make drilling difficult,
so the brute force method won't easily work.  Also, the keyways are more
warded then the Kaba/Keso (which I have always seen as beening totally 
unwarded) so it is far less likely that they will be able to wedge a 
piece of metal stock into the core just to annoy you.

the caveat of it all is that if the burglar wants in badly enough, (s)he'll
get in.  If they want to vandaize, they will.  All security systems have
their own weaknesses.  Some just aren't as easy to exploit as others.

			steve

-----------[000067][next][prev][last][first]----------------------------------------------------
Date:      14 Mar 90 10:25:55+0100
From:      Joseph C. Pistritto <jcp@cgch.uucp>
To:        jimkirk@outlaw.uwyo.edu
Cc:        security@pyrite.rutgers.edu
Subject:   Re: Medeco vs Keso vs Kaba
Here in Switzerland, virtually every door is locked with a KESO style
lock, (I have seen one Medeco cylinder in use here, it was on a shop
door).  Locksmiths here know which blanks of Keso they're not supposed
to duplicate, (always the ones that are used for entrance doors).

Having seen a vandalized Medeco cylinder, I would guess that Keso is
better that way.  The keyway is somewhat narrower.  Against a really
determined vandal however, all key locks suffer from the 'fill up the
keyway with Araldite (the local epoxy glue)' technique.  I don't really
know how to defend against this effectively.  Also note that it can be
difficult in some Keso installations to remove the cylinder if you can't
insert a key!.

======================================================================
Joseph C. Pistritto  HB9NBB N3CKF
                    'Think of it as Evolution in Action' (J.Pournelle)
  Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
  Internet: jcp@brl.mil                       Phone: (+41) 61 697 6155
  Bitnet:   bpistr%cgch.uucp@cernvax.bitnet   Fax:   (+41) 61 697 2435
  Also:     cgch!bpistr@mcsun.eu.net

-----------[000068][next][prev][last][first]----------------------------------------------------
Date:      14 Mar 90 20:34:58 GMT
From:      sgw@CAD.CS.CMU.EDU (Stephen Wadlow)
To:        misc.security
Subject:   Re: Medeco vs Keso vs Kaba

For picking purposed, I'd consider the medeco to be more secure (even moreso
for their biaxial line, which actually may be the default by now).  I don't
expect that your average burglar would generally attempt to pick a medeco.
You also have the security that more people know of medeco locks as being
"high security locks" and may just avoid the lock.  

In terms of vandalism, I'd still go with medeco.  Medeco's have hardened 
steel rods inserted in strategic places so as to make drilling difficult,
so the brute force method won't easily work.  Also, the keyways are more
warded then the Kaba/Keso (which I have always seen as beening totally 
unwarded) so it is far less likely that they will be able to wedge a 
piece of metal stock into the core just to annoy you.

the caveat of it all is that if the burglar wants in badly enough, (s)he'll
get in.  If they want to vandaize, they will.  All security systems have
their own weaknesses.  Some just aren't as easy to exploit as others.

			steve

-----------[000069][next][prev][last][first]----------------------------------------------------
Date:      14 Mar 90 21:28:07 GMT
From:      KRAINIER@EAGLE.WESLEYAN.EDU (geek)
To:        misc.security
Subject:   Police repeater detection


    Due to a leaky memory, I do not recall all details, but about a month or
two ago I spotted an item in a "yuppie catalog" that purported to detect patrol
cars up to <insert large distance> away by picking up their repeater signals.
The device was designed to be vehicle mounted (so as to pick up police using
radar that is only turned on when you are in sight).  Of course, it relies on
the supposition that the officers left their repeaters on while in the vehicle
[they acknowledged this but claimed that most do in fact leave their repeaters
on].  The device did not broadcast what it received, it only indicated that
something was being broadcast.

    Anybody seen anything similar?  Any comments on range/feasability/other
problems?

                                                -kevin
                                                krainier@eagle.wesleyan.edu
                                                krainier@wesleyan.bitnet

-----------[000070][next][prev][last][first]----------------------------------------------------
Date:      Thu, 15 Mar 90 13:03:45 EST
From:      "Larry Margolis" <MARGOLI@ibm.com>
To:        security@pyrite.rutgers.edu
Subject:   Medeco vs Keso vs Kaba
What are your concerns?  Pick resistance - all are fairly good; I'd
probably give the Medeco an edge, since I believe (although I'm not
certain) that the Keso / Kaba rely on having lots of pins and don't
add anything else to prevent picking, while the Medeco has a sidebar.

Physical security - Medeco cylinders have hardened steel inserts to
prevent drilling the pins or the sidebar.  Don't know about the others.

Key duplication - lots of hardware stores have Medeco key machines; you
probably have to go to a locksmith to get the Keso or Kaba key duplicated.
If you're concerned about someone borrowing the key and duplicating it,
then making unauthorized use at another time, and you want to go Medeco,
you can get a cylinder using a restricted blank.  Copies are only
available by mail with an authorized signature.

If you don't want to frustrate a burglar, don't bother with a lock at
all!  :-)

A healthy application of epoxy will screw up any of the locks equally
well.  If you're worried about that, then the physical security of the
Medeco might be a drawback.  (Harder for you to drill out if necessary.)
A good combination lock will avoid the problems of a keyhole that can be
blocked.  For that matter, a magnetic lock also has an advantage - if the
keyhole is blocked, you can simply drill & file it out without worrying
about damaging pins.  Miwa (sp?) makes cylinders that operate with a
magnetic key.

Larry Margolis, MARGOLI@YKTVMV (bitnet), MARGOLI@IBM.COM (csnet)

-----------[000071][next][prev][last][first]----------------------------------------------------
Date:      15 Mar 90 19:30:10 EST (Thu)
From:      simsong@prose.cambridge.ma.us (Simson L. Garfinkel)
To:        trwacs!epstein@uunet.uu.net
Cc:        security@pyrite.rutgers.edu
Subject:   Answerback
So the system's entire security was based on physical security of the
terminals?  And there was no auditing --- that is, I could do
something on your terminal, and it would look like you did it?

This doesn't seem very secure.  Even the airline reservation systems
require that individuals type in their passwords.

-----------[000072][next][prev][last][first]----------------------------------------------------
Date:      Thu, 15 Mar 90 20:23:16 EST
From:      Miguel_Cruz@ub.cc.umich.edu
To:        security@pyrite.rutgers.edu
Subject:   Re: Answerback
> I worked on one system that used answerbacks to automatically log users in
 
But that way, any old crook could just walk up to someone's terminal and have
their access... night cleaning crews, the person's kids, anyone.
 
Miguel
 

-----------[000073][next][prev][last][first]----------------------------------------------------
From:      Troy Landers <sequent!tlanders@cse.ogi.edu>  17-MAR-1990  2:26:29
To:        misc-security@tektronix.tek.com
I know it is, at least on some cards.  When I lived in Illinos, the bank
that I used had this little box that resembled one of those automatic
credit card calling thingamagigs.  When I opened my account, they gave
me a card, left me alone in the room (in the vault) and told
me how to use it.  All I did was type my PIN number, press a button, and
"swipe" my card through it.  Voilla, my card was now encoded with my
PIN.  I didn't think about it too much at the time, mostly because
I wasn't aware of all the sneaky things crooks can do, and because I
was a student and didn't have any money to steal anyway :-).  Now I
think I would be more reluctant to use a bank with such a system.
Who knows?

Troy

-------------------------------------------------------------------------------
Troy Landers                                   Sequent Computer Systems Inc.
UUCP:  ...!sequent!tlanders                    15450 S.W. Koll Parkway
Phone: (503) 626-5700 x4491                    Beaverton, Oregon 97006-6063

                  *** My opinions are precisely that! ***
-----------[000074][next][prev][last][first]----------------------------------------------------
From:      netcom!onymouse@claris.com (John Debert)  17-MAR-1990  2:27:11
To:        misc-security@ames.arc.nasa.gov
Many banks, not-so-long-ago, did record passcodes on the card. That way,
they didn't have to use their computer resources for such piddly things.
Also, access control software was not yet being produced that was reliable.
It was much easier to leave such things up to the ATM. 

A certain American bank still records passcodes in some cards, if not all.
They still use ATM's that expect the passcode to be there.

jd 
onymouse@netcom.UUCP
-----------[000075][next][prev][last][first]----------------------------------------------------
Date:      15 Mar 90 17:31:21 GMT
From:      nagle@well.sf.ca.us (John Nagle)
To:        misc.security
Subject:   Re: Medeco vs Keso vs Kaba


      The first major installation of the Sargent Keso system was at
Case Institute of Technology in the 1960s.  It was then called the
"Maximum Security" system.  It wasn't.  One person had made a grand
master for the system within days of installation.

      Weaknesses:

	1.  There are only three depths for each dimple in the keys,
	    and they can be easily distinguished visually.  So, if
	    you get a glance at a key, you can remember the code
	    and make your own key later.

	2.  The keys are easy to make in a drill press.  The blank is
	    just a piece of rod with a diamond-shaped cross section.

	3.  This is really just an unusual form of pin-tumbler lock,
	    with all the usual vulnerabilities, including those of 
	    master-keyed systems.

				John Nagle

-----------[000076][next][prev][last][first]----------------------------------------------------
From:      night@pawl.rpi.edu (Trip Martin)  17-MAR-1990  2:50:37
To:        ???
When I got my cash card back in Sept, the bank told me that the access
code was indeed put on the card itself, and implied that this was better
because then no bank records would have the access code.  In fact, they
had my type in my desired access code into a machine which then then ran
the card through.  

Trip Martin
night@pawl.rpi.edu
-- 

Trip Martin
night@pawl.rpi.edu
-----------[000077][next][prev][last][first]----------------------------------------------------
Date:      15 Mar 90 18:03:45 GMT
From:      MARGOLI@IBM.COM ("Larry Margolis")
To:        misc.security
Subject:   Medeco vs Keso vs Kaba

What are your concerns?  Pick resistance - all are fairly good; I'd
probably give the Medeco an edge, since I believe (although I'm not
certain) that the Keso / Kaba rely on having lots of pins and don't
add anything else to prevent picking, while the Medeco has a sidebar.

Physical security - Medeco cylinders have hardened steel inserts to
prevent drilling the pins or the sidebar.  Don't know about the others.

Key duplication - lots of hardware stores have Medeco key machines; you
probably have to go to a locksmith to get the Keso or Kaba key duplicated.
If you're concerned about someone borrowing the key and duplicating it,
then making unauthorized use at another time, and you want to go Medeco,
you can get a cylinder using a restricted blank.  Copies are only
available by mail with an authorized signature.

If you don't want to frustrate a burglar, don't bother with a lock at
all!  :-)

A healthy application of epoxy will screw up any of the locks equally
well.  If you're worried about that, then the physical security of the
Medeco might be a drawback.  (Harder for you to drill out if necessary.)
A good combination lock will avoid the problems of a keyhole that can be
blocked.  For that matter, a magnetic lock also has an advantage - if the
keyhole is blocked, you can simply drill & file it out without worrying
about damaging pins.  Miwa (sp?) makes cylinders that operate with a
magnetic key.

Larry Margolis, MARGOLI@YKTVMV (bitnet), MARGOLI@IBM.COM (csnet)

-----------[000078][next][prev][last][first]----------------------------------------------------
Date:      15 Mar 90 21:49:23 GMT
From:      netcom!onymouse@claris.com (John Debert)
To:        misc-security@ames.arc.nasa.gov
Subject:   Re: cop detectors
Of course, if a department doesn't want a deal on a quantity purchase of 
radios, the department may well buy several different makes/ models. Most
departments do buy one make and model, though, and do so in quantity. This
 way, they can get a discount and only need pay for one service contract.
It simpifies the problem of figuring out which freqs to check out.

>            ...  While a pocket scanner might receive all of the local
> oscillator frequencies used by the local police, its detection range would
> likely be less than a hundred feet.

OK, I confess: I am not picking up the LO from the hand-helds. The signal
is always on the repeater frequency. I don't know where it's coming from
inside the radio but I can detect it as much as 1/4 away with a good antenna.
(I'm about to see if I can pick up weaker sigs with an LNA after tha antenna.)
How did Motorola get away with producing radios like this, I don't know but
I don't really mind.

jd
onymouse@netcom.UUCP

-----------[000079][next][prev][last][first]----------------------------------------------------
Date:      16 Mar 90 01:06:20 GMT
From:      randall@UVAARPA.VIRGINIA.EDU (Randall Atkinson)
To:        misc.security
Subject:   Crime & Secure systems

Sun frequently implies that SunOS 4.x is a C2 system, but then in the
security features guide mentions that they never actually had it evaluated
by the NCSC.  After the Morris' worm, DEC made a great deal of the fact 
that Ultrix had been more "secure" than other vendors.  A more accurate
description would have been that DEC broke and lobomotomised Ultrix 
so that it can't do much of what other BSD systems can.

In any event, one doesn't sue the house builder when someone breaks 
down the door later on and vandalises the house.  Electronic crime 
isn't different from other crime and shouldn't be treated specially.

-----------[000080][next][prev][last][first]----------------------------------------------------
Date:      16 Mar 90 01:57:26 GMT
From:      gnf3e@uvacs.cs.Virginia.EDU (Greg Fife)
To:        misc-security@uunet.uu.net
Subject:   Re: Answerbacks / Vendor Liability
>> FINAL COMMENT:  The INTERNET virus should be treated as a product liability
>> question.  In my opinion, DEC and SUN should pay the cost of the cleanup

I like this analogy: the UNIX security features of DEC and SUN are like
the padlock that one would put on a tool shed.  It provides some level
of security at a moderate price, and any determined fool can get in with
a pair of bolt-cutters.  Just like you can spend more money to better secure
your shed, you can spend more staff hours ($$) or buy a more trusted
OS.

No one doubts that the man with the bolt-cutters should be tried as a thief,
and no one suggests that MasterLock should be sued when it happens.

                               Greg Fife
                               gnf3e@virginia.edu
                               uunet!virginia!uvacs!fife

-----------[000081][next][prev][last][first]----------------------------------------------------
Date:      16 Mar 90 02:23:27 GMT
From:      smb@ulysses.att.com (Steven M. Bellovin)
To:        misc-security@att.att.com
Subject:   Re: Computer Abuse / Product Liability / Criminal Statutes / ECPA
} -- the almighty PRESS has given the term "HACKER"
} a bad rap.......it's about time they, as well as others, come up with new
} terms other than "hacker(s)" to describe these actions.

You can't do that.  Language is determined by use, not fiat.  A few years
ago, ``hacker'' had a different meaning.  That's changed.

-----------[000082][next][prev][last][first]----------------------------------------------------
Date:      16 Mar 90 06:55:05 GMT
From:      kelly@uts.amdahl.com (Kelly Goen)
To:        misc.security
Subject:   Re: Who (Specificly) has Morris' Worm Code?


 Just to be slightly less informative 2600 magazine is a hacker
pub... and no I dont know the current address but I will find it and post...
   cheers
   kelly

-----------[000083][next][prev][last][first]----------------------------------------------------
Date:      Fri, 16 Mar 90 14:05:08 EST
From:      meister@gaak.lcs.mit.edu (phil servita)
To:        CAMPBELL@utoroci.bitnet
Cc:        SECURITY@pyrite.rutgers.edu
Subject:   Re:  Bank card tricks in Toronto
The old Docutel (Olivetti) bank machines did store the password on the stripe.
Not in plaintext, but with a very simple substution cipher which wasnt hard 
to break. These machines are no longer in use. 

The current crop of machines essentially does the following:

         1) Take the password as entered by the user.
         2) Append (prepend?) the account ID number.
         3) Take the whole shebang and encrypt (with some magic key)
            via DES. 
         4) Compare with an ENCRYPTED string stored on the card.
            (sort of like the unix login program)

The article you mentioned is leaving out an awful lot of details...

                                            -meister

-----------[000084][next][prev][last][first]----------------------------------------------------
Date:      16 Mar 90 12:03:58+0100
From:      Joseph C. Pistritto <jcp@cgch.uucp>
To:        security@pyrite.rutgers.edu
Subject:   trashcan security
        It seems extremely common these days for criminals to be
apprehended after extensive poking about in their rubbish.  Stuff like
paying the garbage collectors to deliver the trash to investigators or
merely poking around after dark.

        Of course, this leads to the question of WHY anyone with anything
to hide would merely THROW AWAY incriminating documents...

        The question is, of course, how common is this sort of thing
really, is any sort of a warrant required (in the US anyway), etc.

        Sort of the same problem in reverse applies to retailers, do
any of the credit card companies require that used credit card vouchers
be shredded or burned when disposed of, etc?
                                                -jcp-

======================================================================
Joseph C. Pistritto  HB9NBB N3CKF
                    'Think of it as Evolution in Action' (J.Pournelle)
  Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
  Internet: jcp@brl.mil                       Phone: (+41) 61 697 6155
  Bitnet:   bpistr%cgch.uucp@cernvax.bitnet   Fax:   (+41) 61 697 2435
  Also:     cgch!bpistr@mcsun.eu.net

-----------[000085][next][prev][last][first]----------------------------------------------------
Date:      16 Mar 90 21:35:01 GMT
From:      hollombe%sdcsvax@ttidca.tti.com (The Polymath)
To:        misc-security@sdcsvax.ucsd.edu
Subject:   Re: Home security
}I solved a similar problem with a set of exploding security bolts.  ...

This sounds drastic, dangerous and probably illegal.  Certainly not
something you want the average DIYer playing with.

Relevant building codes here require at least one window in every bedroom
to have a hinged set of bars that can be unlocked inside the room so they
swing away from the window, allowing exit in an emergency.  The locking
mechanism is purely mechanical, so there's no problem with burned through
wiring or shrapnel from explosive bolts killing your neighbor's child.

-- 
The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Citicorp(+)TTI                                    Illegitimis non
3100 Ocean Park Blvd.   (213) 450-9111, x2483       Carborundum
Santa Monica, CA  90405 {csun | philabs | psivax}!ttidca!hollombe

-----------[000086][next][prev][last][first]----------------------------------------------------
Date:      17 Mar 90 01:08:48 GMT
From:      b3s@psuecl.BITNET
To:        misc.security
Subject:   Night Goggles

Hello

Do you have any infomation where can I purchase Night Goggles?
I am studying Infrared Detectors and Night Goggles.
So I got a IR-Detector, but I couldn't find information on where to
buy Night Goggles. Can you help me ?
THANK YOU.
BCS.

-----------[000087][next][prev][last][first]----------------------------------------------------
Date:      Sat, 17 Mar 90 13:18:38 PST
From:      roeber@portia.caltech.edu
To:        security@pyrite.rutgers.edu
Subject:   Welcome banners
Welcome Banners

I recently got a DDN security bulletin (# 90-04) that mentioned that one
should make sure any computer welcome banners did not contain the word
"Welcome."  (The default message on some machines is to have the banner
be "Welcome to [nodename].")  In a recent court case, a judge threw out
a case against a hacker because (he ruled) the message "Welcome to ..."
was a clear invitation to everyone..  The bulletin also suggested that
the banners not contain system information (e.g., "VAX/VMS 5.2 on VAX
11/780"), as this can be useful to hackers; it should also not contain
the words "for official use only," because it seems that to hackers, this
message means it *must* be defense (or at least evil-government) related,
and therefore attracts them in droves.

Cheers,
Frederick Roeber
roeber@caltech.edu (or) roeber@caltech.bitnet

-----------[000088][next][prev][last][first]----------------------------------------------------
Date:      Sat, 17 Mar 90 21:28:51 EST
From:      Mike <MEYSTMA@duvm.ocs.drexel.edu>
To:        Multiple Recipients of list Security-L
Subject:   National Security Agency
     NSA is the National Security Agency. Located in Fort Meade, MD,
     they are in charge of obtaining and analysing signals intelligence.

     They are more secretive than the CIA, and no research information
     is available from them.

     Personal note: "Hell, if they knew you were axing about 'em,
     they'd probably ax the DIA to investigate you!"

     Michael A. Meystel
     LAMIR
     P.O. BOX 374
     Merion Station, Pa 19066-0374

     Internet  : meystma@duvm.ocs.drexel.edu
       Bitnet  : meystma@duvm.bitnet
   COMPUSERVE  : 71540,2726
        GEnie  : M.MEYSTEL
       DELPHI  : IMAS

-----------[000089][next][prev][last][first]----------------------------------------------------
Date:      Sun, 18 Mar 90 02:07:43 CST
From:      "Rich Winkel    UMC Math Department" <MATHRICH@umcvmb.bitnet>
To:        security@tcsvm
Subject:   re: national security archives
I have a blurb on them:
"The National Security Archive is an innovative non-profit research
institute and library facility which serves scholars, journalists, congress,
present and former policy makers, public interest organizations and the
american public by making available the internal government documentation
that is indispensable for reasearch and informed public debate on foreign,
intelligence, defense and international economic policy."
They get their info from unclassified govt documents, congressional
testimony, court records, presidential libraries, FOIA battles and other
sources.  They publish their documents and indices on microform which they
distribute to libraries for a fee.
This is where dangerous kooks who would question the wisdom of our national
leaders can stretch their first amendment rights to the limit, at least for
the time being.  But who really wants to know about US complicity in iranian
torture under the shah, or kissinger's deal with nixon to sabotage LBJ's
vietnam peace talks in exchange for his appointment in the nixon white house,
or the domestic propaganda ministry operating out of the US state department,
or the REAL reasons for our invasion of panama etc etc etc.
Their phone number is 202-797-0882.

Rich

-----------[000090][next][prev][last][first]----------------------------------------------------
Date:      17 Mar 90 21:18:38 GMT
From:      roeber@PORTIA.CALTECH.EDU
To:        misc.security
Subject:   Welcome banners

Welcome Banners

I recently got a DDN security bulletin (# 90-04) that mentioned that one
should make sure any computer welcome banners did not contain the word
"Welcome."  (The default message on some machines is to have the banner
be "Welcome to [nodename].")  In a recent court case, a judge threw out
a case against a hacker because (he ruled) the message "Welcome to ..."
was a clear invitation to everyone..  The bulletin also suggested that
the banners not contain system information (e.g., "VAX/VMS 5.2 on VAX
11/780"), as this can be useful to hackers; it should also not contain
the words "for official use only," because it seems that to hackers, this
message means it *must* be defense (or at least evil-government) related,
and therefore attracts them in droves.

Cheers,
Frederick Roeber
roeber@caltech.edu (or) roeber@caltech.bitnet

-----------[000091][next][prev][last][first]----------------------------------------------------
Date:      18 Mar 90 02:28:51 GMT
From:      MEYSTMA@DUVM.OCS.DREXEL.EDU (Mike)
To:        misc.security
Subject:   National Security Agency


     NSA is the National Security Agency. Located in Fort Meade, MD,
     they are in charge of obtaining and analysing signals intelligence.

     They are more secretive than the CIA, and no research information
     is available from them.

     Personal note: "Hell, if they knew you were axing about 'em,
     they'd probably ax the DIA to investigate you!"

     Michael A. Meystel
     LAMIR
     P.O. BOX 374
     Merion Station, Pa 19066-0374

     Internet  : meystma@duvm.ocs.drexel.edu
       Bitnet  : meystma@duvm.bitnet
   COMPUSERVE  : 71540,2726
        GEnie  : M.MEYSTEL
       DELPHI  : IMAS

-----------[000092][next][prev][last][first]----------------------------------------------------
Date:      18 Mar 90 08:07:43 GMT
From:      MATHRICH@umcvmb.BITNET ("Rich Winkel    UMC Math Department")
To:        misc.security
Subject:   re: national security archives

I have a blurb on them:
"The National Security Archive is an innovative non-profit research
institute and library facility which serves scholars, journalists, congress,
present and former policy makers, public interest organizations and the
american public by making available the internal government documentation
that is indispensable for reasearch and informed public debate on foreign,
intelligence, defense and international economic policy."
They get their info from unclassified govt documents, congressional
testimony, court records, presidential libraries, FOIA battles and other
sources.  They publish their documents and indices on microform which they
distribute to libraries for a fee.
This is where dangerous kooks who would question the wisdom of our national
leaders can stretch their first amendment rights to the limit, at least for
the time being.  But who really wants to know about US complicity in iranian
torture under the shah, or kissinger's deal with nixon to sabotage LBJ's
vietnam peace talks in exchange for his appointment in the nixon white house,
or the domestic propaganda ministry operating out of the US state department,
or the REAL reasons for our invasion of panama etc etc etc.
Their phone number is 202-797-0882.

Rich

-----------[000093][next][prev][last][first]----------------------------------------------------
From:      roeber@portia.caltech.edu  19-MAR-1990 23:14:01
To:        security@pyrite.rutgers.edu
An article in the Los Angeles Times, about some people who made phony ATM
cards from paper stock and audio magnetic tape, indicates that the PIN
code is not stored on the cards.  The people could program the cards with
bank account numbers, but the security hole that allowed them to steal
money was that one of them, an employee or ex-employee, could reprogram
the PINs in the bank database.  If the PIN was stored on the card, they
could have just picked any number.  However, my bank insists that to
change my PIN they must re-issue my card.  Perhaps there is some type of
encryption/verification going on?

Question: ATMs use phone lines.  Is there any sort of encryption on these
lines, to prevent wiretappers from gleaning valid account/PIN combinations?

Frederick Roeber
roeber@caltech.bitnet
roeber@caltech.edu
-----------[000094][next][prev][last][first]----------------------------------------------------
Date:      Sun, 18 Mar 90 21:39 EST
From:      "Rob Rothkopf -- CCR, CNS&M" <MASROB@ubvmsc.cc.buffalo.edu>
To:        security@pyrite.rutgers.edu
Subject:   Locks/Security in large institutions (e.g. Universities)
Two questions:

1) In institutions which have frequent room rotations, as in the
   dormitories of a University, what kinds of policies have been
   implemented to keep the rooms secure from year to year at your
   institution?  Cylinder rotations can be complicated and costly
   (institutional politics) if done on a yearly basis but without
   such actions it would seem that the new residents relatively
   unsafe.

2) Does anyone have an automated (no security people watching over
   constantly) and *secure* building entrance system (or have you
   seen any) in your living area (again, this is primarily focused
   at the dormitory setting)?  I've seen where all the buildings are
   locked and students are given the building key, but this policy
   is but a show to look good for parents; in most cases a stranger
   can simply wait for a key holder to gain entrance and call out
   to "hold the door for one sec!."

As some quick background, the reason for my questions (many thanks
to those who responded to my request for information on integrated
Card Systems!) is that the University of Buffalo has been selected
as the site for the 1993 World Universiad (University Olympic Games)
and is actively investigating new methods of securing the dorm area
which will serve many of the athletes (if not all) (not that current
methods are faulty.. only that additional/alternate methods are being
considered).

Either send replies to me personally or, preferably, post to this list if
you think the content will interest others.

Thanks for any help you can give!

				--Rob Rothkopf

-----------[000095][next][prev][last][first]----------------------------------------------------
From:      Craig Leres <leres@helios.ee.lbl.gov>  20-MAR-1990  4:30:19
To:        security@rutgers.edu
Quite some time ago, the transaction cards spawned by my bank's ATMs
were changed so that the last two digits of the account number are
printed as XX. This helps protect those people who leave them behind.
(It doesn't help them balance their checkbooks, though.)

		Craig
-----------[000096][next][prev][last][first]----------------------------------------------------
Date:      19 Mar 90 04:49:21 GMT
From:      root@grumbly.UUCP (Superuser)
To:        misc.security
Subject:   Re: thermal lances (was: vault doors)

->Anyone who hasn't seen one of these in action is advised to check out the
->movie "Thief" ...

Then after you've seen the movie - read the book 'the real story'.  The movie
doesn't follow it very well.  Book gives very detailed descriptions of a
pro burgler working for the mob.

				Richard Ducoty

-----------[000097][next][prev][last][first]----------------------------------------------------
Date:      19 Mar 90 04:49:21 GMT
From:      grumbly!root@uunet.uu.net (Superuser)
To:        misc-security@uunet.uu.net
Subject:   Re: thermal lances (was: vault doors)
->Anyone who hasn't seen one of these in action is advised to check out the
->movie "Thief" ...

Then after you've seen the movie - read the book 'the real story'.  The movie
doesn't follow it very well.  Book gives very detailed descriptions of a
pro burgler working for the mob.

				Richard Ducoty

-----------[000098][next][prev][last][first]----------------------------------------------------
Date:      Mon, 19 Mar 1990 11:23:59 CST
From:      MCDONALD@vax1.umkc.edu (Gary Lee McDonald)
To:        security@pyrite.rutgers.edu
Subject:   Network security problem?
NetFolk,

  My morning paper (The Kansas City Star, Monday, March 19, 1990) carried
a column from The New York Times concerning a new network problem.  Machines
at LNL DEC,  and several other places have been attacked by program to steal
password file.  Implied unix systems involved, but does anyone know exactly
which machines, which operating systems?  I'm sure *many* others will be
interested in any knowledgable responses!

UMKC					GaryM.  BITNET contact UMKCVAXn (n=1,3)
5100 Rockhill Road			Univ. of Mo. at K.C.
Cockefair Hall				MCDONALD @ UMKCVAX1.BITNET
Room 2, Gary Lee McDonald		MCDONALD @ VAX1.UMKC.EDU
Kansas City, Mo. 64110			POSTMASTER @ either domain

-----------[000099][next][prev][last][first]----------------------------------------------------
Date:      Mon, 19 Mar 90 12:47:31 EST
From:      ecl@mtgzy.att.com (Evelyn C Leeper)
To:        misc-security@att.att.com
Subject:   Debate on Computer Hacking
Harper's Magazine (March 1990 issue) has an on-line debate amongst 20 people
(including Clifford Stoll, the author of THE CUCKOO'S EGG) on the subject of
computer hacking.

I don't think I can summarize it well, so go to your local bookstore or library
and read it for yourself.

Evelyn C. Leeper  |  +1 201-957-2070  |  att!mtgzy!ecl or  ecl@mtgzy.att.com
--
The only thing necessary for the triumph of evil is for good men to do nothing. 
                                                            -Edmund Burke

-----------[000100][next][prev][last][first]----------------------------------------------------
Date:      19 Mar 90 17:47:31 GMT
From:      ecl@mtgzy.att.com (Evelyn C Leeper)
To:        misc.security
Subject:   Debate on Computer Hacking

Harper's Magazine (March 1990 issue) has an on-line debate amongst 20 people
(including Clifford Stoll, the author of THE CUCKOO'S EGG) on the subject of
computer hacking.

I don't think I can summarize it well, so go to your local bookstore or library
and read it for yourself.

Evelyn C. Leeper  |  +1 201-957-2070  |  att!mtgzy!ecl or  ecl@mtgzy.att.com
--
The only thing necessary for the triumph of evil is for good men to do nothing. 
                                                            -Edmund Burke

-----------[000101][next][prev][last][first]----------------------------------------------------
From:      hollombe%sdcsvax@ttidca.tti.com (The Polymath)  21-MAR-1990  7:56:01
To:        misc-security@sdcsvax.ucsd.edu
Many teller machines have cameras associated with them.  They can
photograph the person making every transaction.

}Does anyone know if the access code is, in fact, also on the mag
}stripe?

This varies by bank.  While the ANSI standard does give a format for each
of the three tracks on the magnetic strip, in practice each issuing
organization uses proprietary systems.  Putting the card number on track
two is pretty universal.  Track one often includes a repeat of the card
number and the card holder's name, among other things.  Track three is
writable and may include up to date account information.  A few banks are
foolish enough to put the cardholder's PIN on the card -- sometimes
encrypted, sometimes not.  Many systems only look at track two.

I'm not sure what you mean by "access code." The card number includes
fields that identify the issuing bank.

-- 
The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Citicorp(+)TTI                                    Illegitimis non
3100 Ocean Park Blvd.   (213) 450-9111, x2483       Carborundum
Santa Monica, CA  90405 {csun | philabs | psivax}!ttidca!hollombe
-----------[000102][next][prev][last][first]----------------------------------------------------
Date:      Tue, 20 Mar 90 10:38:03 -0500
From:      James M Galvin <galvin@tis.com>
To:        Doug Gwyn <gwyn@smoke.brl.mil>
Cc:        misc-security@rutgers.edu
Subject:   Re: Answerbacks / Vendor Liability
   I've never seen any claims by DEC, Sun, or more to the point, UCB that
   their UNIX-based operating systems were secure; have you?  What is the
   point of making innocent manufacturers responsible for some person's
   malicious abuse of their products?

I am sorry, but I just do not agree with you.  While I could accept the fact
that UCB is a research institution providing a warrantless service to a
community, Sun and DEC do not fall into that category.  They are commercial
institutions selling a service to the same community.  They are not completely
innocent by any stretch of the imagination.

Oh, they might argue they make no claims as to the suitability of their
product for any particular purpose, but distributing a product with DEBUG
enabled demonstrates a blatant lack of concern for the community in which they
sell their services.  They should be held accountable.

I do not believe this has anything to do with being secure.  It is a question
of good programming practices and acceptable software distribution
practices.

And just to be fair, almost every hardware and software vendor today is guilty
of the same crime.  I only wish the justice system would see it that way.

We can go back and forth about whether or not they should have noticed the
DEBUG option being set, but, if I were Robert Morris, and really did not have
any bad intentions (but then again with our legal system it doesn't really
matter), I would have immediately counter sued Sun and DEC.  Wishful thinking
suggests every one who was infected by the problem should join the cause.

Jim

-----------[000103][next][prev][last][first]----------------------------------------------------
Date:      Tue, 20 Mar 90 08:50 CST
From:      "Assistant Director (Academic)" <BELL@uwpg02.uwinnipeg.ca>
To:        security <@ohstvma.ircc.ohio-state.edu:security@pyrite.rutgers.edu>
Subject:   Hardwired Home Security systems
I need some info on hardwired home security systems.  I have a home
which has been pre-wired with the contacts in place for the windows
and doors.  What I now need to get is the electronics (wire-panel, control
panel, siren, etc) .  Any good suggestions of companies that supply
these instruments would be much appreciated.  Many thanks.
-dave-

-----------[000104][next][prev][last][first]----------------------------------------------------
Date:      Tue, 20 Mar 90 08:55 EST
From:      JBH technical                        <JBHTECH@irishmvs.bitnet>
To:        Security Digest                      <Security@ohstvma.bitnet>
Subject:   New superhacker at work?
     Has anyone heard or seen anything anywhere about a new
'superhacker' breaking into various sites on the Internet
recently?  I just caught the tail end of a mention of it on
ABC-TV's World News Tonight with Peter Jennings last night
(Mon, 19 March).  Having just finished reading The Cuckoo's
Egg, and hearing that Harvard was one of the places this
person apparently tried to get into, my first thought was to
wonder if Cliff Stoll is being diverted from astronomy again
to go after this person :-)

                                                 John

-----------[000105][next][prev][last][first]----------------------------------------------------
Date:      Tue, 20 Mar 90 17:53 EST
From:      DXB4769@ritvax.bitnet
To:        security@pyrite.rutgers.edu
Subject:   Re: cordless privacy
>...just because people have reasonable expectations of a right of
>privacy against government eavesdropping, that doesnt mean that the
>*government* respects those rights...

 Government "bashing" statements like this are unsupported in fact,
and really uncalled for. Granted, maybe in the Hoover days gov't
intrusion was definately questionable, but in our current society,
government respects individual rights.  The courts support
the government in "eavesdropping" cases - surveillance, that is -
because given probable cause, it is absolutely permittable, and I
would argue the *responsibility* of the government to take
advantage of the technological resources they control in order
to conduct an investigation and bring criminals to justice.
 There is no question that power of this kind must be checked to
avoid a "Big Brother" society, and it is checked - by other branches
of government (I hope we all remember this from Elementary School).
To make unfounded accusations against our government is in effect
condemning our entire system.

- Dave Bafumo

Rochester Insitute of Technology
Criminal Justice (Student)

BITNET: dxb4769@ritvax
INTERNET: dxb4769@ultb.isc.rit.edu
CIS   : 73147,3026

*********************************************************************
Disclaimer: All opinions are my own.
*********************************************************************

-----------[000106][next][prev][last][first]----------------------------------------------------
Date:      20 Mar 90 14:50:00 GMT
From:      BELL@uwpg02.uwinnipeg.ca ("Assistant Director ", Academic)
To:        misc.security
Subject:   Hardwired Home Security systems

I need some info on hardwired home security systems.  I have a home
which has been pre-wired with the contacts in place for the windows
and doors.  What I now need to get is the electronics (wire-panel, control
panel, siren, etc) .  Any good suggestions of companies that supply
these instruments would be much appreciated.  Many thanks.
-dave-

-----------[000107][next][prev][last][first]----------------------------------------------------
Date:      20 Mar 90 15:38:03 GMT
From:      galvin@TIS.COM (James M Galvin)
To:        misc.security
Subject:   Re: Answerbacks / Vendor Liability


   I've never seen any claims by DEC, Sun, or more to the point, UCB that
   their UNIX-based operating systems were secure; have you?  What is the
   point of making innocent manufacturers responsible for some person's
   malicious abuse of their products?

I am sorry, but I just do not agree with you.  While I could accept the fact
that UCB is a research institution providing a warrantless service to a
community, Sun and DEC do not fall into that category.  They are commercial
institutions selling a service to the same community.  They are not completely
innocent by any stretch of the imagination.

Oh, they might argue they make no claims as to the suitability of their
product for any particular purpose, but distributing a product with DEBUG
enabled demonstrates a blatant lack of concern for the community in which they
sell their services.  They should be held accountable.

I do not believe this has anything to do with being secure.  It is a question
of good programming practices and acceptable software distribution
practices.

And just to be fair, almost every hardware and software vendor today is guilty
of the same crime.  I only wish the justice system would see it that way.

We can go back and forth about whether or not they should have noticed the
DEBUG option being set, but, if I were Robert Morris, and really did not have
any bad intentions (but then again with our legal system it doesn't really
matter), I would have immediately counter sued Sun and DEC.  Wishful thinking
suggests every one who was infected by the problem should join the cause.

Jim

-----------[000108][next][prev][last][first]----------------------------------------------------
Date:      21 Mar 90 08:12:00 EST
From:      "MCCREA, SAM" <mccrea@ecf.ncsl.nist.gov>
To:        "security" <security@pyrite.rutgers.edu>
Subject:   glossaries
The National Institute of Standards and Technology (NIST, formerly NBS)
will be replacing its outdated FIPS PUB 39 (Computer Security Glossary)
with a FIPS PUB that will be a bibliography of computer security
glossaries from both the private sector and federal government agencies.
If anyone knows of any existing computer security glossaries please
send netmail to:
 
      mccrea@ecf.ncsl.nist.gov  (Internet)
                 or
      mccrea%ecf.ncsl.nist.gov@cunyvm.cuny.edu  (Bitnet)

Thank you very much,
Sam

-----------[000109][next][prev][last][first]----------------------------------------------------
From:      "Don't have a cow, man!" <AEWALSH@fordmurh.bitnet>  23-MAR-1990 16:25:55
To:        security@ohstvma
A large commercial bank at which I used to bank had a system for "initializing"
and changing one's PIN as follows:
        1.  An administrator's card was swiped into a medium-sized device
            that had an LED screen and numeric keypad.  After entering his/her
            code, the customer's card was "swiped".
        2.  The administrator entered the card/account number.
        3.  The customer entered the desired PIN twice.

Futhermore, American Express offers a program called "Cash Now".  Essentially,
it enables you to withdrawl cash or purchase travelers checks at almost any
ATM around the world.  On more than one occasion, I have forgotten my PIN number
for my AMEX card.  After calling the 800 number, and providing information
about my account (last purchase, etc.), I have been able to change the PIN
over the phone.  Scary, isn't it?

My *guess* is that the PIN is not stored on the Mag strip.  Rather, it is
accessed into the bank/institution's computer.  Just a guess.

Jeffrey Walsh
AEWALSH@FORDMURH
-----------[000110][next][prev][last][first]----------------------------------------------------
Date:      Thu, 22 Mar 90 22:38:43 CDT
From:      phil@wubios.wustl.edu (J. Philip Miller)
To:        security@pyrite.rutgers.edu
Subject:   Caller ID (fwd)
That is fine, I will then program my BBS to not accept any call which is
blocked.  As long as it is not possible to forge the calling number, this is
rather effective.

-phil

-- 
     J. Philip Miller, Professor, Division of Biostatistics, Box 8067
	 Washington University Medical School, St. Louis MO 63110
phil@wubios.WUstl.edu - Internet  (314) 362-3617   phil@wubios.wustl - bitnet
uunet!wuarchive!wubios!phil-UUCP (314) 362-2693(FAX)  C90562JM@WUVMD - bitnet

-----------[000111][next][prev][last][first]----------------------------------------------------
Date:      22 Mar 90 23:25:19 GMT
From:      rop@neabbs.UUCP (HACK-TIC)
To:        misc.security
Subject:   Re: Computer Abuse / Product Liability / Criminal Statutes / ECPA

Maybe a good definition of a hacker:
 
A hacker is someone who is too busy doing weird things using
technology to concern him/herself with defining the term 'hacker'.
 
I don't mean to kill a good discussion here, I just feel that
discussions about the definition of the term 'hacker' tend to get
boring and predictable after two or three messages. Much more
interesting (reffering to the 2nd of March message) is the question
wether playing a game on a computer 20.000 miles away isn't a much
more efficient way of learning something than going to school in the
first place.
 
Rop Gonggrijp, editor of Hack-Tic, a magazine for Dutch hackers....

-----------[000112][next][prev][last][first]----------------------------------------------------
Date:      23 Mar 90 08:44:33 GMT
From:      gwyn@SMOKE.BRL.MIL (Doug Gwyn)
To:        misc.security
Subject:   Re: Who (Specificly) has Morris' Worm Code?

>Just how easy do you think it is to disassemble a program from machine
>language into source code form?

I don't know a suitable metric for this.  (I know it's easy, though
tedious, for me.)  However, some indication can be gained by observing
that certainly hundreds, possibly thousands, of "crackers" routinely
disassemble copy-protected applications in order to understand the (often
deliberately convoluted) code well enough to strip off copy protection.
Don Lancaster explained several of the tricks of the trade in one of his
Apple II enhancement books.

> I'd say it takes more "reverse-engineering" than most system
> administrators have the knowledge, time or desire to put into it.

Judging by "The Cuckoo's Egg" and personal experience, I'd say that
most system administrators aren't very competent, period.  I certainly
wouldn't ask one of them to disassemble object code; there are many
other people with skill in that area who would be a better choice.

To give you a small taste of what is involved, let's consider a binary
executable image (without symbol table, to make it harder) from, say, a
PDP-11 UNIX system and some of the initial steps one might take to
disassemble it.

1.  Devise plausible environmental hypotheses, which can be checked and
revised as the work proceeds.  E.g. probably the source language was C
and the standard C library was linked into the image after all the
application-specific object code.

2.  Print out a dump of the code.  If it's UNIX, you can tell code from
data because they're in different load segments that are clearly
spelled out by a small initial header attached to the load image.
If you can't figure out where the code is, dump it all as instructions
as well as hex words and characters; clear character strings must be
data (as well as important operational clues), and gobbledegook
instruction sequences must be either data or correct instructions
decoded with the wrong starting offset (with variable-length instructions
it will converge to correct synchronization within a few instructions).

3.  Mark subroutine boundaries.  These are easy to spot by their
characteristic instructions.  Also mark (in a different color)
subroutine calls.

4.  Using knowledge of how the compiler generates code, identify
automatic variables, statics, etc. used within a given function as
guidelines in decoding it.  E.g. registers 0&1 are temporaries,
2-5 are used for "register" autos, and 6&7 are reserved for SP and PC.
You can generally recognize when a long int is being accessed from
the characteristic code, and similarly for other situations.

5.  Figure out what some of the small subroutines do, give them
meaningful names (e.g. ring_bell()), and write these labels beside
all calls to them.

6.  Now iterate to somewhat larger functions that use several of the
smaller ones you've already decoded and assigned names.  As you figure
them out treat them as in step 5 and iterate with yet larger functions.

7.  Occasionally, it can be useful to extract the instructions for
some mysterious function into a genuine assembly-language or even C
source file, assemble it, and call it from a test program you write to
explore the behavior of the function in question.

8.  Persistence is rewarded.

-----------[000113][next][prev][last][first]----------------------------------------------------
Date:      23 Mar 90 08:44:33 GMT
From:      Doug Gwyn <gwyn@smoke.brl.mil>
To:        misc-security@rutgers.edu
Subject:   Re: Who (Specificly) has Morris' Worm Code?
>Just how easy do you think it is to disassemble a program from machine
>language into source code form?

I don't know a suitable metric for this.  (I know it's easy, though
tedious, for me.)  However, some indication can be gained by observing
that certainly hundreds, possibly thousands, of "crackers" routinely
disassemble copy-protected applications in order to understand the (often
deliberately convoluted) code well enough to strip off copy protection.
Don Lancaster explained several of the tricks of the trade in one of his
Apple II enhancement books.

> I'd say it takes more "reverse-engineering" than most system
> administrators have the knowledge, time or desire to put into it.

Judging by "The Cuckoo's Egg" and personal experience, I'd say that
most system administrators aren't very competent, period.  I certainly
wouldn't ask one of them to disassemble object code; there are many
other people with skill in that area who would be a better choice.

To give you a small taste of what is involved, let's consider a binary
executable image (without symbol table, to make it harder) from, say, a
PDP-11 UNIX system and some of the initial steps one might take to
disassemble it.

1.  Devise plausible environmental hypotheses, which can be checked and
revised as the work proceeds.  E.g. probably the source language was C
and the standard C library was linked into the image after all the
application-specific object code.

2.  Print out a dump of the code.  If it's UNIX, you can tell code from
data because they're in different load segments that are clearly
spelled out by a small initial header attached to the load image.
If you can't figure out where the code is, dump it all as instructions
as well as hex words and characters; clear character strings must be
data (as well as important operational clues), and gobbledegook
instruction sequences must be either data or correct instructions
decoded with the wrong starting offset (with variable-length instructions
it will converge to correct synchronization within a few instructions).

3.  Mark subroutine boundaries.  These are easy to spot by their
characteristic instructions.  Also mark (in a different color)
subroutine calls.

4.  Using knowledge of how the compiler generates code, identify
automatic variables, statics, etc. used within a given function as
guidelines in decoding it.  E.g. registers 0&1 are temporaries,
2-5 are used for "register" autos, and 6&7 are reserved for SP and PC.
You can generally recognize when a long int is being accessed from
the characteristic code, and similarly for other situations.

5.  Figure out what some of the small subroutines do, give them
meaningful names (e.g. ring_bell()), and write these labels beside
all calls to them.

6.  Now iterate to somewhat larger functions that use several of the
smaller ones you've already decoded and assigned names.  As you figure
them out treat them as in step 5 and iterate with yet larger functions.

7.  Occasionally, it can be useful to extract the instructions for
some mysterious function into a genuine assembly-language or even C
source file, assemble it, and call it from a test program you write to
explore the behavior of the function in question.

8.  Persistence is rewarded.

-----------[000114][next][prev][last][first]----------------------------------------------------
Date:      24 Mar 90 00:43:57 GMT
From:      "William K. McFadden" <bill@videovax.tv.tek.com>
To:        misc-security@tektronix.tek.com
Subject:   Re: Caller ID
How about: You give me your phone number, or I won't answer the phone.
Programming a BBS to enforce this policy should be pretty simple, assuming you
can get a Caller ID box with a serial port.  In fact, I can see a programmable
phone offering this feature (don't ring if caller blocks number) as being a hot
item.  Of course, it should also contain a list of numbers you don't like and
check any incoming calls against the list.  And a big red button (labeled
"BOZO") that instantly hangs up on the caller and adds his number to the list.
Yeah, that's the ticket!
-- 
Bill McFadden    Tektronix, Inc.  P.O. Box 500  MS 58-639  Beaverton, OR  97077
bill@videovax.tv.tek.com,     {hplabs,uw-beaver,decvax}!tektronix!videovax!bill
Phone: (503) 627-6920       "The biggest difference between developing a missle
component and a toy is the 'cost constraint.'" -- John Anderson, Engineer, TI

-----------[000115][next][prev][last][first]----------------------------------------------------
Date:      24 Mar 90 06:52:43 GMT
From:      dmr@alice.att.com
To:        misc-security@uunet.uu.net
Subject:   Re: Contest announcement
My own contest is "Most appalling display of classlessness in dealing with
a serious subject."  The nominees are:

1) National Center for Computer Crime Data, Security Magazine, and
   Gene Spafford, for their "How High Shall We Hang Robert Morris?"
   contest.

2) Gene Spafford, for the most tasteless article ever to appear in CACM
   (special credits for the Jodie Foster joke).

		Dennis Ritchie

-----------[000116][next][prev][last][first]----------------------------------------------------
Date:      25 MAR 90 00:55:41 CDT
From:      MARK KINSLER <KINSLER@usmcp6.bitnet>
To:        <SECURITY@TCSVM>
Subject:   Opening an old safe
Re the locksmith in the little Ohio town who could open up an old
safe by feel:  Since it's a small town and probably doesn't have
a lot of safes in it, doesn't it seem likely that the guy knew
the combination and just said that he'd done it by feel?  He probably
knows every safe in the surrounding area.  Change the combination.

<kinsler@usmcp6.bitnet>, U of Southern Mississippi, Gulf Coast

-----------[000117][next][prev][last][first]----------------------------------------------------
Date:      25 Mar 90 05:55:41 GMT
From:      KINSLER@usmcp6.BITNET (MARK KINSLER)
To:        misc.security
Subject:   Opening an old safe

Re the locksmith in the little Ohio town who could open up an old
safe by feel:  Since it's a small town and probably doesn't have
a lot of safes in it, doesn't it seem likely that the guy knew
the combination and just said that he'd done it by feel?  He probably
knows every safe in the surrounding area.  Change the combination.

<kinsler@usmcp6.bitnet>, U of Southern Mississippi, Gulf Coast

-----------[000118][next][prev][last][first]----------------------------------------------------
Date:      Sun, 25 Mar 1990 14:13:19 EST
From:      *Hobbit* <hobbit@pyrite.rutgers.edu>
To:        security
Subject:   WARNING -- change in how "security" is delivered
I have changed my remailing method slightly, such that the return-path is
"/dev/null@localhost" instead of "security@pyrite.rutgers.edu".  Note that if
your mailer reads the return-path: header [as it should] when you reply to a
message, you will lose, so you may have to explicitly send to the list address
or who you intended to reply to.  This is actually a good thing, since simply
"replying" would sometimes send your reply to the incoming list feed instead of
the sender.  Then I'd get the message and wouldn't be able to tell where you
wanted to put it.  I get many of these, i.e. messages that look like the
person was trying to reply to a sender and wound up sending it to the list.  I
will grant you that this "unixish" syntax may not do the right thing on all
kinds of hosts, but it will still generate an invalid address and die where it
stands under any mailer that tries to return errors to return-path:.  Some
mailers return to Sender: which is also present; this I can't do much about.

This is in a weak attempt to reduce the large number of mailer failures I
get back every day.  It is very rare that all the addresses on the list
actually work at the same time -- there's always one losing host out there
someplace that ate its aliases file or can't find another machine farther
down the line.  This should make the errors die at the source.  I will
periodically send a message with the "real" return-path, just so I can update
my list and make sure things are still working.

This should also help me unload this perpetual backlog.  One thing that delays
resending is wading through all these mail failures and trying to deal with
them before I send out more messages.  I really wish people would keep their
mailers in better operating condition!

_H*

-----------[000119][next][prev][last][first]----------------------------------------------------
Date:      Sun, 25 Mar 90 17:38 CST
From:      MCDILDA_WA%ZOO <@utadnx.cc.utexas.edu:MCDILDA_WA@ZOO.decnet>
To:        security@pyrite.rutgers.edu
Subject:   Re: Opening an old safe?
   You also might try using a 'Black Light (UV)' to shine on the exterior
of the safe.  I tried this on an old safe, and found the combination written
in pencil on the back panel.  

Wayne McDilda
Network Specialist
Texas SP&GSC
Austin, Texas    (512) 475-2452   or mcdilda_wa@spgsc.decnet.utexas.edu

Disclaimer: I'm not paid enough to have my own opinions
            [ This is not my father's VAXmobile ]

-----------[000120][next][prev][last][first]----------------------------------------------------
Date:      25 Mar 90 18:05:12 GMT
From:      nagle@well.sf.ca.us (John Nagle)
To:        misc.security
Subject:   Re: "National Center for Computer Crime Data"

>All essays must be received by the National Center for Computer Crime
>Data, 1222-B 17th Avenue, Santa Cruz, CA, 95062 by March 28, 1990.

     Who are these guys?  Are they government, law enforcement, or are they
selling something?

					John Nagle

-----------[000121][next][prev][last][first]----------------------------------------------------
Date:      25 Mar 90 19:13:19 GMT
From:      hobbit@PYRITE.RUTGERS.EDU (*Hobbit*)
To:        misc.security
Subject:   WARNING -- change in how "security" is delivered

I have changed my remailing method slightly, such that the return-path is
"/dev/null@localhost" instead of "security@pyrite.rutgers.edu".  Note that if
your mailer reads the return-path: header [as it should] when you reply to a
message, you will lose, so you may have to explicitly send to the list address
or who you intended to reply to.  This is actually a good thing, since simply
"replying" would sometimes send your reply to the incoming list feed instead of
the sender.  Then I'd get the message and wouldn't be able to tell where you
wanted to put it.  I get many of these, i.e. messages that look like the
person was trying to reply to a sender and wound up sending it to the list.  I
will grant you that this "unixish" syntax may not do the right thing on all
kinds of hosts, but it will still generate an invalid address and die where it
stands under any mailer that tries to return errors to return-path:.  Some
mailers return to Sender: which is also present; this I can't do much about.

This is in a weak attempt to reduce the large number of mailer failures I
get back every day.  It is very rare that all the addresses on the list
actually work at the same time -- there's always one losing host out there
someplace that ate its aliases file or can't find another machine farther
down the line.  This should make the errors die at the source.  I will
periodically send a message with the "real" return-path, just so I can update
my list and make sure things are still working.

This should also help me unload this perpetual backlog.  One thing that delays
resending is wading through all these mail failures and trying to deal with
them before I send out more messages.  I really wish people would keep their
mailers in better operating condition!

_H*

-----------[000122][next][prev][last][first]----------------------------------------------------
Date:      25 Mar 90 23:38:00 GMT
From:      MCDILDA_WA@ZOO.decnet (MCDILDA_WA%ZOO)
To:        misc.security
Subject:   Re: Opening an old safe?


   You also might try using a 'Black Light (UV)' to shine on the exterior
of the safe.  I tried this on an old safe, and found the combination written
in pencil on the back panel.  

Wayne McDilda
Network Specialist
Texas SP&GSC
Austin, Texas    (512) 475-2452   or mcdilda_wa@spgsc.decnet.utexas.edu

Disclaimer: I'm not paid enough to have my own opinions
            [ This is not my father's VAXmobile ]

-----------[000123][next][prev][last][first]----------------------------------------------------
Date:      26 Mar 90 07:41:28 GMT
From:      annala@neuro.usc.edu (A J Annala)
To:        misc-security@ucbvax.berkeley.edu
Subject:   Re:  Opening an old safe?
Many people have the misconception (largely propagated by the media) that
safes can be opened by people using sensitive stethescopes.  However, by
and large no competent professional safecracker relies on sound.  Instead,
at least at the "agency" school, they teach students to rely on developing
a sensitive touch.  Many safes (particularly old crakerjack boxes) are not
built to particularly tight tolerances.  As a consequence, you can simply
feel the tumblers behind the dial when them impact each other.  By turning
the dial back and forth (let's not get too specific here) one can build up
a chart of where the tumblers impact each other and where the indentation
for the locking mechanism exists on each wheel.  More modern "spy proof" &
"manipulation proof" locks resist such penetration attempts.  However, if
you have a reasonably long period of time just about any safe can be opened.

A thermal lance is typically a hollow fuel rod with a high pressure oxygen
source in the center (2000-4000 psi gas tank) used to usually used to burn
through the exterior of a safe.  Unfortunately, they are very messy, loud,
emit a lot of light, and often burn up the contents of the safe.  You would
most often be better off getting inside knowledge about where to drill the
safe door, set up a jig with some low speed high torque drill and a set of
cobalt drill bits.  By the way, beware of alarm sensors and tear gas bottles
that may be hidden inside the door of the safe.

Apart from military operations, no one is fool enough to try to "blow" a
safe these days.  However, if you're in a hurry, spend a little time to
learn how to make shaped cutting charges to slice through the bolts in
the door of the safe.  Plastique will do the job in a pinch ... but some
time spend casting more uniform charges with metal liners will reduce the
amount of explosive and consequent mess to clean up.

If you want to do it right check out some old "It Takes A Thief" and the
more recent "Die Hard" movies.  They both illustrate appropriate methods
for opening the most resistant safes.

-----------[000124][next][prev][last][first]----------------------------------------------------
Date:      26 Mar 90 07:44:04 GMT
From:      annala@NEURO.USC.EDU (A J Annala)
To:        misc.security
Subject:   Re:  Opening an old safe?

One final note:  It is often easier to go through the walls of a safe or a
vault than it is to try to penentrate the door of the device.  This point
is often missed by the amateur who takes the challenge of opening the safe
head on.  

-----------[000125][next][prev][last][first]----------------------------------------------------
Date:      Mon, 26 Mar 90 17:15 EST
From:      "Don't have a cow, man!" <AEWALSH@fordmurh.bitnet>
To:        security@ohstvma
Subject:   Ink for Currency (was Computer Forged Documents -
While we're on the subject of paper for American currency, allow me to pose
a question on *ink*.

I was told that one of the ways (not THE way, if there is one) to double-check
for authenticity of a bill is to rub the face side on a piece of white paper.
In every case, a green smudge was produced.  One of my former managers told me
that this is a technique to weed out counterfeit currency, because the ink used
by the US Mint never "dries" - it will always yield a smudge.

Is this true?

Jeffrey
Fordham University
AEWALSH@FORDMURH

-----------[000126][next][prev][last][first]----------------------------------------------------
Date:      26 Mar 90 18:47:19 GMT
From:      nagle@well.sf.ca.us (John Nagle)
To:        misc-security@uunet.uu.net
Subject:   Re: What IS a thermal lance (Re:  vault doors, was:  locks)
>Exactly what is a thermal lance? 

     It's a cutting torch that burns steel as fuel.  A simple form is seven
steel rods arranged in a hexagonal array inside a steel tube.  Oxygen is
pumped in one end of the tube and the other end is ignited, usually by
first lighting a wood block, which will burn nicely in oxygen, and using
it to ignite the steel.  One of these will cut through a railroad rail in
a few tens of seconds.

     There are several major drawbacks to the thermal lance.  The type of
steel used is critical, and there are hazards if a poor type is chosen.
The amount of oxygen used is very high; you tend to need many cylinders
to get any real work done.  The lance itself is consumed rapidly, so you need 
plenty of lance sections.  This makes it a very expensive tool to use.
It's not used much by criminals, since the amount of equipment you have to
bring along is high.  Typical uses include clearing railroad wrecks.

					John Nagle

-----------[000127][next][prev][last][first]----------------------------------------------------
Date:      26 Mar 90 19:19:28 GMT
From:      hollombe%sdcsvax@ttidca.tti.com (The Polymath)
To:        misc-security@sdcsvax.ucsd.edu
Subject:   Re: Re: Computer Forged Documents - money
}I read in the Boston Globe recently that the U.S. Treasury puts small
}red and blue threads in its paper money.  The item mentioned the paper is
}so difficult to make, that many counterfeiters bleach small denominations 
}and re-print larger denominations onto the bleached bills.

Not only is it difficult to make, it's difficult to get.  A few years ago
we wanted to print up some "funny money" to use for testing automatic
teller machines.  The paper used had to be the same density and thickness
as that used for real money (also the same width and length, of course),
since modern ATMs are very sophisticated about such things.

We suddenly found ourselves explaining to some very interested Treasury
officials exactly why we wanted this particular paper and what we intended
to do with it.

We eventually got it, without the red and blue threads (ATMs aren't _that_
sophisticated -- yet).

-- 
The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Citicorp(+)TTI                                    Illegitimis non
3100 Ocean Park Blvd.   (213) 450-9111, x2483       Carborundum
Santa Monica, CA  90405 {csun | philabs | psivax}!ttidca!hollombe

-----------[000128][next][prev][last][first]----------------------------------------------------
Date:      Tue, 27 Mar 90 03:24 CST
From:      GREENY <MISS026@ecncdc.bitnet>
To:        <security@pyrite.rutgers.edu>
Subject:   re^3: money....
> took out a one dollar bill and sure enough there were tiny little red and
> blue threads...

uh huh....there sure are, but have you forgotten that the colors of the USA are
Red, WHITE, and Blue? There are some clear threads in there as well that are
supposed to show up under UV light....also, the ink contains certain amounts
of magnetic particles...

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

-----------[000129][next][prev][last][first]----------------------------------------------------
Date:      Tue, 27 Mar 90 08:13:00 EST
From:      34AEJ7D@cmuvm.bitnet
To:        SECURITY Digest <SECURITY@OHSTVMA>
Subject:   Re: car keys
>They did not ask for proof of ownership, or anything else

I have personally seen police departments unlock a locked vehicle (mine)
with a device they have for that purpose. They didn't ask me for ID or
proof of ownership, either - just took my word that it was my car
and that I was locked out. OK, so maybe they ran the plate, but
I *could* have known the owner's name and been using it to
bluff such a check (if I were either stupid or desperate).

-----------[000130][next][prev][last][first]----------------------------------------------------
Date:      Tue, 27 Mar 90 08:28:00 EST
From:      edelheit@smiley.mitre.org (Jeff Edelheit x7586)
To:        topper%a1.relay@upenn.edu
Cc:        security@pyrite.rutgers.edu
Subject:   Re:  Report on a Security Conference
An alternative conference is the NIST/NCSC annual conference.  It
provides civil, military and commercial sector perspective on
security.  It addresses real live security issues of today plus a fair
amount of what is going on in the research community.  You will also
get presentations from non-US nationals.  There is virtually no
commercial hype.

It's usually a 2.5 day conference with a day of tutorials preceding the
first day.  The conference will be held in Washington, DC in the
September/ October timeframe.  There are usually several thousand
attendees and the cost is minimal (e.g., ~$300).

Regards,

Jeff Edelheit           (edelheit%smiley@gateway.mitre.org)
The MITRE Corporation   7525 Colshire Drive
McLean, VA   22102     

-----------[000131][next][prev][last][first]----------------------------------------------------
Date:      Tue, 27 Mar 90 13:56 EST
From:      WHMurray@dockmaster.ncsc.mil
To:        VIRUS-L@lehiibm1.bitnet, security@rutgers.edu
Subject:   Announcement IFIPSEC '91
            Seventh International Conference on
                    Information Security

      "Creating Confidence in Information Processing"

           First Announcement and Call for Papers

LOCATION

The conference will  be held  in  Brighton, a large  coastal
town in southern England.  One of Britain's premier resorts,
Brighton  is one hour from London by rail, and convenient to
both London Airports,

The  conference will be held  at the  Metropole  Hotel.  The
hotel is located on the ocean near the town centre.

DATES

15-17 May, 1991

ORGANIZERS

The  conference  is  being  organized   by   IFIP  Technical
Committee on Security (TC11) in cooperation with the British
Computer Society  and the European Region of the  EDPAA.  It
is being sponsored by Digital Equipment Company, Ltd.

LANGUAGE

The official language of the conference will be English.

CONFERENCE SECRETARIAT

IFIP/Sec '91
Elsevier Science Publishers Ltd.
Mayfield House
256 Banbury Road
Oxford OX2 7DH UK

Tel: +44 (0)865 512242
Fax: +44 (0)865 310981

Organizing Committee, David t. Lindsay, Chairman
Programme Committee, Wyn L. Price, Chairman

North American Members of the Programme Committee:

Jim H. Finch
Peter P. C. H. Kingston
Martin Kratz
William H. Murray (WHMurray@DOCKMASTER.NCSC.MIL)

CONFERENCE OBJECTIVES

The conference objectives are:

*   to emphasize the importance of information security as a
    critical management reuqirement

*   to  address  the  need  to  enhance  the  integrity  and
    security of computer based systems and data networks

*   to  share  knowledge  in  the  development  and  use  of
    information  security  management  methods  and  systems
    security and technical tools

*   to address  the differing, as well as common,  interests
    of management,  auditors, security practioners,  and the
    data processing community

*   to promote international co-operation in the advancement
    of  information  and  computer  security  practices  and
    technologies

CALL FOR PAPERS

Contributions  are invited describing  practical  experience
and  research  on  all aspects  of  computer,  network,  and
information  security  including   business,   professional,
legal,  research   and  educational   areas.  (Papers   with
over-emphasis  on  specific product  marketing will  not  be
accepted.)

Abstracts should be more  than 200 and less than 1000  words
in length, typed, double-spaced, on one side of the sheet.

The  Committee   will  select  papers  based   on  submitted
abstracts.  Abstracts are due 31 May 1990.  Authors will  be
notified of acceptance by 30 September 1990 and camera ready
copy of the papers will be due 28 February 1991.

ADDITIONAL INFORMATION

An  additional  announcement  including  the  programme  and
registration details will be available in December 1990.

For a copy of the official announcement please send name and
postal address to: WHMurray@DOCKMASTER.NCSC.MIL

-----------[000132][next][prev][last][first]----------------------------------------------------
Date:      27 Mar 90 17:20:43 PST (Tue)
From:      sagpd1!jharkins@ncr-sd.sandiego.ncr.com (Jim Harkins)
To:        security-request@rutgers.edu
Subject:   Clearing a building nightly
My company has just moved into a new facility, equipped with a security system
that we turn on at night.  The problem is, how do we make sure everyone is
out of the building before turning it on?  The current thinking is that if
anyone is working past 7 PM they go to the lobby and sign in, then the last
person to leave turns on the alarm.  However, when deadlines approach
people tend to get so involved in the current problem that several times they'll
look up and say "dang, it's 9:00.  I better sign in!".  Needless to say if
the alarm was already turned on then the cops, and our security officer get
called.  This is embarressing to say the least.  It happened last week (not
to me).

So we need to know how to ensure the building is empty before turning the
system on.  This silly building is layed out like a maze, thus a security
guard making a quick check stands a very good chance of missing an employee
visiting the litterbox.  We don't have a paging system and have no intention
of getting one.  We talked about installing buzzers throughout the building
to warn late workers to go sign in but this is very expensive.

I'm sure several other companies have been faced with this problem.  Any
ideas on what to do would be appreciated.

jim
jharkins@sagpd1

We are all aware of the high cost of alcohol abuse.  To help solve this problem
take this signature to your local liquor store for $1.00 off your next purchase.

-----------[000133][next][prev][last][first]----------------------------------------------------
Date:      27 Mar 90 09:24:00 GMT
From:      MISS026@ecncdc.BITNET (GREENY)
To:        misc.security
Subject:   re^3: money....

> took out a one dollar bill and sure enough there were tiny little red and
> blue threads...

uh huh....there sure are, but have you forgotten that the colors of the USA are
Red, WHITE, and Blue? There are some clear threads in there as well that are
supposed to show up under UV light....also, the ink contains certain amounts
of magnetic particles...

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

-----------[000134][next][prev][last][first]----------------------------------------------------
Date:      Tue Mar 27 20:22:10 1990
From:      guhsd000@crash.cts.com (Paula Ferris)
To:        misc-security@crash.cts.com
Subject:   Re: Video camera devices
   Visual Methods Inc.
   35 Charles Street
   Westwood, NJ  07675

They manufacture all types of video equipment for everything from ATM machines
video systems to dual image fiberoptic arrays, as well as the worlds smallest
full color TV camera.

As for legal aspects, I don't know.  I do know in a public place, such as a
store, or a wharehouse at a business, you can record without notifying people
in the area that they may be recorded so long as it's video only with no sound.

You might be able to use this in a private atmosphere, or try a understated
sign (near the driveway maybe) with someting to the extent that the property
maybe utilizing video survailence.  I think most people would interpret it as
the outside grounds are being watched rather than inside.

But, I'm not a lawyer, so take your own chances.

-----------[000135][next][prev][last][first]----------------------------------------------------
Date:      27 Mar 90 18:56:00 GMT
From:      WHMurray@DOCKMASTER.NCSC.MIL
To:        misc.security
Subject:   Announcement IFIPSEC '91


            Seventh International Conference on
                    Information Security

      "Creating Confidence in Information Processing"

           First Announcement and Call for Papers

LOCATION

The conference will  be held  in  Brighton, a large  coastal
town in southern England.  One of Britain's premier resorts,
Brighton  is one hour from London by rail, and convenient to
both London Airports,

The  conference will be held  at the  Metropole  Hotel.  The
hotel is located on the ocean near the town centre.

DATES

15-17 May, 1991

ORGANIZERS

The  conference  is  being  organized   by   IFIP  Technical
Committee on Security (TC11) in cooperation with the British
Computer Society  and the European Region of the  EDPAA.  It
is being sponsored by Digital Equipment Company, Ltd.

LANGUAGE

The official language of the conference will be English.

CONFERENCE SECRETARIAT

IFIP/Sec '91
Elsevier Science Publishers Ltd.
Mayfield House
256 Banbury Road
Oxford OX2 7DH UK

Tel: +44 (0)865 512242
Fax: +44 (0)865 310981

Organizing Committee, David t. Lindsay, Chairman
Programme Committee, Wyn L. Price, Chairman

North American Members of the Programme Committee:

Jim H. Finch
Peter P. C. H. Kingston
Martin Kratz
William H. Murray (WHMurray@DOCKMASTER.NCSC.MIL)

CONFERENCE OBJECTIVES

The conference objectives are:

*   to emphasize the importance of information security as a
    critical management reuqirement

*   to  address  the  need  to  enhance  the  integrity  and
    security of computer based systems and data networks

*   to  share  knowledge  in  the  development  and  use  of
    information  security  management  methods  and  systems
    security and technical tools

*   to address  the differing, as well as common,  interests
    of management,  auditors, security practioners,  and the
    data processing community

*   to promote international co-operation in the advancement
    of  information  and  computer  security  practices  and
    technologies

CALL FOR PAPERS

Contributions  are invited describing  practical  experience
and  research  on  all aspects  of  computer,  network,  and
information  security  including   business,   professional,
legal,  research   and  educational   areas.  (Papers   with
over-emphasis  on  specific product  marketing will  not  be
accepted.)

Abstracts should be more  than 200 and less than 1000  words
in length, typed, double-spaced, on one side of the sheet.

The  Committee   will  select  papers  based   on  submitted
abstracts.  Abstracts are due 31 May 1990.  Authors will  be
notified of acceptance by 30 September 1990 and camera ready
copy of the papers will be due 28 February 1991.

ADDITIONAL INFORMATION

An  additional  announcement  including  the  programme  and
registration details will be available in December 1990.

For a copy of the official announcement please send name and
postal address to: WHMurray@DOCKMASTER.NCSC.MIL

-----------[000136][next][prev][last][first]----------------------------------------------------
Date:      Tue, 27 Mar 90 23:44:38 EDT
From:      Iqbal Qazi <WQ956C@gwuvm.bitnet>
To:        security@pyrite.rutgers.edu
Subject:   Curious
A friend of mine had this question and I thought someone out there could
answer it.  What organizations were formed by the National Security
Act of 1947?  The CIA is one of them, anyone know any more?  I think
there are 5.

                                    Thanks,
                                    Iqbal Qazi
                                    WQ956C at GWUVM

-----------[000137][next][prev][last][first]----------------------------------------------------
Date:      Wed, 28 Mar 90 11:27:09 MST
From:      Bob Kaneshige <KHAAV@asuacad.bitnet>
To:        security@pyrite.rutgers.edu
Subject:   Re: Them Locks Are Easy
Are there  any vette owners  out there? If so,  do you supplement  the factory
alarm system  with a  brand 'X' security  alarm? I  have an '82  and I  do not
feel quite 'secure' with  what GM has installed in it.  I've looked at several
aftermarket  systems,  most notably  the  ones  offerred by  Alpine,  Kenwood,
Audiovox, plus UNGO  box, Enforcer, Viper, Sentry, and Autopage.  Most of them
have features for glass breakage, shock sensor, motion sensor, starter disable,
panic, automatic door lock, flashing LEDs, manual override, remote arming, and
just about  anything imaginable. By talking  to the salemen, what  you usually
hear is that their "brand 'X' is the best on the market"..if I bought everyone
they recommended and installed them, my battery  would be dead in a short time
:-).  I realize that if  someone really wanted to steal your  car, no alarm in
the world  will prevent  it, short of  having a doberman  sitting in  the seat
with the  windows open. If  anyone is satisfied  with their brand  'X' system,
I'd like to hear from them.  Thanks...
  Bob

-----------[000138][next][prev][last][first]----------------------------------------------------
Date:      28 Mar 90 04:49:37 GMT
From:      fantom@wam.umd.edu (Thomas Mark Swiss)
To:        misc.security
Subject:   Reading list wanted


     Hi, all. I've been looking around for some good texts on computer security
but haven't been able to find any good books on the subject. I would be quite
gratefull is anyone could recommend an introductory text. I'm mainly interested
in system security, but would also like to learn about data encryption and copy
protection.

     Thanks!

================================================================================
Tom Swiss               |  "The time will come when men such as I will look on
fantom@cscwam.umd.edu   | the murder of animals as they now look on the murder
 "I Think, therefore    | of men." - Leonardo da Vinci
    I'm Dangerous..."   |  

-----------[000139][next][prev][last][first]----------------------------------------------------
Date:      Wed, 28 Mar 90 10:46:36 EST
From:      ARDAVAN@carleton.ca
To:        security@pyrite.rutgers.edu
Subject:   Security Cameras
      I'm looking for some information which would lead to manufacturers
  of security equipment used for monitoring purposes (Closed Circuit TV).
  The idea is to use cameras (either hidden or obvious) which are connected
  to a VCR.  The VCR takes time-lapsed photos of an area which contains
  equipment (PC's mostly) so that anyone walking away with the stuff will
  be captured on tape.

     Any names and addresses of manufacturers of such equipment, past
  experiences with hidden/visible cameras would be appreciated.  If any
  of the addresses are in Canada, so much the better.

                              Ardavan <Ardavan_Tajbakhsh@Carleton.CA>

-----------[000140][next][prev][last][first]----------------------------------------------------
Date:      Wed, 28 Mar 90 20:22:51 PST
From:      Craig Leres <leres@helios.ee.lbl.gov>
To:        CJS@cwru.bitnet
Cc:        security@pyrite.rutgers.edu (*Hobbit*)
Subject:   Re: Car Locks -- They had great locks at Hertz in Belfast
> I never could find out who made the locks.

Too bad; I'd like to get a few sets to install in my cars.

Ever see a key for a late model Mercedes? There are wiggily little
channels along the side of the key. And I'm pretty sure that you can
set the alarm off by inserting the wrong key or trying to pick the
lock.

		Craig

-----------[000141][next][prev][last][first]----------------------------------------------------
Date:      Thu, 29 Mar 90 09:45:22 EST
From:      Mark.Leone@f.gp.cs.cmu.edu
To:        misc-security@rutgers.edu
Subject:   Re: datsun keys
>about datusn keys.  be VERY careful about testing your key in other peoples
>vehicles of the same make.

I'll second this for Honda keys.  My brother accidentally used his 
Honda Civic key to start my Mom's Civic.  The key jammed in the "start"
position, preventing the starter motor from disengaging even though
the engine had started.  The net result was an engine fire!

Luckily we always carry a fire extinguisher and managed to get the
fire out and the key unjammed before any serious damage to the engine
(or us) occurred.  The starter was completely destroyed, of course.

- Mark

-----------[000142][next][prev][last][first]----------------------------------------------------
Date:      Thu, 29 Mar 1990 15:56:12 EST
From:      *Hobbit* <hobbit@pyrite.rutgers.edu>
To:        security@localhost
Subject:   okay, okay
... so I haven't read RFC822/823 in a while.  My initial trials with this
configuration returned very few errors, so I had the mistaken impression
that it was actually working.  A verbose queue run tells me that mail is
still being delivered with an envelope address of "security", however,
so this isn't the correct method.  I've been informed that "correct" mailers
*will* reply to the From: field, but there are a lot of different mailers
out there, many of them incorrect, that will send replies to all kinds of
different places.  I have no control over these other than yelling at
postmasters, and you have NO IDEA how heartily sick of yelling at postmasters
I have become over the years.  Often enough there isn't even a "postmaster"
address at some sites, and I don't have to re-read RFC822 et al to know that
THAT is a bozo no-no.  If your mailer deals with the From: field then fine,
if it doesn't then you stand to lose unless you explicitly mail to the
sender.  It all depends on your site.

The fact remains that most mailers try to return errors to the *envelope*
address.  Over the next few days I will be playing with various configurations
until I find something that works, so if you see some odd-looking errors you'll
know why.

I didn't mean for this to turn into a mailer flame, which has nothing to do
with security.  But the volume of "Wrong!" replies I've gotten back has made
it into something of a debacle, so next time I go to change something I won't
WASTE YOUR TIME with any announcements at all, and just watch everything
quietly break.  Fair enough?

_H*

-----------[000143][next][prev][last][first]----------------------------------------------------
Date:      Thu, 29 Mar 90 19:06:18 EST
From:      jordan@morgan.com (Jordan Hayes)
To:        security@rutgers.edu
Subject:   Re: Them Locks Are Easy
	Pullout stereos, amplifiers in the trunk out of sight and a
	blinking LED are all good ideas.

Pullout stereos are only good if you pull them out *all* the time (as many
folks who had theirs "pulled out" will tell you).

Amplifier in the trunk *might* help.  I had mine taken anyway.  It took
8 hours to get installed.  It took a bit of time to get out, but they
got it out ... grrr ...

/jordan

-----------[000144][next][prev][last][first]----------------------------------------------------
Date:      29 Mar 90 14:45:22 GMT
From:      Mark.Leone@F.GP.CS.CMU.EDU
To:        misc.security
Subject:   Re: datsun keys

>about datusn keys.  be VERY careful about testing your key in other peoples
>vehicles of the same make.

I'll second this for Honda keys.  My brother accidentally used his 
Honda Civic key to start my Mom's Civic.  The key jammed in the "start"
position, preventing the starter motor from disengaging even though
the engine had started.  The net result was an engine fire!

Luckily we always carry a fire extinguisher and managed to get the
fire out and the key unjammed before any serious damage to the engine
(or us) occurred.  The starter was completely destroyed, of course.

- Mark

-----------[000145][next][prev][last][first]----------------------------------------------------
Date:      29 Mar 90 14:59:53 GMT
From:      guhsd000@crash.cts.com (Paula Ferris)
To:        misc.security
Subject:   investigative services

You may want to try to get a hold of IRSC, I think it stands for 
Information Resource Service Company.

I use to use them for Skip Tracing, and general investigative work on my own,
I do not know what their current signup fees, and per search fees are.

As I recall, they have some 700 databases, including a complete copy of the
CBI credit database, which is very handy, I think they renamed their cope the
y
something different.

I just found the price sheet, searches run from $3.75 for a driving record to
$125 for a "Business Factual Data Report."

Anyway, try reaching:

     Tom C. Bownes at IRSC at:

     3777 N. Harbor Blvd.
     Fullerton, CA 92635

CA 800/321-2278
US 800/841-1990
or 714/526-8485

-----------[000146][next][prev][last][first]----------------------------------------------------
Date:      Thu, 29 Mar 90 17:24:26 GMT
From:      jad@dayton.dhdsc.mn.org (J. Deters)
To:        security@rutgers.edu
Subject:   Re: Home security systems
I just installed an Ademco Vista 4140XM in my house, and it has the capacity
to cover all of the above sensors/accessories out of the box.  9 wired
loops, and can handle a 64 zone polled loop.  Has full support for
central station monitoring, and can be used with wireless systems, too (yuck.)
I also have a 5137 console with it.  32 character alphanumeric display, on-line
help/instructions, and custom programmable with your descriptions/words/etc.
I *really* like it.  

If anyone would like the name/number of the company I bought mine from, email
me.  Being in Mass., you probably will want to buy locally, however.

By the way, you really should include several fire/smoke sensors to your
above list.

-j
-- 
J. Deters
INTERNET:  jad@dayton.DHDSC.MN.ORG    .\ /.    "Smile -- Cthulu loathes you!"
UUCP:  ...!bungia!dayton!jad         \_____/
ICBM:  44^58'36"N by 93^16'12"W

-----------[000147][next][prev][last][first]----------------------------------------------------
Date:      29 Mar 90 20:56:12 GMT
From:      hobbit@PYRITE.RUTGERS.EDU (*Hobbit*)
To:        misc.security
Subject:   okay, okay

... so I haven't read RFC822/823 in a while.  My initial trials with this
configuration returned very few errors, so I had the mistaken impression
that it was actually working.  A verbose queue run tells me that mail is
still being delivered with an envelope address of "security", however,
so this isn't the correct method.  I've been informed that "correct" mailers
*will* reply to the From: field, but there are a lot of different mailers
out there, many of them incorrect, that will send replies to all kinds of
different places.  I have no control over these other than yelling at
postmasters, and you have NO IDEA how heartily sick of yelling at postmasters
I have become over the years.  Often enough there isn't even a "postmaster"
address at some sites, and I don't have to re-read RFC822 et al to know that
THAT is a bozo no-no.  If your mailer deals with the From: field then fine,
if it doesn't then you stand to lose unless you explicitly mail to the
sender.  It all depends on your site.

The fact remains that most mailers try to return errors to the *envelope*
address.  Over the next few days I will be playing with various configurations
until I find something that works, so if you see some odd-looking errors you'll
know why.

I didn't mean for this to turn into a mailer flame, which has nothing to do
with security.  But the volume of "Wrong!" replies I've gotten back has made
it into something of a debacle, so next time I go to change something I won't
WASTE YOUR TIME with any announcements at all, and just watch everything
quietly break.  Fair enough?

_H*

-----------[000148][next][prev][last][first]----------------------------------------------------
Date:      Fri, 30 Mar 90 11:38:55 CST
From:      Jonathon Simon <JSIMON@trinity.bitnet>
To:        SECURITY <security@TCSVM>
Subject:   MVS SECURITY ( password exit )
We our interested in increasing security for our:
   MVS/SP guest (JES2), and have considered
the idea of writing a small program to function in place of RACF -
essentially a "poor-man's" BATCH security EXIT.  We have been unable to get
funding for a full blown system like RACF, TOP SECRET, etc., and would
settle (for the time being) for a simple PASSWORD to USER/ACCOUNT cross
reference validation prior to job execution.  This wouldn't prevent unauthor-
ized file accesses, but it could help with our auditing by helping to
guarantee that batch job USERs are indeed who they say they are.

Q: Has anyone else written their own OS security module(s)?  If so, would
   you be willing to help us get started by sending us samples?  Or, are you
   aware of any user group tapes containing such security exits.

P.S. Please address me directly since I am not on the IBM-MAIN list.
     Thanks.

-----------[000149][next][prev][last][first]----------------------------------------------------
Date:      Fri Mar 30 11:29:53 1990
From:      guhsd000@crash.cts.com (Paula Ferris)
To:        misc-security@crash.cts.com
Subject:   investigative services
You may want to try to get a hold of IRSC, I think it stands for 
Information Resource Service Company.

I use to use them for Skip Tracing, and general investigative work on my own,
I do not know what their current signup fees, and per search fees are.

As I recall, they have some 700 databases, including a complete copy of the
CBI credit database, which is very handy, I think they renamed their cope the
y
something different.

I just found the price sheet, searches run from $3.75 for a driving record to
$125 for a "Business Factual Data Report."

Anyway, try reaching:

     Tom C. Bownes at IRSC at:

     3777 N. Harbor Blvd.
     Fullerton, CA 92635

CA 800/321-2278
US 800/841-1990
or 714/526-8485

-----------[000150][next][prev][last][first]----------------------------------------------------
Date:      Fri, 30 Mar 90 18:38 EST
From:      WHMurray@dockmaster.ncsc.mil
To:        security@rutgers.edu
Cc:        rsa@well.sf.ca.us
Subject:   Factoring Large Numbers
>I have received a report from an independent researcher,
>Giorgio Coraluppi, that claims to have developed an algorithm
>to factor large numbers in a relatively short amount of time.

This might have been of interest to the SECURITY list because the RSA
public key crypto system relies for its security, in part, upon the
fact that, while it is trivial to find the product of two large prime
numbers, it is difficult to find the two primes from the product.

However, it does not rely upon the elapsed time required, but rather
upon the cost.  There is a great deal of published work dealing with
trading off other cost against time.  There has even been on
demonstration using cooperating processors across the internet.  The
demonstration got the cost for large products down to days.  

The cost was not too high becasue the processors only applied otherwise
slack time to the effort.  However, it required a tremendous amount of
access and cooperation.

Perhaps more important, the RSA system does not rely upon large products
(say 2**32) or even upon astronomical numbers (say 2**56) but rather
upon super large astronomical numbers on the order of 2**400-800.  Even
this choice is arbitrary and keys of arbitrary length are possible.  The
cost or "work-factor" of attack, i.e., security, goes up exponentially
with the length of the product, but the effect on performance is linear.  

The man who comes up with an algorithm to factor arbitrarily large
numbers in linear time will not have to advertise.  Chances are one in ten
that he works for NSA, and one in twenty that he works for GBHQ.
Failing that, the chances are one in a hundred that one or the other of
those two agencies will bump him off in such a way as to cast suspicion
on the other.  Failing all of that he will certainly be famous for
fifteen minutes and may be as famous as Turing or VonNeumann, perhaps
even Einstein or Newton.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114                          
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840                

-----------[000151][next][prev][last][first]----------------------------------------------------
Date:      30 Mar 90 17:38:55 GMT
From:      JSIMON@trinity.BITNET (Jonathon Simon)
To:        misc.security
Subject:   MVS SECURITY ( password exit )

We our interested in increasing security for our:
   MVS/SP guest (JES2), and have considered
the idea of writing a small program to function in place of RACF -
essentially a "poor-man's" BATCH security EXIT.  We have been unable to get
funding for a full blown system like RACF, TOP SECRET, etc., and would
settle (for the time being) for a simple PASSWORD to USER/ACCOUNT cross
reference validation prior to job execution.  This wouldn't prevent unauthor-
ized file accesses, but it could help with our auditing by helping to
guarantee that batch job USERs are indeed who they say they are.

Q: Has anyone else written their own OS security module(s)?  If so, would
   you be willing to help us get started by sending us samples?  Or, are you
   aware of any user group tapes containing such security exits.

P.S. Please address me directly since I am not on the IBM-MAIN list.
     Thanks.

-----------[000152][next][prev][last][first]----------------------------------------------------
Date:      30 Mar 90 18:25:57 GMT
From:      optilink!cramer@uunet.uu.net (Clayton Cramer)
To:        misc-security@uunet.uu.net
Subject:   Re: Computer Forged Documents - money
> Old currency will only be legal for 5 years."  Take a real bite out of crime.

Someone posted a comparision of crime rates between Europe and the
U.S. recently, and surprisingly enough, European counterfeiting
rates were much higher than the U.S.  (Makes no sense to me either,
but that may explain why the Europeans put so much energy into
fancy printing jobs).

Recalling currency isn't without precedent.  In the last century,
the treasury replaced all of one denomination because of ONE 
counterfeiting ring producing exceptionally high quality work.

Of course, our bills used to be Hollerith-card sized, and were
replaced earlier in this century.

-- 
Clayton E. Cramer {pyramid,pixar,tekbspa}!optilink!cramer
Politicians prefer unarmed peasants.  Ask the Lithuanians.
----------------------------------------------------------------------------
Disclaimer?  You must be kidding!  No company would hold opinions like mine!

END OF DOCUMENT