The 'Security Digest' Archives (TM)


ARCHIVE: Rutgers 'Security List' (incl. - Archives (1990)
DOCUMENT: Rutgers 'Security List' for October 1990 (31 messages, 16065 bytes)
NOTICE: recognises the rights of all third-party works.


Date:      2 Oct 90 01:55:52 GMT
From:      [email protected] (*Hobbit*)
Subject:   Another long hiatus
I have been very busy moving my entire life and stuff to Boston, and have had
utterly *no* time to deal with the list for the last few weeks.  I now intend
to shovel out all the back messages, but I wanted to ping the readership at
large first and get a few opinions about the relative worth of keeping this
list going.

I have often toyed with the idea of just taking it down completely.  I seem
to be perpetually too busy to get things out on what you'd call a timely
basis.  More importantly, most of the recent submissions seem to either be
about things that have been discussed in the past, or are questions about
very specific and narrow fields of interest that often serve to only confuse
the readers who don't know anything about it.  Many questions could be
answered by digging around through the archives, which are all still online
from the list's inception.  Over the years a fairly useful body of knowledge
has been captured there, and it's been my suspicion that we've just sort of
reached our horizon of getting new knowledge into there.  I could be quite
wrong about this since new security topics are always coming out, but I
see definite repeating patterns here.

The other thing is that there is now this newsgroup.  This is a
completely unmoderated instant-turnaround group, which sort of flies in the
face of this list's original philosophy.  Any clown could send in "gee, I
found this really cute hole under Buglix 5.2 and here's how to reproduce it",
raising a certain flame war as well as possible liability issues or at least
the wrath of local system folks.  Moderation, it was hoped way back when, was
one way to avoid this sort of thing.  I even took pains to run the list in
such a way that someone couldn't just "VRFY security-outbound" or some such
and obtain the distribution list for themselves.  Of course anyone could send
this sort of message to just about any group, so the question here is: Just
what does a moderated list do for people?  Should it remain moderated?  I have
noticed that the signal-to-noise ratio on is at the typically
low Usenet-like level.  I do reject a good proportion of mangled, irrelevant,
stupid, or redundant messages, but being such a filter is a rather tedious
job even with a multitude of tools at one's disposal.

So I solicit opinions from the readership.  Should the security list become an
unmoderated reflector?  Should it just shrivel under the onslaught of and just vanish, leaving only its archives?  Should the task [and
I don't use the word lightly] of moderation pass on to someone else with more
time to do it?  I do wish I had the time to do as thorough a job as, say, PGN
with RISKS; but with new locations and new jobs and scads of loose ends to wrap
up such is not to be the case.

Suggestions and such will be accepted at my address, security, security-
request, etc; it all points to my mailbox anyway.


Date:      9 Oct 90 16:33:46 GMT
From:      [email protected] (Brian L. Kahn)
Subject:   Burglar resistance
I am interested in making my house resistant to breaking and entering,
as opposed to detecting the same with an alarm system.  

* I am considering burglar bars on the basement casement windows.  The
main drawback seems to be fire exit.  These bars swing open, and are
secured with a lock (on the inside).  I'm not too concerned about fire
exit in this case because the windows would be very difficult to use
due to small size and height from the floor, so an extra 30 seconds to
unlock seems minor.  I'm not sure how strong the wood casement that
holds the bars is, however, so this might be more show than effect.

* Traditional wood frame doors seem pretty wimpy.  Our main doors are
kind of drafty in the winter, too.  I think I'll put in steel
doors/frames with deadbolts.  Might pay for themselves after a few

* What about the windows?  I just saw a reference to mylar security
film - anyone know what this is?  I don't want bars on the real
windows, and plastic plates (lucite?) with explosive bolts for fire
exit sounds like too much trouble.  The first floor windows on this
house are about six feet up from the ground - how vulnerable is this
in reality?

B<   Brian Kahn   [email protected]   "may the farce be with you"

From:      *Hobbit* <[email protected]>  12-OCT-1990 22:25:19
To:        security
I got a lot of answers to my ping.  Surprise!

	55 for keeping the list going, moderated or not [!!]
	4  for punting
	maybe half a dozen "undecided"

... and several vague alternative suggestions, such as "occasional" moderating,
finding another moderator, etc.  I am quite frankly utterly bowled over -- I
didn't really think there was that much support out there!  This, coupled with
feeling more "settled in" at this point and actually having some time to read
my mail and deal with it, tells me that it's to everyone's benefit to continue
the list as is.  Those of you who felt I should hang it up can always ask to
be removed.

So things will start flowing again; you'll see a lot of old msgs at first.  I
may have to fake out the dates on them to get them through various peoples'
news systems.

Thanks, folks!

From:      [email protected]  16-OCT-1990 23:06:44
To:        SECURITY Digest <[email protected]>
>[Moderator tack-on:  Speculation is fine, but that's all anyone has sent
>in so far.  Does anyone have *FACTS* about this?   _H*]

FACT: They are required by law to respond to a Freedom of Information request.
From:      [email protected] (John G. DeArmond)  16-OCT-1990 23:44:21
To:        [email protected]
I'm looking for an implementation of a public key encryption system.
I'm not particular to RSA, though that would be fine.  Absolute
security is not an issue; I simply need to avoid administering a large
private key database for a project I'm working on.  Either PD or
commercial code is OK, though for commercial code, I will require a
source license.  Any pointers would be appreciated.

Thanks in advance
From:      [email protected] (Jonathan I. Kamens)  17-OCT-1990  0:19:09
To:        [email protected]
  A recent posting in this newsgroup claimed that AFS, as shipped by Transarc,
does not support Kerberos authentication.  In fact, AFS 3.0 *does* support
Kerberos authentication, although it can also run without it.

  For more details, contact Transarc.

  (I am not affiliated with Transarc in any way, other than as a user of AFS.)

Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
[email protected]				Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710
From:      [email protected] (DOUGLAS B. HUNT)  17-OCT-1990  0:47:23
To:        <MISC-SECURITY%[email protected]>
Unfortunately, experience on the SPAN network, for example, shows that
most "break-ins" require no "breaking" to speak of.  They are the result
of users with easily guessed account names and passwords, passwords the same
as account names, and system managers who leave the default maintenance
passwords active after installing their systems.

Detecting these may be virtually impossible with a careful hacker.  Most
often you will see the trail of failed access attempts if they roam 
around the system trying to nose into files.

blessings and good luck --

Doug Hunt
Planning Research Corporation
From:      [email protected] (David Lesher)  18-OCT-1990 23:54:04
To:        [email protected]
If you want a real padlock, I recommend the GSA approved S&G 8770. This
is a 3 digit combination lock, and each one comes with a change key. (BTW
anyone want a few, maybe more than a few?;_] )

ISTM that is presently the ONLY combo padlock approved for the storage
of classified.
A host is a host from coast to [email protected] 
& no one will talk to a host that's close............(305) 255-RTFM
Unless the host (that isn't close)......................pob 570-335
is busy, hung or dead....................................33257-0335
From:      [email protected] (Brian Katzung)  19-OCT-1990  0:24:18
To:        misc-security%[email protected]
Beware of these nasty little devils.  If the clamps that hold
the hood release cable sheath let the sheath slip, you can't
open your hood.

  -- Brian Katzung  [email protected]
From:      [email protected] (Mark R Horton)  19-OCT-1990  0:52:01
To:        [email protected]
It used to be that there were only 100 possible combinations for those
locks, relative to the final number which could be easily determined.
A skilled person (such as a typical high school student) could run
through all 100 in under 5 minutes, using a simple trick.  In high
school I saw this technique used to borrow a locked ladder to
retrieve an errant ball from the gym roof!  This was in the early 70's.

Did Master ever improve this?

From:      [email protected] (Kevin Dalley)  19-OCT-1990  1:19:01
To:        [email protected]
Try the following book:

Marwick, Christine M., _Your Right to Government Information_, New
York, NY: Bantam Books, 1985.

It is an ACLU book; you can order it from them if you have their address.
The FBI address is 

Federal Bureau of Investigation
ATTN:  FOIA and Privacy Acts Branch
Washington, DC  20535
(202) 324-5520

Under the Freedom of Information Act, the government can charge you a
fee for the materials, but more information is available than under
the Privacy Act, which can only charge actual costs of copying
records.  And yes, some agencies will open a file on you if you
request information on yourself, though the information in this file
is probably limited to the request itself.

This book includes sample letters and much more information than I am
willing to type in at this time.  Of course many agencies other than
the FBI may also have information on you.  Happy searching. 
Kevin Dalley
[email protected]  -or- ...{ ames | apple | sun }!vsi1!dalley 
From:      [email protected]  19-OCT-1990  1:42:43
To:        [email protected], [email protected]
Cc:        [email protected], [email protected]
A recent message in this newsgroup regarding Kerberos support in AFS 3.0
was recently brought to my attention.  Though I don't regularly read
this group I thought it would be helpful to post a correction.

I wrote the Authentication Server which is contained in version 3.0 of AFS.
The server is RPC based and thus does not look exactly like a Kerberos
server; perhaps this is the source of the confusion.  However,
interoperability with Kerberos from MIT's Project Athena was one of our primary
concerns.  To this end, our server uses the Kerberos V4 ticket format
and exports the same UDP interface for the authentication and ticket
granting services.  The admin services are only available via RPC and
so these do not match the usual Kerberos semantics.

The file servers use Kerberos tickets which can come from either our
Auth Server or from a standard Kerberos server.  What MIT has done is
write a program which copies a ticket for the afs server obtained from
their Kerberos server and copies it into the kernel.  This allows the
cache manager (client side of the file server) to use it when fetching
files from the file server.

As far as I am aware, MtXinu is distributing a Mach version of AFS 3.0
which has the same behavior WRT Kerberos.  Indeed, AFS 4.0 will use
Kerberos V5 tickets.

I hope this clears up any confusion regarding this issue, without being
too long winded.

Ted Anderson
Transarc Corporation
From:      [email protected] (Wolfgang S. Rupprecht)  19-OCT-1990  2:10:37
To:        [email protected]
>Use the hacksaw.  If it's a cheap Master lock you should be able to cut
>through it in under five minutes.

Five minutes?  You can pick a Master (keyed) padlock in 1/5 that time.
They are only 4 pin locks, and the pins are so sloppy that they make a
great "learning" lock.

The reason that Master's pick so easily is that they made an
interesting (but poor, in my opinion) design decision.  The Master's
I've seen have a two diameter top pin.

	cylinder split end

		 | |
		|   |
		|   |
		|   |
		|   |

	      Spring end

The reduced diameter section makes you pick the pins twice.  This
means that for a four pin lock you must pick the equivalent of an
eight pin lock.  This is good.

The problem is that the first stage picking is trivial - the reduced
diameter section is so tall compared to the normal tolerance of a
split.  The second stage picking is aided by the pin itself.  It stops
moving up when you get to the right place.  Good grief.

The moral, buy a real lock for anything you want to secure.  Often one
can re-pin a cheap lock with mushroom pins or pins with a set of kerfs
cut in them to thwart picking.  If customers stop buying junk like
master padlocks, then we will see a growing trend towards locks that
really work.


Wolfgang Rupprecht    uunet!{nancy,usaos,media!ka3ovk}!wsrcc!wolfgang
Snail Mail Address:   Box 6524, Alexandria, VA 22306-0524
From:      "Roger D. Parish" <U9505RP%[email protected]>  19-OCT-1990  2:38:07
To:        [email protected]
Cc:        [email protected]
In response to the infamous CHRISTMAS CARD exec, IBM developed and has now made
available as a PRPQ what they term the File Safestor Facility, PRPQ# P81061.
It's a no-cost PRPQ that "is a file receipt discipline which guards a user's
environment from being changed inadvertently.  As such it provides some
protection against computer virus-type attacks. (It) flags a file's entrance
into a given system (while still in the VM RDR) and "safely" stores it onto
disk with the filetype inverted (spelled backwards).  Inverting the filetype
renders the file non-executable and protects the user against the inadvertent
execution of that file and possible propagation of the file to other systems."

Another free PRPQ is number P81067, the Gateway Security Modifications.
"The Gateway Security Modifications system ... force it (RSCS) to consult a
security table for every attempted transaction.  The only transactions that
are not checked for security are commands issued from the RSCS console, and
commands and messages from other RSCS operators to the local RSCS operator
console.  An RSCS Operator is a user who has an AUTH statement in the RSCS
CONFIG file of the Gateway Security Modifications.

The last PRPQ is P81068, Selective File Filter.
"Upon identifying undesirable files on a selective file filter node, an
authorized operator or support programmer can create and update a lookup
table containing file name and file type of files deemed undesirable.  The
lookup table will be updated via a new RSCS command BADFILE.

The lookup table is searched every time a file arrives in the RSCS' reader.
If the file name and file type are found in the table, the file will be
either purged or transferred to the security machine, and a file counter,
identified as potential virus files, will be incremented."

It wasn't mentioned in the original request, but there is also a PRPQ for
Passthru, #P81070, Access Security Exits.

I hope this helps.
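
The receipt disciplines quoted in the message above, as an added illustration that is not part of the original post and not IBM's code: a small Python model of a reader that checks each arriving file against a BADFILE-style lookup table and otherwise stores it with its file type spelled backwards. The class, method and sample file names are assumptions made for the example; holding files whose type reads the same backwards is this sketch's own addition, not something the PRPQ text describes.

```python
"""Model of the two file-receipt disciplines quoted above (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SpoolFile:
    name: str    # file name as it sits in the reader
    ftype: str   # file type, e.g. EXEC
    origin: str  # sending node (field constructed for this demo)


def invert_filetype(ftype: str) -> str:
    """Safestor-style inversion: the file type spelled backwards."""
    return ftype.upper()[::-1]


class ReaderFilter:
    """Checks every arriving file against a lookup table, then safe-stores it."""

    def __init__(self, on_match: str = "transfer"):
        if on_match not in ("purge", "transfer"):
            raise ValueError("on_match must be 'purge' or 'transfer'")
        self.on_match = on_match
        self.badfiles = set()        # (name, type) pairs deemed undesirable
        self.suspect_count = 0       # counter of potential virus files
        self.security_machine = []   # files transferred for inspection
        self.held = []               # files the inversion would not neutralise
        self.disk = []               # files stored with inverted type

    def badfile(self, name: str, ftype: str) -> None:
        """Operator action: add an entry to the lookup table."""
        self.badfiles.add((name.upper(), ftype.upper()))

    def receive(self, f: SpoolFile) -> str:
        """Apply the table check, then the inversion; return the disposition."""
        key = (f.name.upper(), f.ftype.upper())
        if key in self.badfiles:
            self.suspect_count += 1
            if self.on_match == "transfer":
                self.security_machine.append(f)
                return "transferred"
            return "purged"
        stored_type = invert_filetype(f.ftype)
        if stored_type == f.ftype.upper():
            # Assumption of this sketch: a palindromic type is unchanged by
            # reversal, so the file is held instead of being stored as-is.
            self.held.append(f)
            return "held"
        self.disk.append(SpoolFile(f.name.upper(), stored_type, f.origin))
        return "stored"


# Constructed sample arrivals; none of these names come from the post.
SAMPLE_ARRIVALS = [
    SpoolFile("GREETING", "EXEC", "NODEA"),    # listed in the table
    SpoolFile("REPORT", "SCRIPT", "NODEB"),    # ordinary file
    SpoolFile("NOTES", "STATS", "NODEB"),      # type reads the same reversed
    SpoolFile("greeting", "exec", "NODEC"),    # same entry, different case
]


def run_demo(on_match: str = "transfer"):
    """Run the constructed arrivals through the filter."""
    flt = ReaderFilter(on_match)
    flt.badfile("GREETING", "EXEC")
    dispositions = [flt.receive(f) for f in SAMPLE_ARRIVALS]
    return dispositions, flt


if __name__ == "__main__":
    results, flt = run_demo()
    for f, d in zip(SAMPLE_ARRIVALS, results):
        print(f"{f.name:<10}{f.ftype:<8}from {f.origin:<6} -> {d}")
    print("potential virus files counted:", flt.suspect_count)
    print("on disk:", [(s.name, s.ftype) for s in flt.disk])
```
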
Date:      17 Oct 90 17:51:00 GMT
From:      [email protected]
Subject:   RE: break-in detection
This is too true.  At my site, users often go without passwords
if they are not installed... but I am in my own group and have my
umask set to 077, so...

A user shouldn't be entrusted with the security of a site, that is to say
more sites need more usage of groups etc.

C'est la vie... some sites just aren't secure, and never will be.

From:      [email protected]  19-OCT-1990 23:13:58
To:        [email protected]
Does anyone have any views: good, bad, or indifferent, on a product
made by the PYRAMID Development Corp named PC/DACS?

I just got an evaluation copy and was wondering what other people had to

Karen Pichnarczyk
[email protected]

(Please send all replies to me, I'll repost to the list if there's enuf
 interest.  Thanks)
From:      [email protected] (Karl Denninger)  19-OCT-1990 23:34:46
To:        [email protected]
>The situation you are talking about where your equipment was 
>confiscated because it "should not be in the hands of the general public" is 
>totally disgusting.


Talk to Rich Andrews, of the former Jolnet. 

He has been charged with no crime.

His gear has been gone for about 6 months at this point, with no hope of
its return.  All taken, from his house, by the SS.

Yes, we have a government which does this kind of thing.  Yes, it's wrong.
When are we going to put a stop to it?

Karl Denninger ([email protected], <well-connected>!ddsw1!karl)
Public Access Data Line: [+1 708 808-7300], Voice: [+1 708 808-7200]
Macro Computer Solutions, Inc.   "Quality Solutions at a Fair Price"
From:      [email protected] (Brian L. Kahn)  19-OCT-1990 23:49:31
To:        [email protected]
I am interested in making my house resistant to breaking and entering,
as opposed to detecting the same with an alarm system.  

* I am considering burglar bars on the basement casement windows.  The
main drawback seems to be fire exit.  These bars swing open, and are
secured with a lock (on the inside).  I'm not too concerned about fire
exit in this case because the windows would be very difficult to use
due to small size and height from the floor, so an extra 30 seconds to
unlock seems minor.  I'm not sure how strong the wood casement that
holds the bars is, however, so this might be more show than effect.

* Traditional wood frame doors seem pretty wimpy.  Our main doors are
kind of drafty in the winter, too.  I think I'll put in steel
doors/frames with deadbolts.  Might pay for themselves after a few

* What about the windows?  I just saw a reference to mylar security
film - anyone know what this is?  I don't want bars on the real
windows, and plastic plates (lucite?) with explosive bolts for fire
exit sounds like too much trouble.  The first floor windows on this
house are about six feet up from the ground - how vulnerable is this
in reality?

B<   Brian Kahn   [email protected]   "may the farce be with you"
From:      "Kees de Groot, Information Systems Security" <[email protected]>  20-OCT-1990  0:06:24
To:        [email protected]
I post the following on behalf of a colleague:

Subject: Information derived from SYSUAF

I am in an almost desperate search for tools, utilities,
examples, anything to derive information from the User
Authorization File in various combinations (users versus their
UAF-user-record-fields), instead of the standard output provided
by Authorize Utility commands like: list/full or list/brief.

Combination examples:
        - All (or selection of) users with CMKRNL privilege
        - Users versus privileges and their pwdminimum
        - Users versus LGICMD and Login Flag "Captive"
        - All users with identifier "xxxxxxx"
        - Users with Network Access versus their Proxies
        - etc. etc. etc. (all combinations you can come up

I know there are ways with System Services as $GETUAI or with
DATATRIEVE but the fact is that I am not a programmer and
moreover I haven't got the time to explore right now.
So what I need is a well tested, reliable solution capable of
running under VMS 5.2.

If you have anything for me meeting the above description then
please help me out!
Thanks for your cooperation anyway.

Kees Noppen

Please use [email protected] or [email protected] to contact me,
because I am not on the net.
From:      __Robby__ <[email protected]>  20-OCT-1990  0:21:13
To:        securit[email protected]
A little ways back I posed the question to the net as to what may cause
sporadic, seemingly random triggers of an armed alarm on a still day, the alarm
being composed of two simple loops with only two contact switches and the
rest vibration sensors.  The responses were quite helpful in pinpointing the
problem; it was suggested that resistance was accumulating in the circuit
perhaps due to a staple through a wire or a bad switch leading to the eventual
threshold exceedance.

Well, after two years with this problem, I narrowed the problem down to a
defect inherent in the part!  I don't have the catalog no. handy, but a phone
conversation with Tandy's engineers in Texas confirmed that the silver mixture
used in the contacts of the switch oxidizes extremely rapidly.  His solution
was to either file the contacts every 3-5 months with emery cloth, spray them
with a conducting oil (only a temporary solution) or wait till they come up
with a replacement part for it (and we all know how long THAT can take)

Isn't it comforting to know that defective parts that people rely on for
safety and protection remain on the shelves going unnoticed by the consumer
AND the dealers? (detect sarcasm)

Does anyone know of any good manufacturers of vibration-type switches??  Any
help would be greatly appreciated.
Date:      21 Oct 90 17:44:35 GMT
From:      [email protected] (Mike Zeleznik)
Subject:   Re: Burglar resistance
I lived in Manhattan (NYC) for back in the late 70's, and had some pretty
heavy duty bars on my apartment windows that had fire escape access (they
had an internal lock that was pretty easy to open from inside, but would be
a bit tuff from outside).

HOWEVER, the burglars simply pried them right out of the brick they were
anchored in.  Perhaps they could have been anchored better, but as they
were, they offered little resistance.  BUT, the noise of the crowbar and
such caused my neighbor to look outside, and on seeing them he yelled, and
they fled.  So the bars DID work! 


  Michael Zeleznik              Computer Science Dept.
                                University of Utah
  [email protected]          Salt Lake City, UT  84112
                                (801) 581-5617

Date:      21 Oct 90 19:10:12 GMT
From:      [email protected] (Peter Rowell)
Subject:   Request for Risk Assessment
My wife is the publications editor for a charitable organization.
In connection with a journal they are working on, they will be
receiving floppies from authors all over the U.S. (and possibly
elsewhere).  They may also be sending out floppies for review by
content editors, etc.

I expressed concern that they might very well be laying themselves wide
open to god-knows-what in the way of viruses/worms/whatever.  I also
thought that they could act as a very efficient spreader of these same
nasties to other unsuspecting victims.  Their local "expert" told them
that they had nothing to worry about, but that if "something happened"
to call him and he would "fix it".

    Is my concern valid, even if they only read/write files in MS Word
	format (or Wordperfect or ??)?

    If it is valid:
	What is out there that they need to look out for?
	How do they detect it?
	How do they fix it?
	Can they (should they?) perform checking/sanitizing on a
	    machine on the net or on an isolated machine?
	Is there a source of information on this (book/mag/etc)?

The environment in question is a network of machines (mostly HP Vectras
+ some others) connected by ethernet, running DOS and applications such
as Word, Wordperfect, Lotus 1-2-3, some-sort-of-e-mail, etc.

Please e-mail any help you can offer.

Peter Rowell				[email protected]
Third Eye Software, Inc.		...!{apple,pyramid,sun}!thirdi!peter
750 Menlo Avenue, Suite 300		(415) 321-0967
Menlo Park, CA  94025

From:      Richard H. Miller <[email protected]>  23-OCT-1990 21:57:43
To:        [email protected]
Also, [as far as evaluated systems go], OS-1100 for Unisys 1100/2200 
machines has been evaluated and certified at the B2 level. 

Richard H. Miller                 Email: [email protected]
Asst. Dir. for Technical Support  Voice: (713)798-3532
Baylor College of Medicine        US Mail: One Baylor Plaza, 302H
                                           Houston, Texas 77030
From:      [email protected] (W.L. Ware )  23-OCT-1990 22:40:38
To:        [email protected]
I am looking for a simple voice scrambler to use over standard us
The requirements are quite easily met as well (I hope) it needs to
encrypt/decrypt both sides of the conversation at the same time. And I
would prefer not to have a clip-on type device, it would be great if it
could go between the handset and telephone, or phone and wall jack, or
internal to the handset.

References to books/magazine articles are welcome.         

From:      [email protected] (99700000)  23-OCT-1990 23:14:29
To:        [email protected]
We might note with satisfaction that this is a Good Thing resulting from
a Usenix workshop on Unix security held in Portland two years ago.  Sun
had a person there (Chuck McManis, maybe others), and asked the group
for recommendations.  At the time Sun had people in charge of each
software component, but nobody assigned to "security" over the whole
software system.  The group recommended that vendors should have a
single point-of-contact for security problem reports.
[email protected]
[email protected]

"Any clod can have the facts, but having opinions is an Art."
        Charles McCabe, San Francisco Chronicle
From:      [email protected]  23-OCT-1990 23:36:40
To:        [email protected]
The CMU undergrad who wrote of his troubles with AFS perhaps
was reacting to beta software because that lab last summer WAS
running beta AFS and until this year it was not stable on
Ultrix kernels (owing to the unusual Ultrix extensions for
networked files). Nevertheless, AFS does support large (thousands
of systems) nets sharing files transparently and globally. Internal
experience here is that it's death to try this with NFS even
operationally. Since cross-mounting over bridges is a problem, the
spoofing problem NFS is open to is not considered widely (a dead
network is perfectly secure...just perfectly useless also.)
From:      GREENY <[email protected]>  24-OCT-1990  0:03:02
To:        <[email protected]>
> Anyone got any ideas?


1) Check the ground again.  Make sure it is good.  If not, then fix the
   situation (longer copper rod in the ground, or if you are in a part of
   the country that has a problem getting a good ground, adding salt around
   the ground rod on a regular basis sometimes helps...

2) Open the CPU for the controllers.....has anything made its/their home
   in there? You wouldn't believe what one spider can do

3) Are any pipes running over the CPU?  I once had condensation *SOMETIMES*
   drip from the damn pipe, into the air vent, and onto a chip.  The water
   droplet would temp. short out two legs on the chip, and cause telephones
   connected to the CPU (KSU) to ring non-stop until the water evaporated.
   Insulating the pipe corrected the problem.

4) Is your power goofy like everyone's?  Try a good quality surge suppressor,
   and failing that, hook the thing up to a zero-transfer time UPS (try Best
   Power Systems...).  You'd be amazed at how many "glitches" disappear when
   the power is cleaned

5) A component is failing.  Try the usual freon blast to cool the suckers
   to see if it has an effect.

6) The CPU PC board has a cracked trace.  When the board is cool, the trace
   is making contact.  As the board heats, the crack in the trace expands,
   creating your problem.

Intermittents are hard to track down, but analyzing the surrounding
circumstances/environment/physical location helps enormously....

Bye for now but not for long

BITNET: [email protected]
Internet: MISS026%[email protected]
Compu$erve: 72567,457

WARNING: The node "ECNCDC" will go super-nova on 9/30/90 and become a
        white dwarf star with node name "BOGECNVE".  Please make a note of it!
Date:      22 Oct 90 23:04:00 GMT
From:      [email protected]
Subject:   Serious VMS security bug
(cross posted to INFO-VAX)

This first came to my attention on the "for pay" DECUServe BBS of the U.S. 
Chapter of DECUS.  Seems to me that the most responsible thing to do is widely 
distribute it ASAP.  As usual, and with considerable justification, DEC is not 
volunteering this information.  If you want confirmation of its authenticity, 
call your DEC software support number and ask for it specifically since they 
will not volunteer it.

If this is a duplicate of previously distributed information, please accept my 
apologies.  As I said, I think that this deserves immediate action and wide 
dissemination to the community.  Please tell everyone you know.
(since I can not contact the author of this particularly articulate summary 
for permission to post it, I have edited it to conceal his identity)

Summary::  Critical VMS Security Problem Facts
PROBLEM:  	VMS security problem with the ANALYZE/PROCESS_DUMP command
PLATFORM: 	DEC VMS systems (all versions 4.0 to 5.3 including MicroVMS)
DAMAGE: 	Allows system privileges to non-privileged users
		(including the user decnet on older VMS systems)
WORKAROUND: 	Disable ANALYZE/PROCESS_DUMP for non-privileged users
PATCH: 		Not currently available, but DEC is aware of the problem
SYSTEM IMPACT: 	The workaround will disallow the use of analyze/process_dump
		for non-privileged users.  Other program debuggers are
A serious security problem on Digital Equipment Corp. (DEC) VMS systems has
been detected.  The potential damage of this problem is that users may gain
unauthorized system privileges through the use of the ANALYZE/PROCESS_DUMP dcl
command.  In addition, systems that have set up the FAL and default DECNET
account to use the same directory have a potential to allow system access to
other VMS machines connected to the network. 
DEC is currently working on a permanent solution to this problem.  As
an interim measure, DEC recommends that this command be disabled for
all non-privileged users.  This may be accomplished using the
following procedure:
1.	Log into the system account.
3.	a) For VMS systems prior to V5.0,
	Modify SYS$MANAGER:SYSTARTUP.COM to include the following
	lines as the first two lines in the file:
	b) For VMS system V5.0 and later,
	Modify SYS$MANAGER:SYSTARTUP_V5.COM to include the following
	as the first two lines of the file:
	c) For MicroVMS systems,
	The image ANALIMDMP.EXE is not installed by default, but
	SYSTARTUP.COM contains a suggestion of installing the image if
	you have multiple users on your system.  You must ensure that
	this image is not installed in SYSTARTUP.COM.  You can use the
	following command to verify that the image is not installed:
	If you receive the message similar to the following:
	%INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE
	then you do not have the image installed.  Otherwise, proceed
	as step 3.a above.
	This command removes the installed image from the active system.
5.	(Optional) Restart your systems and verify that the image is
	not installed using the following command:
	If you receive the message similar to the following:
	%INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE
	-INSTALL-E-NOKFEFND, Known File Entry not found
	then you do not have the image installed and your system does
	not have the security problem.

Please feel free to contact me with questions - but it would be better if you 
posted them here so everyone can learn from them.

	Ray 8-|)}

Ray Kaplan - I know what I don't know
W) Computer Center - University of Arizona - Tucson, AZ, 85751 - (602) 621-2857
H) P.O. Box 32647 - Tucson, Arizona  85751 - (602) 323-4606
BITNET:    [email protected] 
INTERNET:  [email protected]
>> THESE ARE MY VIEWS.  They do not necessarily reflect those of others ... >>

Date:      23 Oct 90 13:52:23 GMT
From:      [email protected] (Gregg Grosshans)
Subject:   Re: cheap Master combo lock
In our campus rec locker room, all lockers are required to have a campus
rec lock on them, they are the Master locks with the optional keyed facility
on back to allow a master key to unlock any of the locks.  Are these locks
just as vulnerable as to what was described above?  What are the name brands
of "GOOD" locks?

Gregg Grosshans
[email protected]

[Moderator tack-on: The administrators of my old high school were not
particularly amused to discover that my key to same worked better than
theirs did...   _H*]

Date:      25 Oct 90 00:04:00 GMT
From:      [email protected] (Dave Ferrise)
Subject:   Re: Information derived from SYSUAF

	I have taken a look at a few 3rd party offerings that do this (among
other things) most notably SECUREPAK from DEMAX (was DEMAC) and will soon be
looking at SECURITY TOOLKIT from Clyde Digital.  Coopers & Lybrand evaluated
several and posted their results recommending Security Toolkit.  There are
probably some utilities on the DECUS tapes, also.

					- davo -

[email protected]			Dave Ferrise

Date:      27 Oct 90 03:54:45 GMT
From:      [email protected]
Subject:   Re: Different security ratings

Do you know something about system 88? This is an IBM computer.

I'm looking for some information about fire, flood, storm etc.


For example:
   Halon Considerations
   Fire protection consideration

or information about
   national fire protections Association

References are welcome.

Juan Manuel Gonzalez Nava
Informatic Research Center
ITESM, Mexico