From: John Moore 22-JUN-1990 19:23:02
To: security@asuvax.eas.asu.edu
Subj: [1001] Re: VideoCipher II

Yes... the same monthly master key is (or at least was) used for all channels. Thus, if you can decrypt one, you can decrypt all. The VC-II uses non-crypto means to decide whether you can watch a particular channel. Thus, if you defeat this (by modifying the code), you can subscribe to one channel (which makes all the crypto possible) and then receive all.

My understanding is that someone dissected the crypto chip, found a way to reconnect a factory test lead, and was able to get intermediate crypto products out that can be used to crack the key. This is from a hazy memory.

[Disclaimer: I have a video-cipher II and haven't touched the insides. I don't want to go to jail!]

--
John Moore HAM:NJ7E/CAP:T-Bird 381 {asuvax,mcdphx}!anasaz!john john@anasaz.UUCP
Voice: (602) 951-9326 (day or eve) FAX:602-861-7642 Advice: Long palladium,
USnail: 7525 Clearwater Pkwy, Scottsdale, AZ 85253 ......: Short petroleum
Opinion: Support ALL of the bill of rights, INCLUDING the 2nd amendment!

From: "Ned Freed, Postmaster" 22-JUN-1990 19:50:37
To: security@pyrite.rutgers.edu
Subj: [1156] Re: Security and Masterkeys

Don't expect the master to always be the lowest cut key. It is not in many cases, although the pins where it is the "high cut" tend to be ones reserved for zone master/grand master distinctions. However, I've never seen a system where the highest cut was used in more than a couple of pin positions, so the number of keys possible, even when working from a single lock as an information source, is not very large.

Use of different grooves in the blank is the usual mechanism to differentiate grand masters from great grand masters. However, adding additional grooves to a key is pretty easy if you have access to a mill and a tool of the proper size.
Making your own key from brass stock is also not too hard if you know what you're doing, and it makes complete hash out of all these foolish "registered blank" schemes.

I mentioned making a key out of sheet metal in a previous posting. I once made one out of mild steel as a sort of joke for somebody; it wasn't even a master since that was not part of the joke (his key broke off in his lock on two different occasions and I thought I'd make one that would not suffer from this problem).

Ned Freed

From: Rick Schatzman 27-JUN-1990 23:21:03
To: security@pyrite.rutgers.edu
Subj: [172] Word Perfect Decryption

Does anyone know how to decrypt a Word Perfect 5.0 or 5.1 file when the key has been lost? I have heard that there is an article published that explains how to do this.

From: Richard Hintz 27-JUN-1990 23:56:00
To: security@ohstvma
Subj: [398] Authentication of electronic commercial documents

We are interested in technology for authenticating electronic commercial documents, such as Purchase Orders. Can someone provide some pointers to references on this? Also, does it make sense to talk about using the RSA technology for this purpose? By the way, I'd like to get RSA's phone number, if someone has it handy.

Richard Hintz
University of California
(415) 987-0437
opsrjh@uccvma

From: zeleznik@cs.utah.edu (Mike Zeleznik) 28-JUN-1990 0:22:41
To: security@rutgers.edu
Subj: [921] Re: National Security Agency

>You cannot, as a plain old, lowly American citizen, get anything from the
> NSA. All requests are declined.

But you CAN get all you want of their public info from their public arm, the National Computer Security Center (NCSC) (I'm sure this has been mentioned here before). You can also probably get an account on dockmaster to keep up with what is available on-line (Project OPENAIR).
OPENAIR:
NCSC
Attn: OPENAIR Accounts Administrator
9800 Savage Rd
Fort Meade, Maryland 20755-6000
(301) 850-4446 or maybe 859-4360

NCSC PUBS (single copies only): (301) 859-4450

And if you need other info, the people above will probably be more than willing to help point you in the right direction.

Mike

Michael Zeleznik Computer Science Dept.
University of Utah
zeleznik@cs.utah.edu Salt Lake City, UT 84112
(801) 581-5617

From: vancleef@fs01.nas.nasa.gov (Robert E. Van Cleef) 28-JUN-1990 0:54:44
To: security@pyrite.rutgers.edu
Subj: [1246] Re: Expired passwords...

Oh - Cute! That means YOU, or one of your staff, know all of the passwords.

What we did is:

1 - Make the password program reject dumb passwords.
2 - Run a fast password cracker against all of our systems to insure the "root" hasn't given someone a dumb password.

You are assuming that you and your staff will assign passwords that are safe and memorable. My experience is that, under the pressure of events, people will assign passwords to others that are as bad, or worse, than those others would have picked for themselves. Let your software do the work for you.

Of course, you did say a "medium sized system". The problem with most solutions that I have seen, to all Unix system administration problems, is that they are not scalable. As systems grow, things break! Can you safely say that your current procedures would work if your system doubled in size or the number of users?

Bob
__
Bob Van Cleef - vancleef@nas.nasa.gov RNS Distributed Systems Team Leader
NASA Ames Research Center (415) 604-4366
Mail Stop 258-6 FTS 464-4366
Moffet Field, CA 94035-5000 FAX (415) 604-4377
__
"If you're not a liberal at 20, you have no heart, and if you're not a conservative at 40, you have no head."
Winston Churchill

From: xrtnt@amarna.gsfc.nasa.gov (Nigel Tzeng) 28-JUN-1990 1:30:44
To: misc-security@ames.arc.nasa.gov
Subj: [1308] Re: Expired passwords

`change it there-and-back' problem ^ administer the password problem is to assign passwords and remove the ^ passwd program

From the user's point of view this gets annoying after a while. For longish password of random variables they'll eventually just write them down. Now what does that buy you?

Same for the preemptive password lengthening system. If they can't deal with an 8 char password limit in an intelligent sort of way how do you think they'll deal with a ten char password limit?

This sort of behavior is a) confrontational b) non-productive. By doing this sort of thing you'll piss off users who know better and lead to the situation where they go out of their way to circumvent your protections leading to a further unprotected system.

Of course I work in a development environment where most users here can be considered "power-users". As software professionals we (or at least I) insist on being treated as one and not as some hacker dude from the Chaos Klub. Users are as much part of a secure system as the protection schemes built into the native OS.

NT
--------------------------------------------------------------------------------
   // | Nigel Tzeng - STX Inc - NASA/GSFC COBE Project
 \X/  | xrtnt@amarna.gsfc.nasa.gov
Amiga | Standard Disclaimer Applies: The opinions expressed are my own.

From: Alex Kuhn <75016.1201@compuserve.com> 28-JUN-1990 22:09:53
To:
Subj: [684] Locksmithing

Hi. I'm new to this newsgroup, but I have a question I figure someone here can answer.

How does someone become a locksmith? I've always had a great interest in keys and locks, and am interested in doing some locksmithing. Do you have to be licensed in the town/state? Or can you just set up shop with a key machine and call yourself a locksmith?
Can someone order blanks from a distributor or manufacturer directly, or do you have to have a locksmith's license to get them? I'm interested in the whole field, but Best keys interest me particularly. Can these be gotten without a locksmith's license?

Thanks for any help you can give-

Alex Kuhn (75016.1201@compuserve.com)

From: Bob Dixon 29-JUN-1990 12:04:03
To: security@pyrite.rutgers.edu
Subj: [269] Re: DES routine for VMS

We have DES software which is compatible across all common operating systems, including VMS. It is available to non-profit organizations for free.

Bob Dixon
Ohio State University

From: "Howie McCausland (802)388_3711x5754" 29-JUN-1990 12:37:05
To: security@pyrite.rutgers.edu
Subj: [651] RE: Expiring passwords

I have heard the argument made that forcing frequent password changes is counterproductive--particularly in those systems where the user logs in, learns that her/his password has expired, and has to choose a new one IMMEDIATELY. The supposed flaw is that the user will pick a poor password, because there isn't enough time to think up a good one.

Similarly, those password generator programs that impose a non-English password on the user are said to cause passwords to be written down.

I'm not sure I subscribe to either argument, but wondered what others in the network thought...

Howie McCausland (Middlebury College)

From: EVERHART@arisia.dnet.ge.com 29-JUN-1990 13:11:40
To: security@pyrite.rutgers.edu
Subj: [4318] Virus prevention

Re Kees deGroot's posting.

The DECUS library sells to anyone (membership in DECUS is free and nobody is that concerned whether you are or are not a member.) The software in it (multiple gigabytes of software) covers a great many machines, and is NOT, repeat NOT, limited to boxes DEC makes. You won't find much systems code for, say, Unisys boxes in the DECUS library, but applications that will run on Unisys boxes certainly abound.

The library is run by a staff, who are DEC employees.
It has two basic virus/trojan resistant attributes. First, the submitter is ALWAYS known and recorded, and everyone who gets software from the library (for which a production fee is charged; the cost is NOT paying for the software, but is covering part of the cost of running a fulltime library) has that name. What you get is a copy of what the submitter sent in. The production machines aren't on any nets or outside hookups; this makes them fairly resistant to penetration by ill-doers. Further, there's a central office with people who answer the phone.

When covert behavior of a program is detected, here's what happens:

1. The program is pulled from further distribution.
2. People are notified by whatever means are available (which these days will include the net) about the nature of the problem and all specifics that are known.
3. Efforts are made if the program was otherwise useful to reset the covert behavior and distribute the cleaned-up one together with a complete analysis of what happened. Source code is usually available also.

This happened only once so far where a program had a covert time-out. The damage to someone's reputation when he submits a program and suffers all the adverse publicity which we can and WILL produce is such that there's not much incentive to try putting covert behavior into programs going into the DECUS library.

Besides this, a good many of us use the code and look for "funny" stuff. It's not organized so that there's 100% coverage, and we don't want to say there is coverage even where it exists in too strong a form; we are after all human and don't want lawsuits by someone who says we should have tested more. But there are paths for reporting odd behavior and reacting to it. This applies to the sig tapes also, which are produced and distributed outside the DECUS library as well as contributed to it.
Most funny behavior that's been reported are version or site dependencies (which can be quite hard for an author to detect) and we try to tell what we find.

In all, the path from author to recipient is probably shorter dealing with DECUS library stuff or SIG tape stuff than it is for most commercial software, and we won't and haven't concealed any reported covert behavior; we are best protected by publicizing any such as quickly and widely as possible. Be sure this list will get such reports, as well as info-vax/comp.os.vms and, if we find a worm or virus, virus-l.

We do ask that people using the code help by reporting any odd behavior. You can call the DECUS office (508 480 3418 will get you into the office, though you'll need probably another extension to which you can be transferred) or me (215 354 7610) (me for sig tape info; the DECUS office for any, by preference) or Ted Nieland (513 427 6355) for SIG tape info also. To the extent we watch one another's backs, we're all the safer.

Funny behavior in this case means suspected covert behavior by a program. If you have a systems program written, say, for VMS V4.7 and try running it on VMS 5.3-1 symmetric multiprocessors, you should expect it to fail in many cases. We're more interested there in what succeeds. However, timeouts, odd use of privs, writing files or modifying files that aren't documented, and the like are of interest.

I understand the concerns about trojans or viruses, but these are probably more likely in commercial software than people realize. Your path from the submitter to you is as short dealing with the DECUS library as it is buying direct from a commercial vendor, and shorter than if the software passes through a store or distributor. The DECUS record of NOT concealing any problems is also public, and that policy will ultimately protect you further.

Glenn Everhart
VAX SIG librarian (DECUS)
Everhart@Arisia.dnet.ge.com

From: antonyc@chamber.cco.caltech.edu (Bill T. Cat) 3-JUL-1990 20:21:28
To: security@rutgers.edu
Subj: [78] Re: Security and Masterkeys

but as the number of masters increases, so does the ease of picking the lock

From: kuras@josef.enet.dec.com 3-JUL-1990 21:00:26
To: misc-security@decwrl.dec.com
Subj: [311] Re: workshop

The dates of the workshop are August 27 & 28, 1990. Sorry, I don't have location or other particulars at this time, other than it's in Portland, Oregon. The organizer of the workshop is Matt Bishop, Dept of Mathematics & Computer Science, Bradley Hall, Dartmouth College, Hanover, NH 03755 (603) 646-2415

From: optilink!cramer@uunet.uu.net (Clayton Cramer) 3-JUL-1990 21:37:46
To: misc-security@uunet.uu.net
Subj: [898] Re: a new scam

There's a much more low-tech version of this scam, that worked successfully in Culver City, CA, a few years ago.

There was a bank heavily used by merchants in Fox Hills Mall. Of course, merchants usually make night deposits filled with cash and coin. A sign was placed on the night deposit box that said, "Out of order". An armed security guard, in uniform, stood next to it, with a large wooden box.

Yup! You guessed it! Few merchants questioned it -- they just dropped their night deposits in the box. The next day at the bank must have been pandemonium. "There's nothing wrong with our night deposit box. What guard?"

--
Clayton E. Cramer {pyramid,pixar,tekbspa}!optilink!cramer
Amtrak subsidies: adults playing with choo-choos.
----------------------------------------------------------------------------
Disclaimer? You must be kidding! No company would hold opinions like mine!

From: jearly@lehi3b15.csee.lehigh.edu (John Early) 3-JUL-1990 22:14:21
To: misc-security@rutgers.edu
Subj: [1023] SPARCstation security

The CC and CSEE here at Lehigh are going to set up a Sun SPARCstation *public* site (hopefully in time for the fall semester) and I'm trying to find out what is available as far as physical security systems.
All we really need to do is bolt the CPU and monitor down (we will have both the 16 inch color and the 19 inch mono) and cable the keyboard and mouse to the CPU. (The optical mouse will be interesting...while there is no ball for people to steal the pad will certainly walk if not glued down, yet if I glue it down our left-handed users are screwed--and don't ask me to ask for money to buy two per station.)

So if anybody knows of any systems for Suns please e-mail me. If people want I can let you know how things work out in the fall.

Thanks, John.

----------------------------------------
John Early | jearly@lehi3b15.csee.lehigh.edu | I was just a child then;
JPE1@Lehigh.Bitnet | now I'm only a man. [pf]
LUJPE@VAX1.cc.lehigh.edu |

From: *Hobbit* 3-JUL-1990 22:54:58
To: security
Subj: [1460] Failed: attempt #1 at securing the vehicle

It would be REALLY GREAT if makers of "real" locks made drop-in replacements for car doors, complete with reinforcing plates and good pin cylinders and a mechanism that works such that once you turn the key a certain way the little lever is locked toward one direction and won't move at all. This would prevent use of a slim-jim. Unfortunately for the kind of car-door latch that doesn't work when the lock is locked, it could also trap people inside the car. Given that one would have to explicitly lock the door from the outside with such a rig, I think that I'd personally rather have that small risk than what, for instance, I have now, which is a car that's frighteningly easy to break into.

I recently tore my door apart to investigate the possibility of doing this. The cylinder has a limit stop which prevents motion much more than 60 degrees either way from center, and this stop is somewhere underneath the stupid press-fit front bezel, which if bent apart and then back again will probably be rather weakened. So for the moment I've given up on the idea of redoing it so it could be turned 180 degrees and then the key pulled.
If someone knows of a type of car cylinder whose limit stops are on the *back*, where I could get at them and file them down, please holler, and I could go off to a junkyard and find that kind of car. Yes, even with all that glass sitting there saying "break me", I still want to do this just for hack value.

_H*

From: Doug Gwyn 3-JUL-1990 23:16:41
To: misc-security@rutgers.edu
Subj: [3005] Re: Best Locks

>... The two of us who confronted them were threatened with instant
>expulsion if we were ever caught USING such knowledge; we didn't tell
>them about the others...

That seems to be fairly typical of administrations. Lock hackers can be quite concerned about perceived weaknesses in the institution's security systems, but the administration often prefers to act on the principle that knowledge is bliss, rather than tackling the objectively significant problem. Anyway, one generally meets with the sort of response that you reported, when trying to bring the attention of the authorities to a real problem. That's one of the reasons that vigilantes come into existence.

At Rice, I sat in on SDS meetings just to keep an eye on the radicals, and when they planned to blow up a building on campus, some of us were ready to foil their plans by entering through the steam tunnels; we didn't want our school destroyed. (I heard that later the local SDS leader, Karolyn Kendrick, was wanted "to help the authorities with their investigations", as the British would put it, in connection with a similar attempt.)

>The cores had those convenient holes for picking the core sleeve.

Of course that's not what they were intended for; they're for a small pin punch to push the pins out of the columns in case they're sticky. (You can also drive out the pins, cap and all, but it spoils the spring.) If you file the end of a 1/8" (I think it was) pin punch to a 45-degree angle, it makes removing the caps without damage a breeze.
>The locks, by the way, had a master key cut for the deepest pin, even
>though the school didn't use it. (Maybe the police or Best co?)

Best locks are pinned either by the factory or by a local Best rep. It is NOT standard practice to add any levels of masterkeying for use other than as part of the customer's masterkeying system. It may be that your school was indeed required to provide a master key to police etc. I don't think Best would dare build in a key for their own use.

>Someone let themselves into the locksmith's shop and stole the key
>machine the next year; very crude, they should have used it on
>the premises so no one would have suspected.

There's always someone who doesn't have any sense of judgement and steps beyond the bounds of harmless activity. Stealing equipment is certainly beyond the bounds. At Rice, our lock hacking had to be toned down because some idiot started stealing stuff through the steam tunnels, and the administration threatened to expel anyone found exploring the steam tunnels no matter what their intentions were. That pretty much ended a major hobby for several students.

One wonders why the school's official educational practices are so stifling or boring that students find themselves turning to such hobbies instead. I've never heard of a technically-oriented college or university, Best-using or not, where lock hacking didn't occur. Too bad some sort of locksmithing course credit isn't normally offered.

From: Doug Gwyn 5-JUL-1990 13:50:38
To: misc-security@rutgers.edu
Subj: [252] Re: National Security Agency

>The NSA produces several pamphlets describing what they do.

They even have a Public Affairs office, and their non-classified documents are subject to the Freedom Of Information Act. However, I haven't heard of any guided tours for sightseers, yet.

From: levine@csd4.csd.uwm.edu (Leonard P Levine) 5-JUL-1990 14:20:58
To: misc-security@uunet.uu.net
Subj: [555] Re: Security and Masterkeys

> Sorry Leonard. You must not be aware of any professionally designed
> master keying systems that were set up according to common locksmithing
> industry standards.

Don't I wish. I spoke at length to our locking staff, as well as the building designers. They did not even believe that this really bad design was not the norm. I agree with Seth that this is dangerous, but never could get lock people to follow the problem.

Seth, are you speaking from theory or do you have a high masterkey in your possession? I really want to know.

len levine

From: mlindsey@x102c.ess.harris.com (Lindsey MS 04396) 5-JUL-1990 14:48:08
To: misc-security@ucsd.edu
Subj: [665] deadbolt locks

Sorry if this is a dead horse ...

I just bought a house and would like to put dead-bolts on every exterior door, and have all of them work from one key. Does anyone out there have any advice about which models/brands to buy or avoid? I'm looking for:

- good security
- easy installation
- dependability (will it last a long time)
- reasonable price

Please email. If there is enough interest I will post a summary. Thanks.

"Waste your brain, wax your board, and pray for waves!" Woody in E.G.A.E.
/earth is 98% full! Please delete anyone you can! (anonymous)
$teve Lindsey |-) uunet!x102a!mlindsey
(407) 727-5893 :-) mlindsey@x102a.ess.harris.com

From: mark%beowulf@ucsd.edu (Mark Anderson) 5-JUL-1990 15:32:00
To: misc-security@sdcc6.ucsd.edu
Subj: [969] Re: Security and Masterkeys

>A properly selected master key must be impossible to create by filing
>a change key. That means it must contain at least one cut that is
>taller than the corresponding cut in every change key.

I don't know about "common locksmithing industry standards", but the Foley-Belsaw training course doesn't mention any such concern in their lessons. Almost everywhere I've ever been you could find a change key to convert to a master. I think you are overestimating the training/concerns of most locksmiths.
Or perhaps it is just that facilities outgrew the original "correct" design.

And who really cares about the master key shear line, any old shear line will work, even for keys that don't exist. I've always had the best luck picking locks on a master key system. And if you are in a position where you can request legitimate keys, you can often order masterkeys through the same office just by knowing the code (which you get by watching a janitor).

mark

From: Carl DeFranco 5-JUL-1990 16:24:37
To: security@pyrite.rutgers.edu
Subj: [1470] File Encryption on a Packet System

Recently, someone asked how to put together a system to provide protection for a computer system operation through a packet switch using some type of "box" for encryption. It's not that easy.

Remember how packet switching works? Each packet contains address information that directs it on its way to a destination. Since the packet switch expects clear text information, the "box" must have some method of extracting the address data from the packet, encrypting the remainder, then restoring the address data to the packet. This process cannot be done once at the establishment of a comm session - it must be done for each packet that will pass through the packet switch.

The Government has invested a lot of money in accomplishing just this type of operation. I am not aware of any commercial sources of equipment that do what you want using commercial encryption methods such as DES. The problem comes from using the "connectionless" networking provided by packet switching.

IF you modify your system to one which allows "nailed down" communication, the "connection-oriented" method, you can do just what you mention - establish the connection in the clear, then "go secure". You will also need some method of exchanging encryption keys and managing them on some periodic basis.

SO, as you can see, the problem is solvable, but it isn't a simple one. Sorry to be the bearer of less than encouraging news.
Carl DeFranco
defranco@tops20.radc.af.mil
-------

From: deronwal@tybalt.caltech.edu (Deron Walters) 10-JUL-1990 11:23:05
To: security@rutgers.edu
Subj: [604] Medecos (was Re: Best Locks)

>On a recent visit I noticed they had rekeyed with Medeco Bi-axial locks, but
                                                   ^^^^^^^^^^^^^^^^^^^^^

Huh? Bi-axial? I'm familiar with regular Medeco locks, but I've never heard of these. Please describe them in more detail!

Deron A. Walters

[Moderator explanatory tack-on: Biaxial refers to Medeco's offset-chisel-tip pin design, in which the bottom edge of the pin is offset forward or back by .025". Thus the bottom of the keycut has to not only be at the right height and twist, it also has to be at the correct offset along the key bit. _H*]

From: shz@packard.att.com (Seth Zirin) 10-JUL-1990 11:57:43
To: security@rutgers.edu
Subj: [739] Re: Security and Masterkeys

The Foley-Belsaw lesson plan is outdated. I say this from experience because I took the course a few years ago. Check with the NY School of Locksmithing or with Lockmasters.

The Associated Locksmiths of America (ALOA) Proficiency Registration Program (PRP) in which I hold the certification of Certified Professional Locksmith (CPL, I'm one elective away from Certified Master Locksmith, CML) has sections on "Master-Keying" and "Advanced Master-Keying." Both of these sections and every book on master-keying repeatedly state that no key should be alterable to a higher level.

You are correct about many improperly set up master-keying systems. There are way too many curbside commandos that call themselves locksmiths.

Seth Zirin

From: "Chuck Sechler" 11-JUL-1990 21:08:21
To: SECURITY@MARIST, BIG-LAN@SUVM
Subj: [722] Password Checking

Some breakins to a computer at a university in Ohio have prompted us at Ohio State to look into enforcing use of more obscure passwords on our systems.
Basically, I would like to know if there has been any work on MVS and/or CMS platforms to keep users from picking obvious passwords, like their name, password same as userid, password is a word, etc. On MVS we are working on Top Secret software, and it has some interesting capabilities for restriction, including generating random passwords, when a user is forced to change their password, but it is not ready for full implementation yet. Some UNIX platforms check against large lists of restricted words (like 50000 or more). Any thoughts? Please respond to me. Thanks.

From: "Jacques Beland (a.k.a. Mickey) Trent University" 11-JUL-1990 21:40:07
To: security@UBVM
Subj: [337] Different security ratings

Can someone please show me what the different "security levels" mean in terms of operating system. What I mean is one sees that "xxx's o/s is a B2 rating". What is B2 and what are the different available levels? And is there somewhere one can look up what o/s are rated at what level? For example, VMS is B1, Novell is K9 etc??

Thanks.

From: "Kees de Groot, Information Systems Security" 11-JUL-1990 22:01:27
To: security@pyrite.rutgers.edu
Subj: [841] Re: Off the wall...ROM security?

Bob,

Intel's micro-controllers in the MCS-51-series have a feature in which you can program a sort of hashing or mask. The effect is that it is impossible to read directly from the EPROM, but you can erase the whole device and reprogram it. This is all from between my ears. If you want more detailed information I can try to find some docs.

Tel. +31-8370- .KeesdeGroot (DEGROOT@RCL.WAU.NL) o\/o THERE AINT NO
(8)3557/ Computer Systems Security [] SUCH THING AS
4030 Inform. & Datacomm. Dreijenplein 2 .==. A FREE LUNCH!
6703 HB Wageningen, the Netherlands
X25: PSI%(+204)18802031937::DEGROOT
disclaimer: I always speak for myself
- if you go too far to the east, you find yourself in the west ..
-

From: David Haimson 11-JUL-1990 22:27:55
To: security@pyrite.rutgers.edu
Subj: [4041] Quantum Security

from Science News, June 2, 1990

Bits of Uncertainty: Quantum Security, by I. Peterson

The trouble with sending a secret message is that the recipient must have a key for deciphering it. This means the two parties must initially either meet in person or risk sending the key by some less secure communications channel, and that invites interception.

Inspired by an idea first proposed nearly a decade ago, a group of researchers has now designed and constructed a device that uses the uncertainty principle of quantum physics to provide a safe but public means for transmitting vital, secret information.

The device uses extremely faint flashes of light -- only one photon per flash -- to carry messages. Each photon has a certain linear polarization (whether the electric field associated with the light is oscillating horizontally or vertically) and a certain circular polarization (whether the electric field is rotating in a right-handed or left-handed sense about its direction of travel). According to the uncertainty principle, there's no way to measure a photon's linear and circular polarizations simultaneously. Measuring one disturbs the other.

A sender can use the polarizations of individual photons to send a sequence of signals to the receiver, randomly choosing whether to encode a bit of information as a specific linear or circular polarization. For each photon detected, the receiver chooses randomly which type of polarization to measure. About half the polarization measurements would match the values the sender transmitted. By ascertaining which photons were correctly measured, the sender and receiver could derive a code, known only to them, which would serve as a key for encrypting and deciphering messages.
Because any measurement attempted by a third party would unpredictably alter a photon's polarization, an eavesdropper couldn't intercept the transmission without irrevocably scrambling the message and alerting both the sender and receiver to the surreptitious surveillance. To check for eavesdropping, the receiver would simply compare notes with the sender, ascertaining what the results for a number of selected measurements should have been. Statistical deviations from the expected results would signal an eavesdropper's presence.

This so-called "quantum public key distribution system" is the first communications system ever built to depend on the uncertainty principle to ensure secrecy, say its inventors, Charles H. Bennett of the IBM Thomas J. Watson Research Center in Yorktown Heights, N.Y., and Gilles Brassard of the University of Montreal. "The system relies on the uncertainty principle to enable its users to detect eavesdropping on the quantum channel, even by an opponent with superior technology, and reject the compromised transmissions."

After playing with the idea for several years, Bennett and a colleague constructed a working model of the system last summer. The device consists of tiny diode lasers for generating faint light flashes and detectors for picking up the signals. The entire apparatus sits within a light-tight box about 13 inches long. A computer program controls the apparatus, tallies the signals sent, received and intercepted, and displays the results.

Because it is relatively slow and can be used only for communicating random bits, the apparatus is best suited for transmitting cryptographic keys. Once the two users establish a key, they can exchange secret messages by way of a faster, conventional communications channel. However, the device's present size severely limits its usefulness.
Bennett, who described his demonstration model at last week's Eurocrypt conference in Aarhus, Denmark, now plans to build an improved device using an optical-fiber cable for transmitting light pulses over distances up to 500 meters. Going to greater lengths is tricky because the light pulses must necessarily be weak, which means they travel only a limited distance along optical fibers before fading away. From: Pete Nielsen 15-JUL-1990 4:14:09 To: security@pyrite.rutgers.edu Subj: [264] Re: Authentication of electronic commercial documents I'd ask a bank; I believe wired funds include an authentication code. RSA is an interesting question. I heard that some mathematician recently factored a 155 digit number, and that they are consequently recommending at least 200 digit primes for the RSA stuff. From: owen blevins 15-JUL-1990 4:48:39 To: security@ohstvma.bitnet Subj: [366] criminal record Need to find out if it is possible to obtain a copy of YOUR record, i.e. if I've been accused, convicted, etc. of a federal (or for that matter state) crime... I assume the FBI keeps it online somewhere -- is it possible (it probably is) to get a copy, and logically, how/who do I contact to get a copy of my criminal record. Thanks! blevinso@silver.ucs.indiana.edu From: 09nilles%cuavax.dnet@netcon.cua.edu (Fiver Toadflax) 15-JUL-1990 5:23:52 To: security@netcon.cua.edu Subj: [320] re: SPARCstation Security What you might try doing is to take and glue/fasten the pad to a steel sheet. This sheet is then secured via cable to the same thing as the monitor or CPU. The pad is now movable, and yet is unlikely to walk out the door. Dave 09nilles@cua.bitnet Documentation Assistant Catholic University of America From: smb@ulysses.att.com (Steven Bellovin) 15-JUL-1990 5:57:20 To: misc-security@att.att.com Subj: [446] Re: Word Perfect Decryption There was a paper published in Cryptologia Vol 11, no. 4, on cracking Word Perfect 4.2; I have no idea if they changed the encryption algorithm.
It was reprinted in ``Cryptology: Machines, History, and Methods''. That same volume has another reprint ``Survey of Data Insecurity Packages'' that doesn't include Word Perfect; however, the same author did a followup report on some other bad encryption programs that you may want to look for. From: Stacey Son 377_4965 15-JUL-1990 6:25:36 To: misc-security@ucbvax.berkeley.edu Subj: [1052] Re: Word Perfect Decryption I have a friend who has a company that specializes in data recovery. He markets a program that will recover crypted Word Perfect documents. He also decrypts other programs such as Lotus, Microsoft Excel, etc. You can reach him at the following address: Access Data Recovery % Eric Thompson 87 E 600 S Orem, UT 84058 (801) 224-6970 ----------------------------------------------------------------------------- Stacey D. Son, Network Manager, Supercomputer Center, Brigham Young University, Dept. of Electrical/Computer Eng., 459 Clyde Building, Provo, UT 84602 Voice:(801)378-5950 FAX:(801)378-6586 Email: sson@ee.byu.edu | "I think there is a world market for about five computers" -- Thomas J. Watson, CEO, IBM Corporation, 1947 | "The number of UNIX installations has grown to ten, with more expected." -- UNIX Programmers Manual, 2nd Edition, June, 1972 ----------------------------------------------------------------------------- From: mii@philabs.philips.com (Melik I. Isbara) 15-JUL-1990 6:59:19 To: misc-security@uunet.uu.net Subj: [1763] ATM machines , electronic transactions , Citibank I am posting this article to inform the netters about a problem with Citibank ATM machines and to ask for any information and suggestions. Please bear with me. When I received my last bank statement, I noticed three transactions in which $900 dollars were withdrawn from my accounts from a Citibank ATM machine at a downtown NYC branch which I have never used. FACTS: 1. I did not do those transactions. 2. When they took place I was at work out of NYC. 3.
I did not lose my bankcard or give it to anyone. 4. I did not write down my password or tell it to anyone. After I received my statement I went to my branch and talked to a customer representative. After a couple of days I got two letters from Citibank saying that results of their investigation (which consists only of looking at the ATM machine records for those specific transactions) showed that for those transactions my bankcard and my password were used, therefore they could not honor my claim. Now my guess is that this is most probably a software problem because last weekend I went to the branch where money was withdrawn and there was a sign on the door saying that the ATM machines there were out of order. I also learned that they have been out of order for about a week. I am going to take legal action against Citibank, therefore I would like to know if anybody is aware of a similar situation or if anyone has any ideas on how this might have happened. I would appreciate any information and suggestions that can help me to fight Citibank to recover my money and to explain how this event might have happened. Please e-mail to mii@briar.philips.com isbara@cs.columbia.edu Thanks in advance. Melik Isbara Columbia University Dept. of Electrical Eng. From: GREENY 15-JUL-1990 7:30:46 To: Subj: [2352] re: Failed: attempt #1 at securing the vehicle Forget it. Just put a decent alarm system on the car, with an ignition kill and jack-up/motion sensor (and maybe an audio discriminator in case the glass breaks), and a nice loud siren (maybe the traditional "flashing" LED), and park in a lighted area. For the most part, reinforcing the locks, and making them "slim-jim" proof is next to impossible. There isn't a car around, that a qualified locksmith (or car repo. man, or car thief) can't get into quickly. And the tools are widely available, as are the instructions for the individual cars.
Besides, you sorta want your car to be slim-jim-able so that when you lock your keys in it, or lose the things, then a locksmith can get you in! If you really wanna go nuts, get a 4 channel programmable voice driver from Oregon Scientific (no # readily available...), and use the different inputs from the alarm to trigger different voice outputs... My car says "ILLEGAL TOWING IN PROGRESS" when jacked up/towed, yells "I'M BEING STOLEN" when the door/trunk/hook is being opened, yells "YOU BROKE MY WINDOW" when the glass gets broken... the 4th one I haven't used... Also, I have a remote control (RF) to arm/disarm, have capabilities for passive arming, and have a pager linked into the alarm that will find me within 2 miles when the alarm goes off... So far, it has saved me at least once. I had a crook trying to break into the car on campus during the summer, when not too many people would hear the siren, and my pager went off. I went off after the damn guy with a baseball bat. He didn't get in, and I didn't get any whacks in, but the cops found him shortly (seems that they heard the siren and were on the way...). At any rate, had he gotten in, I have purposely used multi-colored wires wrapped in seemingly insane configurations to confuse a crook, hidden the relays that trigger the pager/ign. cutout in a Radio Shack project box labeled HIGH VOLTAGE. CAUTION. under the dash. So it would take this "genius" of crime a longggggg time to start my car, and steal it. At most he would get the radio, and being a standard Ford install, he could have it with my compliments.... bye for now but not for long Greeny BITNET: MISS026@ECNCDC Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU GEnie: GREENY AOL: GREENY1 Compu$erve: 72567,457 Disclaimer: U use it, U B responsible fer it!
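The key agreement and eavesdropping check described in the Science News article earlier in this digest, as an added simulation that is not part of any posting here. It assumes an ideal, noise-free channel and an eavesdropper who measures each photon in a randomly chosen polarization type and forwards what was seen; the function names, the 5% acceptance threshold and the seeds are assumptions of this example.

```python
import random

BASES = ("linear", "circular")   # the two polarization types named in the article


def measure(photon, basis, rng):
    """Measure photon = (prepared_basis, bit) in `basis`.

    Same basis: the encoded bit is read correctly. Other basis: the result is
    a coin flip and the photon leaves in the state just measured, so the
    original encoding is lost (measuring one polarization disturbs the other).
    """
    prepared_basis, bit = photon
    result = bit if basis == prepared_basis else rng.randrange(2)
    return result, (basis, result)


def run_exchange(n_photons, eavesdrop, seed, check_fraction=0.5):
    """Simulate one key exchange and return its statistics and the kept key."""
    rng = random.Random(seed)
    kept = []   # (sender_bit, receiver_bit) where both chose the same basis
    for _ in range(n_photons):
        send_basis, send_bit = rng.choice(BASES), rng.randrange(2)
        photon = (send_basis, send_bit)
        if eavesdrop:
            # Third party on the line: measure in a guessed basis, then
            # forward the photon in whatever state the measurement left it.
            _, photon = measure(photon, rng.choice(BASES), rng)
        recv_basis = rng.choice(BASES)
        recv_bit, _ = measure(photon, recv_basis, rng)
        # Public discussion: only the bases are announced, never the bits.
        if recv_basis == send_basis:
            kept.append((send_bit, recv_bit))

    # "Compare notes": disclose a random subset of the kept bits and count
    # disagreements. Disclosed bits are discarded, the rest become the key.
    n_check = int(len(kept) * check_fraction)
    check_idx = set(rng.sample(range(len(kept)), n_check))
    errors = sum(1 for i in check_idx if kept[i][0] != kept[i][1])
    error_rate = errors / n_check if n_check else 0.0
    key = [kept[i][1] for i in range(len(kept)) if i not in check_idx]
    return {"sifted": len(kept), "checked": n_check,
            "error_rate": error_rate, "key": key}


def accept_key(result, max_error_rate=0.05):
    """Reject the transmission when the disclosed sample disagrees too often.

    The threshold is an assumption; on an ideal channel any error at all is
    evidence of measurement by a third party.
    """
    return result["checked"] > 0 and result["error_rate"] <= max_error_rate


if __name__ == "__main__":
    for tapped in (False, True):
        r = run_exchange(4000, eavesdrop=tapped, seed=1990)
        print(f"eavesdropper={tapped}: sifted={r['sifted']} "
              f"error_rate={r['error_rate']:.3f} accept={accept_key(r)}")
```

With no one on the line the disclosed sample agrees exactly; with measure-and-forward interception about a quarter of the compared bits disagree, because the interceptor guesses the wrong polarization type half the time and each wrong guess randomizes the receiver's result.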
From: shz@packard.att.com (Seth Zirin) 17-JUL-1990 1:51:30 To: security@rutgers.edu Subj: [411] Re: Security and Masterkeys >but as the number of masters increases, so does the ease of picking the lock This is not necessarily correct. It depends on the master keying algorithm used. I've rekeyed locks, changing them from a 2 level (1 level of MK) to a 3 level (GMK, MK) and wound up with fewer pins in each lock. Some would say that with fewer pins in some of the stacks, the lock was more difficult to pick... Seth Zirin, CPL From: levine@csd4.csd.uwm.edu (Leonard P Levine) 17-JUL-1990 2:26:38 To: misc-security@uunet.uu.net Subj: [1659] Re: Best Locks The reason for the low cut master is simply laziness on the part of the locksmith, I believe. When a lock is assembled, does not the locksmith build up the pins in the rotating part by dropping in pieces and then slide the assembly together? If so, then there must be a key in the lock to make the top of the pins level with the top of the rotating part in order to let the system slide easily. Similarly, removal is done by the same method. Put in a key, and remove the part with the key in place. If the Master is not the lowest key, a separate key would have to be made for each lock assembled. If the Master is the lowest, it may be used for the assembly of each lock in turn. Thus any locksmith paid by the month will set up a Masterkey that is the lowest key in the system. Not good, but surely easy to work with. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail levine@cs.uwm.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U.S.A. FAX (414) 229-6958 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + [Moderator tack-on: Not necessarily. 
You don't need a key present to *assemble* a lock at all; the plug can be inserted slightly offset and everything will just drop into place when it's turned to locked position. Also, any valid key will allow disassembly; you just have to retain all the other parts in the shell with a thing referred to as a "following tool". You can pick the rest of the parts out one by one afterward. _H*] From: "Larry Margolis" 17-JUL-1990 2:59:28 To: security@pyrite.rutgers.edu Subj: [1565] Re: Security and Masterkeys > as the number of masters increases, so does the ease of picking the lock Not necessarily. You can have a sectional master section, where each pin chamber has at the most one master pin. Assume a 7-pin lock. Pins 1 and 2 could be the site-wide master, pins 3 and 4 the building master, and pins 5 to 7 the floor master. So, on each floor, all the change keys will have pins 1 - 4 the same, and pins 5 - 7 different. A floor master key would have cuts 1 - 4 the same as the change keys for that floor, with cuts 5 - 7 cut to the master levels. Each floor in the building would be done similarly, with pins 1 and 2 the same and pins 3 and 4 differing by floor. The building master then has cuts 1 and 2 the same as all the other keys for that building, with cuts 3 to 7 cut to the master levels. Finally, each building has pins 1 and 2 different, and the grand master key has all cuts cut to the master levels. The one thing you *don't* want to do is put too many master pins in a lock. I once came across some Best padlocks that were meant to be opened by any serviceman in the state. The locks had 2 or 3 master pins in the first and last chambers, and chambers 2 - 6 had master pins for *every level* !!! The things practically fell open in my hands. And, of course, once I had one in my possession, it was trivial to make a control key for it so I could have gained access to any of their buildings. (What surprised me was that their locksmiths told them this couldn't be done.)
Larry Margolis, MARGOLI@YKTVMV (bitnet), MARGOLI@IBM.COM (csnet) From: shz@packard.att.com (Seth Zirin) 17-JUL-1990 3:36:30 To: security@rutgers.edu Subj: [1823] Re: Security and Masterkeys >Seth, are you speaking from theory or do you have a high masterkey in >your possession? I really want to know. Both. My home is master-keyed with Medeco Biaxial removable core locks. The locks are D-10 and D-11 deadbolts and Embassy cylindrical locksets. The layout is four level: GGMK, GMK, MK & CK. 1) Each core has a separate combination (CK). 2) There is a MK per side of each door (i.e., deadbolt and lockset) and the MK that fits the inside cores on a door does not fit the outside. This prevents a delivery person from stealing an "exit" key and using it to obtain entry. 3) The outside cores are grouped under GMKs to provide "entry via the front", "entry via the garage" or an "entry via the back" keys. 4) All inside cores are grouped under a "fire egress" GMK so a single key may be used to exit via any path. 5) Every core opens with the Great Grand Master Key. This system allows the change key (CK) for the front door lockset to be left with a neighbor in case of a lockout, prevents a visitor from gaining entry with a stolen "inside" key, and allows someone to enter to water plants without letting them into the garage. I set-up the master-keying system myself, including the calculations, installation of the locks, pinning of the cores and cutting of the keys. It turns out that only a few different keys were cut: the GGMK and several GMKs, MKs and CKs. No key in the system can be altered into a higher level key and each key (including the GGMK and every GMK and MK) has a wide range of cuts. Each key has at least two cuts that differ by the MACS (Maximum Adjacent Cut Separation) which varies from cut to cut because of the fore and aft biaxial Medeco pins.
Seth Zirin, CPL Member Associated Locksmiths of America Member Safe and Vault Technicians Association From: mark%beowulf@ucsd.edu (Mark Anderson) 17-JUL-1990 4:11:24 To: misc-security@sdcc6.ucsd.edu Subj: [2263] Re: Locksmithing Chapter 8.5 of the California "Business and Professions Code" is the section relevant to Locksmiths. You'll have to check your city charter for any local rules. It is really most interested in people who work for hire to the general public. Some general definitions from the code: "Key duplicator" means an operator of a key duplicating machine who merely duplicates keys for retail customers and who does not perform any other functions of a locksmith. "Locksmith" means a person, other than a key duplicator, who installs, repairs, opens and modifies locks and who makes keys for locks. Some relevant rules: Permits. On and after April 1, 1988, it is unlawful for any person to practice as a locksmith without first obtaining a permit from the bureau. Locksmiths working for hire; person exempt (a) This chapter applies only to locksmiths working for hire. (b) This chapter does not apply to the following persons: (1) Any person, or his or her agent or employee, who is the manufacturer of a product, other than locks and keys, and who installs, repairs, opens or modifies locks or who makes keys for the locks of that product as a normal incident to its marketing. (2) Key duplicators. (3) Employees who are industrial or institutional locksmiths and whose services are provided only to an employer who does not provide locksmith services for hire to the public. ------- You should be able to set yourself up as a key duplicator without any problem. You might stop by some key duplicating center and find someone who will tell you how they go about ordering keys. If you are interested in just a few blanks, I'm sure you can find a key duplication place that will sell them to you uncut. Another route is to take a mail correspondence locksmithing course.
At the time I took mine, the cost was $400. In the deal I got to keep a key making machine and can order locksmithing supplies (picks, blanks, cutting machines, code books, etc) thru the mail order company. I wouldn't recommend it unless you don't really care about the money. The first lesson was something like match like keys together in pairs. From experience I know you can buy stuff and subscribe to trade journals as a "student of locksmithing". mark anderson ~ From: "Michael J. Chinni, SMCAR_CCS_E" 17-JUL-1990 5:41:33 To: security@pyrite.rutgers.edu Subj: [8327] [Theodore Lee: The F9 factoring result] FYI ... (this is a long message: 155+ lines) Date: Wed, 27 Jun 90 22:19:44 -0400 From: Theodore Lee Subject: The F9 factoring result MESSAGE FROM RON RIVEST VIA JIM BIDZOS VIA STEVE KENT VIA STEVE CROCKER: Thanks to Robert Silverman for keeping many people honest. As an additional effort to that end, I attach an analysis of the recent factoring effort, done by Ron Rivest. The early reports of RSA's demise have been greatly exaggerated... Note: Be sure and read the end of Rivest's note. Jim Bidzos, RSA Data Security To: Whom It May Interest (Feel free to distribute further...) From: Ronald L. Rivest Date: June 21, 1990 Re: Recent Factoring Achievement (Preliminary draft; may contain typos or other inaccuracies. Please send corrections to rivest@theory.lcs.mit.edu) This note is in response to the numerous inquiries I've received regarding the recent factoring of a 155-digit number by A. Lenstra, M. Manasse, and others. (See the New York Times article of 6/20/1990 by G. Kolata.) This note attempts specifically to correct some of the misimpressions that may arise from a reading of such popular press articles. Using an ingenious new algorithm, Lenstra, Manasse, and others have factored the 155-digit number known as "F9", the ninth Fermat number: F9 = 2^(2^9) + 1 = 2^(512) + 1 . 
In binary, this number has the form 100000....000000001 where there are 511 zeros altogether. (F9 is a 513-bit number.) This is a fascinating development, and the researchers involved are to be congratulated for this accomplishment. The algorithm used is known as the "number field sieve", or "NFS" (not to be confused with a network protocol of the same acronym!). The NFS algorithm is described in the Proceedings of the 1990 ACM STOC Conference. The NFS algorithm is based on an idea due to Pollard, as developed further by Arjen Lenstra, Hendrik W. Lenstra, and Mark S. Manasse. The NFS algorithm is specifically designed to factor numbers that, like F9, have a very simple structure: they are of the form a^b + c where c is relatively small. (For F9, we have a=2, b=512, and c=1.) Some simple extensions of this algorithm are also possible, to handle numbers whose binary representation has many zeros, and related kinds of numbers (ternary, etc.) Numbers that have such a special structure are extremely rare and are unlikely to be encountered by chance. That is, the NFS algorithm does not apply to the kind of "ordinary" numbers that arise in practical cryptography, such as using RSA. They only apply to numbers with "sparse" representations having few nonzero components. (Let us call such numbers "rarefied".) When working on a rarefied number, the NFS algorithm has an estimated running time of the form (for an input number n): exp(1.56 (ln n)^(1/3) (ln ln n)^(2/3))    (1) For n = F9, this evaluates to 4.1 x 10^15 operations, which, at 3.15 x 10^13 operations/year for a 1 MIP/sec machine (i.e. a MIP-year), gives a workload estimate of 130 MIP-years, only off by a factor of two from the actual work of 275 MIP-years. (That is, formula (1) may be roughly too low by a factor of two.) It is instructive to see the effect of doubling the size of the number being dealt with.
A 1024-bit (332-digit) rarefied number requires an estimated 1.54 x 10^21 operations = 4.9 x 10^7 MIP-years, a dramatic increase in difficulty. The NFS algorithm is not a "polynomial-time" algorithm; the difficulty of factoring still grows **exponentially** with a polynomial function of the length of the input. What has this to do with RSA and cryptography? I think there are three basic points: -- This development indicates that the status of factoring is still subject to further developments, and it is wise to be conservative in one's choice of key-length. -- The NFS algorithm may yet be generalized to handle "ordinary" numbers, and the potential impact of this should be considered. -- Factoring is still a very hard problem, despite everyone's best efforts to master it. Regarding the further extensions of NFS to handle ordinary numbers, this is judged to be a reasonable possibility by those working on NFS, so it is helpful to consider what impact this may have. It is conjectured (see the ACM STOC paper referenced above) that a successful extension of the NFS algorithm to ordinary numbers would have a running time of the form: exp(2.08 (ln n)^(1/3) (ln ln n)^(2/3))    (2) This is similar to equation (1) except that the constant 1.56 is replaced by the constant 2.08. Note that a practical version of such an extension does NOT yet currently exist (to the best of my knowledge), but even granting its plausibility we arrive at an estimate of the time required to factor a 512-bit number of 6.5 x 10^20 operations = 2 x 10^7 MIP-years which (in my opinion) is a substantial degree of security. It is interesting to note that this work factor is actually GREATER than that required by the ``standard'' factoring algorithms (e.g., the quadratic sieve), which have a running time of exp((ln n)^(1/2) (ln ln n)^(1/2)); for a 512-bit number, this gives a work-factor estimate of only 6.7 x 10^19 operations.
Indeed, the NFS algorithm (when extended) will be asymptotically superior to the quadratic sieve algorithm, but will be slower for numbers with less than about 200 digits. That is, assuming that (2) is indeed the correct running-time estimate for any extension of NFS, then NFS will not affect the security of any numbers of less than about 215 digits. So any "standards" that have been considered using 512-bit RSA moduli are not likely to be affected by any NFS extensions. (At most, one could imagine that the RSA key-generation process might be extended to check that the resulting modulus n is not a rarefied number.) In the truly worst-case scenario, we would have that an extension of NFS would be found that allows ordinary numbers to be factored with a work-factor that is governed by equation (1); in this case one would need to adjust the sizes of moduli used by RSA upwards by a factor of less than two to more than offset the new algorithm. A factor of two in size affects the running time of public-key encryption (or signature verification) by a factor of four and the running time of private-key encryption (or signature generation) by a factor of eight. Noting that the speed of workstations has increased by a factor of over 100 in the last decade (indeed, such factors have been the technological advance that made the successful implementation of NFS possible!), such performance penalties, if necessary, seem to be easily absorbed by expected technological advances in the speeds of the underlying RSA implementation technologies. That is, the NFS-like factoring algorithms do not, even in this worst-case scenario, prevent successful implementations of the RSA cryptosystem. As a cryptographer, I am actually very happy with all the effort that is being spent trying to determine the exact level of difficulty of factoring.
Achievements such as the recent development of NFS help to pin down the best-possible rate of growth of the difficulty of factoring, so that users of cryptographic schemes can pick key sizes with an increased degree of confidence that unforeseen developments are unlikely to occur. The best way to ensure confidence in a cryptographic system is to have it attacked vigorously and continuously (but unsuccessfully) by well-qualified attackers. If, despite their best efforts, the difficulty of cracking the system remains intrinsically exponential, then one can have a reasonably high degree of confidence that the system is actually secure. This is the process we have been seeing at work in the recent work on factoring. The results of the attacks can be used to guide the selection of the necessary key size for a desired level of security (with an appropriate margin of safety built in, of course). (As a closing note, here's a prediction: I expect that the 128-digit ``challenge RSA cipher'' published in the August 1977 issue of Scientific American to be cracked (probably by the quadratic sieve algorithm or a variant, not NFS) during the next 1-3 years. This accomplishment will require substantially more computer time than the 275 MIP-years required to factor F9.) From: simsong@next.cambridge.ma.us (Simson L. Garfinkel) 22-JUL-1990 1:42:32 To: security@pyrite.rutgers.edu Subj: [100] "Secure NFS" Has anybody heard about this, Sun's new NFS authentication system that uses public key encryption? From: lorence@sctc.com (Len Lorence) 22-JUL-1990 10:55:42 To: misc-security@uunet.uu.net Subj: [874] Re: Different security ratings >Can someone please show me what the different "security levels" mean in >terms of operating system. What I mean is one sees that "xxx's o/s is a >B2 rating". What is B2 and what are the different available levels? What you want is a copy of the DOD Trusted Computer System Evaluation Criteria (DOD 5200.28-STD) from the National Computer Security Center.
It sets the criteria for a system to meet each of the evaluation ratings (D, C1, C2, B1-3, and A1.) You also want a copy of the Evaluated Products List, available from the same people. You may be disappointed to find that there are not many products which have successfully made it through the evaluation process, and some that have are no longer available. Ask your librarian if they can get you copies, ask a friend who has a Dockmaster account, or write to NCSC. Len Lorence Secure Computing Technology Corp. From: srt@grad19.cs.duke.edu (Stephen R. Tate) 22-JUL-1990 11:19:51 To: misc-security@mcnc.org Subj: [969] Re: Authentication of electronic commercial documents > RSA is an interesting question. I heard that some mathematician > recently factored a 155 digit number, and that they are consequently > recommending at least 200 digit primes for the RSA stuff. AARRGGHH!!! You would not believe how many people I have heard say this lately, and is proof that a little information is a dangerous thing. The "popular press" (Washington Post, New York Times,...) ran a story saying exactly the above, so it's no wonder that people have this impression. Now the REAL story: the number factored was of a very special form, and the algorithm used excelled for numbers of that form (in fact, the algorithm was originally developed *only* for numbers of that form). The RSA algorithm does not use numbers of this form (it uses the product of two randomly generated large primes), and so public keys of the form used by RSA are in NO DANGER from the new algorithm. Steve Tate ARPA: srt@duke.cs.duke.edu UUCP: ..!decvax!duke!srt From: nagle@well.sf.ca.us (John Nagle) 22-JUL-1990 11:49:15 To: misc-security@uunet.uu.net Subj: [1104] Re: Password Checking >Basically, I would like to know if there has been any work on MVS and/or CMS >platforms to keep users from picking obvious passwords, like their name, I first posted a simple solution to this problem back in 1984.
The technique used does not require any dictionary or large tables; it relies on some statistics of letter sequence usage in English which allow one to determine whether something is a likely English word. The code can be obtained from the comp.sources.unix archive, or I can send a copy to interested parties. The code is in C, but there is no UNIX dependency; in fact, I wrote the original code on a DECsystem 2060, in C. The archive reference appears below. John Nagle Newsgroups: comp.sources.unix Subject: v16i060: Tell if a password is "obvious" Date: 10 Nov 88 14:47:09 GMT Submitted-by: "John B. Nagle" Posting-number: Volume 16, Issue 60 Archive-name: obvious-pw [ This program does NOT try brute-force methods to guess passwords, but instead tells if a password is an "obvious" one likely to be guessed by such a program. ] From: Will Martin 22-JUL-1990 12:13:13 To: owen blevins Subj: [997] Re: criminal record Cc: security@pyrite.rutgers.edu Here in St. Louis, getting a copy of your "criminal record" or police record is part of the pistol-permit process. It appears there is no restriction on any individual getting a copy; it costs $10 and I suppose it is a nice source of extra income for the city or the department. All you need is $10 cash or money order (no checks) and ID, like a drivers license. You go to an office at the main downtown police station and fill out a short request form, and hand over your ID & money. They keep the money and give back the ID. :-) You wait 10 minutes or so. If you have no record, all you get in return is a form with a big purple stamp on it that says something like "NO RECORD FOUND". If you have a record, you get some sort of printout with the data on it. (All I got back was the stamped form, so I can't offer details on what a record-printout is like... :-) Most of the other people there getting records seemed to be getting them for security-guard job applications. 
Regards, Will Martin From: fitz@wang.com (Tom Fitzgerald) 22-JUL-1990 12:38:39 To: misc-security@uunet.uu.net Subj: [1205] Re: Quantum Security > Because any measurement attempted by a third party would > unpredictably alter a photon's polarization, an eavesdropper couldn't > intercept the transmission without irrevocably scrambling the message I don't see how this really gains you anything. An eavesdropper can still get in by cutting the line and putting in a complete receiver/transmitter station. The legitimate receiver will never see any tapped bits because they can all be completely regenerated by the eavesdropper's transmitter. Under some circumstances, the eavesdropper might have to receive a complete message and do whatever ECC is necessary to compensate for the 50% error rate on the line before forwarding the message on, but the legitimate receiver should never know the difference. > To check for eavesdropping, the receiver would simply > compare notes with the sender This implies an out-of-band communication. If you have such a thing in the first place, why use quantum signalling? If the comparisons are going over the quantum link, the eavesdropper can modify them in transit to hide his own presence. --- Tom Fitzgerald Wang Labs fitz@wang.com 1-508-967-5278 Lowell MA, USA ...!uunet!wang!fitz From: mccurley@cs.sandia.gov (Kevin McCurley) 22-JUL-1990 13:01:13 To: security@pyrite.rutgers.edu Subj: [1390] Re: Authentication of electronic commercial documents The recent factorization of a 155 digit number was a remarkable feat, but it holds less interest for RSA than meets the eye. The number that was factored was 2^512+1. This number has binary representation 100000000000000000000000 ... 00000000000000000000001 which is of course rather special. 
In fact, the method at present works only for numbers of a very special form, and a much better gauge of current factoring progress is provided by the RSA challenge number that was published in Scientific American years ago. This number has "only" 129 decimal digits, but it has never been factored, in spite of the obvious publicity that would result from this. It is estimated that the RSA challenge number might take 10 times as much work to factor as the 155 digit number factored recently. The moral of the story is that as a result of many people working on the problem, we have seen a steady improvement in what numbers can be factored. We are NOT yet to a point where generic 155 digit numbers can be factored, but future advances may allow us to do so. If it's a question of adopting a system for which the modulus must be good for ten years, then I might be skeptical about a 155 digit modulus. For a 200 digit modulus, we will need a significant new idea to be able to factor those. We stand a far greater risk from a total collapse of the banking system! Kevin McCurley From: UCCXNCS@osucc.bitnet 26-JUL-1990 6:45:00 To: security@ohstvma.bitnet Subj: [1307] Userid maintenance Automation Since userid maintenance and security seem to go hand-in-hand, I thought I might be able to get some ideas on how to go about attacking a problem we are facing here at OSU. If you know of a list that addresses this sort of thing, please let me know. Userid creation and maintenance is one of our biggest headaches. We have an IBM 3090 on which we run VM/SP with MVS running as a guest under it. The MVS system is used mainly by our administrative users. We have only had VM a few months and are wanting to open it up to our academic users who, for the most part, abhor MVS and JCL. The idea is for the VM system to be "friendlier", not requiring password changes, etc. 
So, we are looking for ideas on how to automate the setup and maintenance of permanent (faculty) and temporary (student) userids on the VM system. Right now we are managing the few VM userids that we have set up through DIRMAINT. However, we do have VMSECURE setting on the shelf. It seems to me that DIRMAINT is rather cumbersome, and I'm not sure how we could set up an automated process that would create several hundred userids using DIRMAINT. Anyone that has dealt with this problem and would be willing to give us some suggestions is welcome to respond. Nancy C. Stevens (405) 744-6301 uccxncs@osucc.bitnet From: Hoffman.es@xerox.com 26-JUL-1990 7:13:40 To: SECURITY@rutgers.edu Subj: [4332] Computers and Civil Liberties [Moderator injection: Apologies to those who have already seen this sixteen times, but there might be folks out there who haven't yet. Use your D key or local equivalent. _H*] COMPUTER PROFESSIONALS FOR SOCIAL RESPONSIBILITY PRESS RELEASE Embargoed for release on July 10, 1990 CPSR TO UNDERTAKE EXPANDED CIVIL LIBERTIES PROGRAM CPSR, a national computing organization, announced today that it would receive a two-year grant in the amount of $275,000 for its Computing and Civil Liberties Project. The Electronic Frontier Foundation, founded by Mitchell Kapor and John Barlow, made the grant to expand ongoing CPSR work on civil liberties protections for computer users. At a press conference in Washington today, Mr. Kapor praised CPSR's work. "CPSR plays an important role in the computer community. For the last several years, it has sought to extend civil liberties protections to new information technologies. Now we want to help CPSR expand that work." Marc Rotenberg, director of the CPSR Washington Office said, "We are obviously very happy about the grant from the EFF. There is a lot of work that needs to be done to ensure that our civil liberties protections are not lost amidst policy confusion about the use of new computer technologies." 
CPSR said that it will host a series of policy round tables in Washington, DC, during the next two years with lawmakers, computer users including "hackers," the FBI, industry representatives, and members of the computer security community. Mr. Rotenberg said that the purpose of the meetings will be to "begin a dialogue about the new uses of electronic media and the protection of the public interest." CPSR also plans to develop policy papers on computers and civil liberties, to oversee the Government's handling of computer crime investigations, and to act as an information resource for organizations and individuals interested in civil liberties issues. The CPSR Computing and Civil Liberties project began in 1985 after President Reagan attempted to restrict access to government computer systems through the creation of new classification authority. In 1988 CPSR prepared a report on the proposed expansion of the FBI's computer system, the National Crime Information Center. The report found serious threats to privacy and civil liberties. Shortly after the report was issued, the FBI announced that it would drop a proposed computer feature to track the movements of people across the country who had not been charged with any crime. "We need to build bridges between the technical community and the policy community," said Dr. Eric Roberts, CPSR President and a research scientist at Digital Equipment Corporation in Palo Alto, California. "There is simply too much misinformation about how computer networks operate. This could produce terribly misguided public policy." CPSR representatives have testified several times before Congressional committees on matters involving civil liberties and computer policy. Last year CPSR urged a House Committee to avoid poorly conceived computer crime laws that could criminalize a wide range of computer activity. "In the rush to criminalize the malicious acts of the few we may discourage the beneficial acts of the many," warned CPSR. 
A House subcommittee recently followed CPSR's recommendations on computer crime amendments. Dr. Ronni Rosenberg, an expert on the role of computer scientists and public policy, praised the new initiative. She said, "It's clear that there is an information gap that needs to be filled. This an important opportunity for computer scientists to help fill that gap." CPSR is a national membership organization of computer professionals, based in Palo Alto, California. CPSR has over 2,000 members and 21 chapters across the country. In addition to the civil liberties project, CPSR conducts research, advises policy makers and educates the public about computers in the workplace, computer risk and reliability, and international security. For more information contact: Marc Rotenberg CPSR Washington Office 1025 Connecticut Avenue NW Suite 1015 Washington, DC 20036 (202) 775-1588 Gary Chapman CPSR National Office P.O. Box 717 Palo Alto, CA 94302 (415) 322-3778 From: corey@esl.com (Corey Yee) 27-JUL-1990 12:17:55 To: misc-security@ames.arc.nasa.gov Subj: [144] Re: Different security ratings There's an article titled "Certifying A System's Security" in the June 25th edition of "Unix Today!" that discusses the NCSC security ratings. From: Don Irmiger 27-JUL-1990 12:42:23 To: SECURITY@ohstvma.ircc.ohio-state.edu Subj: [490] Re: Different security ratings These are rating systems per the DOD as defined in "the Orange Book". UNIX Sys V is classified at a C2 rating (poor). Some O/S extensions can improve this to about B2-B1. I've not heard of an out-of-the-box implementation in the A classification... -- Donald K. 
Irmiger III UUCP: uunet!delta.com!don Data Systems Coordinator Internet: don@delta.com Michiana Rehabilitation Institute's Data Systems Center \ Altos 2086/Xenix 3.4b From: Matt Bishop 27-JUL-1990 13:06:22 To: security@marist.bitnet Subj: [4509] UNIX Security Workshop I don't read this list, but the following message was pointed out to me: > The organizer of the workshop is Matt Bishop, Dept of Mathematics & > Computer Science, Bradley Hall, Dartmouth College, Hanover, NH 03755 (603) > 646-2415 Here is the complete blurb, with the program and other relevant information. If you have any questions, please contact me (Matt.Bishop@dartmouth.edu) or the USENIX office. I'm handling the technical end (program, panels, etc.); they are doing everything else (thank goodness!) Matt ----- UNIX Security Workshop Marriott Hotel, Portland, OR, August 27-28, 1990 The Second USENIX UNIX Security Workshop will be held in Portland, Oregon on Monday and Tuesday, August 27-28, 1990. The workshop is organized to bring researchers, system administrators and others together to discuss their needs and interests in the many aspects of computer security as they relate to the UNIX Operating System. This meeting will have elements of both a conference and a workshop; the former in that there will be presentations, the latter in that discussion and audience participation are expected. Speakers will discuss work in progress and/or work that is planned and will solicit opinions, comments and suggestions from other participants. There will be at least three panel sessions.
Tentative Program

Monday, August 27

9-10:30 Authentication I
  David Goldberg, MITRE
    The MITRE User Authentication System
  Daniel Klein, Software Engineering Institute, CMU
    A Survey of, and Improvements to, Password Security
  Matt Bishop, Dartmouth College
    An Extensible Password Changing Program
  Michele Crabb, NASA Ames Research Center
    Password Security in a Large Distributed Environment

11-12 Potpourri I
  Maria Pozzo, UCLA Computer Science Dept.
    An Automatic Policy Checker for Controlling Undesirable Program Behaviors
  John Linn, DEC
    Generic Security Service Application Program Interface
  Henry Teng, DEC, and David Brown, Worcester Polytechnic Institute
    An Expert Systems Approach to Security Inspection of UNIX

1:30-2:30 Secure Systems and Tools
  Raymond Wong, Oracle
    A Survey of Secure UNIX Operating Systems
  David Gill, MITRE
    Roles for Users and Privileges for System Processes: High Trust Mechanisms for Low Trust Systems
  Pat Bahn, GTE
    Beyond Bell-LaPadula: A Security Model for Real Applications

3:00-5:00 Access Control
  Marshall Abrams, Leonard LaPadula, & Ingrid Olson, MITRE
    Building Generalized Access Control on UNIX
  David Wichers, ARCA Systems, and Douglas Cook, Ronald Olsson, John Crossley, Paul Kerchen, Karl Levitt, & Raymond Lo, University of California at Davis
    An Access Control List Approach to Anti-Viral Security
  Frank Kardel, Friedrich Alexander University
    Frozen Files
  Hermann Strack, University of Karlsruhe
    to be arranged
  Panel and discussion on access control

Tuesday, August 28

9-10:30 Authentication II
  Ana Maria De Alvare, Lawrence Livermore National Laboratory
    How Crackers Crack Passwords
  Steven Lunt, Bellcore
    Experiences with Kerberos
  Joe Tardo, Kannan Alagappan, & Richard Pitkin, DEC
    Public Key-based Authentication using Internet Certificates
  Panel and discussion on authentication

11-12 Security Considerations and the Environment
  Richard Neely, Ford Aerospace
    System Design and Verification for Secure Applications Under UNIX
  Gary Christoph, Los Alamos National Laboratory
    Security Considerations of Going to a UNIX Based Supercomputer Operating System
  Bjorn Satdeva, /sys/admin, inc.
    to be arranged

1:30-3:15 Networked Systems
  Mark Carson, Janet Cugini, Sohail Malik, Mythili Kannan, & Wen-Der Jiang, IBM
    Networked UNIX without the Superuser
  Jeffrey Roth, Defense Logistics Agency
    Hardening Anonymous FTP
  Jerry Carlin, Pacific Bell
    Gateway Security Measures
  Eugene Schultz, Lawrence Livermore National Laboratory
    UNIX Network Naivete
  Panel and discussion on network security

3:45-5 Potpourri II
  Fuat Baran, Howard Kaye, & Margarita Suarez, Columbia University
    Security Breaches: Five Recent Incidents at Columbia University
  Panel and discussion on security in Large installations

______________________________

Program Chair: Matt Bishop, Dept. of Mathematics & Computer Science, Dartmouth College

Full-time students please note: a limited number of scholarships are available. For an application form contact office@usenix.org

For registration information, contact: USENIX Conference Office 22672 Lambert Street, Suite 613 El Toro, CA 92630 (714) 588-8649 (714) 588-9706 (FAX)

From: "Richard B. August" 28-JUL-1990 10:11:24 To: SECURITY-REQUEST@pyrite.rutgers.edu Subj: [596] Information DES in Soviet Press In a posting, sometime within the last couple of years, there was mention of the existence of an article purported to have been published in the Soviet Academy of Applied Sciences. The posting went on to describe how someone at this Academy had developed a "table" with which one could break DES. This subject came up recently and I "quoted" the posting. Naturally those skeptics in the audience want "proof". If anyone out there remembers the posting or (even better) the publication in which this appeared, please let me know. Thanks in advance. Richard B. August august@vlsi.jpl.nasa.gov

From: nitrex!rbl@uunet.uu.net ( Dr.
Robin Lake ) 1-AUG-1990 22:22:09 To: misc-security@uunet.uu.net Subj: [157] Re: criminal record It is possible to write to the FBI and ask them if they have a folder on you and to send you a copy of the contents of the folder if the folder does exist. From: *Hobbit* 1-AUG-1990 23:43:16 To: security@pyrite.rutgers.edu Subj: [7231] Leftover msgs about password expiration [Crunched into a "digest" to save a little network bandwidth. _H*] -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: 19 Jun 90 11:49:49 GMT From: Doug Gwyn To: misc-security@rutgers.edu The solution is so obvious that I wonder that you don't see it -- Stop gratuitously requiring people to change their passwords. If the password is not thought to have been compromised, there is more reason to continue using it than to change it. -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: 19 Jun 90 20:08:41 GMT From: levine@csd4.csd.uwm.edu (Leonard P Levine) To: misc-security@uunet.uu.net I carefully examined the material on making Unix more secure (Improving the security of your Unix System by David Curry, SRI International) in hopes of finding just why changing the password makes a system secure. Curry's well thought out work has many good suggestions but he says about changing passwords only the following: (page 7) "Finally it is important to establish a policy that users must change their passwords from time to time, say twice a year." He gives no reason for such a need, although all of the other problems he discusses are couched in terms of speed of cracking and methods of penetration. He (correctly) points out that users should never write down their passwords, should not use easy to guess words, and the like, but somehow feels that a user who has a good password, who never allows him/herself to be observed logging in, who sees no history of problems, should nevertheless change the password fairly often. Why twice a year? Why not twice a day?
I think it would be better to have a good password that you do not have to write down because you know it (from long and careful use) than to have a password that you write down because you easily forget it, or to have a password that is easy to crack because you do not want to write it down. -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Wed, 20 Jun 1990 10:19:42 +0200 From: "UFOBI2::RMEYER" To: security@pyrite.rutgers.edu I know some people, who change their password like: blahmmyy blah = 4 character unique password mm = month yy = year ( or blmmyyyy, yymmblah, ........) I think it's better, if they changed the password sometimes to a "really new" password. Password lifetime must be long. A user should have a chance to use an old password again, if she/he thinks that it is not known to other people. If the expiring period is short and you cannot use the same password again, people will write their password on a piece of paper.... This is the real problem. -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Thu, 21 Jun 90 13:05 EDT From: Kilgallen@dockmaster.ncsc.mil To: hobbit@pyrite.rutgers.edu Well I am not in an environment which requires dealing with academic freedom, but it would seem simply a matter of offering the alternative of signing a form in which they agree to financial liability to any damage to the computer system (including time and effort to repair) due to break-ins over their account. By the way DEC says they have fixed this problem (with a password history file consulted by the Set Password command) in VMS V5.4. For those who use Unix, presumably the answer is to write your own modifications to Unix following that model. As a security practice, I would say you should *never* tolerate people changing their password back to the same thing. If you think keeping a password for a long period of time is permissible, then change your permissible password lifetime parameter.
To set a short lifetime and then permit people getting around it (look for two successive password changes in the pre-V5.4 VMS audit alarms), just sends the message that system administrators are not serious about the rules they lay down. It is better to change the rules. Larry Kilgallen -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Sun, 1 Jul 90 21:17:44 EST From: Don Irmiger To: SECURITY@ohstvma.ircc.ohio-state.edu > I have heard the argument made that forcing frequent password changes is > counterproductive I agree with the counterproductive argument. I'm running a Unix box which allows the user to reset their own passwords. If I were more sensitive, this would be restricted to system administrator use. I've used two methods of password generation: 1) alternating series of consonants and vowels. This produces only marginally pronounceable passwords, but served its purposes. Most users made written copies which is frowned upon as a whole. 2) an English word of 3-4 characters in length, a digit (0-9), and another English word of 4-3 characters in length. My Unix box only allows 8 character max passwords and this satisfies it. I choose the words randomly from the set of 3-4 character words in my spelling checker dictionary (/usr/dict/words). I wrote a program that generated about 200 of them (40 users on my box) and I pick the topmost from the list, assign it and delete the line from the file (highly restricted access to the file, BTW). Particularly with naive users, you have to *stress* that these passwords are privileged bits of information as they should not be distributed or shared in any way. I can't hold them responsible for security flaws if they don't know the rules... -- Donald K.
Irmiger III UUCP: uunet!delta.com!don Data Systems Coordinator Internet: don@delta.com Michiana Rehabilitation Institute's Data Systems Center \ Altos 2086/Xenix 3.4b -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Tue, 3 Jul 90 22:08:48 EDT From: retants@rodan.acs.syr.edu Just to pass along my experience with the password generators, we had a lot of people writing things down. The ones that didn't would spend literally hours flipping through the password generator until it came up with something vaguely English (example being SUNNDUG...not a real word, but something easy to remember). This was a waste of time in general, but which is worse...writing down passwords or spending an hour finding one that can be remembered. One suggestion made was that each time a person changed their password, they were given a randomized number for the space they had to put a numeral into. Example: place a number as the 6th character of a password. Then the person could make up a password, and the system would check to make sure that 1) there was a number in the 6th position, and 2) it was not the same number as the position number. Passwords would look like DOGHO1USE which is easy to remember as a word that you add your number to, and a bit harder to break. Any comments on that one? Becki Tants RETANTS@SUNRISE.BITNET RETANTS@RODAN.ACS.SYR.EDU -*-*-*-*-*-*-*-*-*-*-*-*-*-*- Date: Mon, 23 Jul 90 22:58:00 EST From: zik@bruce.cs.monash.oz.au (Michael Saleeba) To: misc-security@munnari.oz.au On the subject of password checking, I am doing a project on password security for my honours comp. sci. unit "Security in Computing". I'd be grateful if anyone with password guessing or checking programs would sendfile them to me or direct me to the appropriate archives. Also, I'd welcome any general comments that people have on password security and its flaws.
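Three checks proposed in the password digest above (a history consulted at change time, refusing date-stamped variants such as blahmmyy, and the assigned digit position rule) can be combined into one change-time filter. This is an added example, not code from any poster or vendor; the function names, the PBKDF2 parameters and every sample password except the ones quoted in the digest are assumptions.

```python
import hashlib
import hmac
import os
import re
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: work factor picked for this example


def hash_password(password, salt=None):
    """Return (salt, digest); history entries never hold plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def in_history(password, history):
    """True if the password matches any stored (salt, digest) entry."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def skeleton(password):
    """Letters only, lower-cased: 'blah0690' and '9007BLAH' both give 'blah'."""
    return re.sub(r"[^a-z]", "", password.lower())


def assign_digit_position(max_len=8):
    """Pick the 1-based position the user must fill with a digit."""
    return secrets.randbelow(max_len) + 1


def digit_rule_ok(password, position):
    """A digit sits at the assigned position and is not the position number."""
    if not 1 <= position <= len(password):
        return False
    ch = password[position - 1]
    return ch in "0123456789" and int(ch) != position


def check_change(old, new, history, digit_position):
    """Return the list of rules the proposed password breaks (empty = accept).

    old is the current password, which the user types during the change, so
    the date-stamp comparison needs no stored plaintext.
    """
    problems = []
    if in_history(new, history):
        problems.append("reused")
    # Same letters with only the digits changed is the blahmmyy habit.
    if skeleton(new) and skeleton(new) == skeleton(old):
        problems.append("cosmetic-rotation")
    if not digit_rule_ok(new, digit_position):
        problems.append("digit-rule")
    return problems


def record_change(new, history):
    """Append the accepted password's salted hash to the history."""
    history.append(hash_password(new))


if __name__ == "__main__":
    history = []
    record_change("DOGHO1USE", history)  # password quoted in the digest
    # Constructed change attempts: (current password, proposed password)
    attempts = [
        ("blah0690", "blah0790"),
        ("blah0690", "DOGHO1USE"),
        ("blah0690", "CATFL6AP"),
        ("blah0690", "SUNND4UG"),
    ]
    for old, new in attempts:
        print(new, check_change(old, new, history, 6) or "accepted")
```

The date-stamp check only compares against the current password; catching rotation against older entries would require storing something derived from the letters alone, which weakens the history file.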
From: barmar@think.com (Barry Margolin) 5-AUG-1990 0:33:10 To: misc-security@husc6.harvard.edu Subj: [449] Re: "Secure NFS" It's described pretty well in the SunOS 4.1 documentation. There's a decent overview of it in one of the administration manuals (named something like "System & Network Administration"). And there's a more precise description starting on p.156 of "Network Programming" (the chapter claims to be a copy of RFC-1050). Sun's secure RPC makes use of Diffie-Hellman public-key encryption and DES encryption. -- Barry Margolin, Thinking Machines Corp. From: EVERHART@arisia.dnet.ge.com 5-AUG-1990 0:51:24 To: security@pyrite.rutgers.edu Subj: [417] "secure nfs" If looking for a secure distributed file system, I'd suggest checking out AFS, from Transarc. It uses Kerberos authentication, and supplies tools for maintenance of large networks. It was designed for 10,000+ workstation environments and scales much better than NFS; also tends to avoid eating networks for lunch as NFS can and does. Transarc is in Pittsburgh; 412 338 4400; their domain name is transarc.com. Glenn From: DANCC@cunyvm.cuny.edu 5-AUG-1990 1:09:19 To: SECURITY@rutgers.edu Subj: [711] Request vendor info on CPU "cage" Sorry if this is too elementary for the group, but I'm at sea. I've seen what I want, but can't find it in any catalog. It's a sheetmetal cage, open only on front. You bolt or glue it to a table, attach the CPU to a sliding deal which locks into the cage, and there you are. Thief can't walk away with the whole thing, and can't open cover to steal cards. With time, tools, knowledge, and some assurance the guard won't be by for 20 minutes . . . but it raises the threshold. Saw one at a school in California, but my host didn't know the source. He had been using them for some kind of PC clone, but they fit his new Mac IIs also. I assume they come in different sizes. Much appreciate any pointers.
From: de5@stc06.ctd.ornl.gov (SILL D E) 5-AUG-1990 1:25:38 To: misc-security@ucbvax.berkeley.edu Subj: [880] Re: Authentication of electronic commercial documents >Now the REAL story: the number factored was of a very special form, AARRGGHH!! Apparently you missed the recently posted article (comp.risks?) by Ron Rivest (the `R' in RSA) that gave the REAL story. Actually, both of the above posters are (in)correct. The number factored was of the form 10000...00001 (binary). Such numbers are used by RSA only by coincidence, that is to say very rarely. Rivest further conjectured that that and other developments in factoring would lead to the breaking of some short-key RSA within a couple years, I believe (this is from memory, I forget the numbers). He also said they were recommending longer keys for paranoids...er... folks wanting utmost security. Anybody save that article? How 'bout posting it or sending me a copy? -- -- Dave Sill (de5@ornl.gov) These are my opinions. Martin Marietta Energy Systems Workstation Support From: GREENY 5-AUG-1990 22:37:00 To: Subj: [521] re: Oregon Scientific Address/Phone# A lot of people have been asking me for the Oregon Sci. #, so I did some digging, and found it! Here it is: Oregon Scientific, Inc. 10950 S.W. 5th Street, Suite #275 Beaverton, OR 97005 1-503-646-9806 1-503-641-8015 FAX 1-800-869-7779 (according to a friend of mine....) Hope this helps, and hope your cars, offices, boats, and homes are yelling soon! :-> Bye for now but not for long Greeny BITNET: MISS026@ECNCDC Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU GEnie: GREENY AOL: GREENY1 Compu$erve: 72567,457 From: pyron@skvax1.csc.ti.com (If Clayton's an Aggie, I'm not!)
5-AUG-1990 23:06:21 To: "CSMSPCN@oac.ucla.edu"@skvax1.csc.ti.com Subj: [650] Re: Authentication of electronic commercial documents Cc: "security@pyrite.rutgers.edu"@skvax1.csc.ti.com, PYRON@skvax1.csc.ti.com >recently factored a 155 digit number, and that they are consequently >recommending at least 200 digit primes for the RSA stuff. The original article in CACM recommended 200 digit numbers, but made note of the fact that factoring these large numbers was difficult, which is both a blessing and a curse. Of course, difficult in 1977 is a breeze in 1991? Dillon Pyron | The opinions are mine, the facts TI/DSEG VAX Systems Support | probably belong to the company. pyron@skvax1.ti.com | (214)575-3087 | Jim Henson - Now that was talent | From: annala@neuro.usc.edu (A J Annala) 12-AUG-1990 0:31:18 To: misc-security@ucbvax.berkeley.edu Subj: [534] Telephone Access Devices I do some data communications technician type contracting work from time to time (e.g. installing modems, analog line testing, protocol analysis, etc). There have been notes on the network about police confiscating equipment of the type I often use in my work. The police claim is that such devices are telephone access devices which should not be in the hands of the public. I am curious about whether any other technical people have been challenged by the police and what answer has satisfied them to go away without hassle. AJ From: WHMurray@dockmaster.ncsc.mil 12-AUG-1990 0:48:18 To: security@rutgers.edu Subj: [6573] ITSEC Observations and Comments on the ITSEC The ITSEC, Information Technology Security Evaluation Criteria, represents the harmonization of the evaluation criteria work done by the UK, Germany, France, and the Netherlands. The work is in part a response to the Trusted Computer Security Evaluation Criteria of the US Department of Defense, in part an attempt to update that work.
For example, the use of the term "Information Technology" in place of computer recognizes that the issue is now broader than it was when the TCSEC was written. It is also a response to a concern on the part of these governments that the TCSEC was part of a DoD plot to exclude their products from the US market, a concern aggravated by the DoD's refusal, on national security grounds, to evaluate foreign built products. (I have never been certain whether the Europeans really believed in this conspiracy, or simply asserted it to get funding for what they intended to do anyway.) The ITSEC describes language and criteria to be used in the evaluation of security features, functions, and properties of computer products. It is independent of any program, commitment, or intent to do such evaluations. The use of the English language is excellent. The text is clear, precise, and well ordered. With a few exceptions English language words retain their normal meaning. (There do not appear to be any secret code words here; trusted means trusted, and secure means secure (rather than the reliable enforcement of the author's favorite policy). Likewise there are no reserved words; classified means classified, not CLASSIFIED.) It would be naive to believe that there are no politics or arguments reflected in a document that represents the "harmonisation" of the efforts of four nation states. However, the ones here are sufficiently subtle as to escape the notice of this practiced observer. The document is almost totally free of rhetoric. Important and useful distinctions are drawn, for example between product (that which a vendor offers), system (a product instance which someone uses), and target of evaluation (TOE) (that which is offered or sponsored for evaluation). Also, between assurance, correctness, and effectiveness. In drawing the distinction between product and system, the document acknowledges Courtney's first law, i.e.
"Nothing useful can be said about the security of a product/system except in the context of a particular application and environment." (Courtney was never able to get the authors of the TCSEC to acknowledge the distinction.) It notes that a principal difference between products and systems is what is known about their environments (and applications); that one may only assume about products what one can know about systems. Having said that, the authors argue that for sake of consistency, the same evaluation criteria should be used for both. Perhaps the most important distinction that the ITSEC offers is that between functionality and assurance. Indeed, they employ separate scales for the evaluation of these. This is a concession to those of us who have complained about the lumping of these in the TCSEC. This results in a more granular set of criteria which permits a fairer comparison of products. It does so at the expense of a larger number of points on the scale. On the other hand, it does away with the need for the infamous digraph. As in the TCSEC, assurance levels are based upon the rigor of the applicable and applied methodology, rather than upon the requirements of the application and environment. The descriptions of the levels appear to be simpler and more granular than those in the TCSEC. However, the highest defined level, E6, does not seem to be as rigorous as that required for A1. Nonetheless, the scale is open at the top end; more rigorous methods could be specified as required. There is something to be said for restricting oneself to methods that are employed in the real world, rather than arguing for arbitrary rigor that has not ever before been employed. Another important distinction that the ITSEC draws is between the Corporate (institutional?) Security Policy and the System Security Policy.
It is well known that both the British and the Germans feel that the application of the DoD Mandatory Policy results in a tendency for data to migrate toward the highest classification. They were anxious to have criteria that were independent of this policy. Identification is lumped with Authentication and is applied only to users. No consideration is given to the identification of objects or other subjects such as processes. Likewise the term "attributes" is used for both object sensitivity labels and user credentials. While this is likely to be confusing to someone that does not already know what is intended, it is still better than using "classification" for both objects and subjects. Because the ITSEC is marginally more granular than the TCSEC, the classes of the TCSEC may be mapped on to the ITSEC. This is done and provided in an appendix. However, the converse is not true; that is, it is not possible to express the evaluation classes of the ITSEC in terms of the TCSEC. Security functionality for a product is expressed in claims. There are no requirements or design points set forth as in the TCSEC. However, the claims may be made by reference to a pre-defined set of functionality classes. The criteria define ten such classes. While the first five are derived from the functionality of the TCSEC classes C1 thru B3/A1, they are essentially arbitrary. Sub-classes, super-classes or alternate sets could be defined without doing damage to the structure. (For example, I have long claimed that the commercial requirement looked something like C2 plus ACLs plus named transaction types. Since functionality classes in the ITSEC are arbitrary, not hierarchical, and not bound to assurance, it would be correct and proper to define a class that looked like that.) The more I read it, the better I like it.
William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL From: Jim Pinson 15-AUG-1990 12:16:04 To: security@pyrite.rutgers.edu Subj: [327] On the subject of hard to guess passwords I make up my passwords based on the first letters of a phrase which has meaning only to me. Examples: My First Grade Teacher Was Miss Jones = MFGTWMJ I Hate Boiled Okra With A Passion = IHBOWAP These passwords are easy to remember, fairly random in nature, and very hard to guess. Jim Pinson University of Georgia. From: jpc@fctunl.rccn.pt (Jose Pina Coelho) 15-AUG-1990 12:36:50 To: security@pyrite.rutgers.edu Subj: [266] Re: criminal record > It is possible to write to the FBI and ask them if they have a folder on I doubt they would send you more than 10% of the folder. [Moderator tack-on: Speculation is fine, but that's all anyone has sent in so far. Does anyone have *FACTS* about this? _H*] From: jik@athena.mit.edu (Jonathan I. Kamens) 15-AUG-1990 12:53:24 To: security@pyrite.rutgers.edu Subj: [512] Re: criminal record |> It is possible to write to the FBI and ask them if they have a folder on |> you and to send you a copy of the contents of the folder if the folder does |> exist. And, of course, if they don't have a folder on you, then the fact that you wrote to them and asked if they did would most assuredly prompt them to open a new one. (1/2 :-) Jonathan Kamens USnail: MIT Project Athena 11 Ashford Terrace jik@Athena.MIT.EDU Allston, MA 02134 Office: 617-253-8495 Home: 617-782-0710 From: krfall@ucsd.edu 15-AUG-1990 13:10:53 To: EVERHART@arisia.dnet.ge.com Subj: [779] Re: "secure nfs" Cc: security@pyrite.rutgers.edu > If looking for a secure distributed file system, I'd suggest checking > out AFS, from Transarc. It uses Kerebros authentication The currently released version (3.0) does not yet use Kerberos (at least so I have been told). 
That would be the case for the AFS being released through Mt. Xinu as well. Project Athena has modified the authentication program (klog?) to produce one which scrawls a v4 Kerberos ticket inside the AFS tokens (aklog), and made corresponding changes for their server software. AFS 4 is evidently on the way from Transarc, as is v5 Kerberos from Athena. One might expect a merger of these systems in the future. These ideas are also being monitored by the Distributed File Systems working group of the IETF (dfs-wg-request@citi.umich.edu). - Kevin From: Harry Flowers 15-AUG-1990 13:26:18 To: security@pyrite.rutgers.edu Subj: [2309] Passwords It seems that most of the replies to requiring password changes came back against them, and some wondered why, if you have a good password, you should be required to change it. One of the computer operating systems here (not a VAX/VMS system) has recently added a password expiration feature. Because "the auditors" (cringe) wanted this, it was implemented. One surprising thing it turned up was there were a number of people who had been sharing accounts for years who were not aware of all the others using the same account... once the password changed, the others couldn't get in. These "good" passwords had been shared over time, and rather than go to the trouble of requesting another account (not much trouble), they shared accounts. This, of course, was a problem caused by bad password practices, not bad passwords. And, if someone should happen to learn a password by whatever means, be it a "good" or "bad" one, users may not notice that others are using their account (how many of us look carefully at the last login date?). The main advantage of frequent password changes is that if someone does happen to see you type in your password or learn it by capturing network traffic, etc., no matter how careful they are to work undetected, they will eventually be shut out of your account when you change the password. 
Those of us with privileged accounts have to be extra-careful, as other means of getting in can be set up from privileged accounts. But your users are the ones least likely to realize that their accounts have been compromised.

"A password is like a toothbrush: you never share it and you get a new one every three months."

Harry Flowers Phone: (901)678-2663
Bitnet: FLOWERS@MEMSTVX1 Systems Programmer
Internet: not yet :-(, but soon :-) VAX/VMS
Memphis State University
USmail: 112 Admin Bldg, MSU, Memphis, TN 38152

P.S. We are going on the Internet soon using WIN TCP/IP. I'd appreciate any information as to security problems we might encounter. Thanks.

From: "Andrew A. Houghton" 17-AUG-1990 2:25:15 To: security@rutgers.edu Subj: [298] locksmithing schools

I know this subject has probably been run into the ground, but could people please send me the addresses for good locksmithing schools, along with any thoughts they have about them (like relative merits, etcetera)

Please e-mail, no need to post on the net.

Andrew Houghton (ah0i@andrew.cmu.edu)

From: ctdonath@rodan.acs.syr.edu (Carl T. Donath) 17-AUG-1990 2:42:54 To: security@pyrite.rutgers.edu Subj: [313] Simple alarm

Does anyone know where I could buy a simple alarm like this: a small box is attached onto/inside some hardware (a computer, VCR, whatever) that will sound an alarm when it detects motion (by tilting, acceleration, whatever). It must run off a battery and be quite hard to disable. Where can I buy one?

- Carl

From: tep@tots.logicon.com (Tom Perrine) 17-AUG-1990 3:13:15 To: security@pyrite.rutgers.edu Subj: [572] cheap Master combo lock

I have one of those cheap Master combination locks that I need to remove, and the combination is long gone.
The options I can think of are (in order of preference):

    get combination from Master (from serial number)
    bolt cutters
    hacksaw

Of course, the cheaper the better, so a locksmith is out. I'm not in any hurry, can I just call (or write) to Master and get the combination? I really don't care about the lock, but if I can get the combo, that's easier than finding some bolt cutters or spending an hour? with a hacksaw.... Any recommendations?

Tom Perrine (tep)

From: Paul V Hardiman 18-AUG-1990 0:45:31 To: security-request@pyrite.rutgers.edu Subj: [168] Kerberos

I need to get information on the Kerberos security system. Can you give me the Internet address of a group or individual who can send me this information? Thank you

From: Abhik Biswas 18-AUG-1990 1:07:06 To: security@ohstvma.bitnet Subj: [139] Papers on computer security....

Are there any archives of papers related to computer security either at sites on Internet or Bitnet? Any information will be appreciated.

From: brendan@world.std.com (Brendan P Kehoe) 18-AUG-1990 1:26:06 To: security@rutgers.edu Subj: [279] Re: Different security ratings

You can get a copy of it (the "Orange Book") from gatekeeper.dec.com via anon ftp in the directory pub/misc (if I remember right).

--
Brendan Kehoe | Soon: brendan@cs.widener.edu | temp: brendan@world.std.com
Also: brendan@chinet.chi.il.us | Preferred: bkehoe@widener.bitnet

From: Paul Goodwin 18-AUG-1990 1:46:50 To: MISC-SECURITY%LOCAL@gatech.edu Subj: [635] break-in detection

The point at which you are most likely to identify that someone is breaking into a system is while that person is attempting to gain access to an account. Once he has an account USERID and PASSWORD, detection becomes much more difficult. Making the authorized users of a system periodically change their passwords may suddenly deny access to an unauthorized user, causing him to once again 'hack' at the system until he gains entry. This will make him much more visible, and much more likely to be caught.
Disclaimer: I am, of course, speaking solely for myself.

Paul Goodwin
Office of Computing Services
Ga. Inst. of Technology

From: black@darkside.com (Black Death) 21-AUG-1990 15:44:53 To: misc-security@ucbvax.berkeley.edu Subj: [456] confiscations

The only instance in which I have seen computer equipment confiscated is when the person in question is suspected of committing some computer related crime. The situation you are talking about where your equipment was confiscated because it "should not be in the hands of the general public" is totally disgusting. I do not know what it could be that you have that could pose such a huge threat to the telecommunications industry. What is it?

bd/pha

From: pmorriso@gara.une.oz.au (Perry Morrison MATH) 21-AUG-1990 16:12:24 To: misc-security%munnari.mu.oz@munnari.oz.au Subj: [911] Computer "Crime": Resources and Researchers

I'm interested in researching the nature, history, extent and motivations behind computer "crime". I'm not sure how to define it at this stage (that should happen after I've digested a much larger range of views), however I'm interested in researching system break-ins, computer based fraud and monetary or property theft, the history and alternative viewpoints behind hacking, unauthorised copying of software, viruses and any other topic that (at least in the eyes of some) verges on criminality.

Pointers to key articles, journals, summaries of the literature or even isolated opinions would be greatly appreciated. Please don't flame this rather naive request. My opinions are pretty much unformed (and uninformed) at the moment, so any information can only help. I'd be happy to post a summary of what I get. Pointers to key personalities or researchers would also be extremely useful.

Perry Morrison

From: 21-AUG-1990 16:40:56 To: security@pyrite.rutgers.edu Subj: [1000] FBI folder information.

Actually I do know of a professor here at Xavier University that did request his FBI folder.
As I recall he had the assistance of a lawyer and it took several weeks. What he got was a folder with newspaper clippings about him and things he is involved with, plus what looked like memos and notes. Now not all of this was readable, some things the FBI deemed 'classified' and had blackened out words or phrases or sometimes the whole document. So you could say he got the full folder, you just couldn't *read* it all.

There was a funny side to some of this, it seemed the FBI was very curious about this 'woman' that traveled with him. They said 'woman' because while they are married, she did not take his name. They thought it might be worth noting that he traveled with 'another' woman. That's about all I have.

John

John Bruggeman Programmer/Analyst bruggmnj@xavier.bitnet
Xavier University Cincinnati, OH
'Cincinnati, the only city where the only sin allowed is in the name!' J.B.

From: smb@ulysses.att.com (Steven Bellovin) 23-AUG-1990 10:18:01 To: misc-security@att.att.com Subj: [269] Re: criminal record

> ... would most assuredly prompt them to open a
> new one. (1/2 :-)

It should be a zero smiley; the statement is quite literally and definitely true. They have a special category for Freedom of Information Act requests in their filing system. (Source: the ACLU.)

From: dee@xait.xerox.com (Donald Eastlake) 23-AUG-1990 10:32:07 To: misc-security@linus.mitre.org Subj: [851] Re: criminal record

I have not actually done this but, as I recall, there is a way to send a set of your own fingerprints along with a small fee to the FBI and have them send you back a listing of all the times your fingerprints have been filed/looked up through them. This document is traditionally called a "rap sheet" because for someone who has been frequently arrested it would mostly be a list of the arrests since you are usually fingerprinted when arrested. The info is sent back by Registered Mail, deliver to addressee only, so you have to show ID when the post office delivers it.
I don't know if the last entry will be your query or if that's added after the query is processed.

--
+1 617-969-9570 Donald E. Eastlake, III ARPA: dee@XAIT.Xerox.COM
usenet: {cbosg,decvax,linus}!cca!dee AppleLink: D2002
Box N, MIT Branch PO, Cambridge, MA 02139 USA

From: edelheit@smiley.mitre.org (Jeff Edelheit) 23-AUG-1990 10:51:06 To: don@delta.com Subj: [1029] Re: Different security ratings Cc: security@pyrite.rutgers.edu

Gould's UNIX was evaluated and certified at the C2 level a long time ago. AT&T's System V/MLS was evaluated and certified at the B1 level last September. There are several other vendors' versions of UNIX that are in evaluation at the B1 level.

I would not associate a C2 as a "poor" rating. Rather, C2 provides discretionary access control, audit and several other security services. The significance of B1 and above is that B1 systems provide mandatory access control. In most systems, mandatory access control is implemented on a label-based mechanism. This means if the user has a label attached to him/her at the "Unclassified" level, there are sufficient mechanisms and assurances that the user cannot access information (e.g., files, directories) at the "Secret" level.

Honeywell's SCOMP was evaluated and certified at the A1 level and Honeywell's XTS-200 is under evaluation at the B3 level.

Regards,

Jeff Edelheit (edelheit@mitre.org)
The MITRE Corporation
7525 Colshire Drive
McLean, VA 22102

From: smb@ulysses.att.com 23-AUG-1990 11:03:53 To: security@rutgers.edu Subj: [1278] Re: criminal record

Anyone can write to the FBI requesting a copy of their files under provisions of the Freedom of Information Act. With some exceptions, they are obligated to send the files to you. If they don't have a file on you when you send in your request, they'll open one, in the FOIA section. There's some mumbo-jumbo you're supposed to include to make sure they check all of the categories, but I don't recall what that is.
They will delete names of other people if mention would violate their privacy. They're also entitled to delete material pertaining to active criminal investigations, or ``national security'' information.

This info is from memory, but taken from an ACLU newsletter. As I recall, they also publish a booklet on the FOIA; if you're serious about getting your FBI files, I'd try to get the booklet first. In general, the government is entitled to collect a modest per-page charge for FOIA requests, but I'm not sure if that applies to requests of this nature.

--Steve Bellovin

P.S. No, I've never gotten around to asking for my own files, though I keep meaning to. I'm not even sure what I want to find out -- if there's no file on me, it would indicate that I didn't speak up loudly enough or forcefully enough during my activist days 20 years ago....

From: faigin@aerospace.aero.org 23-AUG-1990 11:17:32 To: security@rutgers.edu Subj: [1860] Re: Different security ratings Cc: don@delta.com

Generic Unix has no rating, only specific implementations. The only UNIX systems on the evaluated products list are:

System                                       Evaluation Date   Rating
Gould UTX/32S rel 1.0                        31 Dec 86         C2
AT&T System V/MLS v1.1.2 on UNIX SVR3.1.1
  running on 3B2/500 or 3B2/600              07 Sep 89         B1

Standard UNIX System V has no rating. Also, C2 is not a "poor" rating by any means. C2 is the best rating that a UNIX system can get without adding support for Mandatory Access Control. Assuming an evaluation, operating system extensions can easily extend Unix to C2, by adding appropriate support for auditing, identification and authentication, and assurances such as documentation, and testing. B1 can also be reached easily by adding MAC support. B2 is much harder, because the assurance requirements state:

The TCB shall be internally structured into well-defined largely independent modules. It shall make effective use of available hardware to separate those elements that are protection-critical from those that are not.
The TCB modules shall be designed such that the principle of least privilege is enforced. Features in hardware, such as segmentation, shall be used to support logically distinct storage objects with separate attributes (namely: readable, writeable). The user interface to the TCB shall be completely defined and all elements of the TCB identified.

UNIX is not well structured internally; reworking a UNIX implementation to B2 would require rewriting major chunks of the kernel.

>I've not heard of an out-of-the-box implementation in the A classification...

First of all, there is only one A classification. On the EPL, there is only one A1 system, which was the first evaluated system, which is no longer marketed. If there were more A1 systems on the EPL, they would certainly be "out of the box" systems.

Daniel

From: guhsd000@crash.cts.com (Paula Ferris) 24-AUG-1990 0:02:01 To: misc-security@ucsd.edu Subj: [1841] Re: criminal record

Someone stole my book on the subject, but under the Freedom of Information Act, federal agencies are required to release information gathered by the agency in any form, in most circumstances. There are set time limits on when the information is released, (I think the time is started when you make a formal request for the documentation) and can take a long time to clean, and clear the red tape. I believe CBS just received some information pertaining to Vietnam requested in the 70's only this year.

I'm sorry I can't be more help, but basically, as I recall, you make a formal request on paper (Keep a copy) to the records center of the department, and demand the information, (this is important) including all pages, title pages, blank pages, markers, notes and tabs, front and back. They do have a few exclusions they can hide behind, the FBI is the most frequent user of these. They are allowed to edit out any information that they deem may demonstrate internal workings or investigative operations of their department.
Be sure to request edited pages, and again, demand, an explanation of EACH edit. You can also ask that fees be waived, they usually are if the file is small.

I don't recall the time limits and formalities of processing, but sooner or later it has to come out, but they are great at stalling, and don't expect much, in FOIA's from the FBI I've examined, they have often taken a page, Photocopied it, go over each line with a black marker, and re-copied it, and included it in the requested document as edited. Explanation and Justification of each edit can help you piece together what they edited out by looking up the section numbers under which they will give as justification, usually the one pertaining to the protection of information gathering techniques.

Hale Telecommunications Incorperated - KKLR & KALE

From: "Michael J. Chinni, SMCAR_CCS_E" 24-AUG-1990 0:24:27 To: security@pyrite.rutgers.edu Subj: [5895] F Y I

-------------
To: cert-tools@cert.sei.cmu.edu
Subject: Sun Microsystem's Warning System
Date: Wed, 15 Aug 90 15:01:04 EDT
From: Richard Pethia

CERT Tools members,

At the June 1990 Workshop on Computer Security Incident Handling, Sun Microsystems announced their intent to implement a Customer Warning System and described several of its characteristics. Yesterday, the CERT/CC at the SEI received the announcement below. The announcement, distributed internally to Sun employees, provides more information on the characteristics of the warning system, and, more importantly, describes the methods Sun Microsystem's customers should use to report problems and to sign up to receive warnings from Sun Microsystems.

Beverly Ulbrich, Sun Product Manager, Software Security, has told us that a formal press release will probably be released by Sun, but has asked us to redistribute this announcement to the lists we maintain. We are doing so to provide people with information on Sun's action.
Sun's Customer Warning System promises to be a significant step forward in dealing with computer security incidents and their prevention, and represents the type of action I would like to see other vendors take. Since the CERT/CC will be actively working with other vendors this fall and encouraging them to take similar steps, please let me know about any opinions you have regarding this type of vendor mechanism. Please direct any questions you have about the specifics of Sun's mechanism to one of the Sun employees listed below.

Sincerely,

Rich Pethia
CERT Coordinator

---------------------------------------------------------------------
To: All Sun Employees
From: Beverly Ulbrich - Product Manager, Software Security
      Jack Collins - Director, Technical Support Services
Subject: Announcing Sun Microsystem's Customer Warning System for Security Incident Handling
Date: August 14, 1990

In order to best serve our customers' service needs, Sun has established a Customer Warning System (CWS) for handling security incidents. This is a formal process which includes:

- Having a well advertised point of contact in Sun for reporting security problems.
- Pro-actively alerting customers of worms, viruses or other security holes that could affect their systems.
- Distributing the patch (and/or work-around) to our customers as quickly as possible.

More specifically, the CWS is being set up as follows:

We have created an email address ( security-alert@sun ) which will enable both internal and external people to have a single place to report security problems. We have provided a voice-mail back-up ( (415)-336-7205 ) for the cases where sending email is not possible. *ALL* SECURITY HOLES SHOULD BE REPORTED TO THIS ALIAS.

We have filled the position of "Security Coordinator" in our Customer Service Organization. The Security Coordinator is responsible for manning the email and voice mail hotlines and evaluating the security problems.
We have a Customer Warning System "SWAT Team" in place to address severe security incidents. The CWS SWAT Team consists of knowledgeable senior people within Sun Corporate who are committed to being available to meet whenever required and who are empowered to make all necessary decisions.

We plan on publicizing the CWS bi-monthly to the allsun alias. It will also be announced (and supported) by the various Computer Emergency Response Teams Sun works with. Please pass this information along to whoever you feel is appropriate. Sales Representatives should be certain to send this information to all their security-conscious customers!

Customers and Sun Field Offices may send us a "Security Contact" from their organizations. This is the person Sun should contact in the case of any new security problems. He or she will be sent information on the problem at hand, including work-arounds and how and when to obtain fixes. Preferably, your Security Contact should be technical. He or she should be your site's System Administrator (or System Security Administrator).

The information we need for the Security Contact from the three geographies for customers is as follows:

---------------------- U.S. Security Contact Information --------------------

Company Name:
Security Contact's Name:
Customer Number (from Cullinet):
Address ID (from Cullinet)*:
Postal address:
Email address:
Phone number:
Fax number:
Preferred method of contact (from above: 1st, 2nd and 3rd choice):

* If there is not an existing Address ID, we need the full address for the security contact.
----------------- Europe and ICON Security Contact Information ---------

Company Name:
Security Contact's Name:
Customer Number:
Address Id:

If there is no customer number or Address ID, then we need the following information for each customer:

Postal Address:
Email Address:
Phone Number:
Fax Number:
Preferred method of contact (from above: 1st, 2nd and 3rd choice):

--------------- Sun Field Office Security Contact Information ---------------

Office Location:
Security Contact's Name*:
Email address:

*One per office

----------------------------------------------------------------------------

***** PLEASE SEND THIS INFORMATION TO: *****

security-alert@sun.com

or, if you prefer postal mail:

Brad Powell
c/o Sun Microsystems
MTV18-04
2550 Garcia Ave.
Mt. View, CA 94043

All questions should be sent to bju@sun.com.

**CERT-Tools Information:****************************************************
* Submissions : cert-tools@cert.sei.cmu.edu *
* Address additions/deletions/changes : cert-tools-request@cert.sei.cmu.edu *
* Moderator : tools@cert.sei.cmu.edu *
*****************************************************************************

From: Simon Travaglia 24-AUG-1990 14:57:43 To: security@rutgers.edu Subj: [664] Chubb Locks

Hi There. We use a Chubb 8108 system controlling 3 Chubb 8100 door controllers, and here's our problem. Every now and then (we've had them since December 1989) one of the 8100s will go haywire and start running (on the two doors it controls) through a cycle of ,,. During the unlock part, the door will be unlocked for about half a second. The cycling will continue until the unit has been reset.

We would like to know if anyone else has had this problem, as it can be a real pain. The Chubb guys said it was bad earthing, then 2 months later it was back again, after the problem had apparently been fixed. Anyone got any ideas.
From: "Larry Margolis" 24-AUG-1990 15:20:57 To: security@pyrite.rutgers.edu Subj: [1511] Userid maintenance Automation

When I had to do something similar a few years ago, (we had students coming in for 1 to 3 month classes; we'd have to create a block of between 20 and 300 userids before the class, and delete them afterwards), I wrote an exec that would be given the class number (which determined the student prefix), and the number of IDs needed, and it would (1) Create that number of userids, from XYZ001 to XYZnnn; (2) Create a SCRIPT file that printed off a Welcome to the Computer letter, specifying their userid and randomly generated password; and (3) Printed out mailing labels for these letters. It could also be called to delete the userids en masse after the class was over.

It's all pretty easy. The only time-consuming thing was tracing through DIRMAINT and all the stuff it calls until I located the DVH module that actually sent the DIRM ADD request to the DIRMAINT machine. I then called that routine directly. That way, my exec could ask for the privileged user's password once, and use it for all the calls to the lower-level module.

(Eventually, I got fancy, and had the exec pass the arguments to a privileged service machine, which would do all the DIRM requests, and interpret the output and only bother me if anything went wrong. It would also by default (could be overridden) wait until 2:00 AM to issue the request, so that the DIRMAINT service machines wouldn't be tied up adding hundreds of users during prime shift.)

Larry Margolis, MARGOLI@YKTVMV (bitnet), MARGOLI@IBM.COM (csnet)

From: simsong@next.cambridge.ma.us (Simson L. Garfinkel) 28-AUG-1990 4:31:20 To: hardiman@csd4.csd.uwm.edu Subj: [57] Kerberos Cc: security-request@pyrite.rutgers.edu

You can FTP papers on Kerberos from athena-dist.mit.edu

From: Christopher Gene BeHanna 28-AUG-1990 5:04:08 To: security@pyrite.rutgers.edu Subj: [552] Re: "secure nfs"

Someone suggested AFS from Transarc.
AFS has all the production capability of beta-test software. Being an administrator for it is a hell of a headache because AFS loses track of the different states of volumes in memory and in the vldb and they frequently get out of synch. The backup program is trash. I'd suggest holding out until several sites get 4.0 and see how things work out.

Chris BeHanna

These opinions are my own, not those of Carnegie Mellon or Pittsburgh Supercomputing Center, formulated by administering AFS this summer on pmaxen.

From: simsong@next.cambridge.ma.us (Simson L. Garfinkel) 28-AUG-1990 5:23:54 To: jpc@fctunl.rccn.pt Subj: [795] criminal record Cc: security@pyrite.rutgers.edu

Under the Freedom of Information Act and the Privacy Act, they are required to send you the entire folder, with a few exceptions:

1. Ongoing investigations are exempt.
2. Information that could endanger field operatives may be censored.
3. Other "classified" information can be removed.

Most people, turns out, don't have FBI folders on them. Unless you lived in the 1950s and 1960s and were an activist, that is. If you did, you can get your folder by contacting your local FBI office; they have an address that you can send a notarized letter to asking for your folder. You have to provide some personal information, but not a whole lot.

I did it; I didn't have a folder (at the time), disproving the assertion that all MIT students automatically get FBI folders when they register.

From: Bob Truel 29-AUG-1990 6:11:17 To: misc-security@rutgers.edu Subj: [269] Re: cheap Master combo lock

Have you tried taking a shoe with a good hard rubber sole to it? Back in high school, I saw someone open a master lock like this. I never tried it on my own, nor anyone else's, and can't guarantee that it will still work, but I never lock anything valuable with one.
From: pmartin@mcc.com 29-AUG-1990 6:32:27 To: tep@tots.logicon.com, security@pyrite.rutgers.edu Subj: [463] cheap Master combo lock

For "locker" style Master combo locks, you can probably do the combinatorics of the "soft spots" on it in under 10 minutes. Some of the newer ones seem to have an extra mechanism to make it harder to detect these points.... I've taken to actually writing down my combo with these as it is such a pain to discover the combo from experimentation... Even so, the right answer is to figure out the combo rather than use any of the cruder methods you listed.

Paul

From: joe jesson 29-AUG-1990 6:54:50 To: misc-security@uunet.uu.net Subj: [492] IBM RSCS-to-RSCS Communications Hole?

I need to connect a large network to another very large network through RSCS-to-RSCS and would like (no must) look at the exposure (read potential hackers sending worms, virus, etc.) of our network and business files (CMS). The infamous "Christmas Card" fiasco on the IBM network makes me nervous. The overall intent of hooking-up the networks is to send mail (Interenterprise electronic mail project). Any ideas on how the system may be compromised? Risk Level????

-joe

From: bgsuvax!denbeste@cis.ohio_state.edu (William C. DenBesten) 29-AUG-1990 7:17:50 To: osu-cis!misc-security@cis.ohio-state.edu Subj: [524] Re: cheap Master combo lock

There exists a book that lists all of the combinations by serial number. Many locksmiths have this book. If you can demonstrate that you own the lock, they may look it up for you. I find it scary that the relationship exists.

Personally, I prefer to use key locks with the serial/key number written in ink (I erase the number) or to use locks for which I set the combination. At least someone can't look up the number in a handy book.

--
William C. DenBesten is denbeste@bgsu.edu or denbesten@bgsuopie.bitnet

From: Homer 29-AUG-1990 7:41:24 To: "Security List."
Subj: [735] Re: cheap Master combo lock

When I was a kid, a fellow camper showed me how to crack the standard everywhere present master combo lock. Basically the idea was to find the first number by pulling the shank out and turning the knob. It would click or stick or feel different at the place that corresponded to the first number. The third number was easy to find, assuming you had the first and second number, all you had to do was turn the dial until the shank pulled open. Finding the second number was a matter of trying each one, not that many. It made it even easier in that the second number was 'accurate' only to 2 digits, so you only had to try every other position to get the right one. I opened many a master lock this way.

From: "William F. Wurzbach" 29-AUG-1990 14:46:35 To: security@pyrite.rutgers.edu Subj: [697] RE: cheap Master combo lock

I had the same problem about a year ago and the solution was painless. Go to the neares