****************************************************************************
                  >C O M P U T E R   U N D E R G R O U N D<
                                >D I G E S T<
              ***  Volume 2, Issue #2.19 (December 31, 1990)   **
****************************************************************************

MODERATORS:   Jim Thomas / Gordon Meyer  (TK0JUT2@NIU.bitnet)
ARCHIVISTS:   Bob Krause / Alex Smith / Bob Kusumoto
RESIDENT RAPMASTER:   Brendan Kehoe

USENET readers can currently receive CuD as alt.society.cu-digest.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted as long as the source is
cited.  Some authors, however, do copyright their material, and those
authors should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles relating
to the Computer Underground.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators.  Contributors assume all responsibility
for assuring that articles submitted do not violate copyright
protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: Various
Subject: From the Mailbag
Date: December 31, 1990

********************************************************************
***  CuD #2.19: File 2 of 7: From the Mailbag                    ***
********************************************************************

From: Wes Morgan
Subject: security checks from outside (In CuD 2.18)
Date: Fri, 28 Dec 90 10:12:09 EST

>From: gnu@TOAD.COM
>Subject: Re: "strangers probing for security flaws" -- another view
>
>Suppose there was a free program, available in source code and scrutinized
>by wizards all over the net, that you could run to test your security.  If
>you had the time, you might run it and fix up the things it found.
>If you didn't have the time, those things would probably go unfixed.

There are several packages available for UNIX sites.  Two that come to
mind are:

 - The suite of programs included in "UNIX System Security", by Kochan
   and Wood (published by Hayden Books).  These programs will audit your
   system for such things as world-writable home directories,
   world-writable .profiles, and the like.  They will also track down any
   setuid/setgid files outside of regular system directories.  I've seen
   this package on several archive sites, but I don't know if it's legal
   to distribute them.  If someone can contact Kochan, Wood, or Hayden
   Books, and check on this, I'll gladly get them into the CuD archive.

 - COPS, written by Dan Farmer of CERT.  This package is EXCELLENT.  The
   best feature of COPS is an expert system that pseudo-exploits any
   holes it finds.  It uses /etc/passwd and /etc/group to learn what the
   users are capable of.  It then looks for a way to assume the identity
   of a particular user.  It then checks /etc/group to see what it can
   access as the new uid.  The chain continues until it either becomes
   root or runs into a dead end.  The output looks something like this:

        write /usr2/admin/morgan/.profile
        become morgan
        group staff
        write /bin
        become bin
        write /etc
        become root
        DO ANYTHING

   This is a SUPERIOR package for UNIX sites.  It's available from
   cert.sei.cmu.edu.

Both of these can be run via cron.  I've been running them for several
months now, with excellent results.

>Sites all over the Internet *are* being probed by people who want to do
>them harm.  We know this as a fact.  I would prefer if we had some
>volunteer "cop on the beat"s who would walk by periodically and rattle the
>door to make sure it's locked.

I have no problems with this at all, *as long as* I know about it in
advance.  With the advent of sophisticated security tools such as those
probably used by the group in Italy, it is awfully easy to claim "cop on
the beat" status after being discovered.
There was sufficient concern about the Italians for CERT to issue a
Security Advisory about their activities.  I'm not trying to make any
allegations against the folks in Italy; as far as I know, they are
exactly what they claim to be.  In the future, however, I'm going to be
EXTREMELY wary of people coming in "out of nowhere" claiming to be
"remote security checkers".  An ounce of paranoia, you know........

Wes Morgan

*******************************

From: Thomas Neudecker
Subject: Re: Cu Digest, #2.18
Date: Fri, 28 Dec 90 22:56:16 -0500 (EST)

In a recent CuDigest it was argued copyright protection of user
interface code should be eliminated.  The author wrote in part:

>While source code should generally be protected, there are times when it
>may be more profitable to a company to release either the source code or
>important information pertaining to it.  A prime example is IBM and Apple.
>Apple chose to keep their operating system under close wraps.  IBM, in their
>usual wisdom, chose to let some of it fly.  This caused the market to be
>flooded with "clone" PC's.  Given a choice, most people bought PC's or
>PC-compatibles.

In fact IBM does not own DOS; ask Mr. Gates at Micro Soft.  He _sells_
licenses to the clones and sues those who try to steal his code (so does
AT&T/U*ix).

By the way, the first series IBM-PCs came with PC-DOS and CP/M.  IBM
wanted Gates to write CP/M for the new machine, but he said it was
*owned* by Gary Kildall of Digital Research, but he would try to write
something else just as good.  IBM covered all of the bases and licensed
both.

Regarding Apple: the ][+ I bought came with a copyrighted O/S in ROM, and
a version of BASIC licensed from Micro Soft (my 1979 version came with a
complete listing of the code for the ROM).  For the LISA and the
Macintosh Apple licensed concepts from PARC for the GUI.  They then
licensed parts of their developments to Micro Soft for use in Windows.
For more background on these I suggest a good book on the history of the
personal computer written by Paul Freiberger and Michael Swain.  It is
"Fire in the Valley", ISBN 0-88134-121-5.

*****************************************

From: netcom!onymouse@APPLE.COM(John Debert)
Subject: Encryption dangers in Seizures
Date: Sat, 29 Dec 90 11:20 PST

With all the concern about government seizure of someone's computer
equipment for the purported intention of looking for some kind of
criminal activity, encryption is being seriously considered in order to
protect confidential information from Big Brother's prying eyes.  There
are various ways, of course, to encrypt files, but one particularly
comes to mind as being at least as much hazard as protection.

The use of the "one-time" method of encryption has been considered the
best way to keep information from those not entitled to it, but it seems
to me a two-edged sword, if you will, that can cause harm to whoever
uses such a method to keep the government out of their business.  The
one-time method uses a unique random key of equal length to the data to
be encrypted, which is then XOR'ed with the data to produce the
encrypted result.  Without the original key, the plaintext is not
recoverable.  Or is it?

Now, suppose that someone has used this method to encrypt files on
his/her system, and then suppose that Big Brother comes waltzing in with
a seizure warrant, taking the system along with all the files, but does
not take the code keys with them.  Knowing Big Brother, he will really
be determined to find evidence of a crime and is not necessarily beneath
(or above) fudging just a bit to get that evidence.  What's to keep him
from fabricating such evidence by creating code keys that produce
precisely the results that they want: evidence of a crime?  Would it not
be a relatively simple procedure to create false evidence by creating a
new key using the encrypted files and a plaintext file that says what
they want it to?
Using that new key, they could, in court, decrypt the files and produce
the desired result, however false it may be.  How can one defend oneself
against such a thing?  By producing the original keys?  Whom do you
think a court would believe in such a case?

One should have little trouble seeing the risks posed by encryption.

jd / onymouse@netcom.UUCP
     netcom!onymouse@apple.com

********************************

From: Andy Jacobson
Subject: Hackers as a software development tool
Date: Wed, 02 Jan 91 03:49 PST

I received one of those packs of postcards you get with comp.
subscription magazines (Communications Week) that had an unbelievable
claim in one of the ads.  I quote from the advertisement, but I in no
way promote, recommend, or endorse this.

"GET DEFENSIVE!  YOU CAN'T SEE THEM BUT YOU KNOW THEY'RE THERE.  Hackers
pose an invisible but serious threat to your information system.  Let
LeeMah DataCom protect your data with the only data security system
proven impenetrable by over 10,000 hackers in LeeMah Hacker Challenges I
and II.  For more information on how to secure your dial-up networks send
this card or call, today!"  (Phone number and address deleted.)

So it seems they're claiming that 10,000 hackers (assuming there are that
many!) have hacked their system and failed.  Somehow I doubt it.  Maybe
they got 10,000 attempts by a team of dedicated hackers (perhaps
employees?), but has anyone out there heard of the LeeMah Hacker
Challenges I and II?

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

Downloaded From P-80 International Information Systems 304-744-2253 12yrs+
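The chain that Wes Morgan's message above shows COPS printing is the result of a search over identities: every file that its owner implicitly trusts (a login script, a system directory whose contents the owner executes) and that the current identity can write lets the searcher become that owner, pick up the owner's groups from /etc/group, and look again until it reaches root or runs out of moves. The Python below is an added illustration of that search, not COPS's own code. The passwd, group and file tables are constructed sample data, and two things are this model's assumptions rather than anything the message states: the TRUST_POINTS table (which paths let you impersonate their owner) and the rule that a writable directory makes everything beneath it writable.

```python
"""Toy model of the COPS/Kuang-style privilege-chain search.

Constructed sample data and a deliberately simplified rule set; not COPS.
A "trust point" is a file or directory whose owner can be impersonated by
anyone who can write it (assumption of this model).
"""
from collections import deque
from posixpath import dirname

# Constructed /etc/passwd extract: name -> (uid, primary gid)
PASSWD = {
    "root":   (0, 0),
    "bin":    (3, 3),
    "morgan": (200, 50),
    "guest":  (1000, 1000),
}
# Constructed /etc/group extract: gid -> (group name, supplementary members)
GROUPS = {
    0:    ("root",  []),
    3:    ("bin",   []),
    50:   ("staff", ["morgan"]),
    1000: ("guest", []),
}
# Constructed file metadata: path -> (owner uid, gid, mode bits)
FILES = {
    "/usr2/admin/morgan/.profile": (200, 50, 0o666),  # world-writable login script
    "/usr2/admin/morgan":          (200, 50, 0o755),
    "/bin":                        (3, 50, 0o775),    # group staff may write
    "/etc":                        (0, 3, 0o775),     # group bin may write
    "/etc/passwd":                 (0, 0, 0o644),
    "/":                           (0, 0, 0o755),
}
# Assumed trust points: writing the path lets you act as its owner.
TRUST_POINTS = {
    "/usr2/admin/morgan/.profile": "morgan",
    "/bin": "bin",
    "/etc": "root",
}


def identity(user):
    """uid and full gid set of a user: primary gid plus /etc/group membership."""
    uid, gid = PASSWD[user]
    gids = {gid} | {g for g, (_, members) in GROUPS.items() if user in members}
    return uid, gids


def mode_allows_write(path, uids, gids, files=FILES):
    owner, group, mode = files[path]
    if owner in uids:                     # an owner can always chmod and write
        return True
    if group in gids and mode & 0o020:    # group-write bit
        return True
    return bool(mode & 0o002)             # world-write bit


def can_write(path, uids, gids, files=FILES):
    """Writable if the path or any ancestor directory is writable: a writable
    directory lets you rename or replace anything beneath it."""
    p = path
    while True:
        if p in files and mode_allows_write(p, uids, gids, files):
            return True
        if p == "/":
            return False
        p = dirname(p)


def escalation_chain(start_user, files=FILES):
    """Breadth-first search over (uids, gids) states.  Returns the list of
    Kuang-style steps ending in "DO ANYTHING" if root is reachable, else None."""
    uid, gids = identity(start_user)
    start = (frozenset({uid}), frozenset(gids))
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (uids, gids), steps = queue.popleft()
        if 0 in uids:
            return steps + ["DO ANYTHING"]
        for path, owner in TRUST_POINTS.items():
            o_uid, o_gids = identity(owner)
            if o_uid in uids or not can_write(path, uids, gids, files):
                continue
            state = (uids | {o_uid}, gids | o_gids)
            if state in seen:
                continue
            seen.add(state)
            new_steps = steps + [f"write {path}", f"become {owner}"]
            new_steps += [f"group {GROUPS[g][0]}" for g in sorted(o_gids - gids)]
            queue.append((state, new_steps))
    return None


if __name__ == "__main__":
    for line in escalation_chain("guest") or ["no chain found"]:
        print(line)
```

Run from an unprivileged account ("guest"), the search reproduces the shape of the chain in the message: the world-writable .profile yields morgan and group staff, group staff can write /bin and so yields bin, group bin can write /etc and so yields root. Tightening the .profile to 0644 breaks the first link and the search reports no chain, which is the check worth running after a fix.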
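The key fabrication John Debert's message above describes follows directly from how the one-time pad is defined: since C = P xor K, anyone holding C can compute K' = C xor P' for a plaintext P' of their choosing, and K' is indistinguishable from a genuine key. The Python below is an added illustration of that, not code from the digest. The sample messages are constructed, and the hash-commitment function is an assumed defence the message itself does not propose, included only to show what a defendant would need to have put in place before any seizure.

```python
"""One-time-pad malleability: any ciphertext "decrypts" to any plaintext
of the same length under a suitably forged key.  Added illustration;
sample messages are constructed.
"""
import hashlib
import os


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("one-time pad requires key and data of equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, key):
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext, key):
    return xor_bytes(ciphertext, key)


def forge_key(ciphertext, desired_plaintext):
    """With only the ciphertext in hand, build the key under which it decrypts
    to the chosen plaintext: K' = C xor P'.  Nothing about K' reveals it is
    not the key the owner actually used."""
    return xor_bytes(ciphertext, desired_plaintext)


def key_commitment(key):
    """Assumed defence (not from the message): a hash of the real key, recorded
    with a third party before seizure, is what a forged key cannot match."""
    return hashlib.sha256(key).hexdigest()


def demo():
    real_plaintext = b"meeting notes: budget review Tuesday"   # constructed
    key = os.urandom(len(real_plaintext))
    ciphertext = otp_encrypt(real_plaintext, key)
    commitment = key_commitment(key)

    # The seizing party holds only `ciphertext` and writes its own "evidence".
    fabricated = b"meeting notes: move the stolen goods"      # constructed, same length
    forged = forge_key(ciphertext, fabricated)

    return {
        "honest": otp_decrypt(ciphertext, key),
        "forged": otp_decrypt(ciphertext, forged),
        "forged_key_matches_commitment": key_commitment(forged) == commitment,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The forged decryption is bit-for-bit as plausible as the honest one, which is the message's point: the pad's perfect secrecy is exactly the property that makes every plaintext equally consistent with the ciphertext. The commitment check only helps if it was made before the dispute; produced afterwards, it is just another thing the court has to take someone's word for.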