Conference 7.286::digital

    Most notes that I've seen or heard of that gave examples of
    ways to create security violations have been hidden and then
    deleted. Believe it or not there are people who will take
    advantage of such things. Even at DEC. The proper way to handle
    such things is to report them to the appropriate development
    group so that they can patch it. Posting them in notes conferences
    is, in my opinion and that of others who are far more expert than
    I, is too great a risk.

    		Alfred

    PS: This has been discussed in some of the security conferences for
    people who are interested in seeing some previously expressed opinions
    from DECs security experts.

Security topics                 HUMAN::SECURITY_INFORMATION               809  
Software Security Policies	HUMAN::SECURITY_POLICY			  782
System Security                 GIDDAY::SITES_AT_RISK                    2298 

    On the other hand, how many users today are vulnerable to attack
    because the note which would have warned them has been set hidden?
    
    In the case to which I think the base note refers, there was nothing
    to "patch".
    
    

    Did anyone catch the "First Person" episode last night about company
    security?
    
    Is anyone watching over your shoulder?  
    
    To tie this into this notesfile, I'll say, I'm glad we don't have that
    kind of thing going on here!!!???
    
    -sandy
    

    Overall, my gut reaction to all this alleged corporate snooping is that
    if "Big Brother" is watching, "Big Brother" is bored out of his mind! 
    :-}
    
    However, don't be so sure that we don't have that sort of thing going
    on here. 
    
    I used to be a system manager, and the policy is that your account is
    treated like a locked desk. Your manager _can_ get access. This request
    is supposed to be documented in writing though.
    
    Mostly this was used to get at a particular "work in progress" file
    when someone was on vacation, and a deadline had suddenly been moved
    closer. I never saw it abused by a manager.
    
    Also, system managers have complete access to everything, including
    people's personal files, or company confidential files on the system.
    The position of system manager involves a lot of trust. 
               
    System managers can and should, of course, keep from repeating anything
    seen in the line of duty. They can and should be fired if caught
    compromising Digital's information assets. Digital does have a policy
    for handling information that is "personal and confidential." 
    
    Best to be aware,
    
    	--Catherine--*
    
    

re Note 786.5 by NEST::WHITE:

>     System managers can and should, of course, keep from repeating anything
>     seen in the line of duty. They can and should be fired if caught
>     compromising Digital's information assets. Digital does have a policy
>     for handling information that is "personal and confidential." 
  
        Certainly system managers have a responsibility to protect
        Digital's information assets, but do system managers have ANY
        responsibility to take reasonable measures to protect and
        respect individuals' information?

        Bob

I've managed lots of systems and never accessed anyone's personal files, other
than, say, a document in someone's directory that was being worked on by a group
of people that needed to be accessed in the owner's absence.  Salary reviews,
personal mail, it was all there for the taking.

Anyone with particular priveleges, not just system managers, could also have
access to your files.

I don't know if there is anything in writing to enforce this, but to me, there
was never a question in my mind that I would never peek.

Paul

    RE:-1 Paul,
    
    I've managed lots of systems as well, and I know it is an easy ethical
    decision *if* you are an ethical person.  However, I have know system
    managers in this company that have gone into other's accounts and
    deleted mail, changed command procedures, etc....in other words,
    tampering with files that they have no business doing....
    
    For some the choice apparently isn't as easy.
    
    Keith R>

This is why I like running my own standalone workstation.  Its that much tougher for
someone to monkey with personal files this way.

    Anybody who would like to ensure their privacy should look into getting
    a copy of PGP.  PGP provides military-grade encryption suitable for
    implementing private mail over a public network or protecting personal
    files.  It runs on VMS, Ultrix, MS-DOS, and other systems.  It is free.
    
    A principal feature of PGP is that a user can distribute their public
    key freely, to be used by anybody who wishes to send that user private
    messages.  But only the user with the corresponding secret key can
    decode the messages.  PGP uses the RSA algorithm, which may be
    protected by patent, but the patent holder has a policy of allowing its
    use for personal, academic, and intellectual reasons for free.  Digital
    also has a corporate license, although I don't know the details.  The
    Department of Defense classifies PGP as a weapon and subject to export
    control, so don't export it from the United States.
    
    To get a copy of PGP, use FTP to get one of the following files:
    
    	pgp23.zip	(MS-DOS executable and documentation),
    	pgp23src.zip	(all source code, using ZIP), or
    	pgp23src.tar.Z	(compressed and tarred source kit)
    
    from one of the following places:
    
    	/pub/unix/security/crypt at nic.funet.fi,
    	/pub/security at ghost.dsi.unimi.it, or
    	/computing/security/software/PGP at src.doc.ic.ac.uk.
    
    If you do not have FTP access, you can get a uuencoded copy by mail. 
    Send the following message to DECWRL::"[email protected]":
    
    	ENCODER uuencode
    	SEND pub/unix/security/crypt/pgp23.zip
    
    (or other file name, if you prefer).
    
    I trust anybody on an Ultrix system will be able to do one of the
    above.  If you're on a VMS system in the United States and can't get
    PGP any other way, I'll copy it to a directory you make writable.  Send
    me mail to make arrangements.
    
    
    				-- edp
    
    
    My public key is:
    
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3

mQCNAiwbMBMAAAEEANLGM3THlEqduJfgnKcjjDx5LW4NLJnUAGOMHJ6ufConPq8s
FhvZr06eNn2SzpNFG+a4Hc0eyyZj58ixQAF2VkgLHXVUywWexPzpJjjHe7JVBKSc
CrTWJ2lJcvDR5OEdCL+SqbMtoU6SM78qjxjxa1GrJrcGm23Gtqb6xOJIA93PAAUR
tBBFcmljIFBvc3RwaXNjaGlsiQCXAgUQLCJXQ9Fm56KgtJDhAQEqLAQLBhrOa41B
+Q539E++D8qZV0JkB5yRSIqr3G0kLu8U2MpFZyHiwTsKUCI58VUq+DDJEBqLI0fv
GI1s1wAguFV71lW3dCdWl1eSwBW7d8P3IjY/RHT4tr4BhjW0eUA/OsxvXzDna0GB
5P2/1l84r1cTjUAbjbTLEhsKUDdALugEnksVhIkAjQIFECwfNylC8KX8lynUmwEB
jNUDv0CqInJNItTydvGdZ0vhalX6aW7eMMuN7ev049IFHw0Ynug1fzDglHp0qoUI
Qy96w/znUmHlFdzgTGPqgO7vq6rr3ICf17FOGmV6aGZeundCCWQS1M55//+39UuG
yR9d+yF77besd3Na9BnuP01OyZq04MwPsj8Dtw==
=+CzY
-----END PGP PUBLIC KEY BLOCK-----
                                                                           

    The other thing to keep in mind is that even though authorized access
    is pretty well covered by policy, UNAUTHORIZED access is also a
    concern.
    
    Security is no joke, A privileged unauthorized "hacker" can also
    potentially gain access to personal or confidential info. Frequently,
    those people do have nothing "better" to do than be infinitely patient
    until the "right" piece of information presents the appropriate
    temptation.
    
    I never intentionally gained access to stuff I wasn't supposed to see,
    but I did frequently come across things that users had "left wide open"
    to access by anyone, authorized or not, on the network. People
    frequently need to be reminded that "world" access could really be
    WORLD access! (Do you really want that engineering design to be W:RWED?)
    
    It is virtually impossible not to see some things as a privileged user
    that require "protection." For instance, if a disk is failing, you may
    be recovering files and some files get "anonymously" placed in a
    recovery directory. A system manager may have to read these files to
    return them to their rightful owners. You may also learn things from
    filenames when cleaning disks that you ought not to disclose to the
    Boston Globe. Sometimes you'll be looking through accounting
    information and someone will have made a mistake typing in a password
    in the "username" field that tells you something that you don't want to
    know. Lots of information "appears" serendipitously. 
    
    Your system manager clearly has an ethical and legal obligation to be
    sensitive to the policies governing information security, but
    unauthorized "users" could be out there too. Most system managers are
    in the business of protecting the information you have on the system.
    But some modest paranoia is probably healthy!
    
    :-)
    
    	--Catherine--*
    
                            

    Along the lines of Edp's note, if you have files that you want to be
    sure aren't read by anyone (including those with privs), encrypt them.
    
    	BD�

It would be convenient if VMSmail had "hooks" to allow automatic
encryption/decryption of stored messages. Is this feasible?

>It would be convenient if VMSmail had "hooks" to allow automatic
>encryption/decryption of stored messages. Is this feasible?
    
    Yes, it's feasible. See the notes conference at:
    
Privacy Enhanced Mail           VARDAF::AMAILTPU                            3047
    
    			Alfred

    Your freedom to Copy and use the PGP software only exists in the USA. 
    Outside the USA you need a Dept of Commerce Export Licence.  Worse
    still, if you're located in France you need an import licence from the
    French Minstry of Defence, as encryption software is a Class II weapon
    of war.
    
    Nick

    What was that story about in the Boston Globe on Saturday about Digital
    taking two of its computers off the net because of fears they could be
    accessed through the Internet by foreign intruders?
     

    Had very little to do with fears for foreign intruders, but with export
    restrictions.
    Aparently one was worried that data obtained from those machines by
    customers outside the USA could not be exported.
    
    Charles

 Digital - Pulls computers off global network
	{The Nashua Telegraph, 24-Jul-93, p. 23}
   Digital abruptly pulled two powerful new computers off a global computer
 network out of concerns about possible export violations, even though the
 computers never left the country.
   The result of Digital's action was to deny U.S. computer users access to
 U.S. computers operating in the United States.
   Critics said the episode demonstrates how export laws intended to regulate
 weapons technology are not only infringing on American civil liberties, but
 also stifling innovation and hurting American businesses.
   Digital said its concern was the foreigners could connect to the computers
 from abroad, generate data, and illegally export it over the Internet computer
 network, which carries data and electronic mail around the world.
   The computers were reconnected to the computer network on July 7, but access
 is now limited to people who are screened by the company, Mark Fredrickson, a
 Digital spokesman, said Friday.
   A former Commerce Department official who is now a trade consultant in
 Washington said the connection of a supercomputer to a global network could
 lead to violations of federal export regulations.
   "If it was available overseas and they allowed people overseas to use it,
 then technically they were allowing access to a supercomputer to people they
 didn't know," said Paul Freedenberg, who was the Commerce Department's
 undersecretary for export administration at the end of the Reagan
 administration.
   Freedenberg is an international trade consultant at Baker and Botts in
 Washington, the law firm of former Secretary of State James Baker.
   He emphasized that he had no personal knowledge of the Digital computer
 hookup and that he was speaking of the regulations generally.  "I can't say
 Digital violated the law, because I don't know what Digital did," he said.
   Lee Mercer, Digital's corporate export manager, said making the computer
 available was not a violation.  A Commerce Department official, speaking on
 condition that he name not be used, agreed that making the computer available
 was not a violation, but that export of data generated on the computer would
 be a violation of regulations.
   The computer hookup was in place for five weeks in April and May, said
 Fredrickson.  It was intended to give potential customers the opportunity to
 test-drive the computers.  It was terminated by company executives who wanted
 to avoid any appearance of violating export regulations, he said.
   Digital, the nation's No. 2 computer maker after IBM, said 65% of its annual
 $14 billion are overseas.  In December 1991, the Commerce Department charged
 the company with 62 violations of export laws and fined it $2.4 million.
 It was the largest fine the department had imposed for export violations.
 Digital agreed to pay without admitting or denying guilt.
   The Digital computers connected to the network were two of Digital's new AXP
 4000 computers, operating in a Digital laboratory operating in Palo Alto,
 Calif.  The computers, which cost from $77,000 to $100,000, are considered
 mid-sized computers by industry standards.
   Freedenberg said that the government would probably soon revise its outmoded
 standards that define those models as supercomputers and bring them under
 export regulations.
   Critics called for speedy revision of the export laws, which date from the
 Cold War.
  "Export control policies are shutting us directly out of certain markets,"
 costing U.S. businesses at least $10 billion a year in lost exports, said
 Howard Lewis, VP of the National Association of Manufacturers.
   "It's harmful to innovation, but we think it's also very harmful to the
 privacy interests of American citizens," said the Electronic Frontier
 Foundation, a group concerned with computers and civil-liberties issues.

    re: .15 Freedom to copy and use PGP software only exists in the USA.
    
    Um, no.  Pretty Good Privacy started in the United States, but its
    central distribution point is now in Finland.  The original developer
    turned it over to non-U.S. people for further work for two reasons:
    fear of export controls and fear of prosecution on a "public key"
    encryption patent issued only in the United States.
    
    Much comment in the trade press sees this as paralleling commercial
    cryptography efforts, where the effect of "munitions controls" on
    cryptography is mainly to restrict American companies from full
    competition with their counterparts around the world.
    
    So if any noter uses PGP, he/she is importing crypto software from a
    non-NATO country.  Sorry to extend the rathole, and no political
    comment is implied.
    
    Wes

    Wes
    
    Um, yes... the freedom doesn't exist, because we work for (are employed
    by) a company with its HQ in the US.
    
    So as a UK citizen, working in France, for a US company, I cannot copy
    PGP software from Finland because of US DoC regulations, and because of
    French MoD regulations.
    
    Nick

    It is not clear that PGP is export controlled.  In addition to the fact
    that nobody has asked the Department of Defense or the Department of
    Commerce, to my knowledge, at least one copy of PGP has been deposited
    in a public library, which may make it exempt from certain export
    restrictions.
    
    
    				-- edp

    Given that it can do confidentiality (privacy) protection, it's the
    Department of State that determines PGP's exportability, not the DoD or
    the Commerce Department.
    
    There is supposed to be an exemption for "public domain" material, but
    I doubt that simply placing something in a library qualifies it as PD.
    
    Also, RSADSI hold a US patent on the RSA encryption algorithm, so you
    may be infringing their patent if you build or use PGP within the US. 
    The existence of this patent also would weigh against a claim that PGP
    is in the public domain.
    
    John

    Re: .18
    
    I was told today that any outside inquiries regarding the AP newswire
    story about the Internet Alpha systems should be directed to
    Mark Fredrickson (ASABET::FREDRICKSON, Mark.Fredrickson@MLO,
    DTN 223-4930, 508-493-4930).  Work is underway to resume this
    service with the necessary controls.
    
    						Steve

    Re .22:
    
    > Given that it can do confidentiality (privacy) protection, it's the
    > Department of State that determines PGP's exportability, not the DoD or
    > the Commerce Department.
    
    All of them get involved.
    
    > There is supposed to be an exemption for "public domain" material, but
    > I doubt that simply placing something in a library qualifies it as PD.

    The regulations/laws in question do refer to whether material is
    available from public libraries.  The sources and binaries of PGP are
    available from the Canadian Broadcasting Corporation library, which is
    open to the public.
    
    > Also, RSADSI hold a US patent on the RSA encryption algorithm, so you
    > may be infringing their patent if you build or use PGP within the US. 

    MIT owns the patent but has licensed commercial rights to Public Key
    Partners, which is associated with RSA Data Security, Incorporated.  I
    contacted them, and they responded with a prepared list of questions
    and answers that include the statement that they have a policy of
    allowing free use of PGP for personal, educational, or intellectual
    reasons.  In addition, Digital has a license.
    
    I wrote all that back in .10, when I first mentioned PGP.  In addition,
    the algorithm was developed with _our_ money (taxes), so private
    institutions don't deserve to benefit commercially from it at
    additional expense from us.
    
    
    				-- edp

    re: last few replies, is PGP banned, OK or what?
    
    Maybe this tangent IS directly related to the title of this note.
    
    Wes

>    re: last few replies, is PGP banned, OK or what?

    PGP isn't "banned".  However, it is an implementation of a cyptographic
    algorithm which provides privacy protection, and which hasn't been
    explicitly ruled by the DoS as "non-strategic".  Therefore its export
    is automatically controlled under the ITAR regulations, which require
    an individual export licence for each export destination (customer). 

    If you have a copy, it's your responsibility to ensure that it isn't
    exported (which includes transfer to anyone who isn't a US or Canadian
    citizen, or a US permanent resident).  Whether or not it should be
    present on the Easynet (and the conditions under which it can be here)
    should probably be referred to corporate legal.
    
    Its use within the US isn't illegal, but it does use patented
    technology.  .24 says that RSADSI have said they don't mind personal
    use of PGP; I thought that RSADSI had only approved personal use of the
    RSAREF implementation, which I didn't think PGP used, but I guess I was
    mistaken about that (Eric - does PGP use RSAREF, or have RSADSI
    licensed PGP without RSAREF?)
    
    John

    Re .26:
    
    PGP Version 2.3 has RSAREF hooks in it, and may even include the
    sources, but I don't think it's built to use RSAREF yet.  I don't think
    it matters to users, because the information RSA sent to me didn't
    qualify what implementation of the algorithm was licensed; it was
    simply a blanket statement that anybody could use the algorithm for
    personal, intellectual, or educational reasons.
    
    
    				-- edp

    Here's some additional information about PGP.  For information on
    obtaining a copy, see .10.
    
    PGP is legal to use in the United States.  There's no law or regulation
    against you having it, and the patent holder says anybody may use the
    RSA algorithm (which is used in PGP) for personal, educational, or
    intellectual reasons.
    
    Other countries might regulate or prohibit encryption.  For example, a
    country might require you to register your decryption key with the
    government.
    
    PGP is fairly simple to use once it is set up.  You say "PGP -e
    filename users" and it encrypts that file so that only the listed users
    can decrypt it.  Decryption is similar.  Using "-ea" encrypts and puts
    in an ASCII form suitable for mailing.  Adding an "s" tells PGP to sign
    the document by using your decryption key, so recipients have proof the
    message came from you.  Decryption in all cases is automatic whether
    the message is ASCII armored or signed or any combination.
    
    There are also some "-k" parameters that let you add keys for new
    users, generate your own key, certify keys, and so on.  The kits
    include good documentation.
    
    The most difficult part of using PGP is:
    
    	Getting the kit if you haven't used FTP before.
    	Building the image (except the MS-DOS version, which is pre-built).
    	    (Note:  The Mips-Ultrix version requires a few minor edits if
    	    you do not have Gnu C.)
    	Setting up some environment variables or logical names.
    
    
    				-- edp

    re.10
    
    �	/pub/unix/security/crypt at nic.funet.fi,
    �	/pub/security at ghost.dsi.unimi.it, or
    �	/computing/security/software/PGP at src.doc.ic.ac.uk.
    
    	PGP is located at "/computing/security/pgp" at src.doc.ic.ac.uk
    
    	ps: note they're case-sensitive.

    re: .26 It's your responsibility, etc, regarding PGP.
    
    John, my point in .25 is that there's a lot of confusion and paranoia
    about Pretty Good Privacy.  My second point is that it's rather
    ludicrous to talk about controlling distribution of PGP when it's
    available for a few minutes' effort from a source completely outside
    the crypto export control community.  At last hearing, Finland was
    still a sovereign, neutral nation.  That confounded Internet, it just
    isn't patriotic!
    
    :-) for the irony-impaired.
    
    Wes

    If you would like to read a pretty interesting article about PGP pick
    up the Magazine "WIRED" from last month or the month before.  It's a
    new mag and pretty interesting,  Anyway, the article in there about PGP
    and some of the people behind the encryption movement.  
    
    Also did anyone hear the news blurb about the gov wanting to require
    all personal computers to have a chip installed that would allow them
    to decipher encryption?  I can't remember the specifics but the jest of
    the article was that they wanted to require PC Co's to install these
    chips and evidently they got shut down by the courts.....Did anyone get
    the whole thing?
    
    Shan

    The Government has announced a new Crypto chip it calls CLIPPER.
    This chip has a crypto algorithm called CAPSTONE (I think) this 
    algoritm is classified (for now anyway).
    
    This is supposed to replace the DES system in use since the late 70's.
    
    Thi CLIPPER chip will be available to manufacturers and I suppose to
    the general public for use.
    
    One feature of the chip is a key escrow setup where the keying material
    is kept in escrow by a an agency outside of the government. It would
    require a court order for police/government agencys to get at the
    keying material.  There also is a "law enforcement" field in the
    beginning of any message that is used to recover the message key, when
    used in conjunction with the keying elements held in escrow. The
    operation is somewhat long to describe here but a lot of comment has
    been gererated about the scheme.
    
    The upshot of all this is, the crypto system that would be implemented
    with CLIPPER would have a "hole" in it (the Law enforcement field) for
    police/government to decipher your traffic at will (supposedly with a
    court order).  In order for this to work, all the other cipher systems
    available to the general public would have to be banned, because right
    now it is taking the Government crypto people a long time to get into
    what is available (also the traffic in ciphered messages is
    increasing).
    
    The government has said that they wouldn't ban the older public cipher
    systems, but people don't believe this.
    
    I suppose if CLIPPER becomes the "standard" then the government
    wouldn't have to do anything about the older systems, and anyway the
    traffic in them would decrease.
    
    The people who wanted really secure messages could still use a one-time
    pad, and anyone but the intended message receiver would be locked out.
    
    The worry the government presents to the public, is that the criminals
    and drug dealers would use the cipher system for their traffic, and the
    government would be locked out if they didn't have the "law enforcement
    field" to get in with.  What the goveernment has not said is that at
    least the high level drug dealers are already using one time pads and
    other farely secure systems for their "classified" messages, and all
    the
     "law enforcement field" would do is allow access to the messages from
    those who didn't know about the hook, or the common person who didn't
    really care.
    
    There is a LOT of discussion on this subject, and the issus isn't
    settled yet.
    
    

    The Clipper chip has some serious flaws:
    
    	It was developed with illegal intervention from the National
    	Security Agency and hence is being challenged in court.
    
    	It is completely vulnerable to a "man in the middle" attack;
    	anybody (police or criminal or both) need merely put two
    	Clipper chips back-to-back in the middle of a connection between
    	two parties using Clipper chips, and the unencrypted conversation
    	will be available to the snooper between the two back-to-back
    	chips.
    
    	The proposal provides for no authentication of a police officer's
    	assertion that a given chip identification corresponds to the
    	chip used by the subject of a warrant, thus allowing a police
    	officer to illegally request the decryption key for any chip
    	they like.
    
    
    				-- edp

Re: -.1   edp missed out on one.


The NSA has also refused to allow any outsiders to see the algorythm(s) used,
so industry and mathematics specialists are not able to verify that the system
is indeed secure. This has created much distrust, and in many cases people
fear that the reason may be due to the NSA having a built-in "back-door" or
flaw to allow them to decode transmissions without the secondary key.
Typically, knowing the algorythm itself (unless there is a flaw in it) will
not compromise security, you still need the keys to use it to decode.


On another note...

The NSA/FBI are also trying to make it illegal to have scrambled cellular phone
transmissions where the "through the air" part of the transmission
(as opposed to the phone telco circuits) is scrambled. This is because the FCC
allows anyone to intercept a through-the-air broadcast without a court
order or warrant. Agencies CAN and do monitor cellular phone conversations of
people being investigated, and can currently do with without any permission or
notification as long as they are only receiving a broadcast transmission.
However, if the broadcast portion of the conversation itself is scrambled
(using unknown or unapproved methods) then they may need to tap into the telco
equipment as they currently do - requiring a warrant.

This is strong motivation for them to propose and control the scrambling
being used rather than let the commercial sector offer the alternatives.
Since the public is demanding secure cellular communications, and the NSA
currently enjoys this "free" evesdropping, this is another reason why some
people are distrustful.

    I believe the algorithm was developed by NSA for the purpose of this
    project.
    
    I think the system is crypto secure (at least for the intended use)
    I have a lot of info on how the system works but it is not on a disk
    file so I would have to type it in.
    
    

The NSA has invited 9 cryptography experts to review and comment on the 
security of the whole system and the softwaer in particular.  At last count 
5 had agreed to the terms, (doing the work in a secure area specified by 
the gov't, review of publishing and others.)  I have not yet seen the 
results of these reviews.  One of the reviewers is from U. of Maryland and 
did some very interesting work with combined keys and COMSEC/TRANSEC 
issues.

I will wait and see what she and the others do.

Matt