Human-Nets-Request%rutgers@brl-bmd.UUCP (12/07/83)
HUMAN-NETS Digest        Tuesday, 6 Dec 1983       Volume 6 : Issue 80

Today's Topics:
    Query - arpanet/usenet/bitnet to compuserve/delphi/source mail,
    Response to Query - Input Devices,
    Computers and People - Big Computer is Watching you & Hackers,
    Computers on TV - Whiz Kids,
    News Article - Computer aided manufacturing,
    Computer Security - Password Security &
                        Key Distribution in Encryption Systems
----------------------------------------------------------------------

Date: Thu, 1 Dec 83 19:35:44 EST
From: Pierre duPont <pdupont@BBN-UNIX>
Subject: arpanet/usenet/bitnet to compuserve/delphi/source mail

Does anyone know of an automatic link between Arpanet (and/or usenet, bitnet, etc.) and such services as CompuServe and The Source for the purpose of mail forwarding, etc? Delphi (General Videotex) has already partly answered the question - They transfer all mail from/to CompuServe manually each day.

One possible solution would be to rig up my computer to check the services regularly and transfer mail for me, and I do plan to implement such a system someday. (This will undoubtedly be a very challenging task!) But has it already been done? Is there any Arpanet address that is really a gateway to CompuServe or The Source?

Any ideas would be appreciated!

- Pierre <pdupont@BBN-UNIX>

------------------------------

From: sdcsvax!davidson@Nosc (Greg Davidson)
Date: 2 Dec 1983 2325-PST (Friday)
Subject: Re: Input Devices

I believe that the question of how to support non-standard keyboards, such as DSK keyboards and chord keyboards, has a simple answer: Make a standard interface which is independent of which one is used. People should be able to plug their favorite keyboard into any system.

I have a similar answer for the support of various pointing devices, including mice, tablets with pens, tablets with pucks, touch screens and light pens. A standard port on terminals and workstations should accommodate any such system, even if something else is built in.
Function buttons, whether on pointing devices or keyboards, need not be treated separately by the software which responds to them being pressed. Whether such codes are received from the keyboard or from the pointing device should not matter. All that the software needs to know is what code was sent. The codes should be an ISO standard.

Like many people, I have my own favorite input devices. I prefer a chord keyboard for my left hand, and a choice of either a three button mouse or a second chord keyboard for my right hand.

The lesson taught by the unsuccessful struggle to introduce DSK keyboards is that non-standard devices require the freedom to choose our input devices independently from the rest of our hardware. Otherwise inertia wins.

-Greg

------------------------------

Date: Friday, 2 Dec 1983 10:47-PST
From: Steven Tepper <greep@SU-DSN>
Subject: Re: Big Brother and Block Modeling, Warning

A possible defense against such blatant out-and-out spying on employees is to publicize such practices. Employees who are not so outraged as to quit on the spot can at least hope to foil the method by flooding the system with no-op messages to the point where it collapses, either because of system overload or because other users refuse to wade through all the nuisance mail. At that point communications might revert to forms which are harder (or more expensive) to trace.

By the way, the "guilt by association problem" -- not in the specific case you mention of automatic copies in messages, but in the more general case of assuming certain tendencies in people who exhibit particular similarities of behavior -- has been around a long time in the form of psychological tests. As far as I know, these are not based on any kind of theories about why the behavior might account for the attributed tendency.
Rather, they are completely statistical and are just as prone to make wrong predictions as statistical analyses of correlations between behavior and hair color, between shoe size and astrological sign, or between company loyalty and mail usage.

------------------------------

Date: 2 Dec 1983 1331-EST
From: Roger H. Goun <VLSI at DEC-MARLBORO>
Subject: Re: Are we getting old in our old age?

I can certainly sympathize with Brian Reid's explanation for his actions in pursuit of the young "cracker" on his system. In similar circumstances, I might have done the same thing. I think Brian's last point is most telling, though:

    Had I known that the reaction was going to be this strong I would have offered to buy the kid a beer or a joint or whatever it is that 17-year-olds want these days....

Brian is to be excused for lacking 20/20 hindsight. However, at this point we are all painfully aware that public and law enforcement reactions to computer penetration incidents are likely to be inflammatory, to say the least. Computer professionals should take the lead in bringing this sort of "crime" back into perspective. We can start by sticking with our normal reaction to a break-in, and do our best to turn a young cracker to more healthy pursuits, before we resort to calling in the law.

By the way, Brian, HUMAN-NETS Digest is probably not a good forum in which to express your willingness to purchase controlled substances for a minor. Some agency's computer somewhere may have just started a file on you.... :-)

-- Roger Goun
   Digital Equipment Corp.

UUCP: ...decvax!decwrl!rhea!elmer!goun
ARPA: decvax!decwrl!rhea!elmer!goun@Berkeley (best)
      VLSI@DEC-Marlboro (put "ELMER::GOUN" in Subject)

------------------------------

Date: 1 December 1983 00:20 EST
From: Robert Elton Maas <REM @ MIT-MC>
Subject: how public perceives computers - Whiz Kids

Well, in tonite's episode of Whiz Kids the dialup-access security for a company computer was a little better than in previous episodes.
After twelve bad guesses at the password it would disconnect the telephone, requiring redialing, thus slowing up the automatic password-cracker program to an effective guess rate of about one guess per second. But after many hours of guessing the 6-character password in alphabetical order from AAAAAA upward and redialing after each disconnect, the correct password was hit, and it turned out to be a common word PRETTY (gee, now if the program had just tried the English words first, huh?). So it looks like the writer for that program has consulted somebody who knows a little bit about security, or has been reading this mailing list?

------------------------------

Date: Sat 3 Dec 83 13:59:55-PST
From: William "Chops" Westfield <BILLW@SRI-AI.ARPA>
Subject: Computer aided manufacturing of consumer products

Interesting development. Some of you may recall a prediction of this sort of thing (using computers to create a product line where each item is unique) in John Brunner's "Shockwave Rider". It should be interesting if this catches on for other products - these particular dolls are selling like hotcakes!

Extract from NYT newswire story:

    The basic attraction for the dolls seems to begin with their puckish smiles, yarn hair and outstretched arms that are ready for a hug. And unlike most modern dolls, which are stamped out of identical molds in cold plastic or rubber, Cabbage Patch Kids are mostly soft, squeezable and individually unique.

    Coleco claims with computer assisted design, no doll is exactly the same as another. The color of the yarn hair is different, as are the eyes and outfits. ''Some have one dimple, two dimples or none,'' explained Coleco's director of Corporate Communications, Barbara C.
    Wruck, ''and there are eight or a dozen different head molds that change the facial design in large and subtle ways.''

BillW

------------------------------

Date: Fri 2 Dec 83 10:35:20-PST
From: Ken Laws <Laws@SRI-AI.ARPA>
Subject: Password Security

Any system that allows users to choose their own unconstrained passwords will be vulnerable. Morris and Thompson's case history (supplied with the Unix Programmer's Manual) is an eye-opener; it was summarized on this list about two years ago.

Many of the attack methods presume that passwords will be single words. Suppose that system software checked a dictionary to detect and disallow all such passwords? Would we have reasonable security if people chose phrases or word pairs having at least eight letters, or would systems still be vulnerable to attacks using Markov letter-tuple frequency statistics?

(If this is not sufficient, I advise system administrators to use "user-unfriendly" methods that reject pronounceable passwords. One could either insist on mixtures of letters and numbers or could use letter-pair statistics to score the "entropy" or "security" of proposed passwords.)

-- Ken Laws

------------------------------

Date: Sat, 3 Dec 83 16:10:13 PST
From: Peter Reiher <reiher@UCLA-CS>
Subject: key distribution in encryption systems

    You don't even have to encrypt the key announcement messages. A good public-key scheme, like RSA, allows for authentication of the messages.

    - Ralph Hyre

Regardless of whether or not public key methods are used, it is necessary to encrypt key announcement messages by some means. If they are plaintext, anyone can introduce them. Also, it seems to me that it is a mistake to announce a new key by encrypting it under the key it is intended to replace. The whole point of changing the key, after all, is that you fear that the old key has been used too much and is subject to compromise.
If a key has been compromised, then the key announcement message you get from someone else may actually be from a villain masquerading as the announcer. The fact that he has also encrypted the new key using your public key does ensure that only you can read it, but, since your public key is, after all, public, it does nothing to authenticate the sender.

The dispatcher system does, indeed, have some features which make public key cryptography look attractive, especially due to its star configuration. However, if new public keys are to be distributed over the network itself, precautions must be taken. Having each site hold two key pairs, one for conventional messages and one for key announcements, will work fine. Having each site announce its new key by encrypting with its old key either greatly decreases the lifetime of keys (the announcement must occur when the old key is still judged absolutely secure) or exposes the system to imposters who have determined the old key and fraudulently announced a new one.

(One interesting possibility which avoids two separate key pairs: the first message sent with a new key is the announcement of the next key. When a key is judged insecure, a message goes out telling other sites to switch to the previously announced key, without including that key in the message. An imposter who figured out the old key can thus force a switch to the new key, but he can't choose that key, and, assuming that the old key was ever secure, the imposter doesn't know what the new key is.)

Peter Reiher
reiher@ucla-cs

------------------------------

End of HUMAN-NETS Digest
************************
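
The password screening Ken Laws proposes above (a dictionary check, an eight-letter minimum and a letter-pair score), sketched as an added example that is not part of the digest. The ten-word list is a constructed stand-in for a system dictionary, and the 5.0-bit cut-off and the names `check` and `bits_per_pair` are assumptions of this sketch.

```python
import math
from collections import Counter

# Constructed stand-in for a system dictionary; a real check would load
# a full word list and train the pair statistics on far more text.
WORDS = ["pretty", "secret", "system", "password", "letter",
         "number", "people", "little", "message", "network"]
ALPHABET_SIZE = 36        # a-z plus 0-9, used for smoothing
MIN_LENGTH = 8            # "at least eight letters"
MIN_BITS_PER_PAIR = 5.0   # assumed cut-off, tuned to this toy model

# How often each letter pair occurs, and how often each letter leads a pair.
PAIRS = Counter(w[i:i + 2] for w in WORDS for i in range(len(w) - 1))
FIRSTS = Counter(w[i] for w in WORDS for i in range(len(w) - 1))

def bits_per_pair(password):
    """Average surprisal, in bits, of each character given the one before."""
    pw = password.lower()
    total = 0.0
    for a, b in zip(pw, pw[1:]):
        # Add-one smoothing: unseen pairs get a small non-zero probability.
        p = (PAIRS[a + b] + 1) / (FIRSTS[a] + ALPHABET_SIZE)
        total -= math.log2(p)
    return total / max(len(pw) - 1, 1)

def check(password):
    """Apply the three screens in order and report the first that fails."""
    if password.lower() in WORDS:
        return "rejected: dictionary word"
    if len(password) < MIN_LENGTH:
        return "rejected: too short"
    if bits_per_pair(password) < MIN_BITS_PER_PAIR:
        return "rejected: predictable letter pairs"
    return "accepted"
```

On this toy model the word pair `prettysecret` passes the dictionary and length screens but is caught by the letter-pair score, because every adjacent pair in it also occurs in the word list.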
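
The rollover scheme in Peter Reiher's closing parenthetical, worked through as an added example that is not part of the digest. It assumes a signature reading of the scheme: announcements are signed with textbook RSA over toy keys built from Mersenne primes (trivially factorable, for illustration only), and the message kinds and the `Receiver` class are hypothetical names.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def keypair(p, q):
    """Toy RSA key from two known primes: (public modulus n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def send(kind, body, n, d):
    """Sign kind|body with private exponent d (textbook RSA, no padding)."""
    return kind, body, pow(digest(kind.encode() + b"|" + body, n), d, n)

class Receiver:
    def __init__(self, current_n):
        self.current, self.pending = current_n, None

    def receive(self, kind, body, sig):
        msg = kind.encode() + b"|" + body
        if pow(sig, E, self.current) != digest(msg, self.current):
            return "rejected: bad signature"
        if kind == "announce":          # body carries the NEXT public key
            if self.pending is not None:
                return "rejected: next key already pinned"
            self.pending = int(body)
            return "pinned next key"
        if kind == "switch":            # carries no key material at all
            if self.pending is None:
                return "rejected: no next key pinned"
            self.current, self.pending = self.pending, None
            return "switched"
        return "accepted"

def demo():
    n1, d1 = keypair(2**61 - 1, 2**89 - 1)    # constructed demo keys
    n2, d2 = keypair(2**107 - 1, 2**127 - 1)
    n3, _ = keypair(2**89 - 1, 2**107 - 1)
    evil_n, evil_d = keypair(2**31 - 1, 2**61 - 1)
    rx = Receiver(n1)
    traffic = [
        send("announce", str(n2).encode(), n1, d1),      # first message under key 1
        send("announce", str(evil_n).encode(), n1, d1),  # impostor who holds d1
        send("switch", b"", n1, d1),                     # impostor forces the switch
        send("data", b"forged", n1, d1),                 # old key no longer verifies
        send("data", b"forged", evil_n, evil_d),         # impostor's own key
        send("announce", str(n3).encode(), n2, d2),      # real site, first message under key 2
    ]
    return [rx.receive(*m) for m in traffic]
```

`demo()` returns the receiver's verdict for each message in order: the impostor can trigger the switch but cannot substitute a key of his own or sign under the one already pinned.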