💾 Archived View for spam.works › mirrors › textfiles › hacking › issm202.hac captured on 2023-06-14 at 16:53:03.


The Information Systems Security Monitor    
    
     _______     /--------\      /--------\     \          /|    
        |        |               |              | \       / |    
        |        |               |              |   \   /   |    
        |         \_______        \_______      |     \     |    
        |                 \               \     |           |    
        |                 |                |    |           |    
        |                 |                |    |           |    
        |        \________/       \________/    |           |    
      -------                                      
Dedicated to the pursuit of security awareness............    
================================================================= 
Volume 2 Number 2                                     April 1992  
=================================================================  
////////////////////// In this Issue \\\\\\\\\\\\\\\\\\\\\\\\\\\  
  
Choosing the Right Password  
  
Comptroller General Decision on EDI  
  
Security Hall of Fame  
  
OAIS Employees Judge Student Contest  
  
Cyberspace: A Hacker's Response 
  
Quick Fix Security  
  
Dear Clyde  
  
Computer Speak  
  
What's New  
---------------------------------------------------------------- 
 
 
Hacker Lists Passwords Hackers Look For  
Choosing the Right Password!  
  
Imagine a hacker entering a system with your id and password 
because you did not take the time to choose a good password.  This 
is something that can be completely prevented if people would take 
a few minutes to choose a good password.  You must be creative when 
choosing a password, not lazy.  Since a password is usually the 
first line of defense against unauthorized access to a computer 
system, once that first line is broken the rest only takes time.  
The average user usually has a password that is easy to select and 
easy to remember.  Any word that is easy to select or is contained 
in a dictionary is a poor and insecure selection for a password, 
because these words are the first ones an intruder will try when 
attempting to compromise your system.  For instance, if your name 
is Tom Smith and your logon id is TSMITH, your password should not 
contain any variation of these two words (Tom & Smith).  A hacker 
will try TSMITH, SMITHT, TOMSMITH, SMITHTOM, TSMITH1, HTIMST, etc. 
before anything else.  As far as the length of a password goes, it 
is definitely the longer the better.  To demonstrate this point I 
give you the following table:  
  
# of        Possible             Average Time   
Characters  Combinations         To Discover     Example  
  
1            36                   6 min           q  
2            1,300                4 hrs           bt  
3            47,000               5 days          tyu  
4            1,700,000            6 months        insw  
5            60,000,000           19 years        potnb  
etc...  
  
The greater the number of possibilities a hacker must sort through, 
the better the chances of a password remaining undiscovered.  
  
The best passwords are those that contain a combination of letters 
and numbers, or are a combination of two or more unrelated words, 
e.g. TREEFLOOR, TVBOOK, RADIOSHOE, etc.  Another possibility is to 
select the initials of your two grandmothers combined with the 
number of times you have seen your favorite movie to come up with 
a password that resembles PAWH07, 07WHPA, PA07WH, etc.    
  
If you think that you have chosen a password that is hard to guess 
or would take too much time to guess, keep in mind that hackers 
have automated the process.  There have been programs written for 
the sole purpose of guessing passwords; they take a list similar to 
the one in this article and try each and every entry.  The kinds of 
passwords suggested above are hard to guess and will most likely 
not be found in any dictionary or word list.  I am enclosing a list 
of common passwords that most hackers have a variation of; under no 
circumstances should you ever use a word contained in this list.  
All forms of profanity should also be included in this list.  

100  
666  
6969  
aaa  
abc  
abel  
academia  
academic  
academie  
access  
ada  
adele  
adeline  
adelphe  
admin  
adrian  
aerobic  
aerobics  
agathe  
agnes  
aide  
aime  
aimee  
airplane  
alain  
alban  
albanie  
albany  
albatros  
albatross  
albert  
alex  
alexander  
alexandre  
alf  
algebra  
algebre  
alias  
aliases  
alice  
alida  
alix  
alpha  
alphabet  
alphonse  
ama  
amadeus  
amandine  
ambroise  
amedee  
ami  
amorphe  
amorphous  
amour  
amy  
an  
analog  
analogue  
ananas  
anchor  
ancre  
andre  
andromache  
andy  
angele  
angerine  
anicet  
animals  
animaux  
anne  
annie  
annonciation  
anselme  
answer  
anthelme  
antoine  
antoine-marie  
anvils  
anything  
aout  
apollinaire  
apolline  
apotre  
aquin  
arc  
aria  
ariane  
aristide  
armand  
armel  
arnaud  
arrow  
arsene  
arthur  
ascension  
asd  
asm  
assise  
assomption  
athena  
athenes  
atmosphere  
aubin  
aude  
audrey  
augustin  
automne  
autoroute  
avent  
avila  
avion  
avril  
aymar  
aymard  
aztecs  
aztecs  
azur  
azure  
bacchus  
badass  
bailey  
balance  
banana  
bananas  
banane  
bande  
bandit  
banks  
banque  
baptiste  
barbara  
barber  
barbier  
bariton  
baritone  
barnabe  
barnard  
bart  
barthelemy  
bartman  
basic  
basile  
bass  
basse  
basson  
bassoon  
batch  
batman  
baudouin  
beach  
beater  
beaute  
beauty  
beaver  
beethoven  
belier  
beloved  
benedicte  
benoit  
benz  
beowulf  
berkeley  
berlin  
berline  
berliner  
bernadette  
bernard  
bernardin  
bertille  
bertrand  
beryl  
beta  
everly  
bicameral  
bienheureux  
bienvenue  
bishop  
bitch  
blaise  
bob  
boris  
bradley  
brian  
brice  
brigitte  
broadway  
bruno  
bsd  
bumbling  
burgess  
cad  
cafe  
calude  
camarade  
campanile  
cancer  
cantor  
capricorne  
cardinal  
careme  
carine  
carmel  
carmen  
carole  
carolina  
caroline  
carson  
cartouche  
cascades  
casimir  
cassis  
castle  
castle  
cat  
catherine  
cayuga  
cecile  
celine  
celtics  
cendres  
cerulean  
challenger  
change  
chantal  
charles  
charlotte  
charmant  
charming  
charon  
chat  
chateau  
chem  
chemin  
chemistry  
chess  
chester  
cheval  
chevalier  
chien  
chou  
christ  
christian  
christine  
christophe  
cible  
cigar  
cigare  
citroen  
claire  
clarisse  
class  
classic  
classique  
claude  
clemence  
clement  
clotilde  
cluster  
clusters  
code  
coeur  
coffee  
coke  
colette  
collins  
come  
computer  
comrade  
comrades  
conception  
condo  
condom  
connect  
console  
constant  
constantin  
conversion  
cookie  
cooper  
corinne  
cornelius  
couscous  
create  
creation  
creosote  
crepin  
cretin  
criminal  
croix  
cshrc  
cyrille  
daemon  
dame  
damien  
dancer  
daniel  
danny  
dapper  
data  
dave  
davy  
deb  
debbie  
deborah  
december  
decembre  
default  
defoe  
defunts  
delphine  
deluge  
denis  
denise  
desperate  
develop  
device  
dial  
diane  
didier  
diet  
dieter  
dieu  
digital  
dimanche  
dimitri  
disc  
discovery  
disk  
disney  
dog  
dominique  
donald  
donatien  
dos  
drought  
duncan  
dupond  
dupont  
durand  
dwladys  
eager  
earth  
easier  
easy  
eatme  
eau  
edges  
edinbourg  
edinburgh  
edith  
edmond  
edouard  
edwige  
edwin  
egghead  
eiderdown  
einstein  
elephant  
elisabeth  
elisee  
elizabeth  
ella  
ellen  
email  
emeline  
emerald  
emeraude  
emile  
emilie  
emma  
enclumes  
endeavour  
enemy  
engin  
engine  
engineer  
entreprise  
enzyme  
epiphanie  
erenity  
eric  
ersatz  
establish  
estate  
estelle  
ete  
eternity  
etienne  
euclid  
euclide  
eudes  
eugenie  
evelyn  
evrard  
extension  
eymard  
fabrice  
facile  
fairway  
famille  
felicia  
felicie  
felicite  
fender  
ferdinand  
fermat  
fernand  
ferrari  
fete  
fevrier  
fiacre  
fidele  
fidelite  
fidelity  
field  
file  
filet  
fini  
finite  
firmin  
fishers  
flakes  
fleche  
fleur  
fleurs  
float  
flocon  
flocons  
florent  
florentin  
flower  
flowers  
foolproof  
football  
foresight  
format  
forsythe  
fourier  
fraise  
framboise  
francine  
francois  
francoise  
fred  
frederic  
friend  
frighten  
fulbert  
fun  
function  
fungible  
gabin  
gabriel  
gaetan  
games  
gardner  
garfield  
gaston  
gateau  
gatien  
gatt  
gauss  
gautier  
gemeaux  
genevieve  
geoffroy  
george  
georges  
gerard  
geraud  
germain  
germaine  
gertrude  
ghislain  
gibson  
gilbert  
gildas  
gilles  
ginger  
gisele  
glacier  
gnu  
golf  
golfer  
gontran  
gorgeous  
gorges  
gosling  
gouge  
goutte  
graham  
grahm  
gras  
gregoire  
group  
gryphon  
gucci  
guenole  
guess  
guest  
guillaume  
guitar  
guitare  
gumption  
guntis  
guy  
gwladys  
habib  
hack  
hacker  
hal  
hamlet  
handily  
happening  
harmonie  
harmony  
harold  
harvey  
hawaii  
hebrides  
heinlein  
helene  
hello  
help  
henri  
herbert  
hermann  
hermes  
herve  
hiawatha  
hibernia  
hidden  
hippolyte  
hiver  
homework  
honey  
honore  
honorine  
horse  
horus  
hubert  
hugues  
humbert  
hutchins  
hyacinthe  
hydrogen  
ibm  
ida  
ignace  
igor  
imbroglio  
imbroglio  
immaculee  
imperial  
include  
inconnue  
ines  
info  
ingres  
ingress  
ingrid  
inna  
innocent  
innocuous  
internet  
invite  
irene  
irenee  
irishman  
irlande  
isabelle  
isidore  
isis  
jacqueline  
jacques  
janvier  
japan  
japon  
jean  
jean-baptiste  
jean-claude  
jean-francois  
jean-michel  
jean-pierre  
jean-yves  
jeanclaude  
jeanfrancois  
jeanmichel  
jeanne  
jeanpierre  
jeanyves  
jerome  
jessica  
jester  
jeudi  
jixian  
joel  
johnny  
joseph  
joshua  
jour  
judas  
judicael  
judith  
juggle  
juillet  
juin  
jules  
julia  
julien  
julienne  
juliette  
jumeaux  
jupiter  
juste  
justin  
justine  
kathleen  
kermit  
kernel  
kevin  
key  
kirkland  
kiwi  
knight  
ladle  
lambda  
lamination  
landry  
lapin  
larissa  
larkin  
larry  
laurent  
lazare  
lazarus  
lea  
lebesgue  
lee  
leger  
leland  
leon  
leonce  
leroy  
lewis  
library  
licorne  
light  
lion  
lisa  
lisp  
loch  
lock  
lockout  
louis  
louise  
lourdes  
love  
luc  
lucie  
lucien  
lumiere  
lundi  
lune  
lydie  
macintosh  
mack  
madeleine  
madelene  
maggot  
magic  
magique  
mai  
mail  
maint  
malcolm  
malcom  
manager  
mangue  
marc  
marcel  
marcelle  
marcellin  
mardi  
marguerite  
marie  
marie-madeleine  
marietta  
mariette  
marina  
marius  
mark  
markus  
mars  
marthe  
martial  
martin  
martine  
martinien  
marty  
marvin  
master  
math  
mathilde  
matthias  
matthieu  
maurice  
maxime  
medard  
melaine  
mellon  
memory  
mercredi  
mercure  
mercury  
meres  
merlin  
metro  
mets  
mgr  
michael  
michel  
michelle  
mike  
minimum  
minsky  
mit  
modem  
modeste  
mogul  
moguls  
monique  
mont  
moose  
morley  
morts  
mouse  
mozart  
mutant  
nadege  
nagel  
naissance  
nancy  
napoleon  
narcisse  
nasa  
natacha  
nathalie  
nationale  
nativite  
navette  
nepenthes  
neptune  
ness  
nestor  
net  
network  
new  
news  
newton  
next  
nicolas  
nina  
ninon  
nobody  
noel  
norbert  
notre  
novembre  
noxious  
nuclear  
nutrition  
nyquist  
oceanography  
ocelot  
october  
octobre  
odette  
odile  
odilon  
office  
olive  
olivetti  
olivia  
olivier  
open  
operator  
oracle  
orca  
orwell  
osiris  
outlaw  
oxford  
pacific  
pacifique  
pad  
padoue  
painless  
pakistan  
pam  
paper  
papers  
papiers  
paques  
parfait  
pascal  
pass  
password  
pat  
paterne  
patrice  
patricia  
patrick  
paul  
paule  
paulin  
peche  
pecheur  
pecheurs  
peggy  
pelagie  
pencil  
penguin  
penis  
pentecote  
peoria  
percolate  
peres  
persimmon  
persona  
pete  
peter  
peugeot  
peur  
philip  
philippe  
phoenix  
phone  
pierre  
pizza  
plane  
playboy  
plover  
pluto  
pluton  
plymouth  
poire  
poisson  
poissons  
polynomial  
pomme  
pondering  
porc  
pork  
porsche  
poster  
power  
praise  
precious  
prelude  
presence  
presto  
prevision  
prince  
princeton  
printemps  
prisca  
priv  
private  
privs  
professor  
profile  
program  
prosper  
protect  
protozoa  
prudence  
pub  
public  
pumpkin  
puppet  
quentin  
qwerty  
rabbit  
rainbow  
raindrop  
raissa  
raleigh  
rameaux  
random  
raoul  
rap  
rascal  
raymond  
reagan  
really  
rebecca  
regional  
reine  
remi  
remote  
renaud  
renault  
rene  
reponse  
requin  
reseau  
richard  
rick  
ripple  
risc  
rje  
robert  
robot  
robotics  
rochester  
rodent  
rodolphe  
rodrigue  
roger  
roi  
roland  
rolande  
rolex  
romain  
romano  
romaric  
romeo  
romuald  
ronald  
root  
rosalie  
rose  
rosebud  
roseline  
rosemary  
roses  
rosine  
ruben  
rules  
ruth  
sabine  
sacre  
sade  
sagittaire  
sainte  
sal  
sales  
salome  
samedi  
samson  
sandrine  
saturn  
saturne  
saturnin  
saxon  
scamper  
scheme  
school  
scorpion  
scott  
scotty  
sebastien  
secret  
security  
seigneur  
sensor  
septembre  
serenity  
serge  
service  
sesame  
severin  
sex  
sharc  
shark  
sharks  
sharon  
sheffield  
sheldon  
shell  
shiva  
shivers  
shuttle  
sidoine  
signature  
silvere  
simon  
simple  
simpsons  
singer  
single  
smile  
smiles  
smooch  
smother  
snatch  
snoopy  
soap  
socrate  
socrates  
solange  
somebody  
sophie  
sossina  
sourire  
souris  
souvenir  
sparrows  
spit  
spring  
springer  
squires  
stanislas  
strangle  
stratford  
student  
stuttgart  
subway  
succes  
success  
summer  
sun  
super  
superuser  
support  
supported  
surfer  
suzanne  
swearer  
sylvain  
sylvere  
sylvestre  
sylvie  
symmetry  
sys  
sysadmin  
system  
tangerine  
tanguy  
tape  
target  
tarragon  
tatiana  
taureau  
taylor  
tech  
telephone  
temptation  
tennis  
tentation  
terminal  
terre  
test  
thailand  
thailande  
thecle  
theodore  
theophile  
therese  
thibault  
thibaut  
thierry  
thomas  
tiger  
tigre  
toggle  
tomate  
tomato  
topography  
tortoise  
tortue  
toussaint  
toxic  
toyota  
trails  
transfer  
transfiguration  
travail  
trivial  
trombone  
tty  
tuba  
tubas  
tuttle  
ulrich  
umesh  
unhappy  
unicorn  
unix  
unknown  
uranus  
urbain  
urchin  
util  
utility  
uucp  
valentin  
vasant  
venceslas  
vendredi  
venus  
ver  
veronique  
verseau  
vertige  
vertigo  
vianney  
vicky  
victoire  
victor  
victorien  
vierge  
village  
vincent  
virgin  
virginia  
virginie  
virus  
visitation  
visitor  
viviane  
vivien  
volvo  
wargames  
warren  
water  
weenie  
whatever  
whatnot  
whiting  
whitney  
wholesale  
wilfried  
will  
william  
willie  
winston  
wisconsin  
wizard  
wombat  
woodwind  
word  
work  
wormwood  
wyoming  
xavier  
xaviere  
xfer  
xmodem  
xyz  
yaco  
yang  
yin  
yosemite  
yves  
yvette  
zap  
zimmerman  
zita  
zmodem  
zzz  
 
Written by "The Butler", a hacker at heart, a Systems Administrator 
in real life who enjoys learning as much as possible about any 
given system including how to circumvent its security measures. He 
has written articles for various hacker magazines that deal with 
computer security. He currently administers a PC Network for a 
medium size business (250 people). He also lectures to various 
groups including Local EDP Auditors Association, User Groups, and 
Private Corporations on how to protect their systems from hackers 
like himself but who use their knowledge for mischievous purposes.  
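A password acceptance check in the spirit of this article, written as an added example rather than code from the article or its author: it rejects the name and logon-id variations the author lists (TSMITH, SMITHT, TSMITH1, HTIMST), rejects entries from a constructed subset of the common-password list, and reproduces the table's search-space figures. The function names are hypothetical, and the 20 seconds per guess is an assumption chosen because it reproduces the article's "Average Time To Discover" column.

```python
"""Password acceptance check in the spirit of the ISSM article: reject
passwords derived from the user's name or logon id, reject entries from a
common-password list, and compute the 36-character search space behind the
article's table.  Added example, not the article's own code."""
import itertools

ALPHABET_SIZE = 36         # a-z plus 0-9, the alphabet assumed by the article's table
SECONDS_PER_GUESS = 20.0   # assumption: ~20 s per attempt at a dial-up login prompt;
                           # this rate reproduces the "Average Time To Discover" column

# Constructed subset of the article's common-password list, not the full list.
COMMON_PASSWORDS = {
    "password", "secret", "qwerty", "root", "guest", "admin", "sysadmin",
    "system", "hello", "test", "computer", "security", "love",
}


def name_variations(first, last, logon):
    """Every trivial form of the user's identifiers that a guesser tries first:
    each part alone (plus the first initial), pairwise concatenations,
    reversals, and a trailing digit (TSMITH, SMITHT, TOMSMITH, TSMITH1, HTIMST)."""
    parts = {p.lower() for p in (first, last, logon) if p}
    if first:
        parts.add(first[0].lower())
    combos = set(parts)
    for a, b in itertools.permutations(sorted(parts), 2):
        combos.add(a + b)                                    # TOMSMITH, SMITHT
    combos |= {c[::-1] for c in combos}                      # HTIMST
    combos |= {c + str(d) for c in combos for d in range(10)}  # TSMITH1
    return combos


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of possible passwords of the given length."""
    return alphabet ** length


def average_seconds_to_discover(length, alphabet=ALPHABET_SIZE,
                                per_guess=SECONDS_PER_GUESS):
    """Expected time for exhaustive guessing: half the space, on average."""
    return keyspace(length, alphabet) / 2 * per_guess


def check_password(candidate, first, last, logon,
                   wordlist=COMMON_PASSWORDS, min_len=6):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    pw = candidate.lower()
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw in name_variations(first, last, logon):
        reasons.append("derived from the user's name or logon id")
    # A list word with digits tacked on the end is still a list word.
    if pw in wordlist or pw.rstrip("0123456789") in wordlist:
        reasons.append("appears in the common-password list")
    return reasons


if __name__ == "__main__":
    for n in range(1, 6):
        days = average_seconds_to_discover(n) / 86400
        print(f"{n} chars: {keyspace(n):>12,} combinations, "
              f"~{days:9.1f} days on average")
    for pw in ("TSMITH1", "HTIMST", "secret1", "TREEFLOOR", "PAWH07"):
        verdict = check_password(pw, "Tom", "Smith", "TSMITH")
        print(f"{pw:10} -> {'accepted' if not verdict else '; '.join(verdict)}")
```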
 
  
========================end of article========================  
  
  
Dear Clyde          Responses to questions for those who are searching for the truth.  
   
Send your comments or questions to Clyde c/o the AIS Security 
Branch in Parkersburg, Room 1011, or leave them in Clyde's mailbox 
located on the Security bulletin boards throughout the Parkersburg 
office.  
  
Dear Clyde,   
What is the proper way to dispose of diskettes which are no longer 
able to be used? Are there security concerns here?  
                       Peggy  
Dear Peggy,   
Yes there are security concerns as the data stored on the diskettes 
may still be readable, if someone wants to take the effort to 
retrieve it. Therefore the diskettes should be disposed of 
properly. Any method of destroying the diskette can be used. 
Cutting it up as you do a credit card that is no longer to be used 
is one method. However the important thing is to make certain the 
disk surface, that is the inner contents of the envelope or plastic 
case, is destroyed.  
  
(Note: I personally prefer giving the disk several good whacks with 
my sword and lance to render it unusable.)   
  
  
Clyde ....... Sir Clyde?  
Rumor has it that Clyde is to be recognized for his continuing 
efforts in the arena of computer security by being knighted. There 
will be more on this in the next issue, stay tuned.  
  
========================end of article========================  
            
...........................................................   
             A Journey Behind (further behind)   
             The Dark Side of CYBERSPACE   
             Hackers in Their Illusive World: A Response   
...........................................................   
   
             A Response by: Dispater   
             Editor in Chief of Phrack Inc. Magazine   
             InterNet: phracksub@stormking.com   
   
First of all, I would like to thank Kim Clancy for providing me 
with the opportunity to reply to her article in the previous issue 
of the ISSM.  I find myself agreeing with her on more issues than 
not.  I read her piece on Cyberspace... Most of the article was 
good, but I felt unclear about what she was saying in the section 
titled "The Dark Side."  So I have attempted to present a few 
things from this hacker's viewpoint and make a few points where I 
have disagreed with her.  The ">" indicates Kim's previous 
writings.   
   
>...What is scary to me in regard to some of the avenues is   
>the ability for individuals to get to so many different   
>types of information...   
   
What scares me are the kinds of people who have access to   
the most personal parts of our lives compiled into data   
bases (like Information America) that are for sale to anyone   
who wants to pay the money or has the "power" to access it.   
Why does the government need to know my unlisted phone number?  Is 
it really any insurance agency's right to know that I have a son 
or daughter that is about to turn age 16, and will soon need to buy 
auto insurance?  I think I have the right not to be bothered by an 
onslaught of people that think they have something I want to 
purchase from them. If you really enjoy junk mail and computerized 
telephone sales calls you can thank these kinds of databases.   
   
>I am not stating that I think information should be   
>shielded from individuals.   
   
The more diverse sources of information we can all access, the 
better off society will become.  If we look at the past we can see 
how accuracy in books was improved drastically by the creation of 
the printing press.  The scribes of kings and church figures were 
no longer relied upon as authorities of various subject matter.  
Information was made cheap and easily possessed by the common man.  
Therefore if someone disagreed with some book that was printed, he 
and his guild could write their version of what THEY found to be 
true.  This promoted truth, accuracy, a deluge of human 
interaction, and free thought.   
   
>...I once went to a presentation about hackers.  The   
>presenter told a story about a mother who took her child's   
>computer modem out into the driveway and ran over it after   
>her son had been arrested for hacking...   
   
What was the parent doing while her child was hacking?   
Another thing we need to clarify is the use of the word   
"child."  These are not often children.  There is a certain   
level of mental development that must occur first.  I don't   
know much about child psychology, but I'd say that most kids   
under the age of 13 would have a bit of a difficult time   
understanding computer networking.  Most people in the   
computer underground are at least 16.  If they are not   
16 years old, almost every sysop I know kicks them off the   
system.  The young person should be allowed to explore in areas the  
parent might not agree with as long as he/she is willing to   
talk about it with the parent afterward. Why are we required to   
water down and censor all information so that it is safe and   
easily understandable to the "little children?"  If there is   
a 12 year old that has network access and is reading USENET's 
ALT.SEX.BONDAGE, I think there is a greater problem involved than 
the type of information the nets carry!!   
   
>While hackers spend time developing their skills and   
>learning how to master cyberspace they also use cyberspace   
>to share information about what they have learned.   
 
This is the great benefit of getting involved.  Everyone   
should own a computer because of this reason.   
   
>Information has been found on how to steal long distance   
>phone calls from the phone company, how to make a pipe bomb   
>and how to perform satanic rituals before sitting down to   
>hack.   
   
It is not illegal to know how to do any of the previously   
mentioned things.  As you mention later the information can   
also be found in such places like libraries.  We need to   
keep a few things in perspective here.  MOST of the   
information readily available on phone phreaking is so out   
dated, one couldn't hope to implement the use of such   
knowledge without most surely getting caught in an ESS (Electronic  
Switching System) environment.  Most of the United States' 
telephones are on such a system.   
   
Secondly, most of the information available on explosives is   
very crude.  Most of it isn't worth the time it took to   
download.  Actually there is more information available in   
the library on that subject than in all the data bases in   
the world.  I personally think this kind of thing is simply   
stupid.  I will not print that kind of thing in Phrack.   
That kind of information is typed in from books, by people   
who don't have anything else to do.   
 
In regards to "satanic rituals", it is difficult to make any   
comments about this because in all my years of calling BBS's   
and talking to other hackers, I have never seen such an   
animal.  I have seen *THREE* articles on the Wiccan religion   
which is similar to white witchcraft, but it's not even   
close to anything satanic.  However, other than this   
minuscule tidbit in cyberspace, the only things I've seen   
were things that were written as pranks and for joke   
purposes.  It amazes me that if one person has written   
something or done something it is representative of the   
whole community.  This is definitely not a responsible   
conclusion.  If some people would just open their eyes to   
reality, they would not see a computer underground filled   
with "satanic, child molesting anarchists".   
  
>I hesitate to write the above because I don't want people   
>to avoid the technology.  Everything I have found is in   
>most libraries, but the accessibility of it through   
>computers makes it much easier to obtain.   
   
You hesitate with good reason and you are correct about all   
that information being already in your local library.  The   
problem boils down to "digital censorship."  Some people are   
saying it's OK for a library to have the aforementioned   
information, but it's NOT OK for it to be on my computer's   
hard drive.   
   
In regards to that argument I say it is much easier to get   
the information from a library than the computer.  Let's   
take a look at the facts. First of all, most libraries are   
FREE.  On the other hand the average computer system   
(386/33) costs around $1500.  Your typical 8th grader   
doesn't usually have that kind of cash.   
   
The problem is that reality and virtual reality are the same   
for some of us.  We will promptly ignore silly rules like   
"it's ok for some people to know certain things, but it's   
not ok for me to know the same bit of information."   
In the information age we are all becoming much more aware   
of each other's presence.  We are finding out that we are   
all very different.  We each have some ideas that can   
easily shock others.  These ideas can and are being   
challenged by the other people we interact with.  Therefore,   
we should NEVER take the step back into the "electronic dark   
age."   
   
The really funny thing about all this is, everyone in the   
United States IS a part of cyberspace, even though most of   
them don't want to recognize this fact.  If your name is on   
a computer somewhere, you are in cyberspace!  So you'd   
better become aware of your existence.  Use it to learn and   
question why it's there!   
========================end of article========================    
 
OAIS Employees Volunteer to Judge Student Contest  
  
Every October, the Computer Learning Foundation, a non-profit 
educational foundation serving the United States and Canada, hosts 
Computer Learning Month. During that month, among many other 
activities, the foundation hosts numerous contests designed to 
encourage students, educators, and community members to explore new 
areas of using technology and to share their knowledge with others. 
These contests for students provide parents and teachers with an 
activity children can do today to begin thinking and learning about 
what it means to be a responsible user of technology. One of this 
year's contests was a student writing contest focusing on Adult 
Attitudes on the Value of Technology and Ethical Issues. Students 
were to interview one parent and one other adult and write a 
summary of their opinions on the value of technology in our lives 
and the ethical issues involved with using technology; the students 
then evaluated what they thought of the comments and opinions 
expressed by the adults they interviewed.   
  The Bureau of the Public Debt participated in this program, with 
several OAIS employees, Gretchen Bergmann, Kim Clancy, Bill Dobson, 
Zephery Ellerson, Joe Kordella, Gary Smith, and Ed Alesius, 
volunteering their time to judge the students' entries.  
  While the use of a computer was not required to create the 
critique, many submissions showed adept use of various word 
processing, desktop publishing and graphics software.  
  This interchange between the professional environment and schools 
proved to be very enlightening.  It is refreshing to see a group 
dedicate its effort to a much needed task: keeping schools up with 
technology and its responsible use.  
 
========================end of article========================   
QUICK FIX SECURITY 
 
The following is a listing of some easy-to-implement security 
controls that help a lot:  
  
 1. Set modem to answer after 4-5 rings.  
 2. Select a dial-up number from a different prefix or out of order 
    from the rest of your office.  
 3. Use call back features.  
 4. Use proprietary software for your communications e.g.,  
    PC Anywhere IV.  
 5. Use special modems for encryption and access control e.g.,  
    Leemah Datacom.  
 6. Disconnect after a certain period of inactivity.  
 7. Do not allow certain userids to have dial-up access.  
 8. Use caller id and call tracking.  
 9. Display a blank screen when a connection is made so the user 
    has no clue what they have connected to.   
  
 ========================end of article========================   
  
COMPUTER SPEAK  
COMPUTER TERMS AND THEIR MEANINGS  
access  n.  The ability of a subject to view, change, or 
communicate with an object in a computer system. Typically, access 
involves a flow of information between the subject and the object 
(for example, a user reads a file, a program creates a directory). 
cyberspace  n.  The world that is created by the connection of 
computers. Travels through this environment can be vast and 
undefined, just as space travel can be. This is the environment 
Cyberpunks call home.  
database  n.  A collection of data items processible by one or more 
programs.  
phreaking  v.  The art and science of cracking the phone network 
(so as, for example, to make free long-distance calls). By 
extension, security-cracking in any other context (especially, but 
not exclusively, on communications networks).  
virtual reality  n.  1. Computer simulations that use 3-D graphics 
and devices such as the Dataglove to allow the user to interact 
with the simulation. 2. A form of network interaction incorporating 
aspects of role-playing games, interactive theater, improvisational 
comedy, and "true confessions" magazines. In a virtual reality 
session, interaction between the participants is written like a 
shared novel.   
Phrack Inc. Magazine  n.  An electronically published and 
distributed magazine that focuses on technical issues.  
 
========================end of article========================   
  
Comptroller General Decision on EDI   
  
The Comptroller General of the United States has issued a decision 
that electronic data interchange (EDI) technologies, with 
enhancements such as message authentication and digital signatures, 
can create valid legal contractual obligations between the U.S. 
Government and the party with whom the agency contracts.  

Digest
   Contracts formed using Electronic Data Interchange technologies may
constitute valid obligations of the government for purposes of 31 U.S.C.
1501, so long as the technology used provides the same degree of
assurance and certainty as traditional "paper and ink" methods of
contract formation.

Decision
   By letter dated September 13, 1991, the Director, Computer Systems
Laboratory, National Institute of Standards and Technology (NIST), asked
whether federal agencies can use Electronic Data Interchange (EDI)
technologies, such as message authentication codes and digital
signatures, to create valid contractual obligations that can be recorded
consistent with 31 U.S.C.  1501.  For the reasons stated below, we
conclude that agencies can create valid obligations using properly
secured EDI systems.
 
Background  
  EDI is the electronic exchange of business information between 
parties, usually via a computer, using an agreed upon format.  EDI 
is being used to transmit shipping notices, invoices, bid requests, bid 
quotes and other messages.  Electronic contracting is the use of 
EDI technologies to create contractual obligations.  EDI allows the 
parties to examine the contract, usually on video monitors, but 
sometimes on paper facsimiles, store it electronically (for example on
magnetic tapes, on discs or in special memory chips), and recall 
it from storage to review it on video monitors, reproduce it on paper or
even mail it via electronic means.  Using EDI technologies, it is
possible for an agency to contract in a fraction of the time that
traditional practices take. 
  As NIST pointed out in its request, the "paperless" nature of the
technology has raised the question of whether electronic contracts
constitute obligations which may be recorded against the government. 
NIST is in the process of developing standards for electronic signatures
to be used in various applications,*1 including the formation of
contracts, but has been advised that section 1501 imposes a barrier to
the use of electronic technologies by federal agencies in this regard.

Discussion
   Section 1501 establishes the criteria for recording obligations
against the government.  The statute provides, in pertinent part, as
follows:
       "(a) An amount shall be recorded as an obligation of the United
        States Government only when supported by documentary evidence of-

             (1) a binding agreement between an agency and another person
             (including an agency) that is--

                  (A) in writing, in a way and form, and for a purpose
                  authorized by law. . . ."

31 U.S.C. 1501(a) (1) (A).

   Under this provision, two requirements must be satisfied:  first, the
agreement must bind both the agency and the party with whom the agency
contracts; second, the agreement must be in writing.

Binding Agreement
   The primary purpose of section 1501 (a) (1) is "to require that there
be an offer and an acceptance imposing liability on both parties."  39
Comp. Gen. 829, 831 (1960) (emphasis in original).  Hence the government
may record an obligation under section 1501 only upon evidence that both
parties to the contract willfully express the intent to be bound.  As
explained below, EDI technology provides both the agency and the
contractor the means to electronically "sign" a contract.
   A signature traditionally has provided such evidence.  See generally
65 Comp. Gen. 806, 810 (1986).  Because of its uniqueness, the
handwritten signature is probably the most universally accepted evidence
of an agreement to be bound by the terms of a contract.  See 65 Comp.
Gen. at 810.  Courts, however, have demonstrated a willingness to accept
other notations, not necessarily written by hand.  See, e.g., Ohl & Co.
v. Smith Iron Works, 288 U.S. 170, 176 (1932) (initials); Zacharie v.
Franklin, 37 U.S. (12 Pet.) 151, 161-62 (1838) (a mark); Benedict v.
Lebowitz, 346 F. 2d 120 (2nd Cir. 1965) (typed name); Tabas v. Emergency
Fleet Corporation, 9 F.2d 648, 649 (E.D. Penn. 1926) (typed, printed or
stamped signatures); Berryman v. Childs, 98 Neb. 450, 153 N.W. 486, 488
(1915) (a real estate brokerage used personalized listing contracts which
had the names of its brokers printed on the bottom of the contract in the
space where a handwritten signature usually appears).
   As early as 1951, we recognized that a signature does not have to be
handwritten and that "any symbol adopted as one's signature when affixed
with his knowledge and consent is a binding and legal signature."  B-
104590, Sept. 12, 1951.  Under this theory, we approved the use of
various signature machines ranging from rubber stamps to electronic
encryption devices.  See 33 Comp. Gen. 297 (1954); B-216035, Sept. 20,
1984.  For example, we held that a certifying officer may adopt and use
an electronic symbol generated by an electronic encryption device to sign
vouchers certifying payments.  B-216035, supra.  The electronic symbol
proposed for use by certifying officers, we concluded, embodied all of
the attributes of a valid, acceptable signature:  it was unique to the
certifying officer, capable of verification, and under his sole control
such that one might presume from its use that the certifying officer,
just as if he had written his name in his own hand, intended to be bound.
  EDI technology offers other evidence of an intent to be bound with the
same attributes as a handwritten signature.  We conclude that EDI systems
using message authentication codes which follow NIST's Computer Data
Authentication Standard (Federal Information Processing Standard (FIPS)
113)*2 or digital signatures following NIST's Digital Signature Standard,
as currently proposed, can produce a form of evidence that is acceptable
under section 1501.
   Both the message authentication code and the digital signature are
designed to ensure the authenticity of the data transmitted.  They
consist of a series of characters that are cryptographically linked to
the message being transmitted and correspond to no other message.  There
are various ways in which a message authentication code or digital
signature might be generated.  For example, either could be generated
when the sender inserts something known as a "smart card"*3 into a system
and inputs the data he wants to transmit.  Encoded on a circuit chip
located on the smart card is the sender's private key.  The sender's
private key is a sequence of numbers or characters which identifies the
sender, and is constant regardless of the transmission.  The message
authentication code and the digital signature are functions of the
sender's private key and the data just loaded into the system.  The two
differ primarily in the cryptographic methodology used in their
generation and verification.
   After loading his data into the system, the sender notifies the system
that he wants to "sign" his transmission.  Systems using message
authentication codes send a copy of the data to the chip on the smart
card; the chip then generates the message authentication code by applying
a mathematical procedure known as a cryptographic algorithm.  Systems using
digital signatures will send a condensed version of the data to the smart
card, which generates the digital signature by applying another
algorithm, as identified in NIST's proposed standard.  The card returns
the just-generated message authentication code or digital signature to
the system, which will transmit it and the data to the recipient.
   Under either approach, when an offeror or a contracting officer
notifies the system that he wants to "sign" a contract being transmitted,
he is initiating the procedure for generating a message authentication
code or digital signature with the intention of binding his company or 
agency, respectively, to the terms of the contract.*4 The code or the
digital signature evidences that intention, as would a handwritten or
other form of signature.  Both, generated using the sender's private key,
are unique to the sender; and, the sender controls access to and use of
his "smart card," where his key is stored.
   They are also verifiable.  When the recipient receives the contract,
either on his computer monitor or in paper facsimile, it will carry,
depending on which approach is used, a notation which constitutes the
message authentication code or the digital signature of the sender,
necessary information to validate the code or the signature and, usually,
the sender's name.  The recipient can confirm the authenticity of the
contract by entering the data that he just received and asking his system
to verify the code or the digital signature.  The system will then use
the information provided by the sender and either verify or reject it.*5
Both approaches use a key to verify the message just received; however,
the digital signature requires application of a different key from that
used to verify a message authentication code.  The change of any data
included in the message as transmitted will result in an unpredictable
change to the message authentication code or the digital signature. 
Therefore, when they are verified, the recipient is virtually certain to
detect any alteration.
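
As an added example (not part of the decision and not NIST's code), the two signing paths and the recipient's verification step described above, written in Go; HMAC-SHA256 stands in for the DES-based MAC of FIPS 113 and ECDSA for the proposed DSS algorithm, and the contract text and shared key are constructed sample values:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed sample: a purchase order in X12-like notation (not a real transaction).
const SampleContract = "ST*850*0001~BEG*00*SA*PO-12345**19920401~PO1*1*100*EA*9.95~SE*3*0001~"

// MACSign models the FIPS 113 path: a keyed algorithm applied to the whole message
// (HMAC-SHA256 here stands in for the DES-based MAC that FIPS 113 specifies).
func MACSign(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MACVerify: the recipient recomputes the MAC with the SAME secret key.
func MACVerify(key, msg, tag []byte) bool {
	return hmac.Equal(MACSign(key, msg), tag) // constant-time comparison
}

// DSSign models the DSS path: the card signs only a condensed form (hash) of the message; ECDSA stands in for DSA.
func DSSign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// DSVerify: the recipient checks with a DIFFERENT key, the sender's public key.
func DSVerify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// Exchange signs both ways, verifies the message unaltered, then a copy whose price was changed in transit.
func Exchange(contract string) (macOK, macTamper, sigOK, sigTamper bool, err error) {
	sharedKey := []byte("constructed-shared-mac-key")               // known to both parties
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // sender's card key
	if err != nil {
		return
	}
	msg := []byte(contract)
	altered := []byte(strings.Replace(contract, "9.95", "99.95", 1))
	tag := MACSign(sharedKey, msg)
	macOK, macTamper = MACVerify(sharedKey, msg, tag), !MACVerify(sharedKey, altered, tag)
	sig, err := DSSign(priv, msg)
	if err != nil {
		return
	}
	sigOK, sigTamper = DSVerify(&priv.PublicKey, msg, sig), !DSVerify(&priv.PublicKey, altered, sig)
	return
}

func main() { fmt.Println(Exchange(SampleContract)) }
```

Both paths accept the unaltered contract and reject the copy whose price field was changed; the MAC path needs the recipient to hold the same secret key, the signature path only the sender's public key.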

Writing
   To constitute a valid obligation under section 1501(a)(1)(A), a
contract must be supported by documentary evidence "in writing."  As NIST
pointed out, some have questioned whether EDI, because of the paperless
nature of the technology, fulfills this requirement.  We conclude that it
does.
   Prior to the enactment of section 1501, originally section 1311 of the
Supplemental Appropriations Act of 1955, *6 there was no "clean cut
definition of obligations."  H.R. Rep. No. 2266, 83rd Cong., 2d Sess. 50
(1954).  Some agencies had recorded questionable obligations, including
obligations based on oral contracts, in order to avoid withdrawal and
reversion of appropriated funds.  See 51 Comp. Gen. 631, 633 (1972). 
Section 1501 was enacted not to restrict agencies to paper and ink in the
formation of contracts, but because, as one court noted, "Congress was
concerned that the executive might avoid spending restrictions by
asserting oral contracts."  United States v. American Renaissance Lines,
494 F.2d 1059, 1062 (D.C. Cir. 1974), cert. denied, 419 U.S. 1020 (1974). 
The purpose of section 1501 was to require that agencies submit evidence
that affords a high degree of certainty and lessens the possibility of
abuse.  See H.R. Rep. No. 2266 at 50.
   While "paper and ink" offers a substantial degree of integrity, it is
not the only such evidence.  Some courts, applying commercial law (and
the Uniform Commercial Code in particular), have recognized audio tape
recordings, for example, as sufficient to create contracts.  See e.g.,
Ellis Canning Company v. Bernstein, 348 F. Supp. 1212 (D. Colo. 1972). 
The court, citing a Colorado statute, stated that the tape recording of
the terms of a contract is acceptable because it is a "reduction to
tangible form." *7  Id. at 1228.  In a subsequent case, a federal Court
of Appeals held that an audio tape recording of an agreement between the
Gainesville City Commission and a real estate developer was sufficient to
bind the Commission.  Londono v. City of Gainesville, 768 F.2d 1223 (11th
Cir. 1985).  The court held that the tape recording constituted a "signed
writing."  Id. at 1228.
   In our opinion, EDI technology, which allows the contract terms to be
examined in human readable form, as on a monitor, stored on electronic
media, recalled from storage and reviewed in human readable form, has an
integrity that is greater than an audio tape recording and equal to that
of a paper and ink contract.  Just as with paper and ink, EDI technology
provides a recitation of the precise terms of the contract and avoids the
risk of error inherent in oral testimony which is based on human
memory.*8  Indeed, courts, under an implied-in-fact contract theory, have
enforced contracts on far less documentation than would be available for
electronic contracts.  See Clark v. United States, 95 U.S. 539 (1877). 
See also Narva Harris Construction Corp. v. United States, 574 F.2d 508
(Ct. Cl. 1978).
   For the purpose of interpreting federal statutes, "writing" is defined
to include "printing and typewriting and reproductions of visual symbols
by photographing, multigraphing, mimeographing, manifolding, or
otherwise."  1 U.S.C. 1 (emphasis added).  Although the terms of
contracts formed using EDI are stored in a different manner than those of
paper and ink contracts, they ultimately take the form of visual symbols. 
We believe that it is sensible to interpret federal law in a manner to
accommodate technological advancements unless the law by its own terms
expressly precludes such an interpretation, or sound policy reasons exist
to do otherwise.  It is evident that EDI technology had not been
conceived nor, probably, was even anticipated at the times section 1501
and the statutory definition of "writing" were enacted.  Nevertheless, we
conclude that, given the legislative history of section 1501 and the
expansive definition of writing, section 1501 and 1 U.S.C. 1 encompass
EDI technology.
   Accordingly, agencies may create valid obligations using EDI systems
which meet NIST standards for security and privacy.



Comptroller General
of the United States
Sept. 13, 1990

General Counsel
U.S. General Accounting Office
441 G. Street, N.W.
Washington, D.C.  20548

Dear Sir:

As you know, National Institute of Standards and Technology (NIST) has
cooperated with the Department of Treasury and the General Accounting
Office to develop an electronic certification system wherein a
cryptographic Message Authentication Code (MAC) is used in place of a
written signature to bind a certifying officer to a payment order. 
Several other agencies have expressed their interest in using this or a
similar system as a substitute for a written signature.  In fulfillment
of our responsibilities under the Computer Security Act of 1987, NIST is
now in the process of developing a public key based Digital Signature
Standard (DSS) which is specifically designed for electronic signature
applications and will provide at least the same degree of security as the
MAC approach.  We have attached the DSS Federal Register Announcement and
draft DSS which is now issued for public comment.

We have often been told that legal impairments exist which prevent
agencies from implementing electronic signatures to bind the federal
government.  The specific statute cited is 31 U.S.C. 1501.  Before
formally recommending these standards for contracting and financial
management applications, I would like to request a General Accounting
Office decision as to whether NIST standards such as Federal Information
Processing Standard (FIPS) 113 and a finalized DSS may be used throughout
the federal government to record obligations under 31 U.S.C. 1501.  If
you need any further information in order to make your decision please
feel free to contact Miles Smid, (301) 975-2938, of my staff.

Sincerely,

James H. Burrows
Director, Computer Systems Laboratory

Enclosures
    

Standards) establish minimum acceptable practices for the security and
privacy of sensitive information in federal computer systems.  Computer
Security Act of 1987, Pub. L. No. 100-235, section 2, 101 Stat. 1724
(1988).


X9.9 for message authentication.  It outlines the criteria for the
cryptographic authentication of electronically transmitted data and for
the detection of inadvertent and/or intentional modifications of the
data.  By adopting the ANSI standard, FIPS 113 encourages private sector
applications of cryptographic authentication; the same standard is being
adopted by many financial institutions for authenticating financial
transactions.


integrated circuit chips which function as a computer.


codes and digital signatures will be available to both contractors and
contracting officers for use in government contracting.


complicated system of controls used to ensure that (1) no human knows the
sender's private key and (2) the information received from the sender for
validating the message authentication code or digital signature is
correct and accurate.




tape recording is not acceptable.  See Sonders v. Roosevelt, 102 A.D.2d
701, 476 N.Y.S.2d 331 (1984); Roos v. Aloi, 127 Misc.2d 864, 487 N.Y.S.2d
637 (N.Y. Sup. Ct. 1985).


agency must take appropriate steps to ensure the security of the
document, for example, to prevent fraudulent modification of the terms. 
Agencies should refer to NIST standards in this regard.  See, e.g., FIPS
113 (regarding message authentication codes).  In addition, agencies
should refer to the GSA regulations regarding the maintenance of
electronic records, see 41 C.F.R. 201-45.2, and to the Federal Rules of
Evidence with regard to managing electronic records to ensure
admissibility, see generally Department of Justice Report, "Admissibility
of Electronically Filed Federal Records as Evidence," Systems Policy
Staff, Justice Management Division (October 1990).

   

========================end of article========================    
  
Security Hall of Fame Established  
 
Clyde's Computer Security Hall of Fame is being established to 
recognize those who contribute above and beyond the normal call of 
duty to the advancement and enhancement of Public Debt's computer 
security program.  
  The first inductee to this much sought honor is Bob Settles. Bob 
came to Public Debt immediately upon his graduation from college 
in 1964. Apart from a two-year stint in Vietnam, his first 18 years 
were spent with the Internal Audit Staff. Then, in 1982, he was 
selected to manage the AIS Security Branch and has served in that 
capacity ever since. During his tenure as manager, the Branch's 
responsibilities have grown steadily to keep pace with the emphasis 
placed on information systems security throughout the Government. 
Public Debt's security program is now among the most highly 
regarded in the Treasury Department.  
  Bob has recently accepted a Computer Specialist position with the 
Treasury Department at its main office in Washington, D.C.  
  Bob epitomized the best in seasoned management and his departure 
will be keenly felt. We wish him the best in his new position!   
 
========================end of article========================    
  
What's New?  
 
ISSMs gain recognition in international publication  
The Public Debt Computer Security Program and the ISSMs received 
international recognition when an article written by Kim Clancy and 
Joe Kordella was published in ISPNews in the Jan/Feb 1992 edition.  
The article presented the role computer security plays in the 
protection of critical information assets of Public Debt in an 
environment of rapid technological change.  It stressed that the 
ISSMs are key players in the implementation of the security 
program.  
  
New Security Branch Manager Selected  
The selection of Kim Clancy as the Security Branch Manager 
completes the consolidation of the Branch in Parkersburg.  Kim was 
previously a security analyst in the AIS Security Branch.  Prior 
to that, she was a computer security analyst for the State of 
Arizona, for over three years.  She was also a computer systems 
security officer in the United States Air Force.  
 
========================end of article========================    
 
The AIS Security Branch runs an Electronic BBS. Give us a call at  
(304) 420-6083.  An electronic version of the ISSM is posted on the 
board and can be downloaded.  Articles in the electronic version 
may include more detail in that we are not limited by space 
constraints as we are in the paper copy.    
 
The ISSM is a quarterly publication of the Department of Treasury, 
Bureau of the Public Debt, AIS Security Branch, 200 3rd Street, 
Parkersburg, WV 26101  (304) 420-6368  
  
Editors:     Kim Clancy  
             Joe Kordella  
             Ed Alesius  
             Mary Clark

