almost everything you ever wanted to know about security (but.txt
I believe that this program was aired on the BBC's "HORIZON" program,
and thus will be available from BBC Enterprises, but I haven't checked
this out yet - AEM

[Raymond] (Ed.)
The New Hackers Dictionary/Online Jargon File

A mish-mash of history and dictionary definitions which explains why it
is so wonderful to be a hacker, and why those crackers who aren't
hackers want to be called "hackers". The Jargon File version is
available online - check an archie database for details. Latest
revision: 2.99.

[Gasser]
Building a Secure Computer System.

By Morrie Gasser, and van Nostrand Reinhold; explains what is required
to build a secure computer system.

[Rainbow Series] (Especially the "Orange Book")

>From: epstein@trwacs.fp.trw.com (Jeremy Epstein)
>The "Rainbow Series" consists of about 25 volumes. Some of the
>more interesting ones are:
>
> The "Orange Book", or Trusted Computer Systems Evaluation
> Criteria, which describes functional and assurance
> requirements for computer systems
>
> Trusted Database Interpretation, which talks both about
> trusted databases and building systems out of trusted
> components
>
> Trusted Network Interpretation, which (obviously) talks
> about networked systems
>
>A (possibly) complete list is:
> -- Department of Defense Trusted Computer System Evaluation Criteria
> (TCSEC), aka the "Orange Book"
> -- Computer Security Subsystem Interpretation of the TCSEC
> -- Trusted Data Base Management System Interpretation of the TCSEC
> -- Trusted Network Interpretation of the TCSEC
> -- Trusted Network Interpretation Environments Guideline -- Guidance
> for Applying the Trusted Network Interpretation
> -- Trusted Unix Working Group (TRUSIX) Rationale for Selecting
> Access Control List Features for the Unix System
> -- Trusted Product Evaluations -- A Guide for Vendors
> -- Computer Security Requirements -- Guidance for Applying the DoD
> TCSEC in Specific Environments
> -- Technical Rationale Behind CSC-STD-003-85: Computer Security
> Requirements
> -- Trusted Product Evaluation Questionnaire
> -- Rating Maintenance Phase -- Program Document
> -- Guidelines for Formal Verification Systems
> -- A Guide to Understanding Audit in Trusted Systems
> -- A Guide to Understanding Trusted Facility Management
> -- A Guide to Understanding Discretionary Access Control in Trusted
> Systems
> -- A Guide to Understanding Configuration Management in Trusted
> Systems
> -- A Guide to Understanding Design Documentation in Trusted Systems
> -- A Guide to Understanding Trusted Distribution in Trusted Systems
> -- A Guide to Understanding Data Remanence in Automated Information
> Systems
> -- Department of Defense Password Management Guideline
> -- Glossary of Computer Security Terms
> -- Integrity in Automated Information Systems
>
>You can get your own copy (free) of any or all of the books by
>writing or calling:
>
> INFOSEC Awareness Office
> National Computer Security Centre
> 9800 Savage Road
> Fort George G. Meade, MD 20755-6000
> Tel +1 301 766-8729
>
>If you ask to be put on the mailing list, you'll get a copy of each new
>book as it comes out (typically a couple a year).

>From: kleine@fzi.de (Karl Kleine)
>I was told that this offer is only valid for US citizens ("We only send
>this stuff to a US postal address"). Non-US people have to PAY to get
>hold of these documents. They can be ordered from NTIS, the National
>Technical Information Service:
> NTIS,
> 5285 Port Royal Rd,
> Springfield VA 22151,
> USA
> order dept phone: +1-703-487-4650, fax +1-703-321-8547

>From: Ulf Kieber <kieber@de.tu-dresden.inf.freia>
>just today I got my set of the Rainbow Series.
>
>There are three new books:
> -- A Guide to Understanding Trusted Recovery in Trusted Systems
> -- A Guide to Understanding Identification and Authentication in Trusted
> Systems
> -- A Guide to Writing the Security Features User's Guide for Trusted Systems
>
>They also shipped
> -- Advisory Memorandum on Office Automation Security Guideline
>issued by NTISS. Most of the books (except three or four) can also be
>purchased from
>
> U.S. Government Printing Office
> Superintendent of Documents
> Washington, DC 20402 phone: (202) 783-3238
>
>>-- Integrity in Automated Information Systems
>THIS book was NOT shipped to me--I'm not sure if it is still in
>the distribution.

>From: epstein@trwacs.fp.trw.com (Jeremy Epstein)
>...
>The ITSEC (Information Technology Security Evaluation Criteria) is a
>harmonized document developed by the British, German, French, and
>Netherlands governments. It separates functional and assurance
>requirements, and has many other differences from the TCSEC.
>
>You can get your copy (again, free/gratis) by writing:
>
> Commission of the European Communities
> Directorate XIII/F
> SOG-IS Secretariat
> Rue de la Loi 200
> B-1049 BRUSSELS
> Belgium

Also note that NCSC periodically publish an "Evaluated Products List"
which is the definitive statement of which products have been approved
at what TCSEC level under which TCSEC interpretations. This is useful
for separating the output of marketdroids from the truth.

Papers:

[Morris & Thompson]
Password Security, A Case History

A wonderful paper, first published in CACM in 1974, which is now often
to be found in the Unix Programmer Docs supplied with many systems.

[Curry]
Improving the Security of your Unix System.

A marvellous paper detailing the basic security considerations every
Unix systems manager should know. Available as "security-doc.tar.Z"
from FTP sites (check an Archie database for your nearest site.)

[Klein]
Foiling the Cracker: A Survey of, and Improvements to, Password Security.

A thorough and reasoned analysis of password cracking trends, and the
reasoning behind techniques of password cracking. Your nearest copy
should be easily found via Archie, searching for the keyword "Foiling".

[Cheswick]
The Design of a Secure Internet Gateway.

Great stuff. It's research.att.com:/dist/Secure_Internet_Gateway.ps

[Cheswick]
An Evening With Berferd: in which a Cracker is Lured, Endured and Studied.

Funny and very readable, somewhat in the style of [Stoll] but more
condensed. research.att.com:/dist/berferd.ps

[Bellovin89]
Security Problems in the TCP/IP Protocol Suite.

A description of security problems in many of the protocols widely used
in the Internet. Not all of the discussed protocols are official
Internet Protocols (i.e. blessed by the IAB), but all are widely used.
The paper originally appeared in ACM Computer Communications Review,
Vol 19, No 2, April 1989. research.att.com:/dist/ipext.ps.Z

[Bellovin91]
Limitations of the Kerberos Authentication System

A discussion of the limitations and weaknesses of the Kerberos
Authentication System. Specific problems and solutions are presented.
Very worthwhile reading. Available on research.att.com via anonymous
ftp, originally appeared in ACM Computer Communications Review but the
revised version (identical to the online version, I think) appeared in
the Winter 1991 USENIX Conference Proceedings.

[Muffett]
Crack documentation.

The information which accompanies Crack contains a whimsical explanation
of password cracking techniques and the optimisation thereof, as well as
an incredibly long and silly diatribe on how to not choose a crackable
password. A good read for anyone who needs convincing that password
cracking is _really easy_.

[Farmer]
COPS

Read the documentation provided with COPS. Lots of hints and
philosophy. The where, why and how behind the piece of security
software that started it all.

[CERT]
maillists/advisories/clippings

CERT maintains archives of useful bits of information that it gets from
USENET and other sources. Also archives of all the security
"advisories" that it has posted (ie: little messages warning people that
there is a hole in their operating system, and where to get a fix)

[OpenSystemsSecurity]

A notorious (but apparently quite good) document, which has been dogged
by being in a weird postscript format.

>From: amesml@monu1.cc.monash.edu.au (Mark L. Ames)
>I've received many replies to my posting about Arlo Karila's paper,
>including the news (that I and many others have missed) that a
>manageable postscript file and text file are available via anonymous ftp
>from ajk.tele.fi (131.177.5.20) in the directory PublicDocuments.

These are all available for FTP browsing from "cert.sei.cmu.edu".

[RFC-1244]
Site Security Handbook

RFC-1244 : JP Holbrook & JK Reynolds (Eds.) "The Site Security Handbook"
covering incident handling and prevention. July 1991; 101 pages
(Format: TXT=259129 bytes), also called "FYI 8"

[USENET]
comp.virus: for discussions of virii and other nasties, with a PC bent.
comp.unix.admin: for general administration issues
comp.unix.<platform>: for the hardware/software that YOU use.
comp.protocols.tcp-ip: good for problems with NFS, etc.

Q.20 How silly can people get?

This section (which I hope to expand) is a forum for learning by
example; if people have a chance to read about real life (preferably
silly) security incidents, it will hopefully instill in readers some of
the zen of computer security without the pain of experiencing it.

If you have an experience that you wish to share, please send it to the
editors. It'll boost your karma no end.

---------------------------------------------------------------------------

aem@aber.ac.uk: The best story I have is of a student friend of mine
(call him Bob) who spent his industrial year at a major computer
manufacturing company. In his holidays, Bob would come back to college
and play AberMUD on my system.

Part of Bob's job at the company involved systems management, and the
company was very hot on security, so all the passwords were random
strings of letters, with no sensible order. It was imperative that the
passwords were secure (this involved writing the random passwords down
and locking them in big, heavy duty safes).

One day, on a whim, I fed the MUD persona file passwords into Crack as a
dictionary (the passwords were stored plaintext) and then ran Crack on
our system's password file. A few student accounts came up, but nothing
special. I told the students concerned to change their passwords - that
was the end of it.

Being the lazy guy I am, I forgot to remove the passwords from the Crack
dictionary, and when I posted the next version to USENET, the words went
too. It went to the comp.sources.misc moderator, came back over USENET,
and eventually wound up at Bob's company. Round trip: ~10,000 miles.

Being a cool kinda student sysadmin dude, Bob ran the new version of
Crack when it arrived. When it immediately churned out the root
password on his machine, he damn near fainted...

The moral of this story is: never use the same password in two different
places, and especially on untrusted systems (like MUDs).

-- aem@aber.ac.uk aem@uk.ac.aber aem%aber@ukacrl.bitnet mcsun!uknet!aber!aem
- send (cryptographic) comp.sources.misc material to: aem@aber.ac.uk -
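The audit the story describes, written out as an added example that is not part of the original FAQ and is not Crack: plaintext passwords held by one system (a constructed MUD persona file) are tested against the salted hashes in another system's password file, and every account whose password turns up in the other system is reported. The hash format (user:salt:sha256 hex) and all names and passwords are constructed for the example; real systems use crypt(3), bcrypt or similar, but the audit logic is the same for any salted scheme.

```python
"""Password-reuse audit across two systems (added example, not the FAQ's code)."""
import hashlib
import hmac


def hash_password(password: str, salt: str) -> str:
    """Constructed salted hash for the example; a stand-in for crypt(3)/bcrypt."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def parse_persona_file(text: str) -> list[tuple[str, str]]:
    """MUD persona file: plaintext 'name:password' per line, as in the story."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, password = line.partition(":")
        entries.append((name, password))
    return entries


def parse_password_file(text: str) -> list[tuple[str, str, str]]:
    """System password file in the constructed 'user:salt:digest' format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, salt, digest = line.split(":", 2)
        entries.append((user, salt, digest))
    return entries


def audit_reuse(personas, password_entries):
    """Return [(user, persona)] for every account whose hash matches a MUD password.

    Each candidate is re-hashed under the account's own salt, which is all a
    dictionary run needs once the plaintext has leaked from somewhere else:
    salting protects against precomputation, not against reuse.
    """
    hits = []
    for user, salt, digest in password_entries:
        for persona, password in personas:
            if hmac.compare_digest(hash_password(password, salt), digest):
                hits.append((user, persona))
                break  # one match per account is enough to report
    return hits


# Constructed sample data: not real accounts, passwords or hashes.
MUD_PERSONAS = """\
# name:password, stored in the clear
bob:xq7vz9lp
alice:dragon
"""

SYSTEM_PASSWD = "\n".join([
    "root:s1:" + hash_password("xq7vz9lp", "s1"),        # same string as Bob's MUD password
    "student1:s2:" + hash_password("dragon", "s2"),      # same string as alice's MUD password
    "admin:s3:" + hash_password("correct-horse", "s3"),  # not in the MUD file
])


def run_audit() -> list[tuple[str, str]]:
    """Run the audit over the constructed sample data."""
    return audit_reuse(parse_persona_file(MUD_PERSONAS), parse_password_file(SYSTEM_PASSWD))


if __name__ == "__main__":
    for user, persona in run_audit():
        print(f"account {user!r} uses the same password as MUD persona {persona!r}")
```

Run stand-alone it reports root (reused from Bob's persona) and student1 (reused from alice's); admin, whose password appears nowhere else, is not reported. The remediation matches the story's moral: the flagged accounts get new passwords, and the plaintext list is never allowed to travel on to a third system.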