From owner-freebsd-security Sun Aug 13 17:31:52 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id RAA14766 for security-outgoing; Sun, 13 Aug 1995 17:31:52 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id RAA14749 ; Sun, 13 Aug 1995 17:31:49 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.11/8.6.9) with SMTP id RAA02215; Sun, 13 Aug 1995 17:31:05 -0700
Message-Id: <199508140031.RAA02215@precipice.shockwave.com>
To: "Greg Rowe"
cc: freebsd-security@FreeBSD.org, questions@FreeBSD.org
Subject: Re: S/key and WU-FTPD
In-reply-to: Your message of "Thu, 10 Aug 1995 14:03:27 CDT." <9508101403.ZM12038@nevis.oss.uswest.net>
Date: Sun, 13 Aug 1995 17:31:04 -0700
From: Paul Traina
Sender: security-owner@FreeBSD.org
Precedence: bulk

Greg,

I've found and fixed the problem with wu-ftpd and S/key. All you need to do is edit src/Makefile (or files/Makefile.fb2) and add " -lmd" after "-lskey" in that file and rebuild.

I've also fixed the ports distribution, and I'd suggest simply re-supping and rebuilding as your simplest alternative.

Regards,
Paul

p.s. sorry for the delay

  From: "Greg Rowe"
  Subject: S/key and WU-FTPD

  S/Key works fine, WU-FTPD works fine. Just not together...I get the following:

  220 kits FTP server (Version wu-2.4(1) Thu Aug 10 10:37:20 CDT 1995) ready.
  Name (kits:root): greg2
  331 s/key 93 fi66239
  Password:
  421 Service not available, remote server has closed connection
  Login failed.

  S/key does work correctly with the "stock" FreeBSD FTPD. I'm using 2.0.5 Release with the CERT patches for S/key and WU-FTPD from the CD/ROM. Any ideas would be appreciated.

  --
  Greg Rowe | US West - Interact Services | INTERNET greg@uswest.net
  111 Washington Ave. South | Fax: (612) 672-8537
  Minneapolis, MN USA 55401 | Voice: (612) 672-8535

  To err is human, to really foul up requires the root password.

From owner-freebsd-security Thu Aug 17 05:44:06 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id FAA07903 for security-outgoing; Thu, 17 Aug 1995 05:44:06 -0700
Received: from eikon.e-technik.tu-muenchen.de (eikon.regent.e-technik.tu-muenchen.de [129.187.42.3]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id FAA07872 for ; Thu, 17 Aug 1995 05:43:51 -0700
Received: from vector.eikon.e-technik.tu-muenchen.de (vector.eikon.e-technik.tu-muenchen.de [129.187.142.36]) by eikon.e-technik.tu-muenchen.de (8.6.12/8.6.9) with ESMTP id OAA14054 for ; Thu, 17 Aug 1995 14:42:22 +0200
Received: (from terry@localhost) by vector.eikon.e-technik.tu-muenchen.de (8.6.11/8.6.9) id OAA08020 for security@freebsd.org; Thu, 17 Aug 1995 14:42:30 +0200
Date: Thu, 17 Aug 1995 14:42:30 +0200
From: Terry Carroll
Message-Id: <199508171242.OAA08020@vector.eikon.e-technik.tu-muenchen.de>
To: security@freebsd.org
Subject: Login hole
Sender: security-owner@freebsd.org
Precedence: bulk

Login with no home directory should be denied for normal user. Should not drop one into /.

From owner-freebsd-security Thu Aug 17 06:14:19 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id GAA09296 for security-outgoing; Thu, 17 Aug 1995 06:14:19 -0700
Received: from fslg8.fsl.noaa.gov (fslg8.fsl.noaa.gov [137.75.131.171]) by freefall.FreeBSD.org (8.6.11/8.6.6) with SMTP id GAA09288 for ; Thu, 17 Aug 1995 06:14:17 -0700
Received: by fslg8.fsl.noaa.gov (5.57/Ultrix3.0-C) id AA04890; Thu, 17 Aug 95 13:14:15 GMT
Received: by emu.fsl.noaa.gov (1.38.193.4/SMI-4.1 (1.38.193.4)) id AA03564; Thu, 17 Aug 1995 07:14:13 -0600
Date: Thu, 17 Aug 1995 07:14:13 -0600
From: kelly@fsl.noaa.gov (Sean Kelly)
Message-Id: <9508171314.AA03564@emu.fsl.noaa.gov>
To: terry@vector.eikon.e-technik.tu-muenchen.de
Cc: security@freebsd.org
In-Reply-To: <199508171242.OAA08020@vector.eikon.e-technik.tu-muenchen.de> (terry@vector.eikon.e-technik.tu-muenchen.de)
Subject: Re: Login hole
Sender: security-owner@freebsd.org
Precedence: bulk

>>>>> "Terry" == Terry Carroll writes:

Terry> Login with no home directory should be denied for normal
Terry> user. Should not drop one into /.

I realize precedent isn't necessarily a good reason for inaction, but on every SysV and BSD system I've used, no login directory leaves you in /. Some of my users find this behavior convenient ... if the NFS server for their home directories is down, they can still read mail.

--
Sean Kelly
NOAA Forecast Systems Lab, Boulder Colorado USA

It's sad that a family can be torn apart by something as simple as a pack of wild dogs.
-- Jack Handey

From owner-freebsd-security Thu Aug 17 06:58:16 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id GAA12786 for security-outgoing; Thu, 17 Aug 1995 06:58:16 -0700
Received: from pain.csrv.uidaho.edu (pain.csrv.uidaho.edu [129.101.114.109]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id GAA12780 for ; Thu, 17 Aug 1995 06:58:14 -0700
Received: from pain.csrv.uidaho.edu (localhost [127.0.0.1]) by pain.csrv.uidaho.edu (8.6.11/8.6.9) with ESMTP id GAA22209; Thu, 17 Aug 1995 06:46:59 -0700
Message-Id: <199508171346.GAA22209@pain.csrv.uidaho.edu>
To: kelly@fsl.noaa.gov (Sean Kelly)
cc: terry@vector.eikon.e-technik.tu-muenchen.de, security@freebsd.org
Subject: Re: Login hole
In-reply-to: Your message of "Thu, 17 Aug 1995 07:14:13 MDT." <9508171314.AA03564@emu.fsl.noaa.gov>
X-Web: <"http://www.cs.uidaho.edu:8000/">
X-OS: 4.4BSD derivatives
Date: Thu, 17 Aug 1995 06:46:58 -0700
From: Faried Nawaz
Sender: security-owner@freebsd.org
Precedence: bulk

Sean Kelly wrote...

  >>>>> "Terry" == Terry Carroll writes:

  Terry> Login with no home directory should be denied for normal
  Terry> user. Should not drop one into /.

edit /usr/src/usr.bin/login/login.c and play with lines 349-354.

  I realize precedent isn't necessarily a good reason for inaction, but on every SysV and BSD system I've used, no login directory leaves you in /. Some of my users find this behavior convenient ... if the NFS server for their home directories is down, they can still read mail.

i believe hp-ux 9.x doesn't let you on if you have no ~. i think that happens only if your passwd entry is managed by nis, though.

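Added example (not part of any message in this thread, and not FreeBSD's login.c): a C model of the decision being argued over, namely what login does when the home directory cannot be entered. It covers the traditional fall-back to /, the outright denial Terry proposes, and a variant that exempts group wheel, which comes up further down the thread. All type and function names are hypothetical, and the sample users are constructed.

```c
/* Added illustration, not FreeBSD's login.c. All names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum home_policy {
    HOME_FALLBACK_ROOT,      /* traditional behaviour: land in "/" */
    HOME_DENY,               /* refuse the login outright */
    HOME_DENY_UNPRIVILEGED   /* refuse unless the user is in group wheel */
};

enum login_result { LOGIN_HOME, LOGIN_FALLBACK, LOGIN_DENIED };

struct login_ctx {
    const char *user;        /* login name, used only in messages */
    const char *home;        /* pw_dir from the passwd entry */
    int         in_wheel;    /* 1 if the user is a member of group wheel */
};

/*
 * Try to enter the user's home directory; if that fails, apply `policy`.
 * On LOGIN_HOME or LOGIN_FALLBACK the directory actually used is copied
 * to dir_out. On LOGIN_DENIED dir_out is left as the empty string.
 */
enum login_result
enter_home(const struct login_ctx *c, enum home_policy policy,
           char *dir_out, size_t len)
{
    if (len > 0)
        dir_out[0] = '\0';

    if (chdir(c->home) == 0) {
        snprintf(dir_out, len, "%s", c->home);
        return LOGIN_HOME;
    }

    /* Home is missing or unreachable (e.g. the NFS server is down). */
    fprintf(stderr, "No home directory %s for %s\n", c->home, c->user);

    if (policy == HOME_DENY ||
        (policy == HOME_DENY_UNPRIVILEGED && !c->in_wheel))
        return LOGIN_DENIED;

    if (chdir("/") != 0)
        return LOGIN_DENIED;     /* cannot even reach "/": give up */

    snprintf(dir_out, len, "%s", "/");
    fprintf(stderr, "Logging in with home = \"/\"\n");
    return LOGIN_FALLBACK;
}

int main(void)
{
    /* Constructed sample users; the home path is assumed not to exist. */
    struct login_ctx users[] = {
        { "alice", "/nonexistent-home-example", 0 },
        { "admin", "/nonexistent-home-example", 1 },
    };
    const char *names[] = { "home", "fallback to /", "denied" };
    char dir[256];

    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        enum login_result r =
            enter_home(&users[i], HOME_DENY_UNPRIVILEGED, dir, sizeof dir);
        printf("%s: %s\n", users[i].user, names[r]);
    }
    return 0;
}
```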
From owner-freebsd-security Thu Aug 17 07:59:11 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id HAA16983 for security-outgoing; Thu, 17 Aug 1995 07:59:11 -0700
Received: from strider.ibenet.it ([194.179.130.1]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id HAA16956 for ; Thu, 17 Aug 1995 07:58:58 -0700
Received: (from piero@localhost) by strider.ibenet.it (8.6.12/8.6.12) id QAA00714; Thu, 17 Aug 1995 16:59:15 +0200
From: Piero Serini
Message-Id: <199508171459.QAA00714@strider.ibenet.it>
Subject: Re: Login hole
To: kelly@fsl.noaa.gov (Sean Kelly)
Date: Thu, 17 Aug 1995 16:59:14 +0200 (MET DST)
Cc: terry@vector.eikon.e-technik.tu-muenchen.de, security@freebsd.org
In-Reply-To: <9508171314.AA03564@emu.fsl.noaa.gov> from "Sean Kelly" at Aug 17, 95 07:14:13 am
Reply-To: Piero@strider.ibenet.it
Operating-System: FreeBSD 1.1.5.1
X-Phone-Number: +39 (2) 58113562
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 575
Sender: security-owner@freebsd.org
Precedence: bulk

Hello.

Quoting from Sean Kelly (Thu Aug 17 15:14:13 1995):
...
> in /. Some of my users find this behavior convenient ... if the NFS
> server for their home directories is down, they can still read mail.

Yes, it's ok, it's not a security hole, as a normal user can do no more harm this way than (s)he can do logging in with his/her usual home.

Bye,
--
# $Id: .signature,v 1.12 1995/08/14 12:10:54 piero Exp $
Piero Serini
Via Giambologna, 1
I 20136 Milano - ITALY

From owner-freebsd-security Thu Aug 17 09:57:01 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id JAA24516 for security-outgoing; Thu, 17 Aug 1995 09:57:01 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id JAA24510 for ; Thu, 17 Aug 1995 09:57:00 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.11/8.6.9) with SMTP id JAA01386; Thu, 17 Aug 1995 09:35:49 -0700
Message-Id: <199508171635.JAA01386@precipice.shockwave.com>
To: Terry Carroll
cc: security@freebsd.org
Subject: Re: Login hole
In-reply-to: Your message of "Thu, 17 Aug 1995 14:42:30 +0200." <199508171242.OAA08020@vector.eikon.e-technik.tu-muenchen.de>
Date: Thu, 17 Aug 1995 09:35:48 -0700
From: Paul Traina
Sender: security-owner@freebsd.org
Precedence: bulk

  From: Terry Carroll
  Subject: Login hole

  Login with no home directory should be denied for normal user. Should not drop one into /.

I disagree. This would deny access to a user who has a remote directory that is temporarily inaccessible. State why you believe this should be the case?

From owner-freebsd-security Thu Aug 17 11:34:29 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id LAA01045 for security-outgoing; Thu, 17 Aug 1995 11:34:29 -0700
Received: from mpp.minn.net (mpp.Minn.Net [204.157.201.242]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id LAA01039 for ; Thu, 17 Aug 1995 11:34:26 -0700
Received: (from mpp@localhost) by mpp.minn.net (8.6.11/8.6.9) id NAA05161; Thu, 17 Aug 1995 13:31:23 -0500
From: Mike Pritchard
Message-Id: <199508171831.NAA05161@mpp.minn.net>
Subject: Re: Login hole
To: terry@vector.eikon.e-technik.tu-muenchen.de (Terry Carroll)
Date: Thu, 17 Aug 1995 13:31:22 -0500 (CDT)
Cc: security@freebsd.org
In-Reply-To: <199508171242.OAA08020@vector.eikon.e-technik.tu-muenchen.de> from "Terry Carroll" at Aug 17, 95 02:42:30 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 615
Sender: security-owner@freebsd.org
Precedence: bulk

Terry Carroll wrote:
>
> Login with no home directory should be denied for normal user.
> Should not drop one into /.

Yes it should. A very good example is if the file system that contains the home directories could not be mounted or is inaccessible for some reason. Normally I can just login via dial up and su to fix it. If login didn't let me in, I would have to drive into work and login as root on the console to fix it.

You can also make the argument that users in group wheel are not "normal users".

--
Mike Pritchard
mpp@mpp.minn.net
"Go that way. Really fast. If something gets in your way, turn"

From owner-freebsd-security Thu Aug 17 19:07:49 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id TAA23565 for security-outgoing; Thu, 17 Aug 1995 19:07:49 -0700
Received: from beta.wsl.sinica.edu.tw (beta.wsl.sinica.edu.tw [140.109.7.2]) by freefall.FreeBSD.org (8.6.11/8.6.6) with SMTP id TAA23558 for ; Thu, 17 Aug 1995 19:07:42 -0700
From: ywliu@beta.wsl.sinica.edu.tw
Message-Id: <199508180207.TAA23558@freefall.FreeBSD.org>
Received: by beta.wsl.sinica.edu.tw (1.37.109.8/16.2) id AA13155; Fri, 18 Aug 1995 09:56:21 +0800
Date: Fri, 18 Aug 1995 09:56:21 +0800
To: freebsd-security@freebsd.org
Subject: (fwd) CERT Advisory CA-95:08 - Sendmail v.5 Vulnerability
Newsgroups: comp.security.announce
Sender: security-owner@freebsd.org
Precedence: bulk

:Newsgroups: comp.security.announce
:
:=============================================================================
:CA-95:08 CERT Advisory
: August 17, 1995
: Sendmail v.5 Vulnerability
:-----------------------------------------------------------------------------
[snipped]
: Public domain:
: Users of the public domain operating systems Linux (systems using
: sendmail rather than smail), NetBSD, and FreeBSD should upgrade to
: sendmail 8.6.12.

I just wonder I am using 2.05R, do I need to switch to sendmail 8.6.12 ? BSDI provides a sendmail patch for their BSD/OS 2.0, if FreeBSD 2.05 uses the same sendmail, should we need patch too ?

--
Yen-Wei Liu
Internet e-mail address:ywliu@beta.wsl.sinica.edu.tw ywliu@gate.sinica.edu.tw
FAX: +886-2-783-6444
How to make home-brewing Win95 : Get yourself a new box and put your DOS 5.0 and Win 3.1 inside.

From owner-freebsd-security Thu Aug 17 19:46:01 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id TAA24769 for security-outgoing; Thu, 17 Aug 1995 19:46:01 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id TAA24763 for ; Thu, 17 Aug 1995 19:45:57 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.11/8.6.9) with SMTP id TAA03398; Thu, 17 Aug 1995 19:44:29 -0700
Message-Id: <199508180244.TAA03398@precipice.shockwave.com>
To: ywliu@beta.wsl.sinica.edu.tw
cc: freebsd-security@freebsd.org
Subject: Re: (fwd) CERT Advisory CA-95:08 - Sendmail v.5 Vulnerability
In-reply-to: Your message of "Fri, 18 Aug 1995 09:56:21 +0800." <199508180207.TAA23558@freefall.FreeBSD.org>
Date: Thu, 17 Aug 1995 19:44:28 -0700
From: Paul Traina
Sender: security-owner@freebsd.org
Precedence: bulk

We're 8.6.12 based in -current.

From owner-freebsd-security Thu Aug 17 20:59:30 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id UAA27700 for security-outgoing; Thu, 17 Aug 1995 20:59:30 -0700
Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id UAA27693 for ; Thu, 17 Aug 1995 20:59:18 -0700
Received: from localhost (localhost [127.0.0.1]) by palmer.demon.co.uk (8.6.11/8.6.11) with SMTP id EAA08629 ; Fri, 18 Aug 1995 04:58:53 +0100
X-Message: This is a dial-up site. Quick responses to e-mails should not be relied upon. Thanks!
To: ywliu@beta.wsl.sinica.edu.tw
cc: freebsd-security@freebsd.org
Subject: Re: (fwd) CERT Advisory CA-95:08 - Sendmail v.5 Vulnerability
In-reply-to: Your message of "Fri, 18 Aug 1995 09:56:21 +0800." <199508180207.TAA23558@freefall.FreeBSD.org>
Date: Fri, 18 Aug 1995 04:58:51 +0100
Message-ID: <8627.808718331@palmer.demon.co.uk>
From: Gary Palmer
Sender: security-owner@freebsd.org
Precedence: bulk

In message <199508180207.TAA23558@freefall.FreeBSD.org>, ywliu@beta.wsl.sinica.edu.tw writes:
>I just wonder I am using 2.05R, do I need to switch to sendmail 8.6.12 ?

FreeBSD 2.0.5 or later will not be vulnerable to the described attack, as it ships with sendmail 8.6.11 or later (which, according to the CERT posting, are `safe' versions). If you are particularly paranoid, you can grab sendmail 8.6.12 from ftp://ftp.cs.berkeley.edu/pub/src/sendmail (I think). It should compile under FreeBSD without trouble (I've done it before a couple of times). Alternatively, 8.6.12 is also in the -current FreeBSD source tree, available from all good SUP servers and FTP mirrors.

Gary

From owner-freebsd-security Thu Aug 17 23:33:36 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id XAA04016 for security-outgoing; Thu, 17 Aug 1995 23:33:36 -0700
Received: from aries.ibms.sinica.edu.tw ([140.109.40.248]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id XAA04002 for ; Thu, 17 Aug 1995 23:33:24 -0700
Received: (from taob@localhost) by aries.ibms.sinica.edu.tw (8.6.11/8.6.9) id OAA19258; Fri, 18 Aug 1995 14:31:56 +0800
Date: Fri, 18 Aug 1995 14:31:56 +0800 (CST)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: npasswd 2.0
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

Any FreeBSD folks involved in the npasswd 2.0 beta cycle?

--
Brian ("Though this be madness, yet there is method in't") Tao
taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org

From owner-freebsd-security Fri Aug 18 00:57:33 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id AAA07098 for security-outgoing; Fri, 18 Aug 1995 00:57:33 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id AAA07092 for ; Fri, 18 Aug 1995 00:57:29 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id AAA24803; Fri, 18 Aug 1995 00:50:41 -0700
From: "Rodney W. Grimes"
Message-Id: <199508180750.AAA24803@gndrsh.aac.dev.com>
Subject: Re: (fwd) CERT Advisory CA-95:08 - Sendmail v.5 Vulnerability
To: pst@shockwave.com (Paul Traina)
Date: Fri, 18 Aug 1995 00:50:41 -0700 (PDT)
Cc: ywliu@beta.wsl.sinica.edu.tw, freebsd-security@freebsd.org
In-Reply-To: <199508180244.TAA03398@precipice.shockwave.com> from "Paul Traina" at Aug 17, 95 07:44:28 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 264
Sender: security-owner@freebsd.org
Precedence: bulk

>
> We're 8.6.12 based in -current.

And after a brief ringing out period will be 8.6.12 based in -stable.

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Sat Aug 19 03:06:33 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id DAA23972 for security-outgoing; Sat, 19 Aug 1995 03:06:33 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id DAA23957 for ; Sat, 19 Aug 1995 03:06:30 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id DAA29151; Sat, 19 Aug 1995 03:04:47 -0700
From: "Rodney W. Grimes"
Message-Id: <199508191004.DAA29151@gndrsh.aac.dev.com>
Subject: Re: security list
To: mark@grondar.za (Mark Murray)
Date: Sat, 19 Aug 1995 03:04:47 -0700 (PDT)
Cc: jkh@time.cdrom.com, mark@grondar.za, ache@astral.msk.su, jkh@freefall.FreeBSD.org, rgrimes@freefall.FreeBSD.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
In-Reply-To: <199507282147.XAA10036@grumble.grondar.za> from "Mark Murray" at Jul 28, 95 11:47:33 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1289
Sender: security-owner@freebsd.org
Precedence: bulk

>
> > > I've got a lawyer friend who knows this crap. She's an import/export/patent
> > > specialist, and an Advocate too. (British: Advocate=Barrister) (American:
> > > Advocate=Big Cheese Lawyer qualified to argue in supreme court)
> > >
> > > She'll do this Pro Amico...
> >
> > That's very kind of her. So, maybe we should make sure we've got all
> > of our questions in order before we take her up on this generous offer?
> > Just what issues are we trying to clarify here, exactly?
>
> (Sorry Jordan - you missed a long discussion concerning the legality of
> _importing_ crypto code into the USA. Rod feels that this is dangerous
> and a couple of others feel that these fears are unfounded. I thought
> that I would find out for sure. I am sick of the argument :-) :-) )
>
> [Would you like copies of the discussion?]
>
> Before we get all excited...
>
> She is doing this as a favour for me, and her name will be on whatever she
> gives me. BUT - what she will give me is LEGAL OPINION. It is not law,
> and she is not American.
...

Any news on this front? Haven't heard anything for a bit and was just prodding.

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Sat Aug 19 03:33:04 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id DAA26433 for security-outgoing; Sat, 19 Aug 1995 03:33:04 -0700
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id DAA26237 for ; Sat, 19 Aug 1995 03:32:46 -0700
Received: from grumble.grondar.za (grumble.grondar.za [196.7.18.130]) by grunt.grondar.za (8.6.11/8.6.9) with ESMTP id MAA29819; Sat, 19 Aug 1995 12:32:22 +0200
Received: from localhost (localhost [127.0.0.1]) by grumble.grondar.za (8.6.11/8.6.9) with SMTP id MAA17750; Sat, 19 Aug 1995 12:32:17 +0200
Message-Id: <199508191032.MAA17750@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host localhost didn't use HELO protocol
To: "Rodney W. Grimes"
cc: mark@grondar.za (Mark Murray), jkh@time.cdrom.com, ache@astral.msk.su, jkh@freefall.FreeBSD.org, rgrimes@freefall.FreeBSD.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
Subject: Re: security list
Date: Sat, 19 Aug 1995 12:32:16 +0200
From: Mark Murray
Sender: security-owner@freebsd.org
Precedence: bulk

> > > > I've got a lawyer friend who knows this crap. She's an import/export/patent
> > > > specialist, and an Advocate too. (British: Advocate=Barrister) (American:
> > > > Advocate=Big Cheese Lawyer qualified to argue in supreme court)
> > > >
> > > > She'll do this Pro Amico...
> > >
> > > That's very kind of her. So, maybe we should make sure we've got all
> > > of our questions in order before we take her up on this generous offer?
> > > Just what issues are we trying to clarify here, exactly?
> >
> > (Sorry Jordan - you missed a long discussion concerning the legality of
> > _importing_ crypto code into the USA. Rod feels that this is dangerous
> > and a couple of others feel that these fears are unfounded. I thought
> > that I would find out for sure. I am sick of the argument :-) :-) )
> >
> > [Would you like copies of the discussion?]
> >
> > Before we get all excited...
> >
> > She is doing this as a favour for me, and her name will be on whatever she
> > gives me. BUT - what she will give me is LEGAL OPINION. It is not law,
> > and she is not American.
> ...
>
> Any news on this front? Haven't heard anything for a bit and was just
> prodding.

Yehbo. I just called her. I have given her an account at work, and shown her how to browse the web - the initial info I gave her was _much_ too sparse. (ITAR and the arms control act)

In a nutshell, this is where we are:

ITAR states that crypto is a munition. We know this.

Export of `munitions' is a no-no (ITAR gives us this). We know this.

Temporary import of `munitions' is also a no-no. (ITAR). We know this.

Import of `munitions' is none of the State department's business. (Stated in ITAR) This is the jurisdiction of the Treasury department.

Treasury department has 12 sub-departments (Offices?) Included are Customs and Bureau of Alcohol, Tobacco and Firearms(BATF). (gulp), and the Bureau of Economic Crimes(? Something like that).

Any import that is not specifically controlled by some other department is covered by a "general import thingy(?!)" administered by the Customs folks. This includes PD software coming in via the internet, or for that matter, anything crossing the border into the US.

The only folks having any vague interest in crypto/munitions that she could find are the BATF boys. And a (not complete) search has so far shown up NADA.

Anything else she found (and this is repeated all over the place) has to do with _export_.

Her guess _at_this_stage_ is that import is unregulated unless you are importing items with commercial value, in which case import duties _may_ apply.

--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grumble.grondar.za for PGP key

From owner-freebsd-security Sat Aug 19 03:45:40 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id DAA28398 for security-outgoing; Sat, 19 Aug 1995 03:45:40 -0700
Received: from time.cdrom.com (time.cdrom.com [192.216.222.226]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id DAA28375 for ; Sat, 19 Aug 1995 03:45:36 -0700
Received: from localhost (localhost [127.0.0.1]) by time.cdrom.com (8.6.11/8.6.9) with SMTP id DAA04501; Sat, 19 Aug 1995 03:43:53 -0700
To: Mark Murray
cc: "Rodney W. Grimes" , ache@astral.msk.su, jkh@freefall.FreeBSD.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
Subject: Re: security list
In-reply-to: Your message of "Sat, 19 Aug 1995 12:32:16 +0200." <199508191032.MAA17750@grumble.grondar.za>
Date: Sat, 19 Aug 1995 03:43:53 -0700
Message-ID: <4499.808829033@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: security-owner@freebsd.org
Precedence: bulk

> Treasury department has 12 sub-departments (Offices?)
> Included are Customs and Bureau of Alcohol, Tobacco and Firearms(BATF).
> (gulp), and the Bureau of Economic Crimes(? Something like that).
>
> Any import that is not specifically controlled by some other department
> is covered by a "general import thingy(?!)" administered by the Customs
> folks. This includes PD software coming in via the internet, or for that
> matter, anything crossing the border into the US.
>
> The only folks having any vague interest in crypto/munitions that she
> could find are the BATF boys. And a (not complete) search has so far
> shown up NADA.

Perhaps we should simply wait a couple of months. By then the senate hearings will be over and the BATF (now simply the ATF) will be a dismantled hulk with the various other departmental vultures picking over its budget.. I don't think that the ATF is long for this world - too many people blame it for WACO, among other things, and it's made some powerful enemies.

It's sort of strange. I've always wanted the ATF dismantled and thrown to the dogs, but now that it's finally happening I can't help but notice that it's happening largely due to the FBI's own colossal screwups, not theirs! The right thing is happening, but for the wrong reasons. It sort of puts a damper on one's ability to gloat properly.. :-)

In any case, my essential point is that we might want to wait just a bit longer. Things are in a state of flux and I wouldn't necessarily trust any information received just now. Even if it's correct, it may only be correct for a relatively short period of time.

Jordan