TRASH (C) v1.06                                   RELEASE DATE: 931225

- Trash     Copyright (C) 1993, 1994 by Peter Laur
            "Trashcan scanner for PCBoard v15.0"
- SmartSec  Copyright (C) 1993, 1994 by Peter Laur
            "Extended Security for PCBoard v15.0"

All work done by: Peter Laur, Ulf Svanlund and Rikard Elofsson.
The compilation by Microsoft's C/C++ v7.0 is made by Peter Laur.
The compilation by CDC's PPLC v1.0 & v2.00 is made by Ulf Svanlund.

using REGISTRATION KEY SYSTEM FOR PROGRAMMERS Version 2.20
(C) Copyright 1992, Brian Pirie. All Rights Reserved


ARJ SECURITY ENVELOPE!

When you unpack this archive it *MUST* display our ARJ Security Envelope!

    *** Verifying ARJ SECURITY envelope ... Valid envelope!
    *** Valid ARJ-SECURITY envelope signature:
    *** *M*U*R*P*H*Y*S* PCBoard BBS - Sweden R#0838

If not, the archive may be infected. Then call Salt Air and download the
original archive please.

If you have the Thunderbyte virus scanner you can also verify the trash.exe
file via the supplied anti-vir.dat file. The file is named: TBAV608.* and
distributed via SDN.

Valid CRC's:    Length   32-bit CRC
TRASH286.EXE    018E08   AA46FA96   <- Rename to TRASH.EXE if using a 80286 PC!
TRASH_XT.EXE    018EE8   5638D434   <- Rename to TRASH.EXE if using a 8086 PC!
TRASHREG.EXE    002E7A   5F5CFD2C   <- Registration program in the Trash dir.
TRASH_1.PPE                         <- Rename to TRASH.PPE if using PCB 15.0
TRASH_2.PPE                         <- Rename to TRASH.PPE if using PCB 15.1

Note: When you have renamed the desired EXE file, make it "Read-Only" if
      running in a multi-user environment like a network.
      Use the DOS command: ATTRIB +R TRASH.EXE


WHAT'S IT DOING?

These small programs, TRASH.PPE + TRASH.EXE, are a Trashcan scanner to be
used together with PCBoard v15.0 to force users to select decent passwords.
This scanner uses its own PWDCAN, USERDATA & HISTORY files with strings to
be searched for using wildcards, then last the TCAN file for exact string
matching. Both forward and reverse search everywhere + DUPLICATE words.
Also the possibility to generate AUTO-PASSWORDS by request or demand (if
too many failed password attempts).

For SysOps who want a really secure system, where users aren't permitted to
use their names as passwords or other silly strings - Trash is an excellent
solution to the problem.

(UNREGISTERED) versions of Trash & SmartSec can be evaluated for 90 days.
After this period, to continue using the program(s) you must decide whether
or not to spend $10 US dollar on registering the software. We hope you like
our programs, which help give PCBoard and your system better overall
security. Please have a look in REGISTER.TXT on how to get registered...

 1: First searches the USERDATA file which contains the user's:
    NAME, CITY1, ALIAS (if installed), PWD, PHONE1, PHONE2, CITY2,
    ADDRESS1, ADDRESS2, ZIPCODE, COUNTRY, STATE, OLDPWD1, OLDPWD2, OLDPWD3.
    Using a 3 character Wildcard search on all userdata fields to make it
    almost impossible to use passwords similar to what's in these fields.

 2: Secondly searches the \pcb\main\PWDCAN file for any Wildcard match of
    strings. Be careful when adding new strings so the scanner doesn't stop
    every password attempt :-) No limits on the number of lines...

 3: Thirdly searches the \pcb\main\TCAN file for Exact string matches.

 4: The user has 6 retry attempts to choose a decent password.
    If failed, the system logs him off. (configurable)

 5: Fast searching. On my system with 2 x 2000 names it takes less than
    1 second on a 80386-40MHz PC via our LAN. The code is 8086 optimized.
    Use trash286.exe and rename it to trash.exe if you want 80286
    optimized code.

 6: The valid user input is restricted to normal ASCII characters + numbers,
    "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    Spaces are not allowed on line 2 in TRASH.CFG. Please don't add one
    yourself, because then Trash won't work as expected.

 7: All prompts used are in language specific PROMPTS files.
    If you have other languages than the supplied ones, you *must* make a
    prompts file for each and add the needed lines.

 8: Added a TRASH.CFG file for the program.

 9: At TRASH.CFG line 1 you can select how many password retry attempts
    shall be allowed before the user is logged off.

10: At TRASH.CFG line 2 you can place Extended ASCII characters/symbols
    which should be accepted as input from the user.

11: To get around the DOS max line-length limitation we now write the
    new userdata output to a file in the trash PPE path as "userdata.xxx"
    where xxx = pcbnode. The "userdata.xxx" file is deleted when trash is
    finished.

12: Stripped the PWDCAN file a bit, too many false triggers. So if you have
    been using a previous version - please change to this new one.

13: Added a line 3 in the TRASH.CFG to specify the path for USERDATA.xxx
    Can be a RAM drive for faster access. Defaults to C:\

14: Added line 4 in the TRASH.CFG to specify (as in PCBSETUP) the minimum
    number of required password characters/symbols. Can be 4 characters
    minimum and 12 characters maximum. (Default 6 characters)

15: Added line 3 in the PROMPTS file for the message about too short
    passwords.

16: Added better logging of WHICH file triggers Trash - so you can easily
    adjust the words if wanted. Looks like this:

    **************************************************************
    10-14-93 (23:26) (10) PETER LAUR (Local) (G)
    * SYSTEM OPERATOR
    Password is less than 6 chrs   : (123)
    TCAN file - exact string match : (YUPPIE)
    PWDCAN file - wildcard string  : (ABUSED)
    USERDATA file - wildcard 3 chrs: (VILBER)
    Accepted password by Trash was : (SOLLEFTEA)
    Minutes Used: 1
    10-14-93 (23:27) (10) PETER LAUR Off Normally
    **************************************************************

17: Found a bug in PCBoard which doesn't allow High ASCII characters above
    ASCII 127 if the "Disable Registration Edits" in PCBsetup is set to "N".
    It works okay when logging on the first time as a new user, but not
    when updating the passwords with (W) or at regular intervals or with
    the Password PSA installed. Because of this I have disabled the
    Swedish "" characters and instead added in SMART.CFG
    "!"#%&/()=?@${[]}\<>+-" as valid extended characters. You can delete
    whatever characters you don't want the users to use in their passwords.

18: Fixed Trash so it also works okay when using the (W) command in
    PCBoard. To let Trash know the user is inside PCBoard, I have made a
    small PPE called W_DUMMY.PPE which shall be started in a Security
    Specific menu by the user when he logs on. On my system I have all
    these files in a dir called: C:\PCB\SECURITY and they are named after
    the security levels I have, like 101, 102, 103 and so on.

    Here is how I run my PPE's:

        !C:\PCB\PPE\SMART\SMART.PPE
        !C:\PCB\PPE\SMART\FREEMEM.PPE
        !C:\PCB\PPE\TRASH\W_DUMMY.PPE

    When a user inside PCBoard uses the (W) command, Trash sees the dummy
    file W_DUMMY.xxx (xxx = PCB nodenumber) in the \PCB\PPE\TRASH directory
    and reacts differently. Normally it doesn't accept  as a valid input,
    but with this dummy file it does. It's very good to have this trashcan
    scanning here too so the users cannot change to another strange
    password when inside the BBS.

    Note: You must have it in the TRASH dir!

    Don't forget to *DELETE* the W_DUMMY.xxx file. I have the PCBNODE
    variable set on all our 13 nodes in each PC's autoexec.bat file.
    (SET PCBNODE=1)

    Make a $$logoff.bat file and place it in your PCB's directory so you
    are sure the W_DUMMY.xxx is deleted properly. Put the following string
    in it:

        DEL C:\PCB\PPE\TRASH\W_DUMMY.%PCBNODE%

    This was the only way I could get Trash to operate with the (W) command
    and at the same time keep it not accepting  as input when used
    elsewhere. Tricky but works well... :-)

19: Added logging of the passwords selected by the users that were not
    accepted.

20: Better logging of possible errors if Trash is not configured correctly.
21: Added Line 5 in TRASH.CFG for the paths to TCAN & PWDCAN so you can run
    it on a RAM-drive.

22: Added logging of the final accepted password. Configurable in TRASH.CFG
    Line 6 to YES/NO if you don't want it to be written to the userlog.

23: Bugfix of 12 character password input. Because of an extra  Trash only
    sent 11 characters, so PCBoard's verify option did not accept the 12
    it should have been. Fixed.

24: Trash now displays (UNREGISTERED) when not registered, but is not in
    any way crippled. In future versions when we convert more over to
    MSC7.0, we might make some features available only to our registered
    customers. If you want to register, please have a look in the supplied
    file REGISTER.TXT

25: Fixed so Trash now always deletes the USERDATA.xxx file. In the
    previous version we forgot it sometimes.

26: Changed the TRASH.CFG a bit; it now has the sysop name at Line 1.
    Please make sure you either change or update the one you are using.

27: 2 versions supplied with TRASH. TRASH_1.PPE is using PPLC v1.00 for
    sysops still using PCBoard v15.0. TRASH_2.PPE is using PPLC v2.00 for
    PCBoard v15.1 beta and the coming release.
    Rename the file you want to use to TRASH.PPE

28: Deletes (if it exists) the USERDATA.xxx file when starting TRASH. It
    could be left behind when a new user suddenly hangs up. You can also
    put this at the end of board.bat:
    "if exist c:\userdata.%node% del c:\userdata.%node%"
    to be sure it's never left. (or on whatever drive you stated on line 4
    in TRASH.CFG)

29: Shows an info menu about how and why to select passwords. Language
    specific. If a menu for a certain language is missing, the English
    version of PWD1INFO & PWD2INFO will be displayed instead.

30: Increased password detection. Now a "double" word is NOT accepted,
    like "BEARBEAR". When I looked at my system, around 15% of all users
    had a password like this. You can switch this cruel option on/off in
    TRASH.CFG line 7.

31: Reversed check of all words in TCAN, PWDCAN, USERDATA.
    For example, the word "BOARD" in TCAN is not accepted - neither is the
    reverse "DRAOB". Using a 4 character Wildcard search for this, a lower
    number gives too many false alarms on the input strings.

32: If a user has failed the allowed number of times to enter a valid
    password, he is either forced to use the password Auto-Generated by
    Trash - OR logged off. Added line 8 in TRASH.CFG to disable or enable
    the Auto-Generation of passwords (YES or NO). The password generated is
    always displayed in small letters + numbers to make it easier for the
    user to understand it. An example: GHI05I can be misunderstood, but
    not ghi05i - that's the reason.

33: Added line 4 in the PROMPTS file for the message displayed when an
    Auto-Generated password is made. Language specific.

34: Added a TRASH.DBF database which will log every user's pwd HISTORY.
    This is necessary because PCBoard doesn't update the PWDHISTORY as
    expected when manually changing password with the (W) command several
    times after each other. So using a DBase format Trash History file is
    better, and it works in parallel with PCB's own history (if any).
    You can configure the path for the DBF & NDX files in TRASH.CFG line 9.

35: Added in TRASH.CFG a LOWSEC at Line 10 and HIGSEC at Line 11 which
    shall not be logged to the DBase HISTORY file. This is because some
    systems might only want their HISTORY to be updated and logged for
    members, so as not to fill up the DBase with lots of history never
    being used.

36: Added in TRASH.CFG at Line 12 and 13 two Security levels which shall
    be BYPASSED by the TRASH program. Line 12 is equal or lower than
    security, line 13 is equal or higher than security.

37: Added DATE logging to the DBase file for easier packing. You can now
    use a PACK commandline with the stated number of DAYS OLD which shall
    be removed. For example: PACK 365 removes all users who haven't been
    on for 1 year.

38: Added Line 15 in the PROMPTS file to display a message when using the
    (W) command.
    "@FIRST@, press (Enter) for `no change' to any item..."
    To make use of this - clear PCBTEXT Line 99 and let Trash handle it.

39: A user can now select "AUTO" to make Trash AUTO-GENERATE the password
    at once. If you have configured in TRASH.CFG that AUTO-PWD (after nr
    failed) should not generate a password but simply log off the user,
    this function to select "AUTO" manually is something else and always
    default. It's one thing to force a user to use a randomly made
    password, another if he selects it freely. Besides, with password
    checking as heavy as Trash has, it could be a problem for some users
    to come up with something to use. That's why we have the "AUTO"
    selection as default.


INSTALLATION

The following files should be in the archive:

ANTI-VIR.DAT  <- Thunderbyte Anti-Virus CRC check file
AUTOPWD       <- The English Auto-Pwd menu
FILE_ID.DIZ   <- Brief description file
INFO1PWD      <- The English Info1-Pwd menu
INFO2PWD      <- The English Info2-pwd menu
PACK_DB.BAT   <- Bat file to Purge Users in the DBase after xxx-days
PROMPTS       <- English prompts
PWDCAN        <- Trash Wildcard Match PWDCAN file
REGISTER.TXT  <- How to register Trash or SmartSec
REGISTER.TNX  <- A big *THANKS* to registered SysOps!
TCAN          <- PCBoard Exact Match TCAN file
TRASH286.EXE  <- 80286 processor optimized TRASH.EXE code
TRASH_XT.EXE  <- 8086 processor optimized TRASH.EXE code
TRASHREG.EXE  <- Trash registration program
TRASH.CFG     <- The configuration file
TRASH.DOC     <- Documentation to Trash
TRASH_1.PPE   <- The interface PPE between PCBoard & Trash.exe (PPLC v1.00)
TRASH_2.PPE   <- The interface PPE between PCBoard & Trash.exe (PPLC v2.00)
TRASHFRE.ARJ  <- French set of menus & prompts
TRASHSWE.ARJ  <- Swedish set of menus & prompts
UPDATE.TXT    <- Update information
W_DUMMY.PPE   <- PPE to make the W_DUMMY.xxx file for Trash at (W) usage

To install TRASH is easy. First make sure you ARE running PCBoard v15.0 :-)

Make a new directory under PCB like: C:\PCB\PPE\TRASH and move all files in
the archive to this new dir.
(if you use say d:\pcb it's also okay)

Move PWDCAN to C:\PCB\MAIN (the same location as TCAN must be at!)

In PCBTEXT at line 152 add the following:

    !C:\PCB\PPE\TRASH\TRASH.PPE

or the path to wherever you have your files.

In PCBTEXT at line 709 add the following:

    Your password is not accepted, try again.

In PCBTEXT at line 99 - simply CLEAR it because Trash uses that prompt
itself in the PROMPTS file. If you don't do this, when using the (W)
command, the:
"@FIRST@, press (Enter) for `no change' to any item..."
will be displayed twice, which is unnecessary :-)

You must do the same with all your PCBTEXT files for different languages!

Also install the: VERIFICATION, ADDRESS, & PASSWORD (PSA) via PCBSM.
The program uses these fields to check if a password has any match with the
user's personal data. Without these PSA's installed TRASH will *NOT*
start...

This is it :-)

Now every time a NEW user logs on and is asked to select his password,
TRASH handles this and gives him 6 retry attempts. The same applies if you
have the Password PSA installed and force your users to change their
passwords at regular intervals. TRASH takes care of business here too.

All suspicious password attempts + the final (hopefully) accepted one are
logged.


WHAT'S NEXT?

This is my first fumbling attempt to use MSC C/C++ 7.0 and without the help
of Rikard Elofsson (Mr "C" of Karlstad!) I would still be working with the
parentheses.

By the way, if you would like to develop your own PPE's for PCBoard, we can
surely recommend the PPLC language from CDC! It's so *GREAT* that even we
on this side of the Ocean can make programs. (Far easier than MSC7.0)

All new versions of Trash will be uploaded quickly to Salt Air!

If you want to get in touch with me, you can send mail via either FidoNet
or InterNet to the following addresses. You can also FREQ the latest
versions of SmartSec & Trash from my FidoNet nodenumbers below 24hrs/day.
Use the magic names: SMARTSEC or TRASH

Netmail in FidoNet: Peter Laur at nodenumber 2:204/481@fidonet
InterNet E-mail to: Peter_Laur@f481.n204.z2.fidonet.cd.chalmers.se

Our Postal Address is:

    Murphys PCBoard BBS / NKAB
    Attn: Peter Laur
    P.O.Box: 13104
    S - 60013 - Norrkoping
    Sweden, EUROPE

Murphys PCBoard BBS reachable 24hrs/day at:
Phone: +46 11-100312 / 100313 / 100314 / 100315

*** GOOD LUCK! ***
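
Added example, not code from Trash or its authors: the check order described in items 1-3, 6, 14, 30 and 31 under WHAT'S IT DOING?, written out in Python. The function names, the sample lists, and the reading of "wildcard" as substring matching on 3-character (forward) and 4-character (reversed) windows are assumptions made for illustration.

```python
import string

# Base character set from item 6; TRASH.CFG line 2 can extend it (not modelled).
ALLOWED = set(string.ascii_letters + string.digits)

def windows(text, n):
    """Every n-character substring of each whitespace-separated token, upper-cased."""
    return {tok[i:i + n] for tok in text.upper().split()
            for i in range(len(tok) - n + 1)}

def reversed_hit(entry, pwd):
    """Item 31 (assumed reading): a reversed 4-character window of entry is in pwd."""
    return any(w[::-1] in pwd for w in windows(entry, 4))

def check_password(pwd, userdata, pwdcan, tcan, min_len=6, allow_double=False):
    """Return the name of the first check that rejects pwd, or None if accepted."""
    p = pwd.upper()
    if len(p) < min_len:                          # item 14: minimum length
        return "too short"
    if not set(pwd) <= ALLOWED:                   # item 6: allowed characters
        return "charset"
    half = len(p) // 2
    if not allow_double and len(p) % 2 == 0 and p[:half] == p[half:]:
        return "double word"                      # item 30: e.g. BEARBEAR
    for field in userdata:                        # item 1: 3-character windows
        if any(w in p for w in windows(field, 3)):
            return "userdata"
        if reversed_hit(field, p):
            return "userdata reversed"
    for entry in pwdcan:                          # item 2: wildcard (substring)
        e = entry.strip().upper()
        if e and e in p:                          # a blank line must not match all
            return "pwdcan"
        if reversed_hit(e, p):
            return "pwdcan reversed"
    for entry in tcan:                            # item 3: exact match
        if entry.strip().upper() == p:
            return "tcan"
        if reversed_hit(entry, p):
            return "tcan reversed"
    return None

# Constructed sample data (not taken from the files shipped with Trash).
USERDATA = ["JOHN SMITH", "STOCKHOLM", "08-123456"]
PWDCAN = ["ABUSE"]
TCAN = ["YUPPIE", "BOARD"]
```

Running the function over a few candidate passwords before adding an entry to PWDCAN shows how many ordinary words a short wildcard string would block, which is the false-trigger problem items 2 and 12 mention.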