Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
>One risk that I don't think I saw mentioned in the discussion of >"Dial-A-Vote" systems relates to the identity of voters. To the contrary, it has been dealt with ad nauseam, usually erroneously. >Such a system, by definition, would need to know the identity of each caller >to check registration and avoid duplications. This statement is patently false. While an identity-based system would be one way to accomplish these objectives, a voucher system would serve just as well. Such voucher systems are well described in the literature, but the same issue of RISKS which carried the above assertion, contained two descriptions of such systems for voting by mail. The problem of disassociating the vote from its origin, i.e. location of the phone, is much more resistant to solution. All voting systems are subject to abuse, not the least are those systems currently in use. All voting systems have some problems of equity. In many of our current systems, these problems were deliberately engineered in for political motives. These problems resist solution precisely because any change will shift the political balance, however slightly. To the extent that we can move to systems that are more secure, more equitable, and more economic, we should do so. Such systems clearly exist. My personal preference is for more equity. While I have difficulty in believing that any new system can be any more subject to abuse than most of those in use, I would be prepared to sacrifice some security for more equity, as long as the lower security would not result in a loss of confidence in the results. Any new systems and the move to them will be fraught with problems. Much dialogue will have to precede any such moves. However, over-stating the problems of the new systems, preferring the faults of the old ones, and pandering to the fears of the ignorant are not productive. William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769
I would like to propose a new voting system that will benefit from electronic and/or cryptographic techniques. Before going too public with this, I hope to get additional suggestions and pitfall information from you readers. The voting system that I would like to see simply weights your vote by the number of tax dollars that you pay. We have often heard that the super wealthy use tax loopholes to lower their tax to zero while manipulating laws to make this possible. On the other end of the scale, the poor are accused of using tax supported services far in excess of their tax payments; the poor tend to vote for candidates that promise to keep up the handouts. Of course, it is the middle income people that support all of this. So, my scheme has the appropriate negative feedback built into it. A major problem with the system is that it require a constitutional amendment. In other words we would no longer have "One man, one vote." But I argue that the Constitution was written before income tax and local taxes etc. In a sense everybody was taxed equally back then. All this new system does is to restore the equality of the voting power. Implementing this system is tricky unless you want to trust "the government" to correctly credit your voting power. I think the ability to check one's own account is desired, but you really don't want it to become public knowledge; worse than busybodies and neighbors would the the targeted marketing concerns and the politicians spending their resources where the voting power is. So, a secret ballot is still a must. The ballot must be unforgeable and not modifiable. One idea that is almost right is to use public key crypto technology. The IRS would issue voting stickers which have the number of votes encrypted such that only the vote counters could read them. I would use my stickers by sticking them to a paper ballot; they could not be removed without destroying them. This fails because I cannot check that the sticker is worth the number of votes that I think it should be. Making the stickers have duplicate information, one that the vote counters can read and one that I can read, is also almost right. It's a little impractical since it requires that I keep a decryption key around so that I can decode my half of the sticker. So, everybody has to be assigned a key and everybody has to avoid losing it. Does anybody out there know how to do this? Thanks. William W. Plummer Work: 508-967-4870 plummer@wang.com Home: 508-256-9570
> [...] computer intruders have stolen some $12 million in free telephone
> service through Johnson Space Center... That figure was calculated from costs
> of similar break-ins described by law enforcement agents specializing in
> computer crime.
There *must* be some kind of mistake or error here, right? Imagine this
principle applied to better-understood areas of criminal jurisprudence: "Little
Johnny Nogood has stolen some $2000 worth of goods from the corner store
today... That figure was calculated from costs of similar thefts described by
law enforcement agents specializing in shoplifting." Right. The whole thing
is especially ludicrous in light of NASA's recent report that their whole
yearly phone bill is only on the order of $12 million...
The computer-related risk, IMHO, is that because the law-enforcement community
doesn't understand computer crime, it may be made to seem much more harmful to
its victims and to society than it actually is, and resources that would be
better spent elsewhere will be devoted to stopping it. This risk is especially
severe in light of the "computer crime experts" who have made a name for
themselves because of the imputed significance of these kinds of cases, and
thus have a vested interest in exaggerating their significance.
Bart Massey
I, too, am opposed to uninvited access to others' computers. In RISKS-10.65, we have >Sorry. I don't buy it. If I leave my keys in my car with the windows open, >and you get in and drive off, you're still just as guilty of stealing the car That is true. But it is also a crime in some states for you to have left the keys in the car. It is written in many insurance contracts, too, that the insurer will not have to pay you if you have encouraged the theft in this way. Thus, in this other area of life that you drew an analogy to, your "asking for trouble" by making it easy and attractive does indeed reduce or eliminate your protection under the law or constitute a punishable minor crime itself. > [several posters drew analogies to the crime of "breaking and entering"] Breaking and entering is a crime that has two parts: "breaking" and "entering." If you leave your front door ajar, one need not "break" to "enter." If a company leaves the door to its office ajar, it cannot accuse an outsider found walking down its hallway (doing no harm) of any crime, it can only tell him to leave. Since people here seem so fond of analogies, I'll suggest that to the extent that a company leaves the door to its computer system ajar, the breaking and entering analogy fails, and the mere entry of an outsider would not constitute a crime. These analogies are silly. If we are to have a law in this area, it should be simple: Attempting to log into a computer system or otherwise access it without having been explicitly invited should be a crime whether or not the attempt succeeds and whether or not any damage was done. Probably using a normally-public area like an ftp or anonymous uucp directory should be explicitly excepted, as should a small number of attempts to log into a system accidentally, provided no hacker-type activities (systematically guessing passwords, taking advantage of system defects to gain privileged access, etc.) were involved. But if this is to be a crime, it is fundamentally unrelated to old-time crimes like breaking and entering or car theft. We are making it a crime because we'd like to discourage it, not because there's a clear moral issue or any harm being done. There may or may not be. The law is for our convenience, and has no moral side, and the violator is not to be punished for his evil character, but merely for having violated a well-known law carrying a well-known penalty. irv@happym.wa.com (Irving_Wolfe) Happy Man Corp. 206/463-9399 ext.101 4410 SW Point Robinson Road, Vashon Island, WA 98070-7399 fax ext.116 SOLID VALUE, the investment letter for Benj. Graham's intelligent investors Information free (sample $20 check or credit card): email patty@happym.wa.com
In the discussions of the Legion of Doom a few points are raised but
not taken to fruition seeing as how we are talking about a new
technology (relatively new that is). Allow me to paraphrase:
1. "The company left its' doors open and that was a criminal act...".
Response: "Leaving your garage door unlocked isn't".
Having a phone line into your company is definitely not a criminal
act. However, if you leave a pile of money on the street and someone steals
it, there isn't a judge in the world who would convict because you did
something a reasonable person wouldn't have done. The problem crops up when
you come with a new technology that has inherent risks. What the heck is
a reasonable person...the two guys that invented it? On hacking, we have
a case where technology allows extremely easy access to computers over phone
lines. The fact that a company uses this technology does not relieve it of
responsibility to behave as reasonable persons. The problem is that the
hackers are perceived as a bunch of teenage hoods and they do not suffer from
this technology. If every time one of them called they got electrocuted, I
assure you that the company would be held liable.
2. "Leaving my keys in my car is not...". In most states, leaving the keys
in your car is definitely considered criminal as you are inviting a crime.
Doesn't then hooking an easy access phone line also invite a crime?
3. "We are in business to do business...". True, but businesses have a
responsibility to society to ensure their business does not invite criminal
behaviour.
4. "We shouldn't have to spend time closing known holes...". If I talked to
your security department they might disagree. If there are known holes, is
management adequately apprised of the potential for business loss and have they
made a knowledgeable decision to not close them, or do the system managers just
say, "The boss wouldn't understand so I'm not going to tell him"? Companies
devote massive resources to security and this hacking thing is a new threat.
So is the idea that your competitor could get in and muck about too. It would
seem that a business shouldn't have to spend a lot of time closing security
holes opened by a product they bought, so me thinks I would complain LOUDLY to
whomever supplied this product to close up the holes.
5. Finally, let's try and define a reasonable person on this matter:
1. When you hook-up a phone line to your computer, a reasonable person
would expect to get calls from unauthorized users.
2. A reasonable person would not expect the simple userid/passwd to
foil everyone, however the same person should expect that a concerted
effort not be made to overcome it. i.e. If you have userid "root"
with no password, that's unreasonable, most anything else migrates
toward reasonableness.
3. A reasonable person would assume that one who finally got in would
do most anything.
I propose the following:
1. All dial-up's contain a warning about the penalties of unauthorized
entry. (virtually none do, how 'bout a trespass warning people?)
2. Entry into such a system would be a misdemeanor. Retrieval of
info would be the same.
3. Damage caused would upgrade eventually to a felony depending on
lost business, time to recover, etc. The trick here is the need to
prove the hacker was proximate cause to the damage beyond reasonable
doubt.
P.S. I personally do not support "hacking".
: usenet: black@beno.CSS.GOV : land line: 407-494-5853 : I want a computer:
: real home: Melbourne, FL : home line: 407-242-8619 : that does it all!:
I would like to gather any *hard* evidence that viruses have been used for political/military purposes. It is possible that the Jerusalem virus was first set off to commemorate a Palestinian event but has there been any way to verify this? Are there other viruses that have been specifically distributed or directed to harm a political foe? It is important to differentiate this type of attack from someone setting off a virus that contains a political statement but which is not directed against a particular target. I know that this differentiation is soft but I am trying to develop an appropriate categorization. Any help on this is appreciated. What got me thinking about this is my work on developing a model of computer crime trends and development stages. The current situation in the Persian Gulf made me wonder about the use of the virus as a political weapon. Is the virus a potential "small nation's weapon"? Can viruses become terrorist surrogates, disrupting an enemy nation without leaving direct fingerprints (strings?) traceable back to the ultimate sponsor? What roles could viruses play in future small scale intensive conflicts as well as major wars? Have viruses been considered in war scenarios that military commands have developed? The flap earlier this year about the availability of a small business contract to develop a virus for the U.S. military may well be part of a larger picture of computerized warfare joining other threats such as biological and chemical warfare. Comments can be posted to me on Risks or sent directly to me at MCI MAIL: SSHERIZEN (396-5782). This message has also been posted to Virus-L. Thanks, Sandy
We are requesting information from any and all colleges about Computer
Security courses offered as part of the undergraduate Computer Science
program. This information is needed as part of a research project on
teaching Computer Security. The goal is to produce a summary of available
courses, to be included in a paper we are writing.
The researchers involved are:
Alfred Arsenault, Visiting Professor of Computer Science,
and
Captain Gregory White, Instructor of Computer Science,
both at the U. S. Air Force Academy.
Specifically, we are seeking answers to the following questions:
(1) Does your school offer a course in Computer Security as part
of its undergraduate Computer Science curriculum? If so, what is the
title of that course?
(2) If so, is the course required or an elective for Computer
Science majors?
(3) What textbook is being used, if any?
(4) What are the prerequisites for the Computer Security course?
(Please use descriptive titles, e.g., Operating Systems, rather than
course numbers or designators.)
(5) Is the course offered once a year, or every semester?
(6) Approximately how many students typically enroll in the course?
(7) If your institution does not offer an undergraduate Computer
Security course, is there a particular reason? (e.g., no faculty interest
in teaching such a course; not enough students interested in taking such
a course; no room in the undergraduate Computer Science curriculum for
another course)
(8) Who is a point of contact that we can get in touch with if
we need further information?
As previously stated, we are requesting this information to assist us with
a research effort on "Teaching Computer Security in an Undergraduate Computer
Science Curriculum." The short-term goal is to develop reasonably accurate
statistics about how many institutions offer Computer Security courses.
Negative responses (i.e., 'my college does not offer a Computer Security
course') are welcome.
We would be happy to send summaries of the responses we receive to anyone
who requests one.
Please send responses to either:
Alfred Arsenault: arsenaul@usafa.af.mil or
AArsenault@Dockmaster.ncsc.mil
Greg White: white@usafa.af.mil
GWhite@Dockmaster.ncsc.mil
If you have questions, or want more information, we can be reached on the net
at the above addresses; by telephone at (719) 472-3590; or by U. S. Mail at
Department of Computer Science
HQ USAFA/DFCS
U. S. A. F. Academy, CO 80840
Please report problems with the web pages to the maintainer