Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I'd be interested in comments on its accuracy.
I won't comment on the larger issues of the "if it moves, shoot it" mentality.
But as a systems designer I can understand the compromises made to meet the
specs, but two small points stick in my mind.
One is the image of a technician madly scanning through a dog-eared issue of
the OAG (the article didn't mention a brand name) to find the Iranian flight.
It's hard enough to not miss an entry when in a quiet airport in a single time
zone. I realize that tracking civilian flights was not part of the normal
battle plan, but I presume that the system has still not been updated to link
to the civilian airline reservation systems or other such sources of
information. One change in warfare, which I think the Gulf War illustrated, is
how the commercial technology has, in many ways, surpassed the military. Of
course, the online airline info might not be accurate which means a delayed
flight could still have been missed.
The other is that the tagging of the plane as an F-14 provided for no level
of ambiguity. Even in the heat of battle, can the system cope with multiple
interpretations of data or does it mindless lock in on a worst case and then
present it to the befuddled user as fact?
Of course, dealing with ambiguous information from many sources is a very
difficult problem and, as this incident illustrates, neither the system nor
the users are up to task. Conversely, what good is SDI if the incoming
missiles all follow commercial airline schedules?
[The article was based on a new report produced jointly by Newsweek and
the ABC "Nightline" (and scheduled to be broadcast on ABC on 1 July). The
report challenges the official U.S. account, claiming that U.S. forces had
"provoked the episode". It also cites Admiral Crowe as confirming that the
Vincennes was in Iranian waters at the time. The Pentagon replied that
that was true, but only in self-defense. Source: NYTimes, 2 July 1992.
For those of you who don't remember the technological aspects of the
Aegis system, see my item recounting a discussion with Matt Jaffe in
RISKS-8.74 (and a follow-on in 8.75). For anyone seriously interested
in this bit of technohistory, I recommend your rereading the lead item
in RISKS-8.74. PGN]
[I just returned from Paris, where I read the following article in the
"European" newspaper. Hmm...]
PIN Money for Thieves"
Italian thieves have managed to pull off the world's most ingenious cash card
fraud. A perfect replica of a bank cash dispenser was glued on top of the real
thing and swallowed cards inserted by unsuspecting customers when they tried to
withdraw money.
Police say that the thieves collected 104 cards before staff at the bank, in
Busto Arsizio, near Milan, were alerted.
Normally a stolen bank card is useless without the owner's Personal
Identification Number. But the thieves programmed their fake machine to request
the customers' PIN numbers before telling them the card had been accidentally
demagnetized and was being retained.
After collecting the cards, the thieves then spent the night withdrawing money
from genuine cash dispensers.
A police spokesman said: "The thieves have been having a spree, withdrawing
money with the credit cards and the right PIN numbers. They were obviously
electronics experts."
Andre Bacard, POBox 3009, Stanford, California 94309-3009
abacard@well.sf.ca.us (e-mail) (415) 897-6067 (voice)
[Another variant on the old spoofing attack. PGN]
My mother-in-law is a sales clerk at a Sears store in Everett Washington. I saw 25 new CompuAdd point-of-sale terminals in the back room. They're super techie, with a small CRT, ASCII keyboard, fancy strip printer, and mag card stripe reader. They were supposed to be installed months ago, but apparently they have a dose of the Michaelangelo virus. "Michaelangelo? On a terminal? Are you sure?" I asked. Needless to say, the answer was not too specific. She said it might also have been on a PC that configures the terminals, rather than the terminals themselves. Doesn't Michaelangelo only strike on one day of the year? All she knew was that they were "full of viruses" and could not be installed. Sears has its share of troubles these days, and apparently it is running so lean and mean that there is no one in the store with enough computer smarts to get things cleared up in the intervening months. So there they sit, depreciating. But they'll *sell* you a computer...If you dare...bwah ha ha! And you thought people who knew what viruses are were scared...
The Data Protection & Data Security Task Force of the German Gesellschaft fuer
Informatik (GI) has again published a "Statement of Observations" concerning
the IT Security Evaluation initiative driven by the Commission of the European
Communities.
This time the statement had to be made on the Information Technology
Security Evaluation Manual (ITSEM) in its current Version 0.2.
The ITSEM shall give help to evaluators and sponsors working with
Information Technology Security Evaluation Criteria (ITSEC) and
therefore are related quite closely to them. The current version 1.2
of ITSEC was subject of the last "Statement of Observations" the
GI Task Force published in February 1992.
Discussion of Criticism on ITSEM shall take place in Brussels
(Belgium) from September 8th to September 10th 1992.
Observations, criticism and proposals on ITSEM V0.2 concentrate on the
following issues:
(1) Lack of Correction of ITSEC problems
(2) ITSEC needs much deeper and therefore more improvements than
admitted in chapter 1.5.
(3) Who oversees the Certification Bodies?
(4) Several Classes of potential attackers are not covered.
(5) Threats can not be enumerated and must be specified the other
way round.
(6) The discrimination between strength of mechanisms in only 3 classes
(basic, medium or high) is very poor and not adequate.
(7) Requirements for Tools and Techniques are missing.
The full statement is posted to alt.security, comp.security.misc and
probably comp.society.privacy.
Kai Rannenberg, Technische Universitaet Berlin, Informatics, FR 5-10,
Franklinstr. 28/29, D-W-1000 Berlin 10, Germany (+49 30) 314-73499
WORLD'S FIRST VOTING BY PHONE: JUNE 20 IN NOVA SCOTIA After an initial failure on June 6, the Liberal Party of Nova Scotia held a primary June 20 to elect its next leader: 94% of the 7416 delegates voted, all with touch-tone phones. Typical turnout for Canadian elections is 60-70%. The Liberals were issued Personal Identification Numbers by mail. For each of 2 ballots, voters called one of five 900 numbers corresponding to their choice of leader, and then keyed in their "PIN number". The computer then checked their number off so they couldn't vote again. John Savage won on the second ballot with almost 53% of the vote. The service was provided by Maritime Telephone & Telegraph and cost each voter 50 cents. The eight-digit PIN numbers enabled one to vote from any billable touch-tone phone: if you did't have touch- tone, you'd borrow your neighbor's. Absentee voting was as simple as picking up the phone, wherever you were. With this success, the Canadian government is considering a national referendum by phone on the results of their Constitutional Convention, within 6 months. The Federal Voter Assistance Program of the Pentagon is now considering voting by phone for servicemen, who had voting by fax from the Persian Gulf. But a $300 fax machine is overkill when a $10 touch-tone phone will do. The Program called the Voting by Phone Foundation of Boulder for their initial information. The Voting by Phone Foundation is now in a petition drive to put a charter amendment on November's Boulder City ballot. If passed Boulder would become the first city in the U.S. to offer the option of phone voting. Please call [Evan at] (303)444-3596 to help. The Foundation is holding a demonstration of voting by phone from now until the November 3rd election. Anyone may call (303)444-3596, 24 hours a day. If you are registered to vote in Boulder, you will be asked to enter your last name and birth date for identification. This limits you to one vote, although not as effectively as the random PIN number to be used for real elections. A different question will be asked every 2 weeks, and presidential [... rest truncated by Evan's mailer?]
When Cryptography is Outlawed, Only Outlaws Will Have Cryptography The really difficult-to-understand part about the Federal Government's recent assault on cryptographic privacy is how the Feds think they'll keep cryptography out of the hands of criminals and Evil Foreign Governments. Now that the Feds have admitted that they have trouble decoding encrypted messages, any criminal or Evil Spy with a brain will be rushing to purchase the equipment. Criminals are hardly worried about breaking any law that says they can't keep their deeds a secret, and smuggling the technology into the country will hardly pose a problem to a reasonably proficient Drug Lord. Perhaps what the Feds are looking for is a new weapon of prosecution; use of cryptography is by definition a felony, and widespread use of cryptography is then by definition racketeering as defined by RICO. It's like bagging Capone for tax evasion, when he was too slippery to be caught breaking the law. I find this sloppiness unacceptable as a taxpayer. It's just like illegal weapons. The crooks have the Uzis and MAC-10s, and the cops have .38s. And the streets are nevertheless protected. I see a future where the world class criminals profit from breaking our insecure-by- legal-decree comm systems, preying on us law abiding citizens, while carrying out their business in unlawful security. Why can't the spies get wise? Technology is not static. If the phone becomes secure, there must be improvements in bugging or some other spook-versus-crook technology that could replace this information gathering avenue. How typical of our freedom-loving government to make keeping a secret felonious. [By the way, see the July issue of the CACM, which contains material some of which has appeared earlier in RISKS, plus a piece by John Perry Barlow and a a response to letters from Rivest, Hellman, and Anderson from John Lyons of NIST. PGN]
That same 15-year-old can see some pretty steamy R-rated movies on his family's cable TV movie channels, or over at his friends. He can trade videotapes. Many mainstream magazines, such as Vogue, purchasable over the counter by anyone, contain photographs of partially nude women. It would be tragic if heavy legal restrictions placed on "computer porn", when it is so difficult to police users' actions and impossible to monitor all activity on any moderately large BBS in any case, and when "pornography" is so readily available to everyone through so many other channels, for many of which no attempt is made to validate the recipient's age at all. With the ongoing fusion of communications technologies such as computers, telephones and television, the restrictions' boundaries would broaden to encompass more and more of the technologies available to us to communicate with. Further, since the technology for copying and forwarding images (video, PC, etc) is so pervasive, enforcement would be spotty and selective, with many innocent people, for example those whose systems were unknowingly used to further these peoples' purposes, caught in the net.
Please find enclosed the preliminary ESORICS 92 programme
in its ASCII English version. PostScript versions of
the full programme can be accessed by ftp at
"laas.laas.fr" (140.93.0.15), in files :
~ftp/pub/esorics/PGM.PS : PostScript file without laserprep
~ftp/pub/esorics/PGM.PS.Z : idem in compressed form (binary)
~ftp/pub/esorics/PGM.PS.long : PostScript file with laserprep
~ftp/pub/esorics/PGM.PS.long.Z : idem in compressed form (binary)
If you wish to receive a paper copy, drop me mail. Yves
===== Yves Deswarte - LAAS-CNRS & INRIA - 31077 Toulouse (France) =====
==== E-mail:deswarte@laas.fr - Tel:+33/61336288 - Fax:+33/61336411 ====
ESORICS 92
Preliminary Programme
European Symposium on Research in Computer Security
November 23-25, 1992, Toulouse, France
Computer security is concerned with the protection of information in
environments where there is a possibility of intrusion or malicious action. The
aim of ESORICS is to further the progress of research in computer security by
establishing a European forum for bringing together researchers in this area,
by promoting the exchange of ideas with system developers and by encouraging
links with researchers in related areas. To achieve this aim under the best
conditions, ESORICS 92 will be a single track symposium and the selected papers
will be presented in a conference hall whose capacity is 290 attendees. ESORICS
92 is the second symposium of a series started with ESORICS 90 held in Toulouse
in October, 1990.
Symposium Chair: Gerard Eizenberg (ONERA/CERT, France)
Organized by AFCET
In Cooperation with
BCS The British Computer Society
CNRS Centre National de la Recherche Scientifique
DISSI Delegation Interministerielle pour la Securite des
Systemes d'Information
DRET Direction des Recherches Etudes et Techniques
ERCIM European Research Consortium for Informatics and
Mathematics
GI Gesellschaft fur Informatik
IEE Institute of Electrical Engineers
INRIA Institut National de Recherche en Informatique et
Automatique
NGI Nederlands Genootschap voor Informatica
PROGRAMME
Monday, November 23, 1992
9:00-10:30 Registration and welcome coffee
10:30-11:00 Introduction to ESORICS 92
11:00-12:30 Session: Access Control
Towards security in an open systems federation
(John A. Bull, Li Gong, Karen R. Sollins)
Type-level access controls for distributed structurally object-oriented
database systems (Udo Kelter)
On the Chinese wall model (Volker Kessler)
12:30-14:15 Lunch
14:15-15:45 Session: Formal Methods
Formal methods and automated tool for timing-channel identification in TCB
source code (Jingsha He, Virgil D. Gligor)
Separating the specification and implementation phases in cryptography
(Marie-Jeanne Toussaint)
Formal specification of security requirements using the theory of
normative positions (Andrew J. I. Jones, Marek Sergot)
15:45-16:15 Break
16:15-17:45 Invited Talks
Roger Needham: Key management (to be confirmed)
Yvo Desmedt: Different views on security
18:00-... Buffet
18:30-... Poster Session
[ESORICS 92 will include Poster Sessions devoted to presentations on work in
progress, recent research results and innovative proposals. These poster
sessions will be held in rooms with paperboards and poster supports, these
rooms being available at any time from the beginning to the end of the
symposium. If you are interested in posting a presentation, please submit a
short description of your presentation with your registration before September
30, 1992. Notification of acceptance or rejection will be sent by October 25,
1992].
PROGRAMME
Tuesday, November 24, 1992
8:30- 9:00 Welcome coffee
9:00-10:30 Session: Authentication I
Verification and modelling of authentication protocols
(Ralf C. Hauser, E. Stewart Lee)
KryptoKnight authentication and key distribution system
(Refik Molva, Gene Tsudik, Els Van Herreweghen, Stefano Zatti)
Associating metrics to certification paths (Anas Tarah, Christian Huitema)
11:00-12:30 Session: Distributed Systems
An object-oriented view of fragmented data processing for fault and
intrusion tolerance in distributed systems
(Jean-Charles Fabre, Brian Randell)
The development and testing of the identity-based conference key
distribution system for the RHODOS distributed system
(M. Wang, A. Goscinski)
Policy enforcement in stub autonomous domains (Gene Tsudik)
14:15-15:45 Session: Authentication II
Freshness assurance of authentication protocols
(Kwok-Yan Lam, Dieter Gollmann)
A formal framework for authentication (Colin Boyd)
Timely authentication in distributed systems (Kwok-Yan Lam, Thomas Beth)
16:15-17:00 Invited Talk
Yvon Klein: What research for security evaluation ?
17:00-18:15 Panel: Availability and Integrity
18:30-... Poster Session
20:00-... Banquet
PROGRAMME
Wednesday, November 25, 1992
8:30- 9:00 Welcome coffee
9:00-10:30 Session: Database Security
Polyinstantiation for cover stories (Ravi S. Sandhu, Sushil Jajodia)
On transaction processing for multilevel secure replicated databases
(I. E. Kang, T. F. Keefe)
Security constraint processing in multilevel secure AMAC schemata
(G. Pernul)
11:00-12:00 Session: System Architectures
M2S: A machine for multilevel security
(Bruno d'Ausbourg, Jean-Henri Llareus)
GDoM, a multilevel document manager (Christel Calas)
13:45-15:15 Session: Applications
UEPS - A second generation electronic wallet (Ross J. Anderson)
A hardware design model for cryptographic algorithms
(Joan Daemen, Rene Govaerts, Joos Vandewalle)
ASAX: Software architecture and rule-based language for universal audit
trail analysis (Naji Habra, B. Le Charlier, A. Mounji, I. Mathieu)
15:15-15:30 Closing Remarks
Programme Committee:
Jean-Jacques Quisquater (UCL, Belgium), Chair
Bruno d'Ausbourg (ONERA-CERT, France)
Joachim Biskup (Universitat Hildesheim, Germany)
Peter Bottomley (RSRE, United Kingdom)
Yvo Desmedt (University of Wisconsin-Milwaukee, USA)
Yves Deswarte (LAAS-CNRS & INRIA, France)
Gerard Eizenberg (ONERA-CERT, France)
Amos Fiat (University of Tel-Aviv, Israel)
Dieter Gollmann (University of London, United Kingdom)
Franz-Peter Heider (GEI, Germany)
Jeremy Jacob (Oxford University, United Kingdom)
Helmut Kurth (IABG, Germany)
Jean-Claude Laprie (LAAS-CNRS, France)
Peter Landrock (Aarhus University, Denmark)
Teresa Lunt (SRI, USA)
John McDermid (University of York, United Kingdom)
John McLean (NRL, USA)
Catherine Meadows (NRL, USA)
Jonathan Millen (MITRE, USA)
Emilio Montolivo (Fondazione Ugo Bordoni, Italy)
Roger Needham (University of Cambridge, United Kingdom)
Alfredo de Santis (Universita di Salerno, Italy)
Einar Snekkenes (NDRE, Norway)
Marie-Jeanne Toussaint (Universite de Liege, Belgium)
Kioumars Yazdanian (ONERA-CERT, France)
Organization Committee:
Yves Deswarte (LAAS-CNRS & INRIA, France), Chair
Laurent Cabirol (SCSSI, France)
Jean-Francois Cornet (Consultant, France)
Michel Dupuy (ENST, France)
Marie-Therese Ippolito (LAAS-CNRS, France)
Marie-France Kalogera (AFCET, France)
Paul Richy (CNET, France)
Pierre Rolin (ENSTA, France)
Kioumars Yazdanian (ONERA-CERT, France)
GENERAL INFORMATION
Symposium Location: Hotel Palladia
271 avenue de Grande Bretagne, 31300 Toulouse, France
telephone: +33 62 120 120, fax: +33 62 120 121
Hotel Palladia is located in the west district of Toulouse,
5 km from city centre.
Access to Toulouse:
- By plane: Toulouse-Blagnac International Airport
(telephone: +33 61 42 44 00). Hotel Palladia is 4 km from the
airport. Approximate taxi fare is 50 FF.
- By train: Toulouse-Matabiau railway station (telephone:
+33 61 62 50 50). Bus 14 from railway station to "Chardonnet"
stop (in front of Hotel Palladia). Approximate taxi fare is 70FF.
- By car: Toulouse is linked to the main European road networks.
On the Toulouse ring, direction Auch, exit 1 to Casselardit-Purpan.
Tourist Information: Office du Tourisme, Donjon du Capitole,
31000 Toulouse, telephone: +33 61 11 02 22
Visa: For non European Community citizens, please check with the
French Consulate in your home country if you need a visa. Visa
applications take approximately 4 weeks to process.
Registration Procedure:
- Advance: Please complete the registration form and send it to
AFCET. About 15 days before the beginning of the symposium,
registered participants will receive their pass, which is to be
presented at the registration desk to receive symposium documents.
- On-Site: Registration desk and welcome service will be available
from 8:30 am to 8:00 pm on Monday 23, to 7:30 pm on Tuesday 24 and
to 4:00 pm on Wednesday 25.
- Fellowships: Applications for half-rate registrations can be sent
to AFCET with due justification. Students wishing to apply for
these fellowships should join a recommendation letter from their
professor.
- Fees: Registrations fees include admission to the technical ses-
sions, one copy of the proceedings, breaks, lunches, Monday buffet
and Tuesday banquet.
Payments: Payments are accepted in French Francs only:
- by credit cards (Visa International or MasterCard only): complete
the charge authorization on the registration form.
- by banker's draft (with indication of your name and ESORICS 92),
to the order of AFCET, bank account 502 650 009-02 at BIMP,
22 rue Pasquier, 75008 Paris, France. Please ask your bank to
arrange the transfer at no cost for the beneficiary. Bank charges,
if any, are at the participant's expense. To guarantee your regis-
tration, enclose a copy of your bank transfer.
Cancellations: Refunds of 50% will be made if a written request is
received before October 23, 1992. No refunds will be made for
cancellations received after this date. In case of symposium
cancellation for reasons beyond its control, AFCET limits its
liability to the registration fees already paid.
Proceedings: ESORICS 92 proceedings will be distributed on-site to
registered participants. Extra copies of ESORICS 92 and ESORICS 90
proceedings will be sold on-site.
Languages: English and French, with simultaneous translation.
Social Event: A dinner banquet will be offered to all registered
participants on Tuesday, November 24, 1992. For accompanying
persons, banquet price is 250 FF.
Post-Symposium Tour: A visit (by bus) of Toulouse, the medieval city
of Carcassonne and their region will be organized on Thursday,
November 26, 1992. If interested, please tick the corresponding
box on the registration form to receive tour information.
Travel Discounts: About 35% reduction for some Air Inter domestic
return flights can be obtained for the Symposium dates. Please
tick the appropriate box on the registration form to receive your
discount voucher.
Hotel Reservations: There are many hotels in Toulouse in every
category. A list of hotels, within walking distance from Hotel
Palladia and offering special prices to ESORICS 92 participants,
is given at the end of this message. For your reservation, please
contact DIRECTLY the hotel of your choice; do not forget to
mention ESORICS 92.
Local Organization: Marie-Therese Ippolito, LAAS-CNRS,
7 avenue du Colonel Roche, 31077 Toulouse (France),
telephone: +33 61 33 62 74, fax: +33 61 55 35 77,
E-mail: esorics@laas.fr.
REGISTRATION FORM
To be sent to: AFCET - ESORICS 92
156, boulevard Pereire
75017 Paris (France)
Fax : +33 1 42 67 93 12
Telephone: +33 1 47 66 24 19
(Please print)
Name:
First Name:
Company:
Address:
Country:
Telephone : Fax :
Nb of invoices requested:
Invoice(s) to be sent to:
Air Inter Discount
[] Please send me an Air Inter discount voucher
Post-Symposium Tour
[] Please send me tour information
Poster Session
[] I wish to present a poster and I enclose its description.
FEE (18.6% VAT included):
Member: AFCET [] BCS [] GI [] IEE [] NGI []
Before October 24, 1992 : 3000 FF []
After October 23, 1992 : 3500 FF []
Non member:
Before October 24, 1992 : 3300 FF []
After October 23, 1992 : 3800 FF []
Accompanying persons for banquet: x 250 FF
TOTAL : FF
PAYMENT (enclosed):
Banker's draft []
Purchase order []
Credit Card Authorization:
I duly authorize you to charge my Visa Intl []
MasterCard []
Expiration : Card Number:
Card holder name:
Signature: Date :
HOTEL LIST
For all reservations, contact DIRECTLY the hotel of your choice,
mentioning ESORICS 92, and confirm your reservation by fax or telex.
Palladia ****
271 avenue de Grande Bretagne, 31300 Toulouse
telephone : +33 62 120 120 fax : +33 62 120 121
single 490 FF, breakfast 70 FF
(Free shuttle available on request from the airport)
Dotel ***
Avenue des Arenes Romaines, 31300 Toulouse
telephone : +33 61 83 83 fax : +33 61 31 00 10
single 320 FF, breakfast included
(Free shuttle available on request from the airport)
Novotel Toulouse Purpan ***
23 Impasse Maubec, 31300 Toulouse
telephone : +33 61 49 34 10 fax : +33 61 49 63 37
single 430 FF, breakfast 47 FF
(Free shuttle available on request from the airport)
Le Grande Bretagne ***
300 avenue de Grande Bretagne, 31300 Toulouse
telephone : +33 61 31 84 85 fax : +33 61 31 87 12
single 390 FF, breakfast included
Campanile Purpan **
33 route de Bayonne, 31300 Toulouse
telephone : +33 61 31 09 09 fax : +33 61 31 09 10
single 240 FF, breakfast 29 FF
Gascogne **
25 allees Charles de Fitte, 31300 Toulouse
telephone : +33 61 59 27 44 telex : 521090F
single 230 FF, breakfast 35 FF
(3 km from Hotel Palladia, bus 14 "Saint-Cyprien" stop)
===== Yves Deswarte - LAAS-CNRS & INRIA - 31077 Toulouse (France) =====
==== E-mail:deswarte@laas.fr - Tel:+33/61336288 - Fax:+33/61336411 ====
Please report problems with the web pages to the maintainer