Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
In Risks V14, No 58, an anonymous person submitted a claim from another person, who also wished to remain anonymous, that a bulletin board calling itself AIS BBS and claiming to be an official activity of the US Treasury Department, exists and makes virus code available for downloads. Our anonymous poster apparently believes this - >I am dismayed that this type of activity is being condoned by an American >Governmental Agency. I can only hope that this operation is shut down and the >responsible parties are reprimanded. I am extremely disturbed by the thought >that my tax money is being used for, what I consider, unethical, immoral and >possibly illegal activities. I know that most of the people reading this list are a little paranoid about risks, but this is ridiculous. The anonymous submitter did not provide the phone number of the BBS so there is no way we can check the claims, but, even if it exists, does anyone seriously believe that it is being run by the Treasury Department? I fully believe that our government sometimes does things that are stupid, immoral, and illegal, but this isn't the kind of stupidity that they do. In short, we need to be critical thinkers. In addition, we need to think about the way in which anonymous posting lets things like this get widely disseminated without exposing the original poster to embarrassment and ridicule. The next hoax, lie, or distortion from an anonymous source may not be this obvious. Is the ability to anonymously make this kind of claim a risk?
ACM Council issued the following statement on computer games a couple of years ago. I believe that, unfortunately, there has been no follow-up. Barbara The pool of potential female and minority scientists and engineers remains virtually untapped, despite demographic trends pointing to the urgent need to train substantial new talent from these sectors. There are products, such as computer games, which are the first significant introduction to technology for most young people. Many girls and minority children do not identify with most of these products which are currently on the market. It is in society's best interest that these products attract and be accessible to these children. Through the appropriate mechanisms, ACM will form a proactive interest group which will address these concerns.
In regard to the questions about the value of space travel and pyramids,
nobody has mentioned the definitive words of the great engineer ( graphite and
pencil manufacturing) and philosopher H. Thoreau. They are:
As for the Pyramids, there is nothing to wonder at in them so much
as the fact that so many men could be found degraded enough to spend
their lives constructing a tomb for some ambitious booby, whom it
would have been wiser and manlier to have drowned in the Nile, and
then given his body to the dogs. (from Walden)
In fact, the whole chapter called "Economy" is filled with such gems. One
more I just have to quote:
Many are concerned about the monuments of the West and the East, -
to know who built them. For my part, I should like to know who in
those days did not build them, - who were above such trifling. But
to proceed with my statistics.
yodaiken@chelm.cs.umass.edu
[An ATM Trojan Horse of a Different Feather. More on the fragmentary
report of Eric's... PGN]
Excerpted from the Boston _Globe_ 12May93. Yankee 24 is a New England ATM
network.
"Fake ATM plays gotcha with users"
[AP] MANCHESTER, Conn. — Some computer-literate thieves stole thousands of
dollars by setting up a bogus automatic teller machine in a mall and using it
to make counterfeit bank cards, authorities said. The mobile machine, rolled
into the Buckland Hills Mall about two weeks ago dispensed money for a time,
but eventually ran out, said Manchester police spokesman Gary Wood.
While customers were using the machine, the ATM recorded their account numbers
and personal identification codes, authorities said. The thieves then made
counterfeit band cards encoded with account information and used them to
withdraw money from ATMs in New York City operated by Citibank and Chemical
Bank.
About $3,000 in fraudulent withdrawals from the ATMs were discovered by late
Monday, said Richard L. Yanak, president of the Yankee 23 ATM network. The
withdrawals were made from accounts based at three Hartford area banks. ...
The bogus machine was once an authentic ATM that the thieves either stole of
acquired on the used market, Yanak said. Unsuspecting customers were forced
to use the 5-foot machine after at least one of the mall's two legitimate ATMs
was sabotaged with glue-covered plastic cards.
The scam was uncovered when a local bank found that someone had tried seven or
eight times to use one of its bank cards at a New York ATM — either because
of a problem with the card or because the thief tried to withdraw more than
the account's limit, Yanak said.
Officials never gave their direct permission to install the machine,
[Margaret] Steeves [Yankee 24's marketing director] said. Police believe the
thieves returned to the mall on Sunday night or early Monday morning to
retrieve the machine. Steeves said ATM customers are protected under federal
banking regulations, which limit their liability to $50 if their loss is
reported within 48 hours.
K. M. Peterson Systems/Network Management Group, Computervision Corp.
The new twist on the scam was that this "ATM machine" dispensed money. According to the radio news report I heard yesterday, it gave out "some cash to forestall suspicion that something was wrong."
Antonella Dalessandro asks for recent citations on pathological conditions
induced by playing video games. Most of the articles I found in a Medline
search were about the use of video games as therapy (e.g. for schizophrenics
or the developmentally disabled) or in experimental use (e.g. assessing
reaction time or attention). However, I did find two major articles on
video game pathology from 1990, and some followups and letters since.
TI - Reflex seizures induced by calculation, card or board games, and
spatial tasks: a review of 25 patients and delineation of the
epileptic syndrome.
SO - Neurology 1990 Aug;40(8):1171-6
AB - Nine patients had reflex activation of seizures by calculation,
card and board games, or spatial tasks. The common denominator
for these and the 16 others reported in the literature appears to
be activity related to function of the parietal lobe. The
clinical and EEG findings in all 25 patients support the
diagnosis of primary generalized epilepsy. Seizures usually start
during adolescence and consist of myoclonus, absences, and
generalized convulsions. Specific inquiry about reflex activation
should be carried out in patients with generalized epilepsy since
this is rarely provided spontaneously. Attacks could be
controlled satisfactorily in 89% of our patients. The genetic
features are those of a primary generalized epileptic disorder
without evidence for a specific inheritance of reflex
sensitivity. Neuropsychological analysis of the stimuli points to
parietal cortical dysfunction. These stimuli lead to activation
of a generalized epileptic process analogous to the occipital
cortical participation in the activation of generalized epileptic
abnormality occurring in patients with photosensitive epilepsy.
TI - Electroclinical study of video-game epilepsy.
SO - Dev Med Child Neurol 1990 Jun;32(6):493-500
AB - Seven patients (five boys, two girls) with video-game epilepsy
(VGE) are reported, which reflects the fact that these games have
increased in popularity recently among Japanese children. Their
ages at onset ranged from four to 13 years. The seizure phenomena
were of three types: generalised tonic-clonic, partial seizure
and headache. Interictal physical and neurological examinations
were within normal limits. EEGs taken while they played
video-games confirmed the diagnosis of VGE and revealed three
triggers of seizures: flashing lights, special figure patterns
and scene-changing. They were recommended to avoid playing
video-games, but sodium valproate was effective if seizures
persisted even after such avoidance.
TI - Video games: benign or malignant?
SO - J Dev Behav Pediatr 1992 Feb;13(1):53-4
TI - Nintendo surgery [letter]
SO - JAMA 1992 May 6;267(17):2329-30
TI - Nintendo elbow [letter]
SO - West J Med 1992 Jun;156(6):667-8
TI - Nintendo neck [letter]
SO - Can Med Assoc J 1991 Nov 15;145(10):1202
TI - Nintendo enuresis [letter]
SO - Am J Dis Child 1991 Oct;145(10):1094
TI - Nintendo power [letter]
SO - Am J Dis Child 1990 Sep;144(9):959
TI - Nintendo epilepsy [letter]
SO - N Engl J Med 1990 May 17;322(20):1473
Lawrence Hunter, PhD., National Library of Medicine, Bldg. 38A, MS-54
Bethesda. MD 20894 USA tel: +1 (301) 496-9300 fax: +1 (301) 496-0673
A quick scan of the Ziff-Davis Computer Database Plus, available on CompuServe,
using the text words "epilep* AND seizure*" revealed the following references:
1 Australia - video games cleared in epilepsy scare., Newsbytes, March 4, 1993
pNEW03040007. Reference # A13669571 Text: Yes (1234 chars) Abstract: No
2 Japan: Nintendo to research epilepsy & video games., Newsbytes, Feb 17, 1993
pNEW02170003. Reference # A13668827 Text: Yes (1314 chars) Abstract: No
3 Trivial pursuits. ('Cyberzone' television program) (Technology)(Virtual
Reality), Computer Weekly, Jan 28, 1993 p28(1). Reference # A13428978 Text:
Yes (5116 chars) Abstract: Yes
4 Military contractor converts to more civilian production. (Israel Aircraft
Industries), Industrial Engineering, Jan 1993 v25 n1 p28(2). Reference #
A13472137 Text: Yes (5019 chars) Abstract: Yes
5 User interfaces: where the rubber meets the road. (Cover Story), Computers
in Healthcare, Feb 1993 v14 n2 p16(5). Reference # A13394186 Text: Yes (12409
chars) Abstract: Yes
6 Is TV game harmful to children? British boy dead. (television-based video
games), Newsbytes, Jan 11, 1993 pNEW01110003. Reference # A13355402 Text: Yes
(1920 chars) Abstract: No
7 Wandering through the brain: the power of a "magic wand" helps neurosurgeons
prepare for complicated procedures. (Applications), Computer Graphics World,
Oct 1992 v15 n10 p71(2). Reference # A12816647 Text: Yes (8554 chars)
Abstract: Yes
8 The Epilog System: automated long-term EEG monitoring for epilepsy.
(electroencephalogram)(includes related articles on valid data keys and the
volume of data generated by EEGs), Computer, Sept 1992 v25 n9 p5(10).
Reference # A12717601 Text: No Abstract: Yes
9 Picture this: wide-ranging developments in data acquisition methods add a
new dimension to computer-based medical imaging. (includes related articles
on medical image terminology, digital video fluoroscopy and one-dimensional
magnetic resonance imaging), Computer Graphics World, Sept 1992 v15 n9 p43(8).
Reference # A12672713 Text: Yes (32524 chars) Abstract: Yes
10 Letters. (Letter to the Editor), PC Magazine, August 1992 v11 n14 p19(4).
Reference # A12436301 Text: Yes (10284 chars) Abstract: No
11 No-Squint II. (SkiSoft Publishing Corp.'s No-Squint II 1.0 utility program
to enhance cursor size on portable computers) (Software Review), Home Office
Computing, Sept 1991 v9 n9 p58(1). Reference # A11203289 Text: Yes (1550
chars) Abstract: No
12 Fascinating rhythm: we can reap more from computers that respond to our
rhythmical nature., Computer Graphics World, August 1990 v13 n8 p117(4).
Reference # A8733680 Text: Yes (7735 chars) Abstract: Yes
13 Are we having fun yet? (ennui among programmers) (Bit by Bit) (column),
Computer Language, August 1990 v7 n8 p113(4). Reference # A8761856 Text: Yes
(8946 chars) Abstract: Yes
14 Word processing. (Real Time), Personal Computing, August 1990 v14 n8
p49(2). Reference # A8719958 Text: Yes (4262 chars) Abstract: Yes
15 This SkiSoft word processor is a welcome sight for sore eyes.,
PC-Computing, March 1990 v3 n3 p56(1). Reference # A8171802 Text: Yes (1448
chars) Abstract: No
16 IBM's research division at work on diverse projects., InfoWorld, July 3,
1989 v11 n27 p37(1). Reference # A7412002 Text: No Abstract: Yes
Michel E. Kabay, Ph.D., Director of Education, National Computer Security
Association Carlisle, PA.
Stimulated by the "Cripple Clipper" Chip discussions, I invested some time to
investigate the European approach in this area. Mobile communication security
is practically available, since some time, in Western Europe based on some
technology which will now alsp be applied in Australia [see Roger Clarke: Risk
Forum 14.56). In contacts with people from producers, carriers and Telecom
research, I collected the following facts:
- Dominated by Western European telecommunications enterprises, a
CCITT subsidiary (CEPT=Conference Europeenne des Administrations des
Postes et des Telecommunications; founded 1959, presently 26 European
countries, mainly from Western/Northern Europe) formed a subgroup
(ETSI=European Telecommunications Standards Institute) which specified,
in a special Memorandum of Understanding (MoU) the GSM standard (=Groupe
Special Mobile). Presently, ETSI (planned as EEC's Standardisation
Institute in this area) has 250 members from industry (63%), carrier
(14%), government (10%), appliers and research (together 10%). Research
here means essentially Telecom and related "research" institutes.
- GSM documents specify roughly the functional characteristics including
secure encryption of transmitted digital messages (see "European digital
cellular telecommunication system (phase 2): Security Related Network
Functions"). Apart from protocols, details of algorithms are secret.
- GSM contains 3 secret algorithms (only given to experts with established
need-to-know, esp. carriers or manufacturers):
Algorithm A3: Authentication algorithm,
Algorithm A8: Cipher Key Generator (essentially a 1-way function),
and
Algorithm A5: Ciphering/Deciphering algorithm (presently A5/1,A5/2).
Used in proper sequence, this set of algorithms shall guarantee that
NOBODY can break the encrypted communication.
- Mobile stations are equipped with a chipcard containing A3 and A8, plus
an ASIC containing A5; the (non-mobile) base stations (from where the
communication flows into the land-based lines) is equipped with an ASIC
realising A5 encryption, and it is connected with an "authentication
center" using (ASIC, potentially software based) A3 and A8 algorithms to
authenticate the mobile participant and generate a session key.
- When a secure communication is started (with the chipcard inserted in
the mobile station), authentication of the mobile participant is
performed by encrypting the individual subscriber key Ki (and some
random seed exchanged between the mobile and base station) with A3 and
sending this to the base station where it is checked against the stored
identity. Length of Ki: 128 bit.
- If authenticated, the individual subscriber key Ki (plus some random
seed exchanged between mobile and basis station) is used to generate a
session key Kc; length of Kc: 64 bit. Different from Clipper, a session
key may be used for more than one session, dependent on the setting of
a flag at generation time; evidently, this feature allows to minimize
communication delays from the authentication process.
- Using session key (Kc), the data stream (e.g. digitized voice) is en-
crypted using the A5 algorithm and properly decrypted at base station.
- A more complex authentication procedure including exchange of IMSI
(International Mobile Subscriber Identity) may be used to authenticate
the subscriber and at the same time to generate the session key (using
a combined "A38" algorithm) and transmit it back to the mobile station.
Comparing the European A5 approach with US' "Cripple Clipper Chip", I find
some surprising basic similarities (apart from minor technical differences,
such as key lengths and using ASICs only versus Chipcard in the mobile
station):
1) Both approaches apply the "SbO Principle" (Security by Obscurity): "what
outsiders don't know, is secure!" Or formulated differently: only
insiders can know whether it contains built-in trapdoors or whether it
is really secure!
2) Both approaches aim at protecting their hemisphere (in the European
case, including some interest spheres such as "down-under", to serve
the distinguished British taste:-) from other hemispheres' competition.
The most significant differences are:
A) that US government tries to masquerade the economic arguments with some
legalistic phrases ("protect citizen's privacy AND protect them against
criminal misuse") whereas Western Europeans must not argue as everybody
knows the dominance of EEC's economic arguments (and the sad situation
of privacy in most EEC countries :-)
B) that US government must produce the rather complex "escrow agencies"
where European law enforcers must only deal with ETSI (manufacturers and
carriers!) about reduced safety in "A5/n" algorithms (n=1,2,...).
Presently, different "A5/n" algorithms are discussed. Apart from the "secure"
original algorithm A5 (now labeled A5/1), a "less secure, export oriented
A5/2" has been specified (according to my source which may not be fully
informed, this will go to "down-under" :-). One argument for such "A5/n"
multiplicity is that availability of more A5/n algorithms may even allow to
select, during authentication, one algorithm from the set thus improving
security of communication; at the same time, as these algorithms are secret,
the secret automatic selection (e.g. triggered by some obscure function
similar to the random exchange in the authentication process) may allow to
crack the encrypted message.
My (contemporary) conclusion is that security of both A5 and CC is
questionable as long as their security cannot be assessed by independent
experts. In both cases, economic interests seem to play a dominant role; there
are clear indications of forthcoming economic "competition", and I wonder
which side Japan will take (maybe they decide to start their own crippled
SecureCom standard?)
Klaus Brunnstein (Univ Hamburg; May 3, 1993)
SECURITY AND CONTROL OF INFORMATION TECHNOLOGY IN SOCIETY
An IFIP WG 9.6 Working Conference to explore the issues:
August 12 - 17, 1993
Venue: the conference ship M/S Ilich between Stockholm and St.Petersburg
Dependence on information technology (IT) is widespread. IT is used for the
option and control of a range of social, industrial, commercial, governmental
and regulatory processes, yet it introduces new potential threats to personal
privacy and freedom, and new opportunities for criminal activity. These
dangers have to be countered and controlled in a manner that balances the
benefits of IT. Therefore careful consideration has to be given to determine
what constitutes the most effective control and regulation of IT. Such topics
should be high on national agendas.
IFIP's Working Group on Information Technology Misuse and the Law (WG 9.6) is
holding a working conference to explore these issues, from 12 to 17 August,
aboard the conference ship M/S Ilich between Stockholm and St.Petersburg. On
the Saturday of the conference week the conference will convene in
St.Petersburg for meetings with Russian representatives, providing a valuable
opportunity to discuss some of the problems of IT in an emerging capitalist
economy.
The conference, Security and Control of Information Technology, will explore
major issues, including particular reference to Eastern European Economies.
The organisers are keen to attract people representing a wide range of
interests, including central government, regulatory bodies, information system
users, relevant public interest groups, the legal profession, and academics.
Participants from all parts of Europe and beyond will be welcome. In addition
to full conference papers there will be discussion groups and shorter
presentations.
Eur. Ing. Richard Sizer (UK), chairman of WG 9.6, is conference chairman, Dr.
Louise Yngstrom (Sweden) is in charge of local organisation and Prof. Martin
Wasik is chairman of the International Programme Committee. The proceedings
will be published by Elsevier North Holland and edited by Ing. Sizer, Prof. M.
Wasik and Prof. R. Kaspersen (Netherlands).
Those desiring to attend the conference and requiring further
information may contact Prof. Wasik at:
Faculty of Law, Manchester University, Manchester M13 9PL, U.K.,
Tel. +44 61 275 3594, Fax +44 61 275 3579.
or for local arrangements, contact Ann-Marie Bodor at:
Dept of Computer ans Systems Sciences, Stockholm University/KTH,
Electrum 230, Sweden, Tel +46 8 162000, Fax +46 8 7039025.
CONFERENCE PROGRAMME
Thursday Evening, August 12
Opening presentation: "The law cannot help"
A debate led by K.Brunnstein (Germany) and R.Kaspersen (Netherlands)
Chairman: Eur. Ing. Richard Sizer (U.K.)
Friday Morning, August 13
Paper 1: "Privacy and Computing: a Cultural Perspective"
R.Lundheim, G.Sindre (Norway)
Paper 2: "Is International Law on Security of Information Systems Emerging ?"
B.Spruyt, B.de Schutter (Belgium)
Paper 3: "On the cutting edge between Privacy and Security"
J.Holvast, R.Ketelaar (Netherlands),
S.Fischer-Huebner (Germany)
Paper 4: "Protection of the Information of Organisations in the
Asia-Pacific region"
M.Jackson (Australia)
Friday Afternoon: Two Discussion Streams
Stream 1: International cultural perspectives on IT, privacy and security
(led by J.Holvast)
Stream 2: Priorities for IT in emerging economies (led by R.Kaspersen)
Saturday August 14
Part I: "IT and Security in Russia. Experts view"
"IT and Security in Russia"
E.V. Evtyushin (Russian Agency for New Information)
"IT vs. Security in Russia"
E.A. Musaev (Russian Academy of Sciences)
"Problems of information protection in the Northwestern region of Russia"
P.A. Kuznetsov (Association for Information Protection)
Part II: "IT and Security in Russia - Commercial sector"
TBD (Sberbank of Russia)
TBD (St Petersburg Chamber of Commerce)
Part III: "It and Security in Russia - Public Sector"
TBD (Public Sector)
Part IV: "Western Developments in IT-Security"
R.Hackworth (U.K.): "The OECD Guidelines on IT Security"
M.Abrams (USA): "From Orange Book to new US Criteria"
P.White (U.K.): "Drafting Security Policies"
TBD "INFOSEC Security Issues in the EC"
Sunday August 15: Tour of St.Petersburg
Monday Morning, August 16
Paper 5: "Recent development in IT security evaluation"
K.Rannenberg (Germany)
Paper 6: "On the formal specification of security requirements"
A.Jones, M.Sergot (Norway)
Paper 7: "Symbiosis of IT security standards"
M.Abrams (USA)
Paper 8: "An Academic Programme for IT Security"
L.Yngstrom (Sweden)
Monday Afternoon: Two workshops based on:
Workshop 1:
Paper 9: "Are US Computer Crime Laws Adequate ?"
L.Young (USA)
Paper 10:"Computer Crime in Slovakia ?"
J.Dragonev, J.Vyskoc (Slovakia)
Paper 11:"Computer Crime Coroners for an IT Society"
S.Kowalski (Sweden)
Workshop 2:
Paper 12:"Computer supported security intelligence"
I.Orci (Sweden)
Paper 13:"Design for security functions of chipcard software"
K.Dippel (Germany)
Paper 14: "Court ordered wiretapping in USA"
G.Turner (USA)
CLOSING DISCUSSION AND CONCLUSIONS, Chairman: R.Sizer (U.K)
(TBD: Speakers to be decided. Details of conference sessions are
subject to change)
The costs of attending the conference are now set as follows:
One delegate: 4175 Swedish Krona
Two delegates sharing one cabin: 3275 Swedish Krona (per person)
Accompanying person: 3175 Swedish Krona (no conference proceedings)
These prices include accommodation, all meals on board of the M/S Ilich and
while in St.Petersburg, an excursion on Sunday and, for delegates, a copy of
all conference papers. Cabins on the ship each have a window and a shower.
Cheques or money orders (in Swedish Krona) should be made payable to the
account: "Foriningen for Sakerhetsinformatik: IFIP WG 9.6" and sent as soon as
possible and, in any event, not later than June 11, to:
Ann-Marie Bodor, Dept. of Computer and Systems Sciences
Stockholm University/KTH, Electrum 230, S-164 40 Kista, Sweden
All registrations are responsible for making their own arrangements for travel
to and from Stockholm, and for their visas and insurance. Registrations most
probably cannot be accepted after June 11 due to the booking deadline for the
cabins on board.
Please report problems with the web pages to the maintainer