The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 60

Wednesday 12 May 1993


o Risks of anonymity and credulity
Michael Friedman
o IFIP resolution on demeaning games
Barbara B. Simons
o Thoreau on Pyramids and Space
Victor Yodaiken
o Re: Fake ATM Machine Steals PINs
K. M. Peterson
Al Donaldson
o Re: Epilepsy and video games
Larry Hunter
Mich Kabay
o Mobile ComSec in Europe (A5)
Klaus Brunnstein
o Security&Control of IT in Society
Klaus Brunnstein

Risks of anonymity and credulity

Michael Friedman <>
Tue, 11 May 93 11:13:39 PDT

In Risks V14, No 58, an anonymous person submitted a claim from another
person, who also wished to remain anonymous, that a bulletin board calling
itself AIS BBS and claiming to be an official activity of the US Treasury
Department, exists and makes virus code available for downloads.  Our
anonymous poster apparently believes this -

>I am dismayed that this type of activity is being condoned by an American
>Governmental Agency. I can only hope that this operation is shut down and the
>responsible parties are reprimanded.  I am extremely disturbed by the thought
>that my tax money is being used for, what I consider, unethical, immoral and
>possibly illegal activities.

I know that most of the people reading this list are a little paranoid about
risks, but this is ridiculous.  The anonymous submitter did not provide the
phone number of the BBS so there is no way we can check the claims, but, even
if it exists, does anyone seriously believe that it is being run by the
Treasury Department?  I fully believe that our government sometimes does
things that are stupid, immoral, and illegal, but this isn't the kind of
stupidity that they do.

In short, we need to be critical thinkers.  In addition, we need to think
about the way in which anonymous posting lets things like this get widely
disseminated without exposing the original poster to embarrassment and
ridicule.  The next hoax, lie, or distortion from an anonymous source may not
be this obvious.  Is the ability to anonymously make this kind of claim a

IFIP resolution on demeaning games

"Barbara B. Simons" <>
Tue, 11 May 93 15:58:04 PDT

ACM Council issued the following statement on computer games a couple of
years ago.  I believe that, unfortunately, there has been no follow-up.


  The pool of potential female and minority scientists and engineers
  remains virtually untapped, despite demographic trends pointing to the
  urgent need to train substantial new talent from these sectors.  There are
  products, such as computer games, which are the first significant
  introduction to technology for most young people.  Many girls and minority
  children do not identify with most of these products which are currently on
  the market.

  It is in society's best interest that these products attract and be
  accessible to these children.

  Through the appropriate mechanisms, ACM will form a proactive
  interest group which will address these concerns.

Thoreau on Pyramids and Space (Re: RISKS-14.58)

victor yodaiken <>
Mon, 10 May 1993 20:48:20 -0400

In regard to the questions about the value of space travel and pyramids,
nobody has mentioned the definitive words of the great engineer (graphite and
pencil manufacturing) and philosopher H. Thoreau. They are:

        As for the Pyramids, there is nothing to wonder at in them so much
        as the fact that so many men could be found degraded enough to spend
        their lives constructing a tomb for some ambitious booby, whom it
        would have been wiser and manlier to have drowned in the Nile, and
        then given his body to the dogs. (from Walden)

In fact, the whole chapter called "Economy" is filled with such gems. One
more I just have to quote:
        Many are concerned about the monuments of the West and the East, -
        to know who built them. For my part, I should like to know who in
        those days did not build them, - who were above such trifling. But
        to proceed with my statistics.

Fake ATM Machine Steals PINs (Eric, RISKS-14.59)

K. M. Peterson <KMP@Logos.Prime.COM>
12 May 1993 11:57:08 EDT

[An ATM Trojan Horse of a Different Feather.  More on the fragmentary
report of Eric's...  PGN]

Excerpted from the Boston _Globe_ 12May93.  Yankee 24 is a New England ATM

                  "Fake ATM plays gotcha with users"

[AP] MANCHESTER, Conn. -- Some computer-literate thieves stole thousands of
dollars by setting up a bogus automatic teller machine in a mall and using it
to make counterfeit bank cards, authorities said.  The mobile machine, rolled
into the Buckland Hills Mall about two weeks ago dispensed money for a time,
but eventually ran out, said Manchester police spokesman Gary Wood.

While customers were using the machine, the ATM recorded their account numbers
and personal identification codes, authorities said.  The thieves then made
counterfeit bank cards encoded with account information and used them to
withdraw money from ATMs in New York City operated by Citibank and Chemical

About $3,000 in fraudulent withdrawals from the ATMs were discovered by late
Monday, said Richard L. Yanak, president of the Yankee 24 ATM network.  The
withdrawals were made from accounts based at three Hartford area banks.  ...

The bogus machine was once an authentic ATM that the thieves either stole or
acquired on the used market, Yanak said.  Unsuspecting customers were forced
to use the 5-foot machine after at least one of the mall's two legitimate ATMs
was sabotaged with glue-covered plastic cards.

The scam was uncovered when a local bank found that someone had tried seven or
eight times to use one of its bank cards at a New York ATM -- either because
of a problem with the card or because the thief tried to withdraw more than
the account's limit, Yanak said.

Officials never gave their direct permission to install the machine,
[Margaret] Steeves [Yankee 24's marketing director] said.  Police believe the
thieves returned to the mall on Sunday night or early Monday morning to
retrieve the machine.  Steeves said ATM customers are protected under federal
banking regulations, which limit their liability to $50 if their loss is
reported within 48 hours.

K. M. Peterson  Systems/Network Management Group, Computervision Corp.

Re: Fake ATM Machine Steals PINs (Eric, RISKS-14.59)

Al Donaldson <>
Wed, 12 May 93 11:24:53 EDT

The new twist on the scam was that this "ATM machine" dispensed money.
According to the radio news report I heard yesterday, it gave out
"some cash to forestall suspicion that something was wrong."

Re: Epilepsy and video games

Larry Hunter <>
11 May 93 10:19:26

Antonella Dalessandro asks for recent citations on pathological conditions
induced by playing video games.  Most of the articles I found in a Medline
search were about the use of video games as therapy (e.g. for schizophrenics
or the developmentally disabled) or in experimental use (e.g. assessing
reaction time or attention).  However, I did find two major articles on
video game pathology from 1990, and some followups and letters since.

TI  - Reflex seizures induced by calculation, card or board games, and
      spatial tasks: a review of 25 patients and delineation of the
      epileptic syndrome.
SO  - Neurology 1990 Aug;40(8):1171-6
AB  - Nine patients had reflex activation of seizures by calculation,
      card and board games, or spatial tasks. The common denominator
      for these and the 16 others reported in the literature appears to
      be activity related to function of the parietal lobe. The
      clinical and EEG findings in all 25 patients support the
      diagnosis of primary generalized epilepsy. Seizures usually start
      during adolescence and consist of myoclonus, absences, and
      generalized convulsions. Specific inquiry about reflex activation
      should be carried out in patients with generalized epilepsy since
      this is rarely provided spontaneously. Attacks could be
      controlled satisfactorily in 89% of our patients. The genetic
      features are those of a primary generalized epileptic disorder
      without evidence for a specific inheritance of reflex
      sensitivity. Neuropsychological analysis of the stimuli points to
      parietal cortical dysfunction. These stimuli lead to activation
      of a generalized epileptic process analogous to the occipital
      cortical participation in the activation of generalized epileptic
      abnormality occurring in patients with photosensitive epilepsy.

TI  - Electroclinical study of video-game epilepsy.
SO  - Dev Med Child Neurol 1990 Jun;32(6):493-500
AB  - Seven patients (five boys, two girls) with video-game epilepsy
      (VGE) are reported, which reflects the fact that these games have
      increased in popularity recently among Japanese children. Their
      ages at onset ranged from four to 13 years. The seizure phenomena
      were of three types: generalised tonic-clonic, partial seizure
      and headache. Interictal physical and neurological examinations
      were within normal limits. EEGs taken while they played
      video-games confirmed the diagnosis of VGE and revealed three
      triggers of seizures: flashing lights, special figure patterns
      and scene-changing. They were recommended to avoid playing
      video-games, but sodium valproate was effective if seizures
      persisted even after such avoidance.

TI  - Video games: benign or malignant?
SO  - J Dev Behav Pediatr 1992 Feb;13(1):53-4

TI  - Nintendo surgery [letter]
SO  - JAMA 1992 May 6;267(17):2329-30

TI  - Nintendo elbow [letter]
SO  - West J Med 1992 Jun;156(6):667-8

TI  - Nintendo neck [letter]
SO  - Can Med Assoc J 1991 Nov 15;145(10):1202

TI  - Nintendo enuresis [letter]
SO  - Am J Dis Child 1991 Oct;145(10):1094

TI  - Nintendo power [letter]
SO  - Am J Dis Child 1990 Sep;144(9):959

TI  - Nintendo epilepsy [letter]
SO  - N Engl J Med 1990 May 17;322(20):1473

Lawrence Hunter, PhD., National Library of Medicine, Bldg. 38A, MS-54
Bethesda, MD 20894 USA  tel: +1 (301) 496-9300 fax: +1 (301) 496-0673

Re: Epilepsy and video games (Dalessandro, RISKS-14.58)

"Mich Kabay / JINBU Corp." <>
11 May 93 22:56:41 EDT

A quick scan of the Ziff-Davis Computer Database Plus, available on CompuServe,
using the text words "epilep* AND seizure*" revealed the following references:

1 Australia - video games cleared in epilepsy scare., Newsbytes, March 4, 1993
pNEW03040007.  Reference # A13669571 Text: Yes (1234 chars) Abstract: No

2 Japan: Nintendo to research epilepsy & video games., Newsbytes, Feb 17, 1993
pNEW02170003.  Reference # A13668827 Text: Yes (1314 chars) Abstract: No

3 Trivial pursuits.  ('Cyberzone' television program) (Technology)(Virtual
Reality), Computer Weekly, Jan 28, 1993 p28(1).  Reference # A13428978 Text:
Yes (5116 chars) Abstract: Yes

4 Military contractor converts to more civilian production.  (Israel Aircraft
Industries), Industrial Engineering, Jan 1993 v25 n1 p28(2).  Reference #
A13472137 Text: Yes (5019 chars) Abstract: Yes

5 User interfaces: where the rubber meets the road.  (Cover Story), Computers
in Healthcare, Feb 1993 v14 n2 p16(5).  Reference # A13394186 Text: Yes (12409
chars) Abstract: Yes

6 Is TV game harmful to children?  British boy dead.  (television-based video
games), Newsbytes, Jan 11, 1993 pNEW01110003.  Reference # A13355402 Text: Yes
(1920 chars) Abstract: No

7 Wandering through the brain: the power of a "magic wand" helps neurosurgeons
prepare for complicated procedures.  (Applications), Computer Graphics World,
Oct 1992 v15 n10 p71(2).  Reference # A12816647 Text: Yes (8554 chars)
Abstract: Yes

8 The Epilog System: automated long-term EEG monitoring for epilepsy.
(electroencephalogram)(includes related articles on valid data keys and the
volume of data generated by EEGs), Computer, Sept 1992 v25 n9 p5(10).
Reference # A12717601 Text: No Abstract: Yes

9 Picture this: wide-ranging developments in data acquisition methods add a
new dimension to computer-based medical imaging.  (includes related articles
on medical image terminology, digital video fluoroscopy and one-dimensional
magnetic resonance imaging), Computer Graphics World, Sept 1992 v15 n9 p43(8).
Reference # A12672713 Text: Yes (32524 chars) Abstract: Yes

10 Letters.  (Letter to the Editor), PC Magazine, August 1992 v11 n14 p19(4).
Reference # A12436301 Text: Yes (10284 chars) Abstract: No

11 No-Squint II.  (SkiSoft Publishing Corp.'s No-Squint II 1.0 utility program
to enhance cursor size on portable computers) (Software Review), Home Office
Computing, Sept 1991 v9 n9 p58(1).  Reference # A11203289 Text: Yes (1550
chars) Abstract: No

12 Fascinating rhythm: we can reap more from computers that respond to our
rhythmical nature., Computer Graphics World, August 1990 v13 n8 p117(4).
Reference # A8733680 Text: Yes (7735 chars) Abstract: Yes

13 Are we having fun yet?  (ennui among programmers) (Bit by Bit) (column),
Computer Language, August 1990 v7 n8 p113(4).  Reference # A8761856 Text: Yes
(8946 chars) Abstract: Yes

14 Word processing.  (Real Time), Personal Computing, August 1990 v14 n8
p49(2).  Reference # A8719958 Text: Yes (4262 chars) Abstract: Yes

15 This SkiSoft word processor is a welcome sight for sore eyes.,
PC-Computing, March 1990 v3 n3 p56(1).  Reference # A8171802 Text: Yes (1448
chars) Abstract: No

16 IBM's research division at work on diverse projects., InfoWorld, July 3,
1989 v11 n27 p37(1).  Reference # A7412002 Text: No Abstract: Yes

Michel E. Kabay, Ph.D., Director of Education, National Computer Security
Association Carlisle, PA.

Mobile ComSec in Europe (A5)

Mon, 3 May 1993 19:27:33 +0200

Stimulated by the "Cripple Clipper" Chip discussions, I invested some time to
investigate the European approach in this area. Mobile communication security
has been practically available for some time in Western Europe, based on some
technology which will now also be applied in Australia [see Roger Clarke: RISKS
Forum 14.56]. In contacts with people from producers, carriers and Telecom
research, I collected the following facts:

     - Dominated by Western European telecommunications enterprises, a
       CCITT subsidiary (CEPT=Conference Europeenne des Administrations des
       Postes et des Telecommunications; founded 1959, presently 26 European
       countries, mainly from Western/Northern Europe) formed a subgroup
       (ETSI=European Telecommunications Standards Institute) which specified,
       in a special Memorandum of Understanding (MoU) the GSM standard (=Groupe
       Special Mobile). Presently, ETSI (planned as EEC's Standardisation
       Institute in this area) has 250 members from industry (63%), carrier
       (14%), government (10%), appliers and research (together 10%). Research
       here means essentially Telecom and related "research" institutes.

     - GSM documents specify roughly the functional characteristics including
       secure encryption of transmitted digital messages (see "European digital
       cellular telecommunication system (phase 2): Security Related Network
       Functions"). Apart from protocols, details of algorithms are secret.

     - GSM contains 3 secret algorithms (only given to experts with established
       need-to-know, esp. carriers or manufacturers):
           Algorithm A3: Authentication algorithm,
           Algorithm A8: Cipher Key Generator (essentially a 1-way function),
           Algorithm A5: Ciphering/Deciphering algorithm (presently A5/1,A5/2).
       Used in proper sequence, this set of algorithms shall guarantee that
       NOBODY can break the encrypted communication.

     - Mobile stations are equipped with a chipcard containing A3 and A8, plus
       an ASIC containing A5; the (non-mobile) base stations (from where the
       communication flows into the land-based lines) is equipped with an ASIC
       realising A5 encryption, and it is connected with an "authentication
       center" using (ASIC, potentially software based) A3 and A8 algorithms to
       authenticate the mobile participant and generate a session key.

     - When a secure communication is started (with the chipcard inserted in
       the mobile station), authentication of the mobile participant is
       performed by encrypting the individual subscriber key Ki (and some
       random seed exchanged between the mobile and base station) with A3 and
       sending this to the base station where it is checked against the stored
       identity.  Length of Ki: 128 bit.

     - If authenticated, the individual subscriber key Ki (plus some random
       seed exchanged between mobile and base station) is used to generate a
       session key Kc; length of Kc: 64 bit. Different from Clipper, a session
       key may be used for more than one session, dependent on the setting of
       a flag at generation time; evidently, this feature allows minimizing
       communication delays from the authentication process.

     - Using the session key (Kc), the data stream (e.g. digitized voice) is
       encrypted using the A5 algorithm and properly decrypted at the base station.

     - A more complex authentication procedure including exchange of IMSI
       (International Mobile Subscriber Identity) may be used to authenticate
       the subscriber and at the same time to generate the session key (using
       a combined "A38" algorithm) and transmit it back to the mobile station.

Comparing the European A5 approach with US' "Cripple Clipper Chip", I find
some surprising basic similarities (apart from minor technical differences,
such as key lengths and using ASICs only versus Chipcard in the mobile

    1) Both approaches apply the "SbO Principle" (Security by Obscurity): "what
       outsiders don't know, is secure!" Or formulated differently: only
       insiders can know whether it contains built-in trapdoors or whether it
       is really secure!

    2) Both approaches aim at protecting their hemisphere (in the European
       case, including some interest spheres such as "down-under", to serve
       the distinguished British taste:-) from other hemispheres' competition.

The most significant differences are:

    A) that US government tries to masquerade the economic arguments with some
       legalistic phrases ("protect citizen's privacy AND protect them against
       criminal misuse") whereas Western Europeans must not argue as everybody
       knows the dominance of EEC's economic arguments (and the sad situation
       of privacy in most EEC countries :-)

    B) that US government must produce the rather complex "escrow agencies"
       where European law enforcers must only deal with ETSI (manufacturers and
       carriers!) about reduced safety in "A5/n" algorithms (n=1,2,...).

Presently, different "A5/n" algorithms are discussed. Apart from the "secure"
original algorithm A5 (now labeled A5/1), a "less secure, export oriented
A5/2" has been specified (according to my source which may not be fully
informed, this will go to "down-under" :-). One argument for such "A5/n"
multiplicity is that availability of more A5/n algorithms may even allow
selecting, during authentication, one algorithm from the set, thus improving
security of communication; at the same time, as these algorithms are secret,
the secret automatic selection (e.g. triggered by some obscure function
similar to the random exchange in the authentication process) may allow
cracking the encrypted message.

My (contemporary) conclusion is that security of both A5 and CC is
questionable as long as their security cannot be assessed by independent
experts. In both cases, economic interests seem to play a dominant role; there
are clear indications of forthcoming economic "competition", and I wonder
which side Japan will take (maybe they decide to start their own crippled
SecureCom standard?)

Klaus Brunnstein (Univ Hamburg; May 3, 1993)
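
The authentication and session-key flow described in the list above, as an added example that is not part of the post and not ETSI's code: a Python model of the chipcard (Ki, A3, A8), the authentication centre and the base station, keeping the stated sizes (128-bit Ki, 64-bit Kc), the random-seed/response exchange, and the session-key reuse flag. Because A3, A8 and A5 are secret, the three functions are hypothetical HMAC-SHA256 stand-ins that only mimic their interfaces; the IMSI, Ki and voice frames are constructed test values.

```python
import hashlib
import hmac
import os

# Hypothetical stand-ins for the three secret GSM algorithms.  The post says
# A3, A8 and A5 are not published, so these HMAC-SHA256 constructions mimic
# only their interfaces (inputs, output sizes) and the message flow.

def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: 32-bit signed response to the 128-bit challenge RAND under Ki."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: one-way derivation of the 64-bit session key Kc (8 bytes)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5_keystream(kc: bytes, frame: int, length: int) -> bytes:
    """A5 stand-in: per-frame keystream XORed with the digitised voice or data."""
    out, block = b"", 0
    while len(out) < length:
        msg = frame.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(kc, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def a5_crypt(kc: bytes, frame: int, data: bytes) -> bytes:
    """Encrypt or decrypt one frame; XOR with the keystream is its own inverse."""
    return bytes(x ^ y for x, y in zip(data, a5_keystream(kc, frame, len(data))))

class Sim:
    """Chipcard in the mobile station: holds Ki and runs A3/A8; Ki never leaves it."""
    def __init__(self, imsi: str, ki: bytes):
        if len(ki) != 16:
            raise ValueError("Ki must be 128 bits")
        self.imsi, self._ki, self.kc = imsi, ki, None
    def challenge(self, rand: bytes) -> bytes:
        self.kc = a8_kc(self._ki, rand)          # session key stays on the card
        return a3_sres(self._ki, rand)           # only SRES goes back over the air

class AuthCentre:
    """Network-side store of Ki; gives the base station RAND, SRES and Kc, never Ki."""
    def __init__(self):
        self._ki = {}
    def enrol(self, imsi: str, ki: bytes):
        self._ki[imsi] = ki
    def triplet(self, imsi: str, rand: bytes = None):
        rand = rand or os.urandom(16)            # the random seed exchanged per authentication
        ki = self._ki[imsi]
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)

class BaseStation:
    """Challenges the mobile; RAND and SRES are the only values crossing the air."""
    def __init__(self, auc: AuthCentre):
        self.auc, self.kc = auc, {}
    def authenticate(self, sim: Sim, reuse_key: bool = False):
        if reuse_key and sim.imsi in self.kc:
            return self.kc[sim.imsi]             # the flag the post mentions: skip the round trip
        rand, expected, kc = self.auc.triplet(sim.imsi)
        if not hmac.compare_digest(sim.challenge(rand), expected):
            return None                          # SRES mismatch: wrong Ki, reject
        self.kc[sim.imsi] = kc
        return kc

def place_call(bs: BaseStation, sim: Sim, frames, reuse_key=False):
    """Authenticate, then A5-encrypt at the mobile and decrypt at the base station."""
    if bs.authenticate(sim, reuse_key) is None:
        return None
    received = []
    for n, frame in enumerate(frames):
        over_the_air = a5_crypt(sim.kc, n, frame)                     # mobile side
        received.append(a5_crypt(bs.kc[sim.imsi], n, over_the_air))   # base station side
    return received

if __name__ == "__main__":
    auc = AuthCentre()
    ki = bytes(range(16))                         # constructed test subscriber key
    auc.enrol("IMSI-TEST", ki)
    bs = BaseStation(auc)
    print(place_call(bs, Sim("IMSI-TEST", ki), [b"voice frame 1", b"voice frame 2"]))
    print(place_call(bs, Sim("IMSI-TEST", bytes(16)), [b"voice frame 1"]))  # cloned card, wrong Ki
```

The second call in the demo is rejected at the SRES check because the card holds a different Ki; note that the base station never sees Ki itself, only the triplet handed over by the authentication centre.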

"Security&Control of IT in Society"

Mon, 3 May 1993 18:33:16 +0200

       An IFIP WG 9.6 Working Conference to explore the issues:
                          August 12 - 17, 1993

Venue: the conference ship M/S Ilich between Stockholm and St.Petersburg

Dependence on information technology (IT) is widespread. IT is used for the
operation and control of a range of social, industrial, commercial, governmental
and regulatory processes, yet it introduces new potential threats to personal
privacy and freedom, and new opportunities for criminal activity.  These
dangers have to be countered and controlled in a manner that balances the
benefits of IT. Therefore careful consideration has to be given to determine
what constitutes the most effective control and regulation of IT.  Such topics
should be high on national agendas.

IFIP's Working Group on Information Technology Misuse and the Law (WG 9.6) is
holding a working conference to explore these issues, from 12 to 17 August,
aboard the conference ship M/S Ilich between Stockholm and St.Petersburg. On
the Saturday of the conference week the conference will convene in
St.Petersburg for meetings with Russian representatives, providing a valuable
opportunity to discuss some of the problems of IT in an emerging capitalist

The conference, Security and Control of Information Technology, will explore
major issues, including particular reference to Eastern European Economies.
The organisers are keen to attract people representing a wide range of
interests, including central government, regulatory bodies, information system
users, relevant public interest groups, the legal profession, and academics.
Participants from all parts of Europe and beyond will be welcome. In addition
to full conference papers there will be discussion groups and shorter

Eur. Ing. Richard Sizer (UK), chairman of WG 9.6, is conference chairman, Dr.
Louise Yngstrom (Sweden) is in charge of local organisation and Prof. Martin
Wasik is chairman of the International Programme Committee.  The proceedings
will be published by Elsevier North Holland and edited by Ing. Sizer, Prof. M.
Wasik and Prof. R. Kaspersen (Netherlands).

Those desiring to attend the conference and requiring further
information may contact Prof. Wasik at:

  Faculty of Law, Manchester University, Manchester M13 9PL, U.K.,
  Tel. +44 61 275 3594, Fax +44 61 275 3579.

or for local arrangements, contact Ann-Marie Bodor at:
  Dept of Computer and Systems Sciences, Stockholm University/KTH,
  Electrum 230, Sweden, Tel +46 8 162000, Fax +46 8 7039025.

                        CONFERENCE PROGRAMME

Thursday Evening, August 12

Opening presentation: "The law cannot help"

A debate led by K.Brunnstein (Germany) and R.Kaspersen (Netherlands)
Chairman: Eur. Ing. Richard Sizer (U.K.)

Friday Morning, August 13

Paper 1: "Privacy and Computing: a Cultural Perspective"
         R.Lundheim, G.Sindre (Norway)

Paper 2: "Is International Law on Security of Information Systems Emerging ?"
         B.Spruyt, Schutter (Belgium)

Paper 3: "On the cutting edge between Privacy and Security"
         J.Holvast, R.Ketelaar (Netherlands),
         S.Fischer-Huebner (Germany)

Paper 4: "Protection of the Information of Organisations in the
         Asia-Pacific region"
         M.Jackson (Australia)

Friday Afternoon: Two Discussion Streams

Stream 1: International cultural perspectives on IT, privacy and security
          (led by J.Holvast)

Stream 2: Priorities for IT in emerging economies (led by R.Kaspersen)

Saturday August 14

Part I:  "IT and Security in Russia. Experts view"

"IT and Security in Russia"
E.V. Evtyushin (Russian Agency for New Information)

"IT vs. Security in Russia"
E.A. Musaev (Russian Academy of Sciences)

"Problems of information protection in the Northwestern region of Russia"
P.A. Kuznetsov (Association for Information Protection)

Part II: "IT and Security in Russia - Commercial sector"

TBD (Sberbank of Russia)
TBD (St Petersburg Chamber of Commerce)

Part III: "IT and Security in Russia - Public Sector"

TBD (Public Sector)

Part IV: "Western Developments in IT-Security"

R.Hackworth (U.K.): "The OECD Guidelines on IT Security"
M.Abrams (USA): "From Orange Book to new US Criteria"
P.White (U.K.): "Drafting Security Policies"
TBD "INFOSEC Security Issues in the EC"

Sunday August 15: Tour of St.Petersburg

Monday Morning, August 16

Paper 5: "Recent development in IT security evaluation"
         K.Rannenberg (Germany)

Paper 6: "On the formal specification of security requirements"
         A.Jones, M.Sergot (Norway)

Paper 7: "Symbiosis of IT security standards"
         M.Abrams (USA)

Paper 8: "An Academic Programme for IT Security"
         L.Yngstrom (Sweden)

Monday Afternoon: Two workshops based on:

Workshop 1:

Paper 9: "Are US Computer Crime Laws Adequate ?"
         L.Young (USA)

Paper 10: "Computer Crime in Slovakia ?"
          J.Dragonev, J.Vyskoc (Slovakia)

Paper 11: "Computer Crime Coroners for an IT Society"
          S.Kowalski (Sweden)

Workshop 2:

Paper 12: "Computer supported security intelligence"
          I.Orci (Sweden)

Paper 13: "Design for security functions of chipcard software"
          K.Dippel (Germany)

Paper 14: "Court ordered wiretapping in USA"
         G.Turner (USA)


(TBD: Speakers to be decided. Details of conference sessions are
subject to change)

The costs of attending the conference are now set as follows:

  One delegate: 4175 Swedish Krona
  Two delegates sharing one cabin: 3275 Swedish Krona (per person)
  Accompanying person: 3175 Swedish Krona (no conference proceedings)

These prices include accommodation, all meals on board of the M/S Ilich and
while in St.Petersburg, an excursion on Sunday and, for delegates, a copy of
all conference papers. Cabins on the ship each have a window and a shower.

Cheques or money orders (in Swedish Krona) should be made payable to the
account: "Foriningen for Sakerhetsinformatik: IFIP WG 9.6" and sent as soon as
possible and, in any event, not later than June 11, to:

  Ann-Marie Bodor, Dept. of Computer and Systems Sciences
  Stockholm University/KTH, Electrum 230, S-164 40 Kista, Sweden

All registrants are responsible for making their own arrangements for travel
to and from Stockholm, and for their visas and insurance.  Registrations most
probably cannot be accepted after June 11 due to the booking deadline for the
cabins on board.
