In Risks V14, No 58, an anonymous person submitted a claim from another person, who also wished to remain anonymous, that a bulletin board calling itself AIS BBS and claiming to be an official activity of the US Treasury Department, exists and makes virus code available for downloads. Our anonymous poster apparently believes this - >I am dismayed that this type of activity is being condoned by an American >Governmental Agency. I can only hope that this operation is shut down and the >responsible parties are reprimanded. I am extremely disturbed by the thought >that my tax money is being used for, what I consider, unethical, immoral and >possibly illegal activities. I know that most of the people reading this list are a little paranoid about risks, but this is ridiculous. The anonymous submitter did not provide the phone number of the BBS so there is no way we can check the claims, but, even if it exists, does anyone seriously believe that it is being run by the Treasury Department? I fully believe that our government sometimes does things that are stupid, immoral, and illegal, but this isn't the kind of stupidity that they do. In short, we need to be critical thinkers. In addition, we need to think about the way in which anonymous posting lets things like this get widely disseminated without exposing the original poster to embarrassment and ridicule. The next hoax, lie, or distortion from an anonymous source may not be this obvious. Is the ability to anonymously make this kind of claim a risk?
ACM Council issued the following statement on computer games a couple of years ago. I believe that, unfortunately, there has been no follow-up. Barbara The pool of potential female and minority scientists and engineers remains virtually untapped, despite demographic trends pointing to the urgent need to train substantial new talent from these sectors. There are products, such as computer games, which are the first significant introduction to technology for most young people. Many girls and minority children do not identify with most of these products which are currently on the market. It is in society's best interest that these products attract and be accessible to these children. Through the appropriate mechanisms, ACM will form a proactive interest group which will address these concerns.
In regard to the questions about the value of space travel and pyramids, nobody has mentioned the definitive words of the great engineer ( graphite and pencil manufacturing) and philosopher H. Thoreau. They are: As for the Pyramids, there is nothing to wonder at in them so much as the fact that so many men could be found degraded enough to spend their lives constructing a tomb for some ambitious booby, whom it would have been wiser and manlier to have drowned in the Nile, and then given his body to the dogs. (from Walden) In fact, the whole chapter called "Economy" is filled with such gems. One more I just have to quote: Many are concerned about the monuments of the West and the East, - to know who built them. For my part, I should like to know who in those days did not build them, - who were above such trifling. But to proceed with my statistics. email@example.com
[An ATM Trojan Horse of a Different Feather. More on the fragmentary report of Eric's... PGN] Excerpted from the Boston _Globe_ 12May93. Yankee 24 is a New England ATM network. "Fake ATM plays gotcha with users" [AP] MANCHESTER, Conn. — Some computer-literate thieves stole thousands of dollars by setting up a bogus automatic teller machine in a mall and using it to make counterfeit bank cards, authorities said. The mobile machine, rolled into the Buckland Hills Mall about two weeks ago dispensed money for a time, but eventually ran out, said Manchester police spokesman Gary Wood. While customers were using the machine, the ATM recorded their account numbers and personal identification codes, authorities said. The thieves then made counterfeit band cards encoded with account information and used them to withdraw money from ATMs in New York City operated by Citibank and Chemical Bank. About $3,000 in fraudulent withdrawals from the ATMs were discovered by late Monday, said Richard L. Yanak, president of the Yankee 23 ATM network. The withdrawals were made from accounts based at three Hartford area banks. ... The bogus machine was once an authentic ATM that the thieves either stole of acquired on the used market, Yanak said. Unsuspecting customers were forced to use the 5-foot machine after at least one of the mall's two legitimate ATMs was sabotaged with glue-covered plastic cards. The scam was uncovered when a local bank found that someone had tried seven or eight times to use one of its bank cards at a New York ATM — either because of a problem with the card or because the thief tried to withdraw more than the account's limit, Yanak said. Officials never gave their direct permission to install the machine, [Margaret] Steeves [Yankee 24's marketing director] said. Police believe the thieves returned to the mall on Sunday night or early Monday morning to retrieve the machine. Steeves said ATM customers are protected under federal banking regulations, which limit their liability to $50 if their loss is reported within 48 hours. K. M. Peterson Systems/Network Management Group, Computervision Corp.
The new twist on the scam was that this "ATM machine" dispensed money. According to the radio news report I heard yesterday, it gave out "some cash to forestall suspicion that something was wrong."
Antonella Dalessandro asks for recent citations on pathological conditions induced by playing video games. Most of the articles I found in a Medline search were about the use of video games as therapy (e.g. for schizophrenics or the developmentally disabled) or in experimental use (e.g. assessing reaction time or attention). However, I did find two major articles on video game pathology from 1990, and some followups and letters since. TI - Reflex seizures induced by calculation, card or board games, and spatial tasks: a review of 25 patients and delineation of the epileptic syndrome. SO - Neurology 1990 Aug;40(8):1171-6 AB - Nine patients had reflex activation of seizures by calculation, card and board games, or spatial tasks. The common denominator for these and the 16 others reported in the literature appears to be activity related to function of the parietal lobe. The clinical and EEG findings in all 25 patients support the diagnosis of primary generalized epilepsy. Seizures usually start during adolescence and consist of myoclonus, absences, and generalized convulsions. Specific inquiry about reflex activation should be carried out in patients with generalized epilepsy since this is rarely provided spontaneously. Attacks could be controlled satisfactorily in 89% of our patients. The genetic features are those of a primary generalized epileptic disorder without evidence for a specific inheritance of reflex sensitivity. Neuropsychological analysis of the stimuli points to parietal cortical dysfunction. These stimuli lead to activation of a generalized epileptic process analogous to the occipital cortical participation in the activation of generalized epileptic abnormality occurring in patients with photosensitive epilepsy. TI - Electroclinical study of video-game epilepsy. SO - Dev Med Child Neurol 1990 Jun;32(6):493-500 AB - Seven patients (five boys, two girls) with video-game epilepsy (VGE) are reported, which reflects the fact that these games have increased in popularity recently among Japanese children. Their ages at onset ranged from four to 13 years. The seizure phenomena were of three types: generalised tonic-clonic, partial seizure and headache. Interictal physical and neurological examinations were within normal limits. EEGs taken while they played video-games confirmed the diagnosis of VGE and revealed three triggers of seizures: flashing lights, special figure patterns and scene-changing. They were recommended to avoid playing video-games, but sodium valproate was effective if seizures persisted even after such avoidance. TI - Video games: benign or malignant? SO - J Dev Behav Pediatr 1992 Feb;13(1):53-4 TI - Nintendo surgery [letter] SO - JAMA 1992 May 6;267(17):2329-30 TI - Nintendo elbow [letter] SO - West J Med 1992 Jun;156(6):667-8 TI - Nintendo neck [letter] SO - Can Med Assoc J 1991 Nov 15;145(10):1202 TI - Nintendo enuresis [letter] SO - Am J Dis Child 1991 Oct;145(10):1094 TI - Nintendo power [letter] SO - Am J Dis Child 1990 Sep;144(9):959 TI - Nintendo epilepsy [letter] SO - N Engl J Med 1990 May 17;322(20):1473 Lawrence Hunter, PhD., National Library of Medicine, Bldg. 38A, MS-54 Bethesda. MD 20894 USA tel: +1 (301) 496-9300 fax: +1 (301) 496-0673
A quick scan of the Ziff-Davis Computer Database Plus, available on CompuServe, using the text words "epilep* AND seizure*" revealed the following references: 1 Australia - video games cleared in epilepsy scare., Newsbytes, March 4, 1993 pNEW03040007. Reference # A13669571 Text: Yes (1234 chars) Abstract: No 2 Japan: Nintendo to research epilepsy & video games., Newsbytes, Feb 17, 1993 pNEW02170003. Reference # A13668827 Text: Yes (1314 chars) Abstract: No 3 Trivial pursuits. ('Cyberzone' television program) (Technology)(Virtual Reality), Computer Weekly, Jan 28, 1993 p28(1). Reference # A13428978 Text: Yes (5116 chars) Abstract: Yes 4 Military contractor converts to more civilian production. (Israel Aircraft Industries), Industrial Engineering, Jan 1993 v25 n1 p28(2). Reference # A13472137 Text: Yes (5019 chars) Abstract: Yes 5 User interfaces: where the rubber meets the road. (Cover Story), Computers in Healthcare, Feb 1993 v14 n2 p16(5). Reference # A13394186 Text: Yes (12409 chars) Abstract: Yes 6 Is TV game harmful to children? British boy dead. (television-based video games), Newsbytes, Jan 11, 1993 pNEW01110003. Reference # A13355402 Text: Yes (1920 chars) Abstract: No 7 Wandering through the brain: the power of a "magic wand" helps neurosurgeons prepare for complicated procedures. (Applications), Computer Graphics World, Oct 1992 v15 n10 p71(2). Reference # A12816647 Text: Yes (8554 chars) Abstract: Yes 8 The Epilog System: automated long-term EEG monitoring for epilepsy. (electroencephalogram)(includes related articles on valid data keys and the volume of data generated by EEGs), Computer, Sept 1992 v25 n9 p5(10). Reference # A12717601 Text: No Abstract: Yes 9 Picture this: wide-ranging developments in data acquisition methods add a new dimension to computer-based medical imaging. (includes related articles on medical image terminology, digital video fluoroscopy and one-dimensional magnetic resonance imaging), Computer Graphics World, Sept 1992 v15 n9 p43(8). Reference # A12672713 Text: Yes (32524 chars) Abstract: Yes 10 Letters. (Letter to the Editor), PC Magazine, August 1992 v11 n14 p19(4). Reference # A12436301 Text: Yes (10284 chars) Abstract: No 11 No-Squint II. (SkiSoft Publishing Corp.'s No-Squint II 1.0 utility program to enhance cursor size on portable computers) (Software Review), Home Office Computing, Sept 1991 v9 n9 p58(1). Reference # A11203289 Text: Yes (1550 chars) Abstract: No 12 Fascinating rhythm: we can reap more from computers that respond to our rhythmical nature., Computer Graphics World, August 1990 v13 n8 p117(4). Reference # A8733680 Text: Yes (7735 chars) Abstract: Yes 13 Are we having fun yet? (ennui among programmers) (Bit by Bit) (column), Computer Language, August 1990 v7 n8 p113(4). Reference # A8761856 Text: Yes (8946 chars) Abstract: Yes 14 Word processing. (Real Time), Personal Computing, August 1990 v14 n8 p49(2). Reference # A8719958 Text: Yes (4262 chars) Abstract: Yes 15 This SkiSoft word processor is a welcome sight for sore eyes., PC-Computing, March 1990 v3 n3 p56(1). Reference # A8171802 Text: Yes (1448 chars) Abstract: No 16 IBM's research division at work on diverse projects., InfoWorld, July 3, 1989 v11 n27 p37(1). Reference # A7412002 Text: No Abstract: Yes Michel E. Kabay, Ph.D., Director of Education, National Computer Security Association Carlisle, PA.
Stimulated by the "Cripple Clipper" Chip discussions, I invested some time to investigate the European approach in this area. Mobile communication security is practically available, since some time, in Western Europe based on some technology which will now alsp be applied in Australia [see Roger Clarke: Risk Forum 14.56). In contacts with people from producers, carriers and Telecom research, I collected the following facts: - Dominated by Western European telecommunications enterprises, a CCITT subsidiary (CEPT=Conference Europeenne des Administrations des Postes et des Telecommunications; founded 1959, presently 26 European countries, mainly from Western/Northern Europe) formed a subgroup (ETSI=European Telecommunications Standards Institute) which specified, in a special Memorandum of Understanding (MoU) the GSM standard (=Groupe Special Mobile). Presently, ETSI (planned as EEC's Standardisation Institute in this area) has 250 members from industry (63%), carrier (14%), government (10%), appliers and research (together 10%). Research here means essentially Telecom and related "research" institutes. - GSM documents specify roughly the functional characteristics including secure encryption of transmitted digital messages (see "European digital cellular telecommunication system (phase 2): Security Related Network Functions"). Apart from protocols, details of algorithms are secret. - GSM contains 3 secret algorithms (only given to experts with established need-to-know, esp. carriers or manufacturers): Algorithm A3: Authentication algorithm, Algorithm A8: Cipher Key Generator (essentially a 1-way function), and Algorithm A5: Ciphering/Deciphering algorithm (presently A5/1,A5/2). Used in proper sequence, this set of algorithms shall guarantee that NOBODY can break the encrypted communication. - Mobile stations are equipped with a chipcard containing A3 and A8, plus an ASIC containing A5; the (non-mobile) base stations (from where the communication flows into the land-based lines) is equipped with an ASIC realising A5 encryption, and it is connected with an "authentication center" using (ASIC, potentially software based) A3 and A8 algorithms to authenticate the mobile participant and generate a session key. - When a secure communication is started (with the chipcard inserted in the mobile station), authentication of the mobile participant is performed by encrypting the individual subscriber key Ki (and some random seed exchanged between the mobile and base station) with A3 and sending this to the base station where it is checked against the stored identity. Length of Ki: 128 bit. - If authenticated, the individual subscriber key Ki (plus some random seed exchanged between mobile and basis station) is used to generate a session key Kc; length of Kc: 64 bit. Different from Clipper, a session key may be used for more than one session, dependent on the setting of a flag at generation time; evidently, this feature allows to minimize communication delays from the authentication process. - Using session key (Kc), the data stream (e.g. digitized voice) is en- crypted using the A5 algorithm and properly decrypted at base station. - A more complex authentication procedure including exchange of IMSI (International Mobile Subscriber Identity) may be used to authenticate the subscriber and at the same time to generate the session key (using a combined "A38" algorithm) and transmit it back to the mobile station. Comparing the European A5 approach with US' "Cripple Clipper Chip", I find some surprising basic similarities (apart from minor technical differences, such as key lengths and using ASICs only versus Chipcard in the mobile station): 1) Both approaches apply the "SbO Principle" (Security by Obscurity): "what outsiders don't know, is secure!" Or formulated differently: only insiders can know whether it contains built-in trapdoors or whether it is really secure! 2) Both approaches aim at protecting their hemisphere (in the European case, including some interest spheres such as "down-under", to serve the distinguished British taste:-) from other hemispheres' competition. The most significant differences are: A) that US government tries to masquerade the economic arguments with some legalistic phrases ("protect citizen's privacy AND protect them against criminal misuse") whereas Western Europeans must not argue as everybody knows the dominance of EEC's economic arguments (and the sad situation of privacy in most EEC countries :-) B) that US government must produce the rather complex "escrow agencies" where European law enforcers must only deal with ETSI (manufacturers and carriers!) about reduced safety in "A5/n" algorithms (n=1,2,...). Presently, different "A5/n" algorithms are discussed. Apart from the "secure" original algorithm A5 (now labeled A5/1), a "less secure, export oriented A5/2" has been specified (according to my source which may not be fully informed, this will go to "down-under" :-). One argument for such "A5/n" multiplicity is that availability of more A5/n algorithms may even allow to select, during authentication, one algorithm from the set thus improving security of communication; at the same time, as these algorithms are secret, the secret automatic selection (e.g. triggered by some obscure function similar to the random exchange in the authentication process) may allow to crack the encrypted message. My (contemporary) conclusion is that security of both A5 and CC is questionable as long as their security cannot be assessed by independent experts. In both cases, economic interests seem to play a dominant role; there are clear indications of forthcoming economic "competition", and I wonder which side Japan will take (maybe they decide to start their own crippled SecureCom standard?) Klaus Brunnstein (Univ Hamburg; May 3, 1993)
SECURITY AND CONTROL OF INFORMATION TECHNOLOGY IN SOCIETY An IFIP WG 9.6 Working Conference to explore the issues: August 12 - 17, 1993 Venue: the conference ship M/S Ilich between Stockholm and St.Petersburg Dependence on information technology (IT) is widespread. IT is used for the option and control of a range of social, industrial, commercial, governmental and regulatory processes, yet it introduces new potential threats to personal privacy and freedom, and new opportunities for criminal activity. These dangers have to be countered and controlled in a manner that balances the benefits of IT. Therefore careful consideration has to be given to determine what constitutes the most effective control and regulation of IT. Such topics should be high on national agendas. IFIP's Working Group on Information Technology Misuse and the Law (WG 9.6) is holding a working conference to explore these issues, from 12 to 17 August, aboard the conference ship M/S Ilich between Stockholm and St.Petersburg. On the Saturday of the conference week the conference will convene in St.Petersburg for meetings with Russian representatives, providing a valuable opportunity to discuss some of the problems of IT in an emerging capitalist economy. The conference, Security and Control of Information Technology, will explore major issues, including particular reference to Eastern European Economies. The organisers are keen to attract people representing a wide range of interests, including central government, regulatory bodies, information system users, relevant public interest groups, the legal profession, and academics. Participants from all parts of Europe and beyond will be welcome. In addition to full conference papers there will be discussion groups and shorter presentations. Eur. Ing. Richard Sizer (UK), chairman of WG 9.6, is conference chairman, Dr. Louise Yngstrom (Sweden) is in charge of local organisation and Prof. Martin Wasik is chairman of the International Programme Committee. The proceedings will be published by Elsevier North Holland and edited by Ing. Sizer, Prof. M. Wasik and Prof. R. Kaspersen (Netherlands). Those desiring to attend the conference and requiring further information may contact Prof. Wasik at: Faculty of Law, Manchester University, Manchester M13 9PL, U.K., Tel. +44 61 275 3594, Fax +44 61 275 3579. or for local arrangements, contact Ann-Marie Bodor at: Dept of Computer ans Systems Sciences, Stockholm University/KTH, Electrum 230, Sweden, Tel +46 8 162000, Fax +46 8 7039025. CONFERENCE PROGRAMME Thursday Evening, August 12 Opening presentation: "The law cannot help" A debate led by K.Brunnstein (Germany) and R.Kaspersen (Netherlands) Chairman: Eur. Ing. Richard Sizer (U.K.) Friday Morning, August 13 Paper 1: "Privacy and Computing: a Cultural Perspective" R.Lundheim, G.Sindre (Norway) Paper 2: "Is International Law on Security of Information Systems Emerging ?" B.Spruyt, B.de Schutter (Belgium) Paper 3: "On the cutting edge between Privacy and Security" J.Holvast, R.Ketelaar (Netherlands), S.Fischer-Huebner (Germany) Paper 4: "Protection of the Information of Organisations in the Asia-Pacific region" M.Jackson (Australia) Friday Afternoon: Two Discussion Streams Stream 1: International cultural perspectives on IT, privacy and security (led by J.Holvast) Stream 2: Priorities for IT in emerging economies (led by R.Kaspersen) Saturday August 14 Part I: "IT and Security in Russia. Experts view" "IT and Security in Russia" E.V. Evtyushin (Russian Agency for New Information) "IT vs. Security in Russia" E.A. Musaev (Russian Academy of Sciences) "Problems of information protection in the Northwestern region of Russia" P.A. Kuznetsov (Association for Information Protection) Part II: "IT and Security in Russia - Commercial sector" TBD (Sberbank of Russia) TBD (St Petersburg Chamber of Commerce) Part III: "It and Security in Russia - Public Sector" TBD (Public Sector) Part IV: "Western Developments in IT-Security" R.Hackworth (U.K.): "The OECD Guidelines on IT Security" M.Abrams (USA): "From Orange Book to new US Criteria" P.White (U.K.): "Drafting Security Policies" TBD "INFOSEC Security Issues in the EC" Sunday August 15: Tour of St.Petersburg Monday Morning, August 16 Paper 5: "Recent development in IT security evaluation" K.Rannenberg (Germany) Paper 6: "On the formal specification of security requirements" A.Jones, M.Sergot (Norway) Paper 7: "Symbiosis of IT security standards" M.Abrams (USA) Paper 8: "An Academic Programme for IT Security" L.Yngstrom (Sweden) Monday Afternoon: Two workshops based on: Workshop 1: Paper 9: "Are US Computer Crime Laws Adequate ?" L.Young (USA) Paper 10:"Computer Crime in Slovakia ?" J.Dragonev, J.Vyskoc (Slovakia) Paper 11:"Computer Crime Coroners for an IT Society" S.Kowalski (Sweden) Workshop 2: Paper 12:"Computer supported security intelligence" I.Orci (Sweden) Paper 13:"Design for security functions of chipcard software" K.Dippel (Germany) Paper 14: "Court ordered wiretapping in USA" G.Turner (USA) CLOSING DISCUSSION AND CONCLUSIONS, Chairman: R.Sizer (U.K) (TBD: Speakers to be decided. Details of conference sessions are subject to change) The costs of attending the conference are now set as follows: One delegate: 4175 Swedish Krona Two delegates sharing one cabin: 3275 Swedish Krona (per person) Accompanying person: 3175 Swedish Krona (no conference proceedings) These prices include accommodation, all meals on board of the M/S Ilich and while in St.Petersburg, an excursion on Sunday and, for delegates, a copy of all conference papers. Cabins on the ship each have a window and a shower. Cheques or money orders (in Swedish Krona) should be made payable to the account: "Foriningen for Sakerhetsinformatik: IFIP WG 9.6" and sent as soon as possible and, in any event, not later than June 11, to: Ann-Marie Bodor, Dept. of Computer and Systems Sciences Stockholm University/KTH, Electrum 230, S-164 40 Kista, Sweden All registrations are responsible for making their own arrangements for travel to and from Stockholm, and for their visas and insurance. Registrations most probably cannot be accepted after June 11 due to the booking deadline for the cabins on board.
Please report problems with the web pages to the maintainer