I thought the info-mac readers would find this article interesting..... Jay Rolls, Stuttgart, Germany <firstname.lastname@example.org> [sent to RISKS by gio@DARPA.MIL (Gio Wiederhold) via many others] COMPUTER CHEATS TAKE CADSOFT'S BAIT Employees of IBM, Philips, the German federal interior ministry and the federal office for the protection of the constitution are among those who unwittingly 'turned themselves in' when a German computer software company resorted to an undercover strategy to find out who was using illegal copies of one of its programs. Hundreds of customers accepted Cadsoft's offer of a free demonstration program that, unknown to them, searched their computer hard disks for illegal copies. Where the search was successful, a message appeared on the monitor screen inviting the customer to print out and return a voucher for a free handbook of the latest version of the program. However, instead of a handbook the users received a letter from the Bavarian-based software company's lawyers. Since the demonstration program was distributed last June about 400 people have returned the voucher, which contained coded information about the type of computer and the version of the illegally copied Cadsoft program being used. Cadsoft is now seeking damages of at least DM6,000 (ECU3,06E2) each from the illegal users. Cadsoft's tactics are justified by manager Rudolf Hofer as a necessary defence against pirate copying. The company had experienced a 30% drop since 1991 in sales of its successful Eagle design program, which retails at DM2,998. In contrast, demand for a DM25 demo version, which Cadsoft offered with the handbook of the full version, had jumped, indicating that people were acquiring the program from other sources. Although Cadsoft devised its plan with the help of lawyers, doubts have been raised about the legal acceptability of this type of computer detective work. In the case of government offices there is concern about data protection and official secrets. The search program may also have had side-effects that caused other files to be damaged or lost. Cadsoft is therefore preparing itself for what could be a long legal battle with some customers. So far it has reached out-of-court agreement with only about a quarter of those who incriminated themselves.
RISK in paragraph three. The following appeared in the _Milpitas Post_ Vol. 37 No. 2, January 13, 1993, of Milpitas, CA on page 1. Superior Court ruling upholds `Wizards' ban, by Christina Kirby A SUPERIOR court judge has upheld the Milpitas Unified School District's 2-year-old ban on the Wizards spelling game. The ruling was handed down last Friday. The computer game was banned in 1990 by the school board following complaints from parents that it promoted satanic worship. Teachers, seeking to reverse the ban, argued that it infringed on their rights to choose teaching materials, and broke laws prohibiting state agencies, such as school districts, from supporting any religion. The court ruled that the school district had acted within its authority and had not violated the California constitution by banning the game. "With all due respect, we don't agree with the court's decision," said Catherine Porter, an attorney representing the teachers. "Based on the California constitution, we do believe that we provided significant evidence to show that the purpose and effect of the ban was religious and not secular." Pleased by the ruling, Milpitas Superintendent Jack Mackay said, "We always thought the board was acting within its authority to maintain a secular environment." Porter said Monday that the teachers would be discussing whether or not to appeal the decision. email@example.com
Source: St Pete Times, 1/26/93, pg 3B, Tim Roche A personnel supervisor "who knew the ins and outs of a computer system that managed charger accounts for thousands of jewelry store customers along the Eastern Seaboard" and a former co-worker worked a scam using the supervisors ability to alter the computers database, illustrating the risks of: - inadequate controls within the computer system - retail store policy shortcomings - the procedure by which they let users who have had their card stolen continue to charge purchases - flaws in the system accountability "Using computer passwords of other employees, detectives said, Benjamin Francois was able to alter customer records and list a credit card as lost or stolen. Then his friend, John Wise, would appear at a jewelry store and claim to be the customer whose credit card was missing. By store policy, Wise only was required to give sales clerks a name, Social Security number and a secret code that would allow customers whose cards were lost or stolen to continue charging merchandise. "If the clerk asked to see some identification, Wise would explain ... he had no photo to prove he was the customer, but he would give the clerk the secret code Francois had obtained from the computer." Affected between June 2nd and last September were: - jewelry stores in Tampa, Orlando, Palm Beach and Altamonte Springs FL - Jewelers Financial Services, which ran accounts for: . Zales Jewelers, Bailey Banks & Biddle Jewelers, Gordons Jewelers Francois was able to delete the references to stolen or lost cards on the charge accounts after the purchases were made. The two men were arrested after a tip in November led police investigators to "verify the mainframe database" records. Of particular interest: system controls allow Francois to manipulate the database, then hide the activity so that, apparently, the real customers were not billed. If the report is correct, it was the November tip and not any system controls that revealed the thefts. Apparently the charges were allowed to fall into some sort of accounting black hole. Norm deCarteret Advantis - Tampa FL
Heard this on the radio this morning: a major Christian radio network is alerting its member stations to check their latest shipments of religious compact discs before airing them. It seems that some other CDs were mislabelled at the factory and shipped along with the religious ones. Unfortunately the itinerant CDs were by the Dead Kennedys. A spokesman for the radio network said, "This is what happens whenever people get around machines." The CBS newsreader, with masterful understatement, said, "The Dead Kennedys CDs included songs such as, `I Kill Children,' which some Christian listeners may not find inspirational." Peter J. Scott, Member of Technical Staff | firstname.lastname@example.org Jet Propulsion Laboratory, NASA/Caltech | SPAN: GROUCH::PJS
The major telecomm carriers are reporting that 1992 was a bad year for the phone baddies intent on ripping off phone service from corporations. Sprint reported fraud claims by its business customers dived 96 percent, to $670,000, or $1,350 per incident compared to an average loss of $35,000 in 1991. AT&T says fraud claims made to it dropped about 88 percent and MCI says it has also seen a drop in claims. In other words, 1992 losses were a far cry from the $1 billion to $3 billion a year claimed as losses in past years. The major reason for the drop: customer awareness
> Mail Delivery Failure. No room in mailbox. This is because Jock Gill who handles Email for Clinton was at the inauguration and not near his computer for a week. The link is back up and generating *lots* of mail (press releases) from Clinton.
The issues surrounding the topic of possible negative health effects from cellular phone use are going to be among the hottest (no pun intended) in coming years. There are no definitive studies that fully address the complexities of the situation, especially in view of increasing circumstantial evidence that non-ionizing radiation may have more biological effects than previously thought. It's true that walkie-talkies, ham radios, etc. have been around for many years--but there are some potentially significant differences with cellular phones: 1) Most walkie-talkie, police radios, ham radios, etc. are operated in a push-to-talk mode. You're only transmitting when you're actually talking. Cell phones transmit continuously, so exposure is continuous during calls. 2) Cell phones operate at higher frequencies than most common service or ham radios (common hand-held ham radios, for example, usually go no higher than the 440 Mhz band. Cell phones operate in the 800-900 Mhz region, which puts them just about in the microwave range. Recently there have been a number of concerns raised about microwave exposure to the operators of police radar units. We're talking longer exposure and higher frequencies in the radar case--but nobody knows where the "thresholds" might be for exposure to possibly show effects in some persons. The bottom line is that the higher the frequency, the more "energetic" the effects. In at least a couple of the cases of persons accusing cell phones of causing tumors, part of their evidence is the shape and direction of tumor growth--they apparently are aligned with the antenna and growing inward from the outside. Of course, this says nothing about cause and effect--but it has to at least be considered. It's true that cell phones use quite low power. But a little power packs a bigger "punch" at these frequencies, and with the antenna right next to the head the *field strength* (which matters more than the absolute power) can be quite high (inverse square law applies). Concerns about health effects from hand-held radios have been around for a long time. But with the millions of people using continuously transmitting, ultra high frequency units who never did before, some new dimensions are added to the picture--and they are definitely worthy of serious consideration. By the way, not all cellular systems are created equal when it comes to radiation exposure. The new CDMA digital system, for example, throttles back the power from the portable unit depending on how close you are to the cell site--the site transmitter sends a signal back to the handheld controlling the power level. The main reason for doing this is to drastically increase battery life, but it has the additional benefit of reducing overall exposure as well. --Lauren--
"We've had walkie talkies (ok - two way radios) for years with no perceivable or admitted risk to the health of users." Not so. Long term (over 20 years) use of two-way radios by police officers has been linked to higher incidences of glaucoma. This is one reason why the transmitter unit is now worn on the belt, with the microphone pinned to the lapel. (This means that the transmitter irradiates the gonads instead of the eyeballs ... a possible new risk?) -=- Andrew Klossner (email@example.com) (uunet!tektronix!frip.WV.TEK!andrew)
>From Alan Underwood, School of Information Systems, Queensland University of Technology. e-mail firstname.lastname@example.org I am seeking assistance in obtaining copies of any current US/European legislation (proposed or enacted) for the certification of computing professionals. Also, I have seen some reference to 6(?) US States considering such legislation. I would like to know which States so that I can visit them on an upcoming sabbatical. Any assistance would be appreciated.
Sorry, folks — human error strikes again. GAO's distribution center is at (202) 275-6241. The warehouse is in Maryland, but they don't take the orders there. Mea culpa, mea culp, mea maxima culpa. [email@example.com (Stuart Bell) notes FAX (301) 258-4066, no charge for single copies — just provide all info.] [and later from James Paul:] Well, it's worse than I thought. GAO has been migrating to the new Government telephone system and apparently this has caught up with their ordering operation. When you dial (202) 275-6241, you are now directed to call (202) 512-6000. At the same time the message says you will automatically be switched over to the new number. I really apologize for all the confusion. Me, I just get 'em directly.
The **PRELIMINARY DRAFT** of the U.S. Federal Criteria for Information Technology Security (FC) (which will eventually replace the "Orange Book") is available on-line. The files are located on both the NIST Computer Security Bulletin Board and on the NCSC's DOCKMASTER computer system. DOCKMASTER has the FC available in UNIX compressed postscript format, while the NIST BBS has the FC available in PKZIP postscript format. When printed out, both volumes of the document total approximately 280 pages double-sided. By the first week of February, the FC (without the figures) should be available in ASCII format at both sites. The figures will also be available individually in postscript form. What follows are instructions on how to download the files from both sites, how to register your name for announcements, and how to send in comments. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - TO DOWNLOAD THE FILES FROM DOCKMASTER: The files can be found on DOCKMASTER in the directory: >site>pubs>criteria>FC - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - TO DOWNLOAD THE FILES FROM NIST'S BBS: Volumes 1 and 2 of the FC can be accessed through the Internet via anonymous ftp. To download, ftp to csrc.nist.gov or to 22.214.171.124. Log in as "anonymous" and use your Internet address as the password. The FC postscript files are in directory /bbs/nistpubs. The files are fcvol1.ps.Z and fcvol2.ps.Z, for volumes one and two respectively. Both of these volumes have been ZIPped using PKZIP. The PKZIP program is available in /bbs/software should you need to download it. REGISTERING YOUR NAME: When you receive an electronic copy of the draft FC, please send us you name, mailing address, telephone, and e-mail address to the e- mail address listed below and state that you have an electronic copy of the FC. If you distribute the document to additional people in your organization, please send us the same information on those people as well. We will put the names into our database for any further announcements, meeting notices, draft announcements, etc., related to the effort. NIST will be sending out a LIMITED NUMBER of hard copies, but due to the substantial expense of sending out such a large document - even at book rate, we would prefer people to receive the document via electronic means. Therefore, by sending us your name and the names of those in your organization who have the downloaded copies of the document, it saves us from having to send additional hard copies. COMMENTS: We are soliciting TECHNICAL, SUBSTANTIVE comments on the document. The deadline for comments is March 31, 1993. All those who contribute substantive comments will be invited to a two-day workshop at the end of April 1993 to resolve the comments. The workshop will be held in the Washington-Baltimore area in a to-be- announced location. Please send your comments to: firstname.lastname@example.org or, if you prefer, you can send us a 3.5" or 5.25" diskette in MSDOS or UNIX format (please indicate which) to: Federal Criteria Comments ATTN: Nickilyn Lynch NIST/CSL, Bldg 224/RM A241 Gaithersburg, MD 20899 We would prefer to receive electronic copies of comments and/or name registrations, but we will also receive hardcopy comments/name registrations at this same address. You can also contact us via the following fax: FAX: (301) 926-2733 Thank you in advance for your interest in this effort. Federal Criteria Group, National Institute of Standards and Technology
1993 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY May 24-26, 1993, Claremont Resort, Oakland, California Sponsored by the IEEE Technical Committee on Security and Privacy In cooperation with the International Association of Cryptologic Research Symposium Committee Teresa Lunt, General Chair Cristi Garvey, Vice Chair Richard A. Kemmerer, Program Co-Chair John Rushby, Program Co-Chair PRELIMINARY PROGRAM MONDAY 9:00--9:30: Welcoming Remarks: Teresa Lunt and Dick Kemmerer 9:30--10:30: VIRUSES AND INTRUSION DETECTION Doug McIlroy, Session Chair 9:30--10:00: Measuring and Modeling Computer Virus Prevalence Jeffrey Kephart and Steve White 10:00--10:30: USTAT: A Real-Time Intrusion Detection System for UNIX Koral Ilgun 11:00--12:00: CAUSALITY AND INTEGRITY: George Dinolt, Session Chair 11:00--11:30: Preventing Denial and Forgery of Causal Relationships in Distributed Systems Michael Reiter and Li Gong 11:30--12:00: Message Integrity Design Stuart Stubblebine and Virgil Gligor 2:00--3:30: PANEL: Privacy Enhanced Mail Panelists: TO BE ANNOUNCED 4:00--5:00: AUTHENTICATION PROTOCOLS: Teresa Lunt, Session Chair 4:00--4:30 Authentication Method with Impersonal Token Cards Refik Molva and Gene Tsudik 4:30--5:00: Interconnecting Domains with Heterogeneous Key Distribution and Authentication Protocols Frank Piessens, Bart DeDecker and Phil Janson 6:00: POSTER SESSIONS TUESDAY 9:00--10:30: TIMING CHANNELS: John Rushby, Session Chair 9:00-- 9:30: Modelling a Fuzzy Time System Jonathan Trostle 9:30--10:00: On Introducing Noise into the Bus-Contention Channel James Gray 10:00--10:15: Discussant: TO BE ANNOUNCED 10:15--10:30: Open Discussion 11:00--12:00: INFORMATION FLOW: John McLean, Session Chair 11:00--11:30 A Logical Analysis of Authorized and Prohibited Information Flows Frederic Cuppens 11:30--12:00 The Cascade Vulnerability Problem J. Horton, R. Harland, E. Ashby, R. Cooper, W. Hyslop, B. Nickerson, W. Stewart, and K. Ward 2:00--3:30: PANEL: The Federal Criteria Panelists: TO BE ANNOUNCED 4:00--5:00: DATABASE SECURITY: Marv Schaefer, Session Chair 4:00--4:30: A Model of Atomicity for Multilevel Transactions Barbara Blaustein, Sushil Jajodia, Catherine McCollum and LouAnna Notargiacomo 4:30--5:00: Achieving Stricter Correctness Requirements in Multilevel Secure Database Vijayalakshmi Atluri, Elisa Bertino and Sushil Jajodia 5:00: IEEE Technical Committee Meeting 6:00: POSTER SESSIONS WEDNESDAY 9:00--10:30: ANALYSIS OF CRYPTOGRAPHIC PROTOCOLS: Yacov Yacobi, Session Chair 9:00-- 9:30: Trust Relationships in Secure Systems — A Distributed Authentication Perspective Raphael Yahalom, Birgit Klein and Thomas Beth 9:30--10:00: A Logical Language for Specifying Cryptographic Protocol Requirements Paul Syverson and Catherine Meadows 10:00--10:30: A Semantic Model for Authentication Protocols Thomas Woo and Simon Lam 11:00--12:00: SYSTEMS: Virgil Gligor, Session Chair 11:00--11:30: Detection and Elimination of Inference Channels in Multilevel Relational Database Systems X. Qian, M. Stickel, P. Karp, T. Lunt and T. Garvey 11:30---12:00 Assuring Distributed Trusted Mach Todd Fine 12:00: SYMPOSIUM ADJOURNS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Symposium Registration: Dates strictly enforced by postmark. Advance Member (to 4/12/93) $240* Late Member (4/13/93-4/30/93) $290* *Registration must include IEEE number to qualify. Advance Non-Member $300 Late Non-Member $370 Advance Student $50 Late Student $50 Mail registration to: Cristi Garvey R2/2104 TRW Defense Systems Group One Space Park Redondo Beach, CA 90278 (310) 812-0566 ****** ABSOLUTELY NO REGISTRATIONS BY EMAIL ******
The University of York in the UK is running a two day conference on Computers, Security and the Law that may be of interest to the readers of COMP.RISKS. The programme for the conference follows. If you do not think this is a suitable place for this but know of somewhere that is perhaps you could forward it or let me know and I will do so. FINAL PROGRAMME. COMPUTERS: SECURITY AND THE LAW 31 March - 1 April 1993 The conference will be run by the Department of Computer Science in association with the Society for Computers & Law and the Licensing Executives Society . The aim of the conference is to highlight some of the important legal issues that surround the use, and abuse, of computer technology in a way that should be accessible to the non-specialist, such as lawyers or computer scientists. The target audience for the conference is senior management and those in both public and private sector organisations who wish to improve their knowledge about the legal aspects of buying, using or creating computer related products and services. The conference will be of interest to the police, the civil service, banks, insurance and building societies. The programme will take place over two consecutive days. The first day will deal with the legal aspects of intellectual property rights, copyright and contract law as it relates to computer products and services. The second day will deal with the topics of computer crime and its prevention, security, data protection and privacy. The conference dinner will be a Medieval Banquet at St William's College (founded in 1461). The keynote speaker will be Emma Nicholson, MP. Proceedings of the conference will be published and be available to participants after the conference. REGISTRATION AND FEES: Delegates will be able to register for either of the two days separately if they wish. Fees: #275 for full conference, #165 for single day; a discount is available for early booking by 19th February 1993. (See application form for further details. PROGRAMME: DAY ONE 0930 - 0950 Registration 0950 - 1000 Introduction. Chair: Dr Keith C Mander, Head of Department of Computer Science, University of York. 1000 - 1030 Overview of law relating to Intellectual Property Rights. Speaker: David Stanley, Licensing Executives Society. Copyright Law, The Patent Law, The Law of Confidence, The Law of Designs, Trade Marks, Semiconductor regulations. 1030 - 1115 Intellectual Property Rights as they apply to computers. Speaker: John Sykes, Licensing Executives Society. Hardware, software and firmware. Back-up copies, "Look and feel" - the limits to copyright protection, work created on a computer, work generated by a computer. 1145 - 1230 Acquisition of computers 1. Speaker: Geoff Allan, Independent Computer Consultant. How does the acquisition process work?; documents involved - Invitation to Tender, Proposal, Specification; what are the legal ramifications and importance of these documents? 1415 - 1500 Acquisition of computers 2. Speaker: Dai Davis, Society for Computers & Law. The legal issues in acquisition contracts; payment triggers; bespoke software - escrow agreements, maintenance agreements. 1500 - 1545 Facilities Management Contracts. Speaker: Jane Rawlings, Society for Computers & Law. What is facilities management?; types of arrangements available; issues - software licensing and performance; response time, availability, confidentiality, employment, security and computer crime. 1615 - 1700 Review and discussion: a plenary session. 1900 - 2200 Conference Dinner: Keynote Speaker: Emma Nicholson, MP. PROGRAMME: DAY TWO 0930 - 0950 Registration 0950 - 1000 Introduction. Chair: Dai Davis, Society for Computers & Law. 1000 - 1045 Computer crime. Speaker: to be announced on the day. Types of computer fraud, unauthorised access,, unauthorised modification, conspiracy to defraud, blackmail, fraud as theft, other offences. 1045 - 1130 "The Monday morning syndrome". Speaker: Dennis Jackson, Computer Security Consultant, Staffordshire County Council. The story of a real intrusion to a computer system and its world-wide ramifications. 1200 - 1245 Computer crime (Damage to programs or data). Speaker: Dr Jan Hruska, Sophos Ltd. What is a virus?; criminal damage; reckless damage; blackmail, common viruses. 1400 - 1445 Data Protection Act, Security & Privacy. Speaker: Dr J N Woulds, Senior Assistant Registrar, Office of the Data Protection Registrar. Overview and Principles of the Act, legal requirements and constraints on computer users, supervision by the Registrar. 1445 - 1530 Security techniques. Speaker: John A Clark, CSE Lecturer in Safety Critical Systems, University of York. Physical, logical and procedural security; authentication and access control; accounting and intrusion detection; communications security; evaluation. 1530 - 1600 Review and discussion: a plenary session. 1600 Tea and depart. FURTHER DETAILS FROM: Conference Organiser: Francoise Vassie Centre for Continuing Education King's Manor, York, YO1 2EP The University of York Tel 0904 433900 Fax 0904 433906 or E-Mail KIMBLE@UK.AC.YORK.MINSTER
Please report problems with the web pages to the maintainer