The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 30

Tuesday 2 February 1993


o Clever Tactics Against Piracy
Jay Rolls
o Educational computer game banned in Milpitas CA
o "Two charged with computer fraud in credit scam"
Norm deCarteret
o Bible belt broadcast bungle
Peter J. Scott
o Phone Fraud numbers
John Mello
o Re: Clinton Transition Team E-Mail
James Barrett
o Re: EM Radiation (and cell phones)
Lauren Weinstein
Andrew Klossner
o Certification - Proposed Legislation (USA)
Alan Underwood
o Erratum: GAO ordering number
James H. Paul
o The Federal Criteria for Information Technology Security review
Nicki Lynch
o Preliminary Program for 1993 Security & Privacy
Dick Kemmerer
o Computers, Security and the Law
reply to Francoise Vassie
o Info on RISKS (comp.risks)

Clever Tactics Against Piracy

Jay Rolls <>
Fri, 29 Jan 93 14:16:11 +0100
I thought the info-mac readers would find this article interesting.....
Jay Rolls, Stuttgart, Germany  <>

   [sent to RISKS by gio@DARPA.MIL (Gio Wiederhold) via many others]


Employees of IBM, Philips, the German federal interior ministry and the
federal office for the protection of the constitution are among those who
unwittingly 'turned themselves in' when a German computer software company
resorted to an undercover strategy to find out who was using illegal copies of
one of its programs.

Hundreds of customers accepted Cadsoft's offer of a free demonstration program
that, unknown to them, searched their computer hard disks for illegal copies.
Where the search was successful, a message appeared on the monitor screen
inviting the customer to print out and return a voucher for a free handbook of
the latest version of the program. However, instead of a handbook the users
received a letter from the Bavarian-based software company's lawyers.

Since the demonstration program was distributed last June about 400 people
have returned the voucher, which contained coded information about the type of
computer and the version of the illegally copied Cadsoft program being used.
Cadsoft is now seeking damages of at least DM6,000 (ECU3,06E2) each from the
illegal users.

Cadsoft's tactics are justified by manager Rudolf Hofer as a necessary defence
against pirate copying. The company had experienced a 30% drop since 1991 in
sales of its successful Eagle design program, which retails at DM2,998. In
contrast, demand for a DM25 demo version, which Cadsoft offered with the
handbook of the full version, had jumped, indicating that people were
acquiring the program from other sources.

Although Cadsoft devised its plan with the help of lawyers, doubts have been
raised about the legal acceptability of this type of computer detective work.
In the case of government offices there is concern about data protection and
official secrets. The search program may also have had side-effects that
caused other files to be damaged or lost.  Cadsoft is therefore preparing
itself for what could be a long legal battle with some customers.  So far it
has reached out-of-court agreement with only about a quarter of those who
incriminated themselves.

Educational computer game banned in Milpitas CA

Chocolate Flavored Clorox <>
Thu, 21 Jan 93 10:59:25 PST
RISK in paragraph three.

The following appeared in the _Milpitas Post_ Vol. 37 No. 2, January
13, 1993, of Milpitas, CA on page 1.

Superior Court ruling upholds `Wizards' ban, by Christina Kirby

  A SUPERIOR court judge has upheld the Milpitas Unified School
District's 2-year-old ban on the Wizards spelling game.  The ruling was
handed down last Friday.
  The computer game was banned in 1990 by the school board following
complaints from parents that it promoted satanic worship.
  Teachers, seeking to reverse the ban, argued that it infringed on
their rights to choose teaching materials, and broke laws prohibiting
state agencies, such as school districts, from supporting any religion.
  The court ruled that the school district had acted within its authority and
had not violated the California constitution by banning the game.
  "With all due respect, we don't agree with the court's decision," said
Catherine Porter, an attorney representing the teachers.  "Based on the
California constitution, we do believe that we provided significant evidence
to show that the purpose and effect of the ban was religious and not secular."
  Pleased by the ruling, Milpitas Superintendent Jack Mackay said, "We
always thought the board was acting within its authority to maintain a
secular environment."
  Porter said Monday that the teachers would be discussing whether or
not to appeal the decision.

"Two charged with computer fraud in credit scam"

Norm deCarteret 813-878-3994 (TL 438) <>
Sat, 30 Jan 93 11:20:36 EST
Source:  St Pete Times, 1/26/93, pg 3B, Tim Roche

A personnel supervisor "who knew the ins and outs of a computer system that
managed charge accounts for thousands of jewelry store customers along the
Eastern Seaboard" and a former co-worker worked a scam using the supervisor's
ability to alter the computer's database, illustrating the risks of:

  - inadequate controls within the computer system
  - retail store policy shortcomings
  - the procedure by which they let users who have had their card stolen
    continue to charge purchases
  - flaws in the system accountability

"Using computer passwords of other employees, detectives said, Benjamin
Francois was able to alter customer records and list a credit card as lost or
stolen.  Then his friend, John Wise, would appear at a jewelry store and claim
to be the customer whose credit card was missing.  By store policy, Wise only
was required to give sales clerks a name, Social Security number and a secret
code that would allow customers whose cards were lost or stolen to continue
charging merchandise."  "If the clerk asked to see some identification, Wise
would explain ...  he had no photo to prove he was the customer, but he would
give the clerk the secret code Francois had obtained from the computer."

Affected between June 2nd and last September were:
  - jewelry stores in Tampa, Orlando, Palm Beach and Altamonte Springs FL
  - Jewelers Financial Services, which ran accounts for:
    . Zales Jewelers, Bailey Banks & Biddle Jewelers, Gordons Jewelers

Francois was able to delete the references to stolen or lost cards on the
charge accounts after the purchases were made.  The two men were arrested
after a tip in November led police investigators to "verify the mainframe
database" records.

Of particular interest: system controls allowed Francois to manipulate the
database, then hide the activity so that, apparently, the real customers were
not billed.  If the report is correct, it was the November tip and not any
system controls that revealed the thefts.  Apparently the charges were allowed
to fall into some sort of accounting black hole.

Norm deCarteret                                        Advantis - Tampa FL
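The post above faults the controls rather than the tip-off. As an added illustration, not taken from the digest or from the Times article, the following Python sketch shows two detective controls that would have surfaced this pattern without waiting for a tip: an audit-log rule that queues every flag-lost / emergency-code charge / clear-flag cycle for review (recording who performed each step), and a reconciliation of emergency-code charges against what was actually billed. The audit schema, event names, actor logins, account numbers and amounts are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Schema, event names and sample records are all constructed for this
# example; a real card-management system would have its own audit format.


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str        # login whose credentials performed the action
    account: str      # customer charge account
    action: str       # FLAG_LOST, CHARGE_VIA_CODE or CLEAR_LOST
    amount: float = 0.0


@dataclass
class Cycle:
    """A card flagged lost, charged under the emergency code, then unflagged."""
    account: str
    flagged_by: str
    cleared_by: str
    charges: list = field(default_factory=list)

    @property
    def same_actor(self) -> bool:
        return self.flagged_by == self.cleared_by

    @property
    def total(self) -> float:
        return round(sum(e.amount for e in self.charges), 2)


def find_flag_charge_clear_cycles(events, window=timedelta(days=90)):
    """Queue every flag -> emergency charge -> clear cycle for review.

    The cycle itself is what hid the purchases on the account, so each one
    is reported regardless of who performed the steps; same_actor is extra
    context for the reviewer (borrowed passwords would defeat it alone).
    """
    cycles = []
    open_flags = {}  # account -> (FLAG_LOST event, charges seen since)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "FLAG_LOST":
            open_flags[ev.account] = (ev, [])
        elif ev.action == "CHARGE_VIA_CODE" and ev.account in open_flags:
            open_flags[ev.account][1].append(ev)
        elif ev.action == "CLEAR_LOST" and ev.account in open_flags:
            flag_ev, charges = open_flags.pop(ev.account)
            if charges and ev.ts - flag_ev.ts <= window:
                cycles.append(Cycle(ev.account, flag_ev.actor, ev.actor, charges))
    return cycles


def unbilled_code_charges(events, statements):
    """Reconcile emergency-code charges against what was actually billed.

    statements maps account -> amount billed to the customer.  Any positive
    difference is merchandise that left a store without anyone being billed.
    """
    charged = {}
    for ev in events:
        if ev.action == "CHARGE_VIA_CODE":
            charged[ev.account] = charged.get(ev.account, 0.0) + ev.amount
    return {acct: round(amt - statements.get(acct, 0.0), 2)
            for acct, amt in charged.items()
            if amt - statements.get(acct, 0.0) > 0.005}


# Constructed sample log: ACCT-1001 follows the pattern in the article,
# ACCT-2002 is a legitimately lost card handled by separate roles.
SAMPLE_LOG = [
    AuditEvent(datetime(1992, 6, 2, 9, 0), "sup01", "ACCT-1001", "FLAG_LOST"),
    AuditEvent(datetime(1992, 6, 3, 14, 0), "pos-tampa", "ACCT-1001", "CHARGE_VIA_CODE", 1250.00),
    AuditEvent(datetime(1992, 6, 5, 11, 0), "pos-orlando", "ACCT-1001", "CHARGE_VIA_CODE", 980.00),
    AuditEvent(datetime(1992, 6, 9, 16, 0), "sup01", "ACCT-1001", "CLEAR_LOST"),
    AuditEvent(datetime(1992, 7, 1, 10, 0), "cs-agent7", "ACCT-2002", "FLAG_LOST"),
    AuditEvent(datetime(1992, 7, 2, 12, 0), "pos-palmbeach", "ACCT-2002", "CHARGE_VIA_CODE", 210.00),
    AuditEvent(datetime(1992, 7, 15, 9, 0), "card-issuance", "ACCT-2002", "CLEAR_LOST"),
]
# Constructed month-end statements: the first account was never billed.
SAMPLE_STATEMENTS = {"ACCT-1001": 0.0, "ACCT-2002": 210.00}


if __name__ == "__main__":
    for c in find_flag_charge_clear_cycles(SAMPLE_LOG):
        print(f"{c.account}: {len(c.charges)} code charge(s) totalling {c.total:.2f}, "
              f"flagged by {c.flagged_by}, cleared by {c.cleared_by}, "
              f"same actor: {c.same_actor}")
    print("unbilled:", unbilled_code_charges(SAMPLE_LOG, SAMPLE_STATEMENTS))
```

The reconciliation is the control that does not depend on who did what: the article says the supervisor used other employees' passwords, so an actor-based rule on its own would see different logins and stay quiet, whereas goods charged under the emergency code that never reach a statement are visible whichever credentials were used.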

Bible belt broadcast bungle

Peter J. Scott <pjs@euclid.Jpl.Nasa.Gov>
Thu, 28 Jan 93 08:31:21 -0800
Heard this on the radio this morning: a major Christian radio network is
alerting its member stations to check their latest shipments of religious
compact discs before airing them.  It seems that some other CDs were
mislabelled at the factory and shipped along with the religious ones.
Unfortunately the itinerant CDs were by the Dead Kennedys.  A spokesman for
the radio network said, "This is what happens whenever people get around
machines."  The CBS newsreader, with masterful understatement, said, "The Dead
Kennedys CDs included songs such as, `I Kill Children,' which some Christian
listeners may not find inspirational."

Peter J. Scott, Member of Technical Staff    |
Jet Propulsion Laboratory,  NASA/Caltech     |   SPAN:  GROUCH::PJS

Phone Fraud numbers

John Mello <>
Tue, 2 Feb 93 14:31:12 PST
The major telecomm carriers are reporting that 1992 was a bad year for the
phone baddies intent on ripping off phone service from corporations. Sprint
reported fraud claims by its business customers dived 96 percent, to $670,000,
or $1,350 per incident compared to an average loss of $35,000 in 1991. AT&T
says fraud claims made to it dropped about 88 percent and MCI says it has also
seen a drop in claims. In other words, 1992 losses were a far cry from the $1
billion to $3 billion a year claimed as losses in past years. The major reason
for the drop: customer awareness.

Re: Clinton Transition Team E-Mail

James Barrett <>
Thu, 28 Jan 1993 18:12:46 GMT
>    Mail Delivery Failure. No room in mailbox.

This is because Jock Gill who handles Email for Clinton was at the
inauguration and not near his computer for a week.  The link is back up and
generating *lots* of mail (press releases) from Clinton.

Re: EM Radiation (and cell phones) (Menon, RISKS-14.29)

Lauren Weinstein <>
Wed, 27 Jan 93 16:55 PST
The issues surrounding the topic of possible negative health effects from
cellular phone use are going to be among the hottest (no pun intended) in
coming years.

There are no definitive studies that fully address the complexities of the
situation, especially in view of increasing circumstantial evidence that
non-ionizing radiation may have more biological effects than previously

It's true that walkie-talkies, ham radios, etc. have been around for
many years--but there are some potentially significant differences
with cellular phones:

1) Most walkie-talkie, police radios, ham radios, etc. are operated
   in a push-to-talk mode.  You're only transmitting when you're
   actually talking.  Cell phones transmit continuously, so exposure
   is continuous during calls.

2) Cell phones operate at higher frequencies than most common
   service or ham radios (common hand-held ham radios, for
   example, usually go no higher than the 440 MHz band).  Cell
   phones operate in the 800-900 MHz region, which puts them
   just about in the microwave range.

Recently there have been a number of concerns raised about microwave exposure
to the operators of police radar units.  We're talking longer exposure and
higher frequencies in the radar case--but nobody knows where the "thresholds"
might be for exposure to possibly show effects in some persons.  The bottom
line is that the higher the frequency, the more "energetic" the effects.

In at least a couple of the cases of persons accusing cell phones of causing
tumors, part of their evidence is the shape and direction of tumor
growth--they apparently are aligned with the antenna and growing inward from
the outside.  Of course, this says nothing about cause and effect--but it has
to at least be considered.

It's true that cell phones use quite low power.  But a little power packs a
bigger "punch" at these frequencies, and with the antenna right next to the
head the *field strength* (which matters more than the absolute power) can be
quite high (inverse square law applies).

Concerns about health effects from hand-held radios have been around for a
long time.  But with the millions of people using continuously transmitting,
ultra high frequency units who never did before, some new dimensions are added
to the picture--and they are definitely worthy of serious consideration.

By the way, not all cellular systems are created equal when it comes to
radiation exposure.  The new CDMA digital system, for example, throttles back
the power from the portable unit depending on how close you are to the cell
site--the site transmitter sends a signal back to the handheld controlling the
power level.  The main reason for doing this is to drastically increase
battery life, but it has the additional benefit of reducing overall exposure
as well.

Re: EM Radiation - is smoking safer? (Menon, RISKS-14.29)

Andrew Klossner <>
Wed, 27 Jan 93 17:03:44 PST
    "We've had walkie talkies (ok - two way radios) for years with
    no perceivable or admitted risk to the health of users."

Not so.  Long term (over 20 years) use of two-way radios by police officers
has been linked to higher incidences of glaucoma.  This is one reason why the
transmitter unit is now worn on the belt, with the microphone pinned to the

(This means that the transmitter irradiates the gonads instead of the
eyeballs ... a possible new risk?)

  -=- Andrew Klossner  (

Certification - Proposed Legislation (USA)

AProf Alan Underwood <>
Mon, 1 Feb 93 10:07:02 EST
From Alan Underwood, School of Information Systems, Queensland University of
Technology. e-mail

I am seeking assistance in obtaining copies of any current US/European
legislation (proposed or enacted) for the certification of computing
professionals. Also, I have seen some reference to 6(?) US States considering
such legislation. I would like to know which States so that I can visit them
on an upcoming sabbatical.

Any assistance would be appreciated.

Erratum: GAO ordering number

James H. Paul <>
Thu, 28 Jan 1993 10:51:23 -0500 (EST)
Sorry, folks — human error strikes again.  GAO's distribution center
is at (202) 275-6241.  The warehouse is in Maryland, but they don't
take the orders there.  Mea culpa, mea culp, mea maxima culpa.

   [ (Stuart Bell) notes FAX (301) 258-4066,
   no charge for single copies — just provide all info.]

   [and later from James Paul:]

Well, it's worse than I thought.  GAO has been migrating to the new Government
telephone system and apparently this has caught up with their ordering
operation.  When you dial (202) 275-6241, you are now directed to call (202)
512-6000.  At the same time the message says you will automatically be
switched over to the new number.  I really apologize for all the confusion.
Me, I just get 'em directly.

The Federal Criteria for Information Technology Security review

nicki lynch <>
Fri, 29 Jan 93 16:08:16 EST
The **PRELIMINARY DRAFT** of the U.S. Federal Criteria for Information
Technology Security (FC) (which will eventually replace the "Orange Book") is
available on-line.  The files are located on both the NIST Computer Security
Bulletin Board and on the NCSC's DOCKMASTER computer system.  DOCKMASTER has
the FC available in UNIX compressed postscript format, while the NIST BBS has
the FC available in PKZIP postscript format.  When printed out, both volumes
of the document total approximately 280 pages double-sided.  By the first week
of February, the FC (without the figures) should be available in ASCII format
at both sites.  The figures will also be available individually in postscript.

What follows are instructions on how to download the files from both sites,
how to register your name for announcements, and how to send in comments.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


The files can be found on DOCKMASTER in the directory:


      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Volumes 1 and 2 of the FC can be accessed through the Internet via
anonymous ftp. To download, ftp to or to

Log in as "anonymous" and use your Internet address as the password.  The FC
postscript files are in directory /bbs/nistpubs.  The files are
and, for volumes one and two respectively.  Both of these volumes
have been ZIPped using PKZIP.  The PKZIP program is available in /bbs/software
should you need to download it.


When you receive an electronic copy of the draft FC, please send us
your name, mailing address, telephone, and e-mail address to the e-mail
address listed below and state that you have an electronic
copy of the FC. If you distribute the document to additional people
in your organization, please send us the same information on those
people as well.  We will put the names into our database for any
further announcements, meeting notices, draft announcements, etc.,
related to the effort.  NIST will be sending out a LIMITED NUMBER
of hard copies, but due to the substantial expense of sending out
such a large document - even at book rate, we would prefer people
to receive the document via electronic means.  Therefore, by
sending us your name and the names of those in your organization
who have the downloaded copies of the document, it saves us from
having to send additional hard copies.


We are soliciting TECHNICAL, SUBSTANTIVE comments on the document.  The
deadline for comments is March 31, 1993.  All those who contribute substantive
comments will be invited to a two-day workshop at the end of April 1993 to
resolve the comments.  The workshop will be held in the Washington-Baltimore
area in a to-be-announced location.

Please send your comments to:


or, if you prefer, you can send us a 3.5" or 5.25" diskette in
MSDOS or UNIX format (please indicate which) to:

                     Federal Criteria Comments
                     ATTN: Nickilyn Lynch
                     NIST/CSL, Bldg 224/RM A241
                     Gaithersburg, MD  20899

We would prefer to receive electronic copies of comments and/or name
registrations, but we will also receive hardcopy comments/name registrations
at this same address.  You can also contact us via the following fax:

                      FAX: (301) 926-2733

Thank you in advance for your interest in this effort.

Federal Criteria Group, National Institute of Standards and Technology

Preliminary Program for 1993 Security & Privacy

Dick Kemmerer <>
Tue, 02 Feb 93 18:02:25 PST

May 24-26, 1993, Claremont Resort, Oakland, California

Sponsored by the IEEE Technical Committee on Security and Privacy
In cooperation with the International Association of Cryptologic Research

Symposium Committee
  Teresa Lunt, General Chair
  Cristi Garvey, Vice Chair
  Richard A. Kemmerer, Program Co-Chair
  John Rushby, Program Co-Chair


9:00--9:30: Welcoming Remarks: Teresa Lunt and Dick Kemmerer
9:30--10:30:    VIRUSES AND INTRUSION DETECTION   Doug McIlroy, Session Chair
  9:30--10:00:  Measuring and Modeling Computer Virus Prevalence
            Jeffrey Kephart and Steve White
 10:00--10:30:  USTAT: A Real-Time Intrusion Detection System for UNIX
            Koral Ilgun

11:00--12:00:   CAUSALITY AND INTEGRITY:  George Dinolt, Session Chair
  11:00--11:30: Preventing Denial and Forgery of Causal Relationships
        in Distributed Systems
            Michael Reiter and Li Gong
  11:30--12:00: Message Integrity Design
                        Stuart Stubblebine and Virgil Gligor

2:00--3:30:     PANEL: Privacy Enhanced Mail
                        Panelists: TO BE ANNOUNCED

4:00--5:00: AUTHENTICATION PROTOCOLS:  Teresa Lunt, Session Chair
  4:00--4:30    Authentication Method with Impersonal Token Cards
            Refik Molva and Gene Tsudik
  4:30--5:00:   Interconnecting Domains with Heterogeneous Key
        Distribution and Authentication Protocols
            Frank Piessens, Bart DeDecker and Phil Janson


9:00--10:30:    TIMING CHANNELS: John Rushby, Session Chair
   9:00-- 9:30: Modelling a Fuzzy Time System
            Jonathan Trostle
   9:30--10:00: On Introducing Noise into the Bus-Contention Channel
            James Gray
  10:00--10:15: Discussant:  TO BE ANNOUNCED
  10:15--10:30: Open Discussion

11:00--12:00:   INFORMATION FLOW: John McLean, Session Chair
  11:00--11:30  A Logical Analysis of Authorized and Prohibited
        Information Flows
            Frederic Cuppens
  11:30--12:00  The Cascade Vulnerability Problem
            J. Horton, R. Harland, E. Ashby, R. Cooper,
            W. Hyslop, B. Nickerson, W. Stewart, and K. Ward

2:00--3:30: PANEL: The Federal Criteria
            Panelists: TO BE ANNOUNCED

4:00--5:00: DATABASE SECURITY:  Marv Schaefer, Session Chair
  4:00--4:30:   A Model of Atomicity for Multilevel Transactions
            Barbara Blaustein, Sushil Jajodia,
            Catherine McCollum and LouAnna Notargiacomo
  4:30--5:00:   Achieving Stricter Correctness Requirements in
        Multilevel Secure Database
            Vijayalakshmi Atluri, Elisa Bertino and
            Sushil Jajodia

5:00:   IEEE Technical Committee Meeting


9:00--10:30: ANALYSIS OF CRYPTOGRAPHIC PROTOCOLS:  Yacov Yacobi, Session Chair
   9:00-- 9:30: Trust Relationships in Secure Systems
        — A Distributed Authentication Perspective
            Raphael Yahalom, Birgit Klein and Thomas Beth
   9:30--10:00: A Logical Language for Specifying Cryptographic
        Protocol Requirements
            Paul Syverson and Catherine Meadows
  10:00--10:30: A Semantic Model for Authentication Protocols
            Thomas Woo and Simon Lam

11:00--12:00:   SYSTEMS: Virgil Gligor, Session Chair
  11:00--11:30: Detection and Elimination of Inference Channels
        in Multilevel Relational Database Systems
            X. Qian, M. Stickel, P. Karp, T. Lunt and
            T. Garvey
  11:30--12:00  Assuring Distributed Trusted Mach
            Todd Fine


    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Symposium Registration: Dates strictly enforced by postmark.

Advance Member (to 4/12/93) $240*

Late Member (4/13/93-4/30/93) $290*

*Registration must include IEEE number to qualify.

Advance Non-Member $300
Late Non-Member    $370

Advance Student    $50
Late Student       $50

Mail registration to:
        Cristi Garvey
        TRW Defense Systems Group
        One Space Park
        Redondo Beach, CA 90278
        (310) 812-0566


Computers, Security and the Law

Sat, 30 Jan 93 16:14:27
The University of York in the UK is running a two day conference on Computers,
Security and the Law that may be of interest to the readers of COMP.RISKS.
The programme for the conference follows.  If you do not think this is a
suitable place for this but know of somewhere that is perhaps you could
forward it or let me know and I will do so.

                          FINAL PROGRAMME.
                       31 March - 1 April 1993

The conference will be run by the Department of Computer Science in
association with the Society for Computers & Law and the Licensing Executives
Society.

The aim of the conference is to highlight some of the important legal issues
that surround the use, and abuse, of computer technology in a way that should
be accessible to the non-specialist, such as lawyers or computer scientists.

The target audience for the conference is senior management and those in both
public and private sector organisations who wish to improve their knowledge
about the legal aspects of buying, using or creating computer related products
and services. The conference will be of interest to the police, the civil
service, banks, insurance and building societies.

The programme will take place over two consecutive days. The first day will
deal with the legal aspects of intellectual property rights, copyright and
contract law as it relates to computer products and services. The second day
will deal with the topics of computer crime and its prevention, security, data
protection and privacy.

The conference dinner will be a Medieval Banquet at St William's College
(founded in 1461).  The keynote speaker will be Emma Nicholson, MP.

Proceedings of the conference will be published and be available to
participants after the conference.


Delegates will be able to register for either of the two days
separately if they wish.   Fees: £275 for full conference, £165 for
single day; a discount is available for early booking by 19th
February 1993.  (See application form for further details.)


0930 - 0950      Registration

0950 - 1000      Introduction.  Chair: Dr Keith C Mander, Head of
                 Department of Computer Science, University of York.

1000 - 1030      Overview of law relating to Intellectual Property
                 Rights.  Speaker: David Stanley, Licensing
                 Executives Society.

Copyright Law, The Patent Law, The Law of Confidence, The Law of
Designs, Trade Marks, Semiconductor regulations.

1030 - 1115      Intellectual Property Rights as they apply to
                 computers.  Speaker: John Sykes, Licensing
                 Executives Society.

Hardware, software and firmware. Back-up copies, "Look and feel" - the limits
to copyright protection, work created on a computer, work generated by a

1145 - 1230      Acquisition of computers 1.  Speaker: Geoff Allan,
                 Independent Computer Consultant.

How does the acquisition process work?; documents involved - Invitation to
Tender, Proposal, Specification; what are the legal ramifications and
importance of these documents?

1415 - 1500      Acquisition of computers 2.  Speaker: Dai Davis,
                 Society for Computers & Law.

The legal issues in acquisition contracts; payment triggers; bespoke
software - escrow agreements, maintenance agreements.

1500 - 1545      Facilities Management Contracts.  Speaker: Jane
                 Rawlings, Society for Computers & Law.

What is facilities management?; types of arrangements available;
issues - software licensing and performance; response time,
availability, confidentiality, employment, security and computer

1615 - 1700      Review and discussion: a plenary session.
1900 - 2200      Conference Dinner: Keynote Speaker: Emma Nicholson, MP.


0930 - 0950      Registration
0950 - 1000      Introduction.  Chair: Dai Davis, Society for
                 Computers & Law.

1000 - 1045      Computer crime.  Speaker: to be announced on the day.

Types of computer fraud, unauthorised access, unauthorised modification,
conspiracy to defraud, blackmail, fraud as theft, other offences.

1045 - 1130      "The Monday morning syndrome".  Speaker: Dennis Jackson,
                 Computer Security Consultant, Staffordshire County Council.

The story of a real intrusion to a computer system and its world-wide

1200 - 1245      Computer crime (Damage to programs or data).
                 Speaker: Dr Jan Hruska, Sophos Ltd.

What is a virus?; criminal damage; reckless damage; blackmail, common viruses.

1400 - 1445      Data Protection Act, Security & Privacy.  Speaker:
                 Dr J N Woulds, Senior Assistant Registrar, Office of
                 the Data Protection Registrar.

Overview and Principles of the Act, legal requirements and
constraints on computer users, supervision by the Registrar.

1445 - 1530      Security techniques.  Speaker: John A Clark, CSE
                 Lecturer in Safety Critical Systems, University of York.

Physical, logical and procedural security; authentication and access control;
accounting and intrusion detection; communications security; evaluation.

1530 - 1600      Review and discussion: a plenary session.
1600             Tea and depart.


Conference Organiser: Francoise Vassie
Centre for Continuing Education
King's Manor, York, YO1 2EP
The University of York

Tel 0904 433900    Fax 0904 433906
