Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I thought the info-mac readers would find this article interesting..... Jay Rolls, Stuttgart, Germany <jrolls@bbn.com> [sent to RISKS by gio@DARPA.MIL (Gio Wiederhold) via many others] COMPUTER CHEATS TAKE CADSOFT'S BAIT Employees of IBM, Philips, the German federal interior ministry and the federal office for the protection of the constitution are among those who unwittingly 'turned themselves in' when a German computer software company resorted to an undercover strategy to find out who was using illegal copies of one of its programs. Hundreds of customers accepted Cadsoft's offer of a free demonstration program that, unknown to them, searched their computer hard disks for illegal copies. Where the search was successful, a message appeared on the monitor screen inviting the customer to print out and return a voucher for a free handbook of the latest version of the program. However, instead of a handbook the users received a letter from the Bavarian-based software company's lawyers. Since the demonstration program was distributed last June about 400 people have returned the voucher, which contained coded information about the type of computer and the version of the illegally copied Cadsoft program being used. Cadsoft is now seeking damages of at least DM6,000 (ECU3,06E2) each from the illegal users. Cadsoft's tactics are justified by manager Rudolf Hofer as a necessary defence against pirate copying. The company had experienced a 30% drop since 1991 in sales of its successful Eagle design program, which retails at DM2,998. In contrast, demand for a DM25 demo version, which Cadsoft offered with the handbook of the full version, had jumped, indicating that people were acquiring the program from other sources. Although Cadsoft devised its plan with the help of lawyers, doubts have been raised about the legal acceptability of this type of computer detective work. In the case of government offices there is concern about data protection and official secrets. The search program may also have had side-effects that caused other files to be damaged or lost. Cadsoft is therefore preparing itself for what could be a long legal battle with some customers. So far it has reached out-of-court agreement with only about a quarter of those who incriminated themselves.
RISK in paragraph three. The following appeared in the _Milpitas Post_ Vol. 37 No. 2, January 13, 1993, of Milpitas, CA on page 1. Superior Court ruling upholds `Wizards' ban, by Christina Kirby A SUPERIOR court judge has upheld the Milpitas Unified School District's 2-year-old ban on the Wizards spelling game. The ruling was handed down last Friday. The computer game was banned in 1990 by the school board following complaints from parents that it promoted satanic worship. Teachers, seeking to reverse the ban, argued that it infringed on their rights to choose teaching materials, and broke laws prohibiting state agencies, such as school districts, from supporting any religion. The court ruled that the school district had acted within its authority and had not violated the California constitution by banning the game. "With all due respect, we don't agree with the court's decision," said Catherine Porter, an attorney representing the teachers. "Based on the California constitution, we do believe that we provided significant evidence to show that the purpose and effect of the ban was religious and not secular." Pleased by the ruling, Milpitas Superintendent Jack Mackay said, "We always thought the board was acting within its authority to maintain a secular environment." Porter said Monday that the teachers would be discussing whether or not to appeal the decision. shaun@octel.com
Source: St Pete Times, 1/26/93, pg 3B, Tim Roche
A personnel supervisor "who knew the ins and outs of a computer system that
managed charger accounts for thousands of jewelry store customers along the
Eastern Seaboard" and a former co-worker worked a scam using the supervisors
ability to alter the computers database, illustrating the risks of:
- inadequate controls within the computer system
- retail store policy shortcomings
- the procedure by which they let users who have had their card stolen
continue to charge purchases
- flaws in the system accountability
"Using computer passwords of other employees, detectives said, Benjamin
Francois was able to alter customer records and list a credit card as lost or
stolen. Then his friend, John Wise, would appear at a jewelry store and claim
to be the customer whose credit card was missing. By store policy, Wise only
was required to give sales clerks a name, Social Security number and a secret
code that would allow customers whose cards were lost or stolen to continue
charging merchandise. "If the clerk asked to see some identification, Wise
would explain ... he had no photo to prove he was the customer, but he would
give the clerk the secret code Francois had obtained from the computer."
Affected between June 2nd and last September were:
- jewelry stores in Tampa, Orlando, Palm Beach and Altamonte Springs FL
- Jewelers Financial Services, which ran accounts for:
. Zales Jewelers, Bailey Banks & Biddle Jewelers, Gordons Jewelers
Francois was able to delete the references to stolen or lost cards on the
charge accounts after the purchases were made. The two men were arrested
after a tip in November led police investigators to "verify the mainframe
database" records.
Of particular interest: system controls allow Francois to manipulate the
database, then hide the activity so that, apparently, the real customers were
not billed. If the report is correct, it was the November tip and not any
system controls that revealed the thefts. Apparently the charges were allowed
to fall into some sort of accounting black hole.
Norm deCarteret Advantis - Tampa FL
Heard this on the radio this morning: a major Christian radio network is alerting its member stations to check their latest shipments of religious compact discs before airing them. It seems that some other CDs were mislabelled at the factory and shipped along with the religious ones. Unfortunately the itinerant CDs were by the Dead Kennedys. A spokesman for the radio network said, "This is what happens whenever people get around machines." The CBS newsreader, with masterful understatement, said, "The Dead Kennedys CDs included songs such as, `I Kill Children,' which some Christian listeners may not find inspirational." Peter J. Scott, Member of Technical Staff | pjs@euclid.jpl.nasa.gov Jet Propulsion Laboratory, NASA/Caltech | SPAN: GROUCH::PJS
The major telecomm carriers are reporting that 1992 was a bad year for the phone baddies intent on ripping off phone service from corporations. Sprint reported fraud claims by its business customers dived 96 percent, to $670,000, or $1,350 per incident compared to an average loss of $35,000 in 1991. AT&T says fraud claims made to it dropped about 88 percent and MCI says it has also seen a drop in claims. In other words, 1992 losses were a far cry from the $1 billion to $3 billion a year claimed as losses in past years. The major reason for the drop: customer awareness
> Mail Delivery Failure. No room in mailbox. This is because Jock Gill who handles Email for Clinton was at the inauguration and not near his computer for a week. The link is back up and generating *lots* of mail (press releases) from Clinton.
The issues surrounding the topic of possible negative health effects from
cellular phone use are going to be among the hottest (no pun intended) in
coming years.
There are no definitive studies that fully address the complexities of the
situation, especially in view of increasing circumstantial evidence that
non-ionizing radiation may have more biological effects than previously
thought.
It's true that walkie-talkies, ham radios, etc. have been around for
many years--but there are some potentially significant differences
with cellular phones:
1) Most walkie-talkie, police radios, ham radios, etc. are operated
in a push-to-talk mode. You're only transmitting when you're
actually talking. Cell phones transmit continuously, so exposure
is continuous during calls.
2) Cell phones operate at higher frequencies than most common
service or ham radios (common hand-held ham radios, for
example, usually go no higher than the 440 Mhz band. Cell
phones operate in the 800-900 Mhz region, which puts them
just about in the microwave range.
Recently there have been a number of concerns raised about microwave exposure
to the operators of police radar units. We're talking longer exposure and
higher frequencies in the radar case--but nobody knows where the "thresholds"
might be for exposure to possibly show effects in some persons. The bottom
line is that the higher the frequency, the more "energetic" the effects.
In at least a couple of the cases of persons accusing cell phones of causing
tumors, part of their evidence is the shape and direction of tumor
growth--they apparently are aligned with the antenna and growing inward from
the outside. Of course, this says nothing about cause and effect--but it has
to at least be considered.
It's true that cell phones use quite low power. But a little power packs a
bigger "punch" at these frequencies, and with the antenna right next to the
head the *field strength* (which matters more than the absolute power) can be
quite high (inverse square law applies).
Concerns about health effects from hand-held radios have been around for a
long time. But with the millions of people using continuously transmitting,
ultra high frequency units who never did before, some new dimensions are added
to the picture--and they are definitely worthy of serious consideration.
By the way, not all cellular systems are created equal when it comes to
radiation exposure. The new CDMA digital system, for example, throttles back
the power from the portable unit depending on how close you are to the cell
site--the site transmitter sends a signal back to the handheld controlling the
power level. The main reason for doing this is to drastically increase
battery life, but it has the additional benefit of reducing overall exposure
as well.
--Lauren--
"We've had walkie talkies (ok - two way radios) for years with
no perceivable or admitted risk to the health of users."
Not so. Long term (over 20 years) use of two-way radios by police officers
has been linked to higher incidences of glaucoma. This is one reason why the
transmitter unit is now worn on the belt, with the microphone pinned to the
lapel.
(This means that the transmitter irradiates the gonads instead of the
eyeballs ... a possible new risk?)
-=- Andrew Klossner (andrew@frip.wv.tek.com)
(uunet!tektronix!frip.WV.TEK!andrew)
>From Alan Underwood, School of Information Systems, Queensland University of Technology. e-mail alanu@snow.fit.qut.edu.au I am seeking assistance in obtaining copies of any current US/European legislation (proposed or enacted) for the certification of computing professionals. Also, I have seen some reference to 6(?) US States considering such legislation. I would like to know which States so that I can visit them on an upcoming sabbatical. Any assistance would be appreciated.
Sorry, folks — human error strikes again. GAO's distribution center is at (202) 275-6241. The warehouse is in Maryland, but they don't take the orders there. Mea culpa, mea culp, mea maxima culpa. [stu@national.mitre.org (Stuart Bell) notes FAX (301) 258-4066, no charge for single copies — just provide all info.] [and later from James Paul:] Well, it's worse than I thought. GAO has been migrating to the new Government telephone system and apparently this has caught up with their ordering operation. When you dial (202) 275-6241, you are now directed to call (202) 512-6000. At the same time the message says you will automatically be switched over to the new number. I really apologize for all the confusion. Me, I just get 'em directly.
The **PRELIMINARY DRAFT** of the U.S. Federal Criteria for Information
Technology Security (FC) (which will eventually replace the "Orange Book") is
available on-line. The files are located on both the NIST Computer Security
Bulletin Board and on the NCSC's DOCKMASTER computer system. DOCKMASTER has
the FC available in UNIX compressed postscript format, while the NIST BBS has
the FC available in PKZIP postscript format. When printed out, both volumes
of the document total approximately 280 pages double-sided. By the first week
of February, the FC (without the figures) should be available in ASCII format
at both sites. The figures will also be available individually in postscript
form.
What follows are instructions on how to download the files from both sites,
how to register your name for announcements, and how to send in comments.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TO DOWNLOAD THE FILES FROM DOCKMASTER:
The files can be found on DOCKMASTER in the directory:
>site>pubs>criteria>FC
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TO DOWNLOAD THE FILES FROM NIST'S BBS:
Volumes 1 and 2 of the FC can be accessed through the Internet via
anonymous ftp. To download, ftp to csrc.nist.gov or to 129.6.54.11.
Log in as "anonymous" and use your Internet address as the password. The FC
postscript files are in directory /bbs/nistpubs. The files are fcvol1.ps.Z
and fcvol2.ps.Z, for volumes one and two respectively. Both of these volumes
have been ZIPped using PKZIP. The PKZIP program is available in /bbs/software
should you need to download it.
REGISTERING YOUR NAME:
When you receive an electronic copy of the draft FC, please send us
you name, mailing address, telephone, and e-mail address to the e-
mail address listed below and state that you have an electronic
copy of the FC. If you distribute the document to additional people
in your organization, please send us the same information on those
people as well. We will put the names into our database for any
further announcements, meeting notices, draft announcements, etc.,
related to the effort. NIST will be sending out a LIMITED NUMBER
of hard copies, but due to the substantial expense of sending out
such a large document - even at book rate, we would prefer people
to receive the document via electronic means. Therefore, by
sending us your name and the names of those in your organization
who have the downloaded copies of the document, it saves us from
having to send additional hard copies.
COMMENTS:
We are soliciting TECHNICAL, SUBSTANTIVE comments on the document. The
deadline for comments is March 31, 1993. All those who contribute substantive
comments will be invited to a two-day workshop at the end of April 1993 to
resolve the comments. The workshop will be held in the Washington-Baltimore
area in a to-be- announced location.
Please send your comments to:
lynch@csmes.ncsl.nist.gov
or, if you prefer, you can send us a 3.5" or 5.25" diskette in
MSDOS or UNIX format (please indicate which) to:
Federal Criteria Comments
ATTN: Nickilyn Lynch
NIST/CSL, Bldg 224/RM A241
Gaithersburg, MD 20899
We would prefer to receive electronic copies of comments and/or name
registrations, but we will also receive hardcopy comments/name registrations
at this same address. You can also contact us via the following fax:
FAX: (301) 926-2733
Thank you in advance for your interest in this effort.
Federal Criteria Group, National Institute of Standards and Technology
1993 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY
May 24-26, 1993, Claremont Resort, Oakland, California
Sponsored by the IEEE Technical Committee on Security and Privacy
In cooperation with the International Association of Cryptologic Research
Symposium Committee
Teresa Lunt, General Chair
Cristi Garvey, Vice Chair
Richard A. Kemmerer, Program Co-Chair
John Rushby, Program Co-Chair
PRELIMINARY PROGRAM
MONDAY
9:00--9:30: Welcoming Remarks: Teresa Lunt and Dick Kemmerer
9:30--10:30: VIRUSES AND INTRUSION DETECTION Doug McIlroy, Session Chair
9:30--10:00: Measuring and Modeling Computer Virus Prevalence
Jeffrey Kephart and Steve White
10:00--10:30: USTAT: A Real-Time Intrusion Detection System for UNIX
Koral Ilgun
11:00--12:00: CAUSALITY AND INTEGRITY: George Dinolt, Session Chair
11:00--11:30: Preventing Denial and Forgery of Causal Relationships
in Distributed Systems
Michael Reiter and Li Gong
11:30--12:00: Message Integrity Design
Stuart Stubblebine and Virgil Gligor
2:00--3:30: PANEL: Privacy Enhanced Mail
Panelists: TO BE ANNOUNCED
4:00--5:00: AUTHENTICATION PROTOCOLS: Teresa Lunt, Session Chair
4:00--4:30 Authentication Method with Impersonal Token Cards
Refik Molva and Gene Tsudik
4:30--5:00: Interconnecting Domains with Heterogeneous Key
Distribution and Authentication Protocols
Frank Piessens, Bart DeDecker and Phil Janson
6:00: POSTER SESSIONS
TUESDAY
9:00--10:30: TIMING CHANNELS: John Rushby, Session Chair
9:00-- 9:30: Modelling a Fuzzy Time System
Jonathan Trostle
9:30--10:00: On Introducing Noise into the Bus-Contention Channel
James Gray
10:00--10:15: Discussant: TO BE ANNOUNCED
10:15--10:30: Open Discussion
11:00--12:00: INFORMATION FLOW: John McLean, Session Chair
11:00--11:30 A Logical Analysis of Authorized and Prohibited
Information Flows
Frederic Cuppens
11:30--12:00 The Cascade Vulnerability Problem
J. Horton, R. Harland, E. Ashby, R. Cooper,
W. Hyslop, B. Nickerson, W. Stewart, and K. Ward
2:00--3:30: PANEL: The Federal Criteria
Panelists: TO BE ANNOUNCED
4:00--5:00: DATABASE SECURITY: Marv Schaefer, Session Chair
4:00--4:30: A Model of Atomicity for Multilevel Transactions
Barbara Blaustein, Sushil Jajodia,
Catherine McCollum and LouAnna Notargiacomo
4:30--5:00: Achieving Stricter Correctness Requirements in
Multilevel Secure Database
Vijayalakshmi Atluri, Elisa Bertino and
Sushil Jajodia
5:00: IEEE Technical Committee Meeting
6:00: POSTER SESSIONS
WEDNESDAY
9:00--10:30: ANALYSIS OF CRYPTOGRAPHIC PROTOCOLS: Yacov Yacobi, Session Chair
9:00-- 9:30: Trust Relationships in Secure Systems
— A Distributed Authentication Perspective
Raphael Yahalom, Birgit Klein and Thomas Beth
9:30--10:00: A Logical Language for Specifying Cryptographic
Protocol Requirements
Paul Syverson and Catherine Meadows
10:00--10:30: A Semantic Model for Authentication Protocols
Thomas Woo and Simon Lam
11:00--12:00: SYSTEMS: Virgil Gligor, Session Chair
11:00--11:30: Detection and Elimination of Inference Channels
in Multilevel Relational Database Systems
X. Qian, M. Stickel, P. Karp, T. Lunt and
T. Garvey
11:30---12:00 Assuring Distributed Trusted Mach
Todd Fine
12:00: SYMPOSIUM ADJOURNS
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Symposium Registration: Dates strictly enforced by postmark.
Advance Member (to 4/12/93) $240*
Late Member (4/13/93-4/30/93) $290*
*Registration must include IEEE number to qualify.
Advance Non-Member $300
Late Non-Member $370
Advance Student $50
Late Student $50
Mail registration to:
Cristi Garvey
R2/2104
TRW Defense Systems Group
One Space Park
Redondo Beach, CA 90278
(310) 812-0566
****** ABSOLUTELY NO REGISTRATIONS BY EMAIL ******
The University of York in the UK is running a two day conference on Computers,
Security and the Law that may be of interest to the readers of COMP.RISKS.
The programme for the conference follows. If you do not think this is a
suitable place for this but know of somewhere that is perhaps you could
forward it or let me know and I will do so.
FINAL PROGRAMME.
COMPUTERS: SECURITY AND THE LAW
31 March - 1 April 1993
The conference will be run by the Department of Computer Science in
association with the Society for Computers & Law and the Licensing Executives
Society .
The aim of the conference is to highlight some of the important legal issues
that surround the use, and abuse, of computer technology in a way that should
be accessible to the non-specialist, such as lawyers or computer scientists.
The target audience for the conference is senior management and those in both
public and private sector organisations who wish to improve their knowledge
about the legal aspects of buying, using or creating computer related products
and services. The conference will be of interest to the police, the civil
service, banks, insurance and building societies.
The programme will take place over two consecutive days. The first day will
deal with the legal aspects of intellectual property rights, copyright and
contract law as it relates to computer products and services. The second day
will deal with the topics of computer crime and its prevention, security, data
protection and privacy.
The conference dinner will be a Medieval Banquet at St William's College
(founded in 1461). The keynote speaker will be Emma Nicholson, MP.
Proceedings of the conference will be published and be available to
participants after the conference.
REGISTRATION AND FEES:
Delegates will be able to register for either of the two days
separately if they wish. Fees: #275 for full conference, #165 for
single day; a discount is available for early booking by 19th
February 1993. (See application form for further details.
PROGRAMME: DAY ONE
0930 - 0950 Registration
0950 - 1000 Introduction. Chair: Dr Keith C Mander, Head of
Department of Computer Science, University of York.
1000 - 1030 Overview of law relating to Intellectual Property
Rights. Speaker: David Stanley, Licensing
Executives Society.
Copyright Law, The Patent Law, The Law of Confidence, The Law of
Designs, Trade Marks, Semiconductor regulations.
1030 - 1115 Intellectual Property Rights as they apply to
computers. Speaker: John Sykes, Licensing
Executives Society.
Hardware, software and firmware. Back-up copies, "Look and feel" - the limits
to copyright protection, work created on a computer, work generated by a
computer.
1145 - 1230 Acquisition of computers 1. Speaker: Geoff Allan,
Independent Computer Consultant.
How does the acquisition process work?; documents involved - Invitation to
Tender, Proposal, Specification; what are the legal ramifications and
importance of these documents?
1415 - 1500 Acquisition of computers 2. Speaker: Dai Davis,
Society for Computers & Law.
The legal issues in acquisition contracts; payment triggers; bespoke
software - escrow agreements, maintenance agreements.
1500 - 1545 Facilities Management Contracts. Speaker: Jane
Rawlings, Society for Computers & Law.
What is facilities management?; types of arrangements available;
issues - software licensing and performance; response time,
availability, confidentiality, employment, security and computer
crime.
1615 - 1700 Review and discussion: a plenary session.
1900 - 2200 Conference Dinner: Keynote Speaker: Emma Nicholson, MP.
PROGRAMME: DAY TWO
0930 - 0950 Registration
0950 - 1000 Introduction. Chair: Dai Davis, Society for
Computers & Law.
1000 - 1045 Computer crime. Speaker: to be announced on the day.
Types of computer fraud, unauthorised access,, unauthorised modification,
conspiracy to defraud, blackmail, fraud as theft, other offences.
1045 - 1130 "The Monday morning syndrome". Speaker: Dennis Jackson,
Computer Security Consultant, Staffordshire County Council.
The story of a real intrusion to a computer system and its world-wide
ramifications.
1200 - 1245 Computer crime (Damage to programs or data).
Speaker: Dr Jan Hruska, Sophos Ltd.
What is a virus?; criminal damage; reckless damage; blackmail, common viruses.
1400 - 1445 Data Protection Act, Security & Privacy. Speaker:
Dr J N Woulds, Senior Assistant Registrar, Office of
the Data Protection Registrar.
Overview and Principles of the Act, legal requirements and
constraints on computer users, supervision by the Registrar.
1445 - 1530 Security techniques. Speaker: John A Clark, CSE
Lecturer in Safety Critical Systems, University of York.
Physical, logical and procedural security; authentication and access control;
accounting and intrusion detection; communications security; evaluation.
1530 - 1600 Review and discussion: a plenary session.
1600 Tea and depart.
FURTHER DETAILS FROM:
Conference Organiser: Francoise Vassie
Centre for Continuing Education
King's Manor, York, YO1 2EP
The University of York
Tel 0904 433900 Fax 0904 433906
or
E-Mail KIMBLE@UK.AC.YORK.MINSTER
Please report problems with the web pages to the maintainer