Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The California Employment Development Department sent out 75,000 duplicate unemployment checks --- which it attributed to a "computer error" [you guessed it, right?]. "Those who cash their checks will be asked to reimburse the state or will have future benefits docked," said a spokesperson. [Source: San Francisco Chronicle, article by Jonathan Marshall, p. A15.] [I wonder what the increased workload will be in trying to recover from this accident, and whether they will actually catch all of those who cashed the extra check or will do so at some point in the next six months! PGN]
Brinton Cooper <abc@brl.mil> suggests several good ways to reduce the RISK that
you're dealing with a fake ATM machine.
Another way to "authenticate" an ATM machine is to use it to ask for your
bank balance--a piece of information only a genuine ATM would (presumably)
have. Since you can't do this without giving the machine your PIN, a failure
means you have to check your bank balance every few days thereafter to see if
someone made a withdrawal--or just change your PIN. But if you believe the
risk of the machine being fake is low, and a way to phone the bank whose name
appears on the machine is not apparent, this is another possibility.
Dan Franklin
The question of whether color-blind people can see signs and controls isn't
particularly a computer related one, but is certainly made more of an issue
by the complex interfaces common in computerized systems.
The number of people affected is surprisingly large. I'm not very color blind
and have no trouble telling red from green, so long as they are fairly bright,
but a have a real problem with black-on-red or red-on black signs and
displays. They look like, say, maroon on crimson, with practically no
contrast. (For some reason, green doesn't seem to have this problem.) I
believe this is a common problem for the large number of slightly color blind
people. For the more severely color blind there is also the better-known
problem is of not being able to distinguish between reds and greens of similar
brightness.
For designers of computer displays, I'd think it would be straightforward
to test them for color-blind robustness by replacing the color pallette
used in the program with a monochrome one that maps each color to an
suitably bright shade of grey. Or if that's hard, one could always point
a video camera at the sign or display and show the image on a
black-and-white TV.
Regards,
John Levine, johnl@iecc.cambridge.ma.us, {spdcc|ima|world}!iecc!johnl
There's a risk in associating your cause with the 2nd Amendment. Some constitutional protections are "more equal" than others. hunter@ncbi.nlm.nih.gov (Larry Hunter) writes: > ... One consequence of that balance is that you cannot legally possess > nuclear weapons or even, say, a .50 caliber machine gun privately. "A well regulated militia, being necessary to the security of a free state, the right of the people to keep and bear arms, shall not be infringed." Everyone I know who has studied the history of this statement agrees that it means that "the people" must have unrestricted access to all types of arms, in order to a) obviate the need for a standing army, and b) defend the country in the absence of a standing army. No one I know expects (or desires) that private ownership of nuclear arms be allowed (although private ownership of the most powerful weapons of the day, such as canons, was common in the 18th century, and is exactly what the framers of the constitution sought to protect). Also, a .50 caliber machine gun can be purchased legally in most states, if you pay the appropriate federal tax. Paul Robinson <TDARCOS@MCIMAIL.COM> writes: > Judges frown heavily on laws mandating prior restraint, ... This is good if use you some other amendment (not the 2nd) to back up your case. The Brady Bill (which mandates a 5-day waiting period on the purchase of a handgun) is pure prior restraint. There is no empirical evidence whatsoever that it will have any beneficial impact on the level of violent crime in the U.S. Such laws have been enacted in several states, but none has ever been shown to have reduced any aspect of violent crime. Even though the premise of such laws is "government must restrain the people prior to the purchase of a handgun, on the chance that the purchaser might be planning to commit a crime with it," none of them has ever been struck down for this reason. Pick another amendment with which to defend crypto, because the 2nd is risky. Peter K. Boucher
PGN writes: > [Incidentally, at last week's IEEE Symposium on Research in Security > and Privacy, a rump group decided that because crypto falls under > munitions controls, the right to bear arms must sanction private uses of > cryptography! PGN] While this may amuse some, this actually addresses at a profound and often overlooked intent of the 'Founding Fathers'. The People are guarenteed the right to bear arms, not just for personal defense (which was obvious to them), but also because: politicians prefer unarmed peasants. An unarmed populace is much easier to dominate. And so is a populace without the ability to have privacy. David Honig
Just a point of information concerning Larry Hunter's post on the analogy between encryption as a "fundamental right" and other rights, such as those recognized by the US Bill of Rights. Larry observes: # ... I am completely convinced that framers of the Constitution would have # wholeheartedly endorsed citizen access to effective encryption as a # fundamental right. ... Unfortunately, Larry then reasons that "the `right to keep and bear arms' strategy for defending encryption doesn't seem like to succeed practically" based upon some erroneous assumptions concerning the second amendment. # .... there are several practical problems with the idea. First of all, # constitutional rights must be balanced against each other. Your right to # bear arms is balanced against the rights of your neighbors to pursue their # happiness in an orderly society. One consequence of that balance is that # you cannot legally possess ... , say, a .50 caliber machine gun privately. Of course, some thoughtful citizens would observe that there is no balancing act in Larry's statement. Your neighbors' ability pursue their happiness in an orderly society is enhanced by both your and their ability to accept responsibility for personal safety in this otherwise unsafe world. And this includes responsibility for protection from potentially corrupt governments. Regardless, by the analogy to personal weaponry (machine gun), Larry weakens his point unnecessarily, since in fact these *can* be owned and used in this country. They are taxed and regulated, but nevertheless legal to own by any honest citizen, not otherwise having local restrictions. The real balancing act in his analogy is between too-powerful government and the threat posed by an armed citizenry — and in fact our history has many examples where the government has backed off or altered potentially unfair policies based upon the fear of the consequences when We the People reasserted control via arms. Information is the ultimate in personal "arms". In today's age, how else than by knowing the citizenry's thoughts and plans can a government preserve and protect its power base? That is to say, encryption technology becomes a powerful protection of citizens from from too-big government, and *control* of encryption is that big-government's counter. Fortunately, Larry concludes with a message many of us soundly support: # We should be # fighting the claim that cryptography is useful primarily to criminals (and # is therefore threatening) for precisely the same reason [that we fight # claims that speech, arms, etc. are only useful to criminals.] Jim Purtilo
In RISKS DIGEST 14.64, drand@osf.org writes:
|> That the crooks could always create more effective crypto gear is also a red
|> herring. Maybe they could. But the law is being structured so that this
|> itself would be considered probable cause of a crime. We'll have to see if
|> (how much) this is abused. One hopes that just the unlicensed crypto gear
|> would not be sufficient to indict honest people.
Ok, I guess I must have skimmed over this part. Let me see if I understand
this properly:
If I have got more secure crypto gear, probable
cause exists that I have committed a crime.
Hmmm. Does this include any crypto gear that may have been purchased before
the corresponding CLIPPER-enabled gear became available? Or am I allowed to
deduct the cost of the gear I previously bought as well as the cost of the new
CLIPPER gear I must buy to fall into line with the law?
Of course, this becomes a powerful tool for anyone interested in secured
international information exchange. Since it is probable that most countries
that use an existing (more secure?) encryption standard are not likely to
switch to CLIPPER, any one exchanging such information must own gear capable
of understanding that encryption. Hence, probable cause and you are tapped.
Hmmm again. Does knowledge of the encryption algorithm also count as probably
cause? After all, one can always do it in software... Hmmm again. Do they
have to be able to find a program which implements it, or merely some text
which describes the algorithm?
I expect this will become worse than the witch hunts of old; however, instead
of starting a rumour that someone you don't like is a warlock or witch, the
rumour will be that "Jay knows RSA!"
Somehow, to me this seems the most horrific part of this whole mess. I do
hope I've misunderstood.
jay@vnet.ibm.com (c) Copyright 1993. All rights reserved.
Jim Bidzos writes: >The only way to make that advantage "disappear" is to publish everything about >Capstone, including the algorithm that the keys you manage are used with, and >wait a few years and a few hundred papers before proposing it as a standard. Whit Diffie also asked for publication of the Skipjack algorithm. That's good, as far as it goes, but it's possibly more important to publish papers giving design rules and cryptanalysis methods so that the readership can judge the quality of your cipher design methods. This occurs in the private sector (especially in academia) but is not something we're likely to see from the NSA. Although I would love to learn their methods, I wouldn't want the NSA to publish these details. I want my tax dollars to be of some good and NSA secrecy is part of that package. So — I just don't want any NSA involvement in commercial cryptography. We'll limp along on our own. Perhaps, if we do something really stupid (eg., use RSA when the NSA knows that the PRC's cryptanalysts know how to factor 1000 bit numbers in seconds) they'll be nice enough to tell us, but that's the limit of the interaction I would hope to have with the NSA. In particular, I hope this round of examination of export policy exempts commercial cryptography (especially freely available code) from controls. It's not even good gallows humor that my company is restricted from shipping DES subroutine code to a country where there is DES subroutine code already on BBSs. Then again, maybe that is how we will have to develop code from now on: write code assuming that the customer will find and install his own public domain subroutine packages of DES, RSA, etc. ....
I am the sysop for the AIS BBS mentioned earlier. I would like to submit 2 pieces of information for your readers. One, the bbs number is 304-420-6083, although that will be changing soon, details are on the bbs. The second is that the screen captures displayed in the message to RISKS were done at at time when Mary Clark was taking care of the administrative function of upgrading user's access. She is a trainee and has no decisions on the management of the bbs; that is my job. I don't want to see her name tied to this as she is only functioning as directed. Her name was only on the bbs for a short period of time and has since been removed. It is unfortunate that this screen capture occurred during the very short period of time her name was listed, at least I view it as that. Any questions about the bbs should be directed to me. Thanks much. Kim Clancy
(Friedman, RISKS-14.60)
This reference was extracted from Computer Underground Digest, (CuD),
#5.36 (May 16 1993), File 2--Building Bridges of Understanding in
LE & Comp. Community -
> The problem with many of these formats is that they tend to exclude
> the average computer user or law enforcement agent. There's now an
> alternative. Kim Clancy, a security specialist for the Dept. of
> Treasury's Office of Public Debt, has begun the "round-table forum
> on Mindvox to bring a variety of views into open dialogue. The intent
> is to increase the understanding by the public of the legitimate tasks
> of law enforcement, and to expand an awareness of the civil liberties
> concerns of the computer public for investigators and others. Law
> enforcement personnel are understandably hesitant to engage in such
> discussions. But, from what I've seen, there is no ranting, the
> discussions are generally of high quality (although an occasional
> topic drift does occur), and those participating are sincere in their
> attempts to stimulate discussion.
[...]
> Kim's [Clancy] credentials for moderating this type of a forum are
> impressive. In addition to her security and anti-virus skills, she
> set up the AIS BBS, BBS run by Dept. of Treasury, Bureau of Public
> Debt. Run by Computer Security Branch, AIS BBS is intended as a
> resource for security specialists, scholars, or others seeking
> information about the varieties of computer abuse and how to combat
> them. The files range from CERT advisories, documents on viruses,
> and "underground" files to simple public domain/shareware utilities,
> such as virus checkers. For those lacking ftp access, AIS BBS is
> an excellent source of information and a public service of value
> to a broad range of computer professionals and researchers. The
> AIS number is currently (304) 420-6083, in late may it will
> change to (304) 480-6083.
[ remainder deleted ]
Since the proverbial cat is out of the bag, I think the original poster was
justified to post the alert anonymously. I'd heard about this "service" being
run by Clancy a while back, but had actually verified that virus disassemblies
were available on AIS. Since that time (and quite possibly since public
disclosure or because of a change of direction), the SysOp of that system who
was once listed as "Mary Clark" has since been replaced by Clancy as the point
of contact on the system. Also, it would appear that they have removed the
virus disassembly from public access.
I don't think that its proper to question a posters integrity simply on the
basis that the message was posted anonymously. I think that there are
instances where anonymity on the network can be a good (and sometimes
necessary) thing. The situation of anonymous posting is solely dependent upon
the language, content and context of the information contained within the
message and in these interesting days of Big Brother, it might even be in some
folks best interest to post anonymously any information that may be considered
derogatory with regards to Uncle Sugar.
Power to the "little" people.
Paul Ferguson, Network Integrator, Centreville, Virginia USA fergp@sytex.com
I don't know who the anonymous submitter was, but I do know who is the
second person who wished to remain anonymous, for the simple reason
that he has sent me the full file non-anonymously. In fact, I know
this person personally and he is a very respectful person. BTW, the
part that has been published here is less than 1% of the full file. I
can send it to you, if you still don't believe. [...]
> I fully believe that our government sometimes does
> things that are stupid, immoral, and illegal, but this isn't the kind of
> stupidity that they do.
Well, maybe you shouldn't be that much confident about the things that
your government can do... Anyway, I do not know whether the US
Government really supports the BBS in question. All I know is that the
BBS claims to be "official".
> In short, we need to be critical thinkers. In addition, we need to think
> about the way in which anonymous posting lets things like this get widely
> disseminated without exposing the original poster to embarrassment and
> ridicule. The next hoax, lie, or distortion from an anonymous source may not
> be this obvious. Is the ability to anonymously make this kind of claim a
> risk?
Actually, the anonymous poster did a service to all of us by bringing such a
topic for discussion. What are the RISKS of ignoring valuable information,
just because the person who has posted it wished to remain anonymous? Another
issue is what are the RISKS of misusing the freedom of speech and officially
spreading viruses around...
I am Bulgarian and my country is known as the home of many productive virus
writers, but at least our government has never officially distributed
viruses...
bontchev@fbihh.informatik.uni-hamburg.de
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Vogt-Koelln-Strasse 30, rm. 107 C, D-2000 Hamburg 54, Germany +49-40-54715-224
In Risks (Vol 14 #58) appeared a post that makes us appreciate freedom of
speech and information exchange we enjoy in the U.S. The primary risk I've
learned after reading the post is that anonymous posters with an axe to grind
are potential threats to freedom of expression.
Two anonymous posters falsely depict AIS BBS, a bulletin board run by
Dept of Treasury/Office of Public Debt personnel as a public
information service, as a board engaged in "unethical, immoral, and
possibly illegal activities" [...]
The remainder of the anonymous post presents screen captures of
directories and files to which the poster objects. Especially
troublesome for the anonymous accusers are virus-oriented files.
AIS is a reputable and professionally run open-access BBS. It has one of most
extensive collections of text and other files related to all aspects of
security in the country. Some may object to some of the materials, just as
some might object to RISKS DIGEST or CuD being "funded" with taxpayers money.
It strikes me as reprehensible to take selected material out of context and
piece together an image of immorality or worse by presenting a misleading
image of the materials on the BBS and the purposes for which those materials
are intended. That the accusers make their claims while hiding behind the
cloak of anonymity strikes me as the type of cowardice associated with witch
hunts.
The anonymous posters seem to be bothered by the existence of virus source
code on the board. I wager one would learn far more about virus writing and
distribution tactics from VIRUS-L than from the AIS files, but the two
anonymous posters seem to be part of a handful of strident pseudo-moral
entrepreneurs who feel that only the information they judge as appropriate for
public consumption should be made available. I'm surprised that the anonymous
critics did not also include a demand that public libraries also be closed.
It is one thing to disagree with the position of another and raise the
contentious issues as a matter of public debate. It is quite another to engage
in the cowardly act of anonymously distorting the function of a legitimate and
widely-used BBS by insinuating "unethical, immoral, and possibly illegal
activities."
CuD ran an interview with the AIS BBS personnel (CuD 4.37, 1992), and
a few excerpts may put the purposes of AIS BBS in perspective:
*** begin excerpts ***
Q: What is this Board? (name, number, who runs it (dept & sysop).
What kind of software are you using? When did the Board go
on-line?
A: The Bulletin Board System (BBS) is run by the Bureau of the
Public Debt's, Office of Automated Information System's Security
Branch. The mission of the Bureau is to administer Treasury's
debt finance operations and account for the resulting debt. The
OAIS security branch is responsible for managing Public Debt's
computer systems security. The AIS BBS is open to the public and
the phone number for the Board is (304) 420-6083. There are
three sysops, who manage the Remote Access software. The BBS
operates on a stand-alone pc and is not connected to any of other
Public Debt systems. The Board is not used to disseminate
sensitive information, and has been up operating for the past 15
months. <<This interview was as of mid-1992 - jt<>
Q: What are the goals and purposes of the Board?
A: The BBS was established to help manage Public Debt's security
program. Security managers are located throughout Public Debt's
offices in Parkersburg, WV and Washington DC. The security
programmers saw a need to disseminate large amounts of
information and provide for communication between program
participants in different locations. Because the Board was
established for internal purposes, the phone number was not
published. However, the number was provided to others in the
computer security community who could provide information and
make suggestions to help improve the bureau's security program.
Gradually, others became aware of the Board's existence.
Q: What kinds of files and/or programs do you have on the Board?
Why/how do you choose the files you have on-line?
A: There is a wide variety of files posted. In the beginning, we
posted policy documents, newsletter articles from our internal
security newsletter, bulletins issued by CERT, such as virus
warnings, and others for internal use. I located some
"underground" files that described techniques for circumventing
security on one of the systems we manage. The information, from
Phrack magazine, was posted for our security managers to use to
strengthen security. When we were called by others with the same
systems, we would direct them to those files as well.
Unexpectedly, the "hacker" that had written the file contacted me
through our BBS. In his article he mentioned several automated
tools that had helped him take advantage of the system. I
requested that he pass on copies of the programs for our use. He
agreed. This is how our "hacker file areas" came to be. Other
hackers have done the same, and have we also received many files
that may be useful. It is, indeed, an unusual situation when
hackers and security professionals work together to help secure
systems. However, this communication has been beneficial in
strengthening an already secure system.
Q: How did you get the idea to set it up?
A: The security branch accesses many BBSs on a daily basis for
research purposes, information retrieval and to communicate with
others. Since our security program is decentralized, the BBS
seemed to be an effective way of communicating with program
participants in diverse locations.
Please report problems with the web pages to the maintainer
x
Top