Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I guess you can say that one risks of BARFmail is that if it gets to a
certain point, volunteers will just say no.
I run an exploder list for RISKS for all U.S. military and government sites.
I also run the mail list for the Computer Privacy Digest. In each case I have
seen an increasing amount of BARFmail, broken mailers, people with improper
addresses, and general incompetence among many postmasters.
I use to spend 15-45 minutes a week in mail list maintenance. Now it
is close to three hours a week. With every Risks Digest that is sent out
I get back 3-4 error messages; with the Computer Privacy Digest, I get
about 10.
As a subscriber,
o You should ensure that you have enough space in your mailbox for the lists
that you subscribe to.
o If you domain address changes, please let us know.
o If your account is canceled, please let us know.
The system administrator as part of his job should ensure that:
o All outgoing mail is stamped properly so that replies can be sent back.
- Several times a month I get add requests from <name@host>
as opposed to <name@host.domain>. I have to go through the
received lines to get a valid email address.
o Send rejected mail to the right place:
- It should go to the Errors-To, Reply-to, List-request
address. I had to stop my notification service front the CPD
thanks to a badly configured mailer.
o There are military machines that use subhosts, which is
in violation of RFC 822. I have to source route these
(name%subhost@realhost) in the mail list. I am talking about
the Sperry hosts that a lot of military sites use. These
STILL DON'T use DNS aka nameservers.
dennis
[I am exceedingly grateful to Dennis, who handles .mil and .gov
RISKS traffic for me, and also to Lindsay.Marshall@newcastle.ac.uk
who provides a similar indirection service for RISKS readers in the
U.K. Anything you can do to make their lives and mine simpler with
respect to E-mail addresses would be greatly appreciated. PGN]
[RISKS readers may be interested in the following report from The Sydney
Morning Herald, August 13, 1993). Malcolm Butler (malb@ee.uts.edu.au)]
Your word is my command: ATM
Researchers at the University of Queensland unveiled yesterday a prototype of
what they say is the first voice-activated automatic teller machine (ATM).
But in an embarrassing moment during a media demonstration, a mock ATM
incorrectly accepted the voice od a female journalist and allowed her to
gain access to the "funds" of a male researcher.
It was quickly pointed out that the machines accuracy would improve with
fine-tuning and that security was the opposite of convenience. A second
imposter who tried to con the machine was unsuccessful. All he could
extract from it was a wicked cackle.
The system uses the new technology of artificial neural networks ... It
verifies customers' identities by comparing their voices with samples
that have been stored on a computer.
This aural equivalent of a fingerprint is good news for those who have trouble
remembering their personal identification numbers but, unfortunately, the
system, still has a few glitches. It accepts 10 per cent of imposters,
rejects 1 per cent of true customers and may not be sympathetic if you have a
cold, are drunk, or your voice sounds different.
``It may turn out that it would be a good idea for you to go in sometime and
leave a voice sample when you have a cold so that it can recognise you when
you are in that situation," said one of the project's researchers, Professor
Tom Downs.
[...] The researchers say the system could also be used for credit card or
banking transactions by telephone and for allowing entry into restricted
buildings. Their next project will be to develop a system which allows free
conversations between ATMs and customers.
Professor Downs said several voice-verification systems had been developed
overseas but were relatively unsophisticated.
On Thursday afternoon, 29 July, WCBS Radio (NYC) broadcast an interview with a
city official about a new scam: modifying the circuit board of a gas pump
controller so the pumps will deliver less gasoline than indicated by the
display.
He characterized this as "just old fashioned cheating, using new technology."
In one case, his inspector discovered that the pump delivered about 5 gallons
while indicating 7 gallons.
He said his department will be stepping-up inspections, but of course they
cannot check every filling station at once! He advised motorists to keep
records of gas purchases and odometer readings, and report any suspicious
sales immediately. He said several offenders have already been caught in this
manner--an alert citizen noticed the short delivery amounts.
Matt Healy matt@wardsgi.med.yale.edu Dept of Genetics (WardLab-SHM I-148)
333 Cedar Street NEW HAVEN, CT 06510
With the passage of the new budget, the IRS has shifted into high gear. One provision of the bill imposes the higher rates retroactively to Jan 1. Last Thursday night (Aug 12) our local TV news did a story about a Tucson small-businessman who received a tax bill for $72G. They showed the bill, it looked real, including low order digits, properly placed commas & decimal point, etc. Apparently the man was a real slacker; about half the amount was for interest & penalties. The IRS had no immediate comment, but apparently this man was not the only recipient of such a bill. Now it seems to me, that if this guy & his five friends would just pay their fair share, instead of whining to the media, we'd have this deficit thing licked in no time. Way to go, Prez! The RISK here should be apparent to all programmers: When laying out your printed forms, be sure to allow extra space in the numeric fields. Always use double precision for money amounts. It's stupid to have a program break just because some intermediate value is unexpectedly large, or to not have room on the form for a big amount. The constants for interest rates & penalties should be specified to high enough precision, so that the cents are calculated accurately. Clearly the IRS hires pros: These guys really know their stuff! All their commas and periods lined up exactly, no extra punctuation, nothing out of place, even a properly placed floating dollar sign. Too often, RISKS concentrates on the failures and screwups. It's high time that we recognized the people who do it right, and celebrate a job well done. The hard working programmers behind the tax bills often go unacknowledged. Let's show them our appreciation. Tax programmers, I take my hat off to you! Rich Schroeppel rcs@cs.arizona.edu
>If the bytes are uniformly distributed, there is a good chance they
>are encrypted.
> [But NOT NECESSARILY. ... simplifications are tricky. PGN]
The whole subject is tricky. Functionally, there is no real difference between
compression and encryption other than degree of difficulty in breaking 8*).
Run the compressed file through UUENCODE or a TEKHEX generator and we are back
to a non-random string. (BTW XXENCODE permits use of a user-supplied table --
is this Encryption ?).
I *suspect* that the telco filter is very simplistic - could just be
interrupting the connection on an XOFF (Ctrl-S or 13h). Might not even be
deliberate.
Point is that it is easy to disguise text as binary, slightly more difficult
to make binary look like text, but not impossible, engineers have been doing
it for years - "I didn't know you were *trying* to block binary, it just
looked like a faulty design."
Padgett
A recent New York Times featured a policy wherein all electronic correspondence among people at the White House must be preserved. As Oliver North discovered, email can be forever. More to the point is Richard Nixon's experience. Once he recorded all his phone conversations, he exposed himself to having them subpoenaed! Here is an example where the reality of electronic communications and our legal systems are seriously out of step. Essentially all business records and, I wouldn't be surprised, all personal records, can be subpoenaed. In the government, many of the records must be supplied upon request. (A reader with more expertise can clarify the legal aspects of this). It can be quite disconcerting to discover that a private memo citing the possibility that a chemical might cause cancer surfaces twenty years later to prove that your company knew about the danger and failed to act. On the other hand, such exposure is often necessary to uncover criminal behavior. Let's assume that a balance has been struck over the year between the publics need to know and the requirements of privacy for classic paper documents. While this might be a big assumption, it is the status quo. One develops defenses such as a paperless office (i.e., never write anything down, just discuss it in person or on the phone) or shredding memos upon reading them. These aren't perfect as the Nixon experience shows and when participates choose to, or accidentally preserve information. This all changes when the normal means of conversations leaves an indelible trail. While this policy cites email, bits is bits and as we shift to digital PBXes in which text, voice, images are all stored in the same pool, we have lost all privacy. Unfortunately, this issue was not explicitly faced in the 1700's and thus there was no provision in the constitution. There are those that argue that there is no right to privacy in a commercial setting, that an employer has a right to tape all conversations on premises and install video cameras in every nook and cranny. And some have. After all, who knows how many rest room visits were just a way to take a break without accomplishing anything. But it also means a world that doesn't allow tentative thinking, questioning of the norm, diplomacy or correction. It is a world where all ones inner thoughts are exposed to analysis and criticism without a chance to refute or comment. It is a world where innocuous behavior might resurface twenty years later and be judged in an entirely different world. It is a world that guarantees mediocrity since any behavior that doesn't reinforce the popular images of the majority (even if it is not a real majority) will result in disgrace. Sadly, the problem is not easy to solve. The opposite extreme of a world with no paper trail can be a conspiratorial world where all behavior is hidden and thus is suspect, if not corrupt. I don't have easy answers but am concerned that people should be aware that while email might be the successor to the paper memo, it is much more than that and extending an old policy can have serious, and unexpected, ramifications. Is a world with perfect memory better than one without history?
The National Institute of Standards and Technology (NIST) has issued a request for public comments on its proposal to establish the "Skipjack" key-escrow system as a Federal Information Processing Standard (FIPS). The deadline for the submission of comments is September 28, 1993. The full text of the NIST notice follows. CPSR is urging all interested individuals and organizations to express their views on the proposal and to submit comments directly to NIST. Comments need not be lengthy or very detailed; all thoughtful statements addressing a particular concern will likely contribute to NIST's evaluation of the key-escrow proposal. The following points could be raised about the NIST proposal (additional materials on Clipper and the key escrow proposal may be found at the CPSR ftp site, cpsr.org): * The potential risks of the proposal have not been assessed and many questions about the implementation remain unanswered. The NIST notice states that the current proposal "does not include identification of key escrow agents who will hold the keys for the key escrow microcircuits or the procedures for access to the keys." The key escrow configuration may also create a dangerous vulnerability in a communications network. The risks of misuse of this feature should be weighed against any perceived benefit. * The classification of the Skipjack algorithm as a "national security" matter is inappropriate for technology that will be used primarily in civilian and commercial applications. Classification of technical information also limits the computing community's ability to evaluate fully the proposal and the general public's right to know about the activities of government. * The proposal was not developed in response to a public concern or a business request. It was put forward by the National Security Agency and the Federal Bureau of Investigation so that these two agencies could continue surveillance of electronic communications. It has not been established that is necessary for crime prevention. The number of arrests resulting from wiretaps has remained essentially unchanged since the federal wiretap law was enacted in 1968. * The NIST proposal states that the escrow agents will provide the key components to a government agency that "properly demonstrates legal authorization to conduct electronic surveillance of communications which are encrypted." The crucial term "legal authorization" has not been defined. The vagueness of the term "legal authorization" leaves open the possibility that court-issued warrants may not be required in some circumstances. This issue must be squarely addressed and clarified. * Adoption of the proposed key escrow standard may have an adverse impact upon the ability of U.S. manufacturers to market cryptographic products abroad. It is unlikely that non-U.S. users would purchase communication security products to which the U.S. government holds keys. Comments on the NIST proposal should be sent to: Director, Computer Systems Laboratory ATTN: Proposed FIPS for Escrowed Encryption Standard Technology Building, Room B-154 National Institute of Standards and Technology Gaithersburg, MD 20899 Submissions must be received by September 28, 1993. CPSR has asked NIST that provisions be made to allow for electronic submission of comments. Please also send copies of your comments on the key escrow proposal to CPSR for inclusion in the CPSR Internet Library, our ftp site. Copies should be sent to <clipper@washofc.cpsr.org>. [Federal Register Vol 58 No 145, NIST, Docket No. 930659-3159, RIN 0693-AB19, "A Proposed Federal Information Processing Standard for an Escrowed Encryption Standard (EES)", 58 FR 40791, Friday, July 30, 1993 is available for anonymous FTP on CRVAX.SRI.COM in the RISKS: archive directory, with file name RISKS-14.84N, of from Dave Banisar <banisar@washofc.cpsr.org>. PGN]
Feature interactions can create security loopholes or even bring the public
telephone network down. Since various critical systems — emergency services
and airport control towers — depend on the telephone network, the subject is
relevant to RISKS. For more information, I would refer readers to the August
1993 issues of Computer and Communications magazines, especially the
introductory articles and the paper by Kuhn et. al., ``Improving Public
Switched Network Security in an Open Environment'' in Computer, pp. 32-35.
Also, Cameron and Lin published a paper in the Proceedings of the 1991 SIGSOFT
Conference on Software for Critical Systems, ``A Real-Time Transition Model
for Analyzing Behavioral Compatibility of Telecommunications Services''.
Otherwise, little work has been published on approaches that can protect the
network and its users from potential effects of feature interactions, so
responses from people who have worked on other critical systems would be most
welcome.
CALL FOR PARTICIPATION
Second International Workshop on Feature Interactions
in Telecommunications Software Systems
Amsterdam, The Netherlands
May 9-10, 1994
This workshop is the second in a series, whose mission is to encourage
researchers from a variety of computer science specialties (software
engineering, protocol engineering, distributed artificial intelligence, formal
techniques, software testing, and distributed systems, among others) to apply
their techniques to the feature interaction problem that arises in building
telecommunications software systems (see the back page for a description of
the problem). We welcome papers on avoiding, detecting, and/or resolving
feature interactions using either analytical or structural approaches.
Submissions are encouraged in (but are not limited to) the following topic
areas:
- Classification of feature interactions.
- Modeling, reasoning, and testing techniques for detecting feature
interactions.
- Software platforms and architecture designs to aid in avoiding,
detecting, and resolving feature interactions.
- Tools and methodologies for promoting software compatibility and
extensibility.
- Mechanisms for managing feature interactions throughout the
service life-cyle.
- Management of feature interactions in PCS, ISDN, and Broadband
services, as well as IN services.
- Management of feature interactions in various of the operations
support functions such as Service Negotiation, Service Management,
and Service Assurance.
- Feature Interactions and their potential impact on system Security
and Safety.
- Environments and automated tools for related problems in other
software systems.
- Management of Feature Interactions in various proposed
architectures such as TMN, INA, ROSA, CASSIOPEIA, SERENITE, or
PLATINA.
FORMAT
We hope to promote a dialogue among researchers in various related
areas, as well as the designers and builders of telecommunications
software. To this end, the workshop will have sessions for paper
presentations, including relatively long discussion periods. Panel
discussions and tool demonstrations are also planned.
ATTENDANCE
Workshop attendance will be limited to 90 people. Attendance will be
by invitation only. Prospective attendees are asked to submit either a
paper (maximum 5000 words) or a single page description of their
interests and how they relate to the workshop. About 16-20 of the
attendees will be asked to present talks. We will strive for an equal
mix of theoretical results and practical experiences. Papers will be
published in a conference proceedings.
SUBMISSIONS
Please send five copies of your full original paper or interest
description to:
Wiet Bouma
PTT Research, Dr. Neher Laboratories
PO Box 421 or St. Paulusstraat 4
2260 AK Leidschendam 2264 XZ Leidschendam
The Netherlands The Netherlands
E-mail: L.G.Bouma@research.ptt.nl
Tel: +31 70 332 5457
FAX: +31 70 332 6477
IMPORTANT DATES:
November 15, 1993: Submission of contributions.
January 15, 1993: Notification of acceptance.
February 15, 1993: Submission of camera-ready versions.
WORKSHOP CO-CHAIRPERSONS
Wiet Bouma & Hugo Velthuijsen (PTT, The Netherlands)
PROGRAM COMMITTEE
Chair: E. Jane Cameron (Bellcore, USA) [Rest deleted. Request it. PGN]
Call for Papers IFIP SEC'94 - updated information August 1993
Technical Committee 11 - Security and Protection in Information
Processing Systems - of the UNESCO affiliated INTERNATIONAL
FEDERATION FOR INFORMATION PROCESSING - IFIP,
announces:
Its TENTH INTERNATIONAL INFORMATION SECURITY CONFERENCE, IFIP SEC'94
TO BE HELD IN THE NETHERLANDS ANTILLES (CARIBBEAN), FROM MAY 23
THROUGH MAY 27, 1994.
Organized by Technical Committee 11 of IFIP, in close cooperation with the
Special Interest Group on Information Security of the Dutch Computer Society
and hosted by the Caribbean Computer Society, the TENTH International
Information Security Conference IFIP SEC'94 will be devoted to advances in
data, computer and communications security management, planning and control.
The conference will encompass developments in both theory and practise,
envisioning a broad perspective of the future of information security. The
event will be lead by its main theme "Dynamic Views on Information Security in
Progress".
Papers are invited and may be practical, conceptual, theoretical, tutorial
or descriptive in nature, addressing any issue, aspect or topic of
information security. Submitted papers will be refereed, and those presented
at the conference, will be included in the formal conference proceedings.
Submissions must not have been previously published and must be the
original work of the author(s). Both the conference and the five
tutorial expert workshops are open for refereed presentations.
The purpose of IFIP SEC'94 is to provide the most comprehensive international
forum and platform, sharing experiences and interchanging ideas, research
results, development activities and applications amongst academics,
practitioners, manufacturers and other professionals, directly or indirectly
involved with information security. The conference is intended for computer
security researchers, security managers, advisors, consultants, accountants,
lawyers, edp auditors, IT, adminiatration and system managers from
government, industry and the academia, as well as individuals interested and/or
involved in information security and protection.
IFIP SEC'94 will consist of a FIVE DAY - FIVE PARALLEL STREAM - enhanced
conference, including a cluster of SIX FULL DAY expert tutorial workshops.
In total over 120 presentations will be held. During the event the second
Kristian Beckman award will be presented. The conference will address
virtually all aspects of computer and communications security, ranging
from viruses to cryptology, legislation to military trusted systems,
safety critical systems to network security, etc.
The six expert tutorial workshops, each a full day, will cover the
following issues:
Tutorial A: Medical Information Security
Tutorial B: Information Security in Developing Nations
Tutorial C: Modern Cryptology
Tutorial D: IT Security Evaluation Criteria
Tutorial E: Information Security in the Banking and Financial Industry
Tutorial F: Security of Open/Distributed Systems
Each of the tutorials will be chaired by a most senior and internationally
respected expert.
The formal proceedings will be published by Elsevier North Holland
Publishers, including all presentations, accepted papers, key-note talks,
and invited speeches.
The Venue for IFIP SEC'94 is the ITC World Trade Center Convention
Facility at Piscadera Bay, Willemstad, Curacao, Netherlands Antilles.
A unique social program, including formal banquet, giant 'all you can eat'
beach BBQ, island Carnival night, and much more will take care of leisure
and relax time.
A vast partners program is available, ranging from island hopping, boating,
snorkeling and diving to trips to Bonaire, St. Maarten, and Caracas.
A special explorers trip up the Venezuela jungle and the Orinoco River
is also available.
For families a full service kindergarten can take care of youngsters.
The conference will be held in the English language. Spanish translation
for Latin American delegates will be available.
Special arrangements with a wide range of hotels and appartments complexes
in all rate categories have been made to accommodate the delegates and
accompanying guests. (*)
The host organizer has made special exclusive arrangements with KLM Royal
Dutch Airlines and ALM Antillean Airlines for worldwide promotional fares
in both business and tourist class. (**)
(*)(**) Our own IFIP TC11 inhouse TRAVEL DESK will serve from any city on
the globe.
All authors of papers submitted for the referee process will enjoy special
benefits.
Authors of papers accepted by the International Referee Committee will enjoy
extra benefits.
If sufficient proof (written) is provided, students of colleges, universities
and science institutes within the academic community, may opt for
student enrollment. These include special airfares, appartment accommodations,
discounted participation, all in a one packet prepaid price.
(Authors' benefits will not be affected)
**************************
INSTRUCTIONS FOR AUTHORS
**************************
Five copies of the EXTENDED ABSTRACT, consisting of no more than 25 double
spaced typewritten pages, including diagrams and illustrations, of
approximately 5000 words, must be received by the Program Committee no
later than November 15th, 1993.
We regret that electronically transmitted papers, papers on diskettes,
papers transmitted by fax and handwritten papers are not accepted.
Each paper must have a title page, which includes the title of the paper,
full names of all author(s) and their title(s), complete address(es),
including affiliation(s), employer(s), telephone/fax number(s) and
email address(es).
To facilitate the blind refereeing process the author(s)' particulars
should only appear on the separate title page. The language of the
conference papers is English.
The first page of the manuscript should include the title, a keyword list
and a 50 word introduction. The last page of the manuscript should include
the reference work (if any).
Authors are invited to express their interest in participating in the
contest, providing the Program Committee with the subject or issue that
the authors intend to address (e.g. crypto, viruses, legal, privacy, design,
access control, etc.) This should be done preferably by email to
< TC11@CIPHER.NL >, or alternately sending a faxmessage to
+31 43 619449 (Program Committee IFIP SEC'94)
The extended abstracts must be received by the Program Committee on or
before November 15th, 1993.
Notification of acceptance will be mailed to contestants on or before
December 31, 1993. This notification will hold particular detailed
instructions for the presentation and the preparation of camera ready
manuscripts of the full paper.
Camera ready manuscripts must be ready and received by the Program Committee
on or before February 28, 1994.
If you want to submit a paper, or you want particular information on
the event, including participation, please write to:
IFIP SEC'94 Secretariat, Postoffice Box 1555, 6201 BN MAASTRICHT
THE NETHERLANDS - EUROPE
or fax to IFIP SEC'94 Secretariat: +31 43 619449 (Netherlands)
or email to TC11@CIPHER.NL
Please report problems with the web pages to the maintainer