Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
A federal jury in Los Angeles found that Microsoft's MS-DOS 6.0 software infringed upon a Stac Electronics patent for data compression, and awarded Stac $120M in damages. [San Francisco Chronicle, Business Digest, 24 Feb 1994]
I read this story in Robert Park's "What's New" from opa@aps.org, and am forwarding it because, though it came up in conjunction with the CIA spy, it seems relevant to the discussions of Clipper here. -> Recall the 1986 case of Larry Chin, a career CIA analyst and spy -> for China; he also fooled the polygraph. In 1983 I was waiting to -> testify before the House Security Subcommittee. OTA Director John -> Gibbons was summarizing a study of the scientific validity of the -> polygraph for the subcommittee. Loosely paraphrased, Gibbons was -> explaining that these things couldn't distinguish between a lie -> and the sex act. Seated next to me was General Richard Stillwell -> (ret.) of the CIA. He had no idea who I was, but he could contain -> himself no longer; leaning toward me, Stillwell muttered, "I wish -> these damn scientists would leave intelligence to the experts."
SERVICE INTERRUPTION
Cleanliness is not always the best policy.
There was a short interruption to some ACS services on Thursday, February 24,
1994. The gopher server, postbox, and HomeNet services were offline for about
1 hour at the beginning of the day.
A member of the custodial staff plugged his vacuum cleaner into a power strip
attached to our uninterrupted power supply (UPS). Poooooof. Down went
several computers and part of the network. Just when you think that you have
solved the problem of power outages with a brand new UPS .......
ACS is working with the custodial services to remedy the problem and prevent
future such occurrences.
Lisa Balbes, Osiris Consultants Scientific Software/Technical Writing
2229B Hedgerow Rd, Columbus, OH 43220 balbes@osiris.rti.org 614-442-9850
This is 2nd hand from soc.culture.portuguese. Portuguese police found out that a drug traffic ring used pagers to receive orders from clients, and also to receive announcements of new bulk deliveries (This is a more recent practice in Portugal than in the US, given the relatively recent arrival of pageers there and the less serious drug problem). They arrested one of the drug sellers, took his pager, and started recording the arriving messages. Soon they figured out the code used by the ring, and they caught them all. Two lessons: 1. Physical access to a node is the best way to break into a network. 2. Old-fashioned police work can take advantage of the vulnerabilities in criminal activities created by the use of new technology. Even if all the links in that network had been securely encrypted, the method followed by the portuguese police would still work. Food for thought in relation to the current Clipper debate. Fernando Pereira, 2D-447, AT&T Bell Laboratories, 600 Mountain Ave, PO Box 636 Murray Hill, NJ 07974-0636 pereira@research.att.com
By Business Times Staff, Bombay, 25 Feb 1994 Clearing of cheques at the Reserve Bank of India's national clearing cell (NCC) at Nariman Point came to a half on Wednesday night as a result of a "major fault" in the IBM mainframe computer handling the clearance of magnetic ink character recognition (MICR) cheques. The fault has crippled the reader-sorter machine. As a result of the breakdown, clearing and settlement of about 10 lakh (i. e. one million) cheques valued at Rs. 1,000 crores (i. e. Rs 10 thousand million, roughly equal to US$ 300 million) have been held up over the last two days. The disruption has sent corporate houses and the salaried class into a panic as salary payments were due this week. Sources in the RBI said the fault was yet to be located at the time of going to press today. Personnel from the RBI's Calcutta and Madras Offices and experts from Computer Maintenance Corporation, the maintenance agent of IBM, have been summoned. The breakdown, according to the sources, was unprecedented in recent times and "the experts are grappling" with the snag since yesterday. The NCC handles about six lakh cheques each day amounting to a total value of Rs. 1,000 crores. Clearance of high-value cheques (over Rs. 1 lakh) and inter-bank instruments, however, is being carried out unhampered. The worst hit were the public account cheques into which category fall salary cheques and other instruments. The NCC has been inundated with calls from commercial banks which wanted to find out when normalcy will be restored. As it happens, the snag that stopped the clearing of cheques came at the end of the month and many salaried employees have been left with no choice but to get their cheques discounted. The back-up programmes which the NCC had were of no avail and the experts had to be summoned. The RBI put up a notice at its Amar Building office and at the NCC yesterday about the snag and said: "Due to a problem with the computer system with the national clearing cell, processing of MICR presentations of yesterday evening (February 23) could not be completed. Member banks are advised that settlement of this clearing will not be accounted for today (February 24). A further communication will follow." Branches of commercial banks have been advised by their respective zonal offices that "outward MICR clearing could not be presented" yesterday and have been instructed not to release the credits of clearing presented on February 23 and thereafter until further notice. "The system will have to be rectified, its programme loaded, tested to see whether it can function to its usual capacity and then only the backlog can be cleared," the sources said. The would mean a delay of at least two more days, they added. Loading its programme, incidentally, takes a substantially long period. "We have made some progress since yesterday and hope to locate the problem by tonight. We expect the machine to start only by tomorrow evening," the sources added. The mainframe could not load the programme properly on Wednesday night and all efforts by the NCC staff came to naught. Personnel from RBI offices and the CMC had to be flown in yesterday. The RBI is also in touch with IBM personnel who designed the system. The RBI said in a statement the "computer system developed certain hardware and consequential software problems" on Wednesday. "The problems are being attended to on an emergency basis and the normal cheque clearing and settlement work is expected to resume shortly," the statement said. High-value cheques and inter-bank payments account for a very large proportion of the clearing settlement in terms of value, the RBI said. S. Ramani, National Centre for Software Technology, Gulmohar Cross Road No 9, Juhu, Bombay 400 049, India Ph: +91 (22) 620 0590 or 620 1606)
There is a long article on the "inhabitants of Cyberspace" who "may be villians, victims, or bystanders" in the March issue of Scientific American, written by Paul Wallich. While the content is probably well-known to Risks readers, the article gives a very good overview of the issues, and people involved. There are also photos of "Phiber Optik," Dorothy Denning, Donn Parker, and the illustrious editor of this esteemed journal. Of interest to historians might be the bibliography, listing information available only by FTP or e-mail as if this is the everyday way of locating information in a library. Martin Minow minow@apple.com
Van Eck in Action
Over the last several years, I have discussed in great detail how the
electromagnetic emissions from personal computers (and electronic gear in
general) can be remotely detected without a hard connection and the
information on the computers reconstructed. Electromagnetic eavesdropping is
about insidious as you can get: the victim doesn't and can't know that anyone
is 'listening' to his computer. To the eavesdropper, this provides an ideal
means of surveillance: he can place his eavesdropping equipment a fair
distance away to avoid detection and get a clear representation of what is
being processed on the computer in question. (Please see previous issues of
Security Insider Report for complete technical descriptions of the
techniques.)
The problem, though, is that too many so called security experts, (some
prominent ones who really should know better) pooh-pooh the whole concept,
maintaining they've never seen it work. Well, I'm sorry that none of them
came to my demonstrations over the years, but Van Eck radiation IS real and
does work. In fact, the recent headline grabbing spy case illuminates the
point.
Exploitation of Van Eck radiation appears to be responsible, at least in part,
for the arrest of senior CIA intelligence officer Aldrich Hazen Ames on
charges of being a Soviet/Russian mole. According to the Affidavit in support
of Arrest Warrant, the FBI used "electronic surveillance of Ames' personal
computer and software within his residence," in their search for evidence
against him. On October 9, 1993, the FBI "placed an electronic monitor in his
(Ames') computer," suggesting that a Van Eck receiver and transmitter was used
to gather information on a real-time basis. Obviously, then, this is an ideal
tool for criminal investigation - one that apparently works quite well. (From
the Affidavit and from David Johnston, "Tailed Cars and Tapped Telephones: How
US Drew Net on Spy Suspects," New York Times, February 24, 1994.)
>From what we can gather at this point, the FBI black-bagged Ames' house and
installed a number of surveillance devices. We have a high confidence factor
that one of them was a small Van Eck detector which captured either CRT
signals or keyboard strokes or both. The device would work like this:
A small receiver operating in the 22MHz range (pixel frequency) would detect
the video signals minus the horizontal and vertical sync signals. Since the
device would be inside the computer itself, the signal strength would be more
than adequate to provide a quality source. The little device would then
retransmit the collected data in real-time to a remote surveillance vehicle or
site where the video/keyboard data was stored on a video or digital storage
medium.
At a forensic laboratory, technicians would recreate the original screens and
data that Mr. Ames entered into his computer. The technicians would add a
vertical sync signal of about 59.94 Hz, and a horizontal sync signal of about
27KHz. This would stabilize the roll of the picture. In addition, the
captured data would be subject to "cleansing" - meaning that the spurious
noise in the signal would be stripped using Fast Fourier Transform techniques
in either hardware or software. It is likely, though, that the FBI's device
contained within it an FFT chip designed by the NSA a couple of years ago to
make the laboratory process even easier.
I spoke to the FBI and US Attorney's Office about the technology used for
this, and none of them would confirm or deny the technology used "on an active
case."
Of course it is possible that the FBI did not place a monitoring device within
the computer itself, but merely focused an external antenna at Mr. Ames'
residence to "listen" to his computer from afar, but this presents additional
complexities for law enforcement.
1. The farther from the source the detection equipment sits means that
the detected information is "noisier" and requires additional forensic
analysis to derive usable information.
2. Depending upon the electromagnetic sewage content of the immediate
area around Mr. Ames' neighborhood, the FBI surveillance team would be limited
as to what distances this technique would still be viable. Distance squared
attenuation holds true.
3. The closer the surveillance team sits to the target, the more likely
it is that their activities will be discovered.
In either case, the technology is real and was apparently used in this
investigation. But now, a few questions arise.
1. Does a court surveillance order include the right to remotely
eavesdrop upon the unintentional emanations from a suspect's electronic
equipment? Did the warrants specify this technique or were they shrouded
under a more general surveillance authorization? Interesting question for the
defense.
2. Is the information garnered in this manner admissible in court? I
have read papers that claim defending against this method is illegal in the
United States, but I have been unable to substantiate that supposition.
3. If this case goes to court, it would seem that the investigators would
have to admit HOW they intercepted signals, and a smart lawyer (contradictory
allegory :-) would attempt to pry out the relevant details. This is important
because the techniques are generally classified within the intelligence
community even though they are well understood and explained in open source
materials. How will the veil of national security be dropped here?
To the best of my knowledge, this is the first time that the Government had
admitted the use of Van Eck (Tempest Busting etc.) in public. If anyone
knows of any others, I would love to know about it.
[Dave Parnas asked me to post the following message from him. It is HIS, not MINE. PGN] The article in [Nuclear Engineering International, 12/93, p.10, reported by Bob Dolan contained the following assertion, "no other reactor protection system in the world, past or present, has received more attention than the PPS". Having read the report that was leaked to the BBC and later circulated by other organizations, I see no evidence to support that statement. For example, there have no reports of the software having been subject to a formal (mathematically based) inspection procedure such as the one used for the Nuclear Station at Darlington Ontario. The leaked report also showed that the authorities were quite prepared to accept a safety-critical software product that had FAILED the majority of its tests on the basis of vague and unsubstantiated claims that the failures were caused by the test harness not the program itself. The report did not indicate that there were any plans to rectify the problems in the test harness and carry out the test properly. There was no indication of how the test cases were selected and whether they were statistically meaningful. I know that in other nuclear plant situations, far more care was taken in the design of testing procedures. The Sizewellreport was kept secret and I have heard of no plans to have British software experts who are not part of the nuclear industry take part in the evaluation procedure. My experience suggests that, for whatever reasons, "inside experts" tend to be less rigorous and demanding than "outsiders". Organisations tend to pick the experts whom they expect to say what they want to be told. They aren't always right in their predictions, but I have never seen an industry knowingly engage a "loose cannon". In the Darlington case, reports were not kept secret, and the inspection process involved many outside consultants. Sizewell seems to me to provide ample evidence that outside scrutiny, openness, and an active press are essential when there are potential conflicts between short-term financial exigency and safety. Nobody who read that report could have much faith in the authorities who were prepared to accept such test results. Prof. David Lorge Parnas, Communications Research Laboratory Department of Electrical and Computer Engineering, McMaster University, Hamilton, Ontario Canada L8S 4K1
With simulations, good modelling of the real situation and initial conditions
is important. With simulation-based propaganda, however, it's also useful to
know the biases of the game-writer and the desired conclusion you're supposed
to come to :-)
At the Knoxville World's Fair in ?1983, the Tennessee Valley Authority had a
simulation game that put you in charge of their power system, letting you pull
levers to choose how much power to get from what source, in order to keep
enough power for the demand at the best price. The conclusion you were
supposed to get was (surprise, surprise), "Use all the hydro power you can,
then all the nukes you can, then coal&oil". As a resident of an area whose
government gave electrical supply monopoly to the folks who own Three Mile
Island and a few other old nuclear plants, I thought they should at *least*
have the nuke plants go off-line every once in a while, spending money real
fast when they're down :-)
SimCity had a fairly strong bias toward City Planners telling people what to
do and making decisions for them instead of letting them do what they want.
Is SimHealth similarly biased toward single-decider systems?
Bill Stewart
>... In his view, this would lead to birth of the ultimate couch potato. The solution is quite obvious, and even environmentally friendly! Take your standard electronic stationary bike (which uses an electrical generator to produce the current required to run the display) and replace the current display panel with an LCD display and waterproof keyboard. For even better performance, use logic devices that operate faster if more power is available, so someone really cranking on the pedals will get their job to compile faster than someone who's coasting... and hence get the fat bonus check! (The home version would determine the recharge period of your weapons (in games) by the amount of power supplied by the user.) Not only does this ensure that computer users will be among the fittest people on the planet (doing aerobic exercise for 8 hours a day), it would eliminate the need to use fossil fuels to power computer systems, monitors, etc. Of course, it would require waterproof printouts. But on the other hand, this ensures that long meetings of the programming staff would be a thing of the past.... Bear Giles bear@cs.colorado.edu/fsl.noaa.gov
Electronic Frontier Foundation Statement on FBI Draft Digital Telephony Bill
EFF has received a draft of the FBI's new, proposed "Digital
Telephony" bill. After initial analysis, we strongly condemn bill, which
would require all common carriers to construct their networks to deliver to
law enforcement agencies, in real time, both the contents of all
communications on their networks and the "signalling" or transactional
information.
In short, the bill lays the groundwork for turning the National
Information Infrastructure into a nation-wide surveillance system, to be
used by law enforcement with few technical or legal safeguards. This image
is not hyperbole, but a real assessment of the power of the technology and
inadequacy of current legal and technical privacy protections for users of
communications networks.
Although the FBI suggests that the bill is primarily designed to
maintain status quo wiretap capability in the face of technological
changes, in fact, it seeks vast new surveillance and monitoring tools.
Among the new powers given to law enforcement are:
1. Real-time access to transactional information creates the ability to
monitor individuals in real time.
The bill would require common carrier network (telephone companies
and anyone who plans to get into the telephone business, such as cable TV
companies) to deliver, in real time, so called "call setup information."
In the simplest case, call setup information is a list of phone numbers
dialed by a given telephone currently under surveillance. As we all come
to use electronic communications for more and more purposes, however, this
simple call setup information could also reveal what movies we've order,
which online information services we've connected to, which political
bulletin boards we've dialed, etc. With increasing use of
telecommunications, this simple transactional information reveals almost as
much about our private lives as would be learned if someone literally
followed us around on the street, watching our every move.
We are all especially vulnerable to this kind of surveillance,
because, unlike wiretapping the *content* of our communications, it is
quite easy for law enforcement to get permission to obtain this
transactional information. Whereas courts scrutinize wiretap requests very
carefully, authorizations for access to call setup information are
routinely granted with no substantive review. Some federal agencies, such
as the IRS, even have the power to issue administrative subpoenas on their
own, without appearing before a court.
The real impact of the FBI proposal turns, in part, on the fact
that it is easy to obtain court approval for seizing transactional data.
The change from existing law contained in the FBI proposal is that
carriers would have to deliver this call setup information *in real time*,
directly to a remote listening post designated by law enforcement. Today,
the government can obtain this information, but generally has to install a
device (called a 'pen register') which is monitored manually at the
telephone company switching office.
2. Access to communication and signalling information for any mobile
communication, regardless of location allows tracking of an individual's
movements.
The bill requires that carriers be able to deliver either the
contents or transactional information associated with any subscriber, even
if that person is moving around from place to place with a cellular or PCS
phone. It is conceivable that law enforcement could use the signalling
information to identify that location of a target, whether that person is
the subject of a wiretap order, or merely a subpoena for call setup
information.
This provision takes a major step beyond current law in that it
allows for a tap and/or trace on a *person*, as opposed to mere
surveillance of a telephone line.
3. Expanded access to electronic communications services, such as the
Internet, online information services, and BBSs.
The privacy of electronic communications services such as
electronic mail is also put at grave risk. Today, a court order is
required under the Electronic Communications Privacy Act to obtain the
contents of electronic mail, for example. Those ECPA provisions would
still apply for the contents of such messages, but the FBI bill suggests
that common carriers might be responsible for delivering the addressing
information associated with electronic mail and other electronic
communications. For example, if a user connects to the Internet over local
telephone lines, law enforcement might be able to demand from the telephone
company information about where the user sent messages, and into which
remote systems that user connects. All of this information could be
obtained by law enforcement without every receiving a wiretap order.
4. The power to shut down non-compliant networks
Finally, the bill proposes that the Attorney General have the power
to shut down any common carrier service that fails to comply with all of
these requirements. Some have already called this the "war powers"
provision. Granting the Department of Justice such control over our
nation's communications infrastructure is a serious threat to our First
Amendment right to send and receive information, free from undue government
intrusion.
********************************
The posting represents EFF's initial response to the new FBI proposal.
Several documents, including the full text of the proposed bill and a more
detailed section-by-section analysis are available by anonymous ftp on
EFF's ftp site.
This document is digtel94.announce .
The documents can be located via ftp, gopher, or www, as follows:
ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony/digtel94_bill.draft
ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony/digtel94_analysis.eff
ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony/digtel94.announce
for gopher, same but replace first part with:
gopher://gopher.eff.org/00/EFF/...
for WWW, same but replace first part with:
http:/www.eff.org/ftp/EFF/...
**************************************************************************
"I believe in markets doing what they do well, which is to develop technology,
and letting citizens do what they ideally do well, which is to set policy."
-Esther Dyson, President, EDventure Holdings, Inc.
The Electronic Frontier Foundation is working to protect your privacy. To
help stop Clipper and eliminate export controls on cryptography, support a
bill introduced in the House of Representatives, HR 3627. To support the
bill, send email to <cantwell@eff.org>.
Daniel J. Weitzner, Senior Staff Counsel, Electronic Frontier Foundation
1001 G St, NW Suite 950 East, Washington, DC 20001 <djw@eff.org>
202-347-5400 (v) 202-393-5509 (f)
*** Send mail to membership@eff.org for information on EFF. ***
Please report problems with the web pages to the maintainer