According to the April 25/94 Globe and Mail: Canadian Human Resources Minister Lloyd Axworthy is embarrassed by the leaking of a sensitive working paper to the press. It concerns government plans and "specifically indicated that Quebec wasn't going to get full control over job training any time soon." Unfortunately, an operator did not press the 0-2-1 fax code that would have sent it to English speaking provincial government offices. By hitting 1-2-1 instead, the working paper went to eight French language newspapers in Quebec, two of which eventually published stories on it. Some are questioning whether it was indeed an error or the work of a saboteur. Reporters "marvel that a document of particular sensitivity to Quebec accidentally went to Quebec newspapers only." Several years ago a similar faux pas occurred in the Canadian parliamentary press gallery when a young woman sent a detailed account of her romantic exploits of the past weekend by email to a female friend. She accidentally filed it with every newspaper's parliamentary reporter, but they were gentlemen and did not publish it. Dr. Tom Keenan, I.S.P. Dean, Faculty of Continuing Education University of Calgary 2500 University Dr. NW Calgary, AB T2N 1N4 CANADA Voice: (403) 220-5429 FAX: (403) BUG-EXIT = 284-3948
>From the Associated Press newswire via Executive News Service (GO ENS) on CompuServe: Inmates-Computers, By MARIA S. FISHER, Associated Press Writer KANSAS CITY, Kan. (AP, 18 Apr 1994) -- The letter startled Nick Tomasic. It was from a prison inmate; other fellow prisoners, assigned to computerize records, had taken a Social Security number from an accident report and tried to sell it. Tomasic is the district attorney for Wyandotte County. It was his number. The author makes the following key points: o 29 states and the federal government use prisoners for data entry. o The National Correctional Industries Association in Belle Mead, NJ scoffed at the potential risk of misuse, saying that in 12 years, there have been no cases of abuse. o Tomasic warned that criminals could determine addresses and phone numbers of witnesses and victims during data entry. o In Johnson City, KS, Sheriff Kent P. Willnauer is looking into allegations that a prisoner passed Social Security numbers and other data to a confederate who opened fraudulent bank accounts. o Kansas State government officials insist that the data entry program saves taxpayers hundreds of thousands of dollars and that there is no danger to privacy or safety of residents. Michel E. Kabay, Ph.D./ Dir. Education / Natl Computer Security Assoc.
>From the Reuter newswire via Executive News Service (GO ENS) on CompuServe: CHINESE PAIR HELD IN TECHNOLOGY THEFT, By Robert Boczkiewicz DENVER, April 15 (Reuter) - "A federal judge cited national security concerns Friday when he refused to free a Chinese citizen who remains under house arrest charged with stealing software technology." According to the author, the FBI arrested Wang Liaosheng and Jing Cui for an alleged theft of source code from Ellery Systems, Inc of Boulder, CO. Wang, a former employee of this firm, allegedly sold information to Beijing Machinery Import & Export (Group) Corp for $550,000. The pair face charges of computer and wire fraud and could be punished by a maximum of 15 years in prison and $500,000. Michel E. Kabay, Ph.D./ Dir. Education / Natl Computer Security Assoc.
>From the Washington Post newswire via Executive News Service (GO ENS) on CompuServe: Message Posted On Internet Spurs Probe; Jokes, Threats Directed At African Americans By John Burgess, Washington Post Staff Writer, 25 Apr 1994 The sordid side of the emerging electronic culture got a very public airing at the University of Michigan this month. Officials there are investigating an incident involving a stolen computer password and a death threat against African Americans that was sent over the global Internet computer network. The author continues with the following key points: o the perpetrator is still unknown. o On April 5, someone using a University of Michigan email address sent the offensive message to 30 newsgroups on the Net. o "Purporting to come from a group called the Organization for the Execution of Minorities, the posting was a lengthy collection of jokes and riddles directed against black Americans. It also contained rambling threats of death and injury." o The host system was immediately flooded with angry protests from around the Net. o The supposed originator protested his innocence and repudiated the message and its content. o Campus computer security specialists think the student may have been a victim of a classic Trojan Horse which collected logins and passwords by spoofing the login screen and writing the ID/password pairs to a file for retrieval. o International users also received the posting and criticized Americans for racism. Michel E. Kabay, Ph.D./ Dir. Education / Natl Computer Security Assoc.
>From _The Globe and Mail_ [Canada], Mon 94.04.25 p. A3: "Pensioners to keep overpayments: Ottawa to write off $14 million mistake by computer." According to the Canadian Press report, 8,000 pensioners received overpayments because the computer programs at the Canada Pension Plan did not correctly combine pensions. "...[I]t took years to uncover the mistake and figure out what to do about it." [MK comments: what amuses me is the headline which blames the mistake on the computer. Quality Assurance, where art thou?] Michel E. Kabay, Ph.D. / Dir. Education / Natl Computer Security Assoc.
Last chance to register for 1994 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY, May 16-18, 1994, Claremont Resort, Oakland, California. The program for this, the main conference on computer security research, was posted in RISKS-15.43, 30 Jan 1994. I won't repeat the whole thing, but here are the details of the very exciting panels that have been arranged. These were missing from the earlier posting.

Monday 2:00--3:30 PANEL: Firewalls
  Moderator: Steve Kent (BBN)
  Panelists: Steve Bellovin (AT&T) -- "Firewalls are good"
             Phil Karn (Qualcomm) -- "Firewalls are bad"

Tuesday 2:00--3:30 PANEL: What Security Needs To Learn From Other Fields
  Moderator: Teresa Lunt
  Panelists: Nancy Leveson (U. Washington) -- safety
             Fred Schneider (Cornell) -- dependability
             Jeffrey Voas (Reliable Software Technology) -- testing
             Brian Snow (NSA) -- security perspective

There's still time to register. The easiest way to get the program and registration form is by WWW from http://www.csl.sri.com (follow the link under conferences), or by anonymous ftp of the file /pub/oakland94.txt from ftp.csl.sri.com. If all else fails, send email requesting the form to John Rushby (Rushby@csl.sri.com).
We just finished a pretty strange case. A woman came in and reported that her estranged husband was stalking her. The officer that took the call started an investigation for the alleged stalking and contacted our County Attorney (DA to most folks). While investigating the matter the suspect's lawyer turned over email from the wife to the husband soliciting contact. It started to look like a normal domestic situation where the complaint matches the mood. Sgt Banks brought me the email so I could verify it and move on to other things. As I started looking into it things got strange. One of our campus systems is an Alpha running VMS and we have a special NEWUSER procedure which allows staff to create their own accounts, providing they know all of the important information about themselves. As I investigated the accounts I found that the suspect's and victim's accounts were created within a few minutes of each other. I placed a trap on the logins to both accounts and soon learned that every access to her account was immediately preceded or followed by an access to his account and from the same computer. Over the next several months I tracked the access to both accounts and watched as the suspect turned over more and more email from his wife. This guy was pretty creative in that he wrote long letters to himself and even changed his writing style to mimic hers. We had a pretty solid interference case for the false evidence he was creating but it was only a misdemeanor. We really wanted to put together a felony due to some other crimes the suspect had committed, which were pending prosecution. Finally, the wife decided to take a computer course on campus. The first day of class the students were told to create accounts on the campus computer system. Our victim went to the computer lab and followed all of the appropriate steps only to find she couldn't create an account because her authorization had been used already. 
Confused, she went to her assigned User Consultant and complained that she was denied access. The consultant, not knowing about my investigation, disusered the fraudulent account and helped the victim get a new one. The jig was up since I was certain the suspect would realize we were watching him now. Fortunately, denial of computer service is a felony in Wyoming. We then pursued the arrest warrant. Several days later our suspect was arrested at his office on campus. When arrested he asked if he could call his attorney. When we said yes, he led us down the hall to a locked computer lab. He entered the code on the door and walked to the phone which sat two feet from the very computer that had been used to generate many of the fraudulent messages. By now our case was pretty solid. The suspect was charged with Computer Crimes: Crimes Against Computer Users which carried a three year felony term, ten years if intent to commit fraud is proven. Kinda heavy but pretty funny when you face the guy and he lies through his teeth. He thought he was dealing with a couple of Barney Fifes and he treated us like we were stupid. Obviously we didn't know what we were talking about and he had received all of the mail from his wife. We booked him and went back to work. As it turned out, the joke was on us. On the day of the preliminary hearing the suspect's lawyer arrived with a sworn affidavit from the wife. She decided that she had not been stalked and that her husband had not denied her any computer service. It appears a reconciliation is in the works. Naturally we decided not to pursue prosecution with a hostile victim and our case was dropped. Really a shame considering the hours we had invested. The suspect has some federal time hanging over him on some other crimes but I really would have liked to see him lie on the stand about his computer feats. Oh well. I never thought I'd have a computer-domestic disturbance.
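The login trap described in the post above amounts to a simple correlation rule: flag every login to the victim's account that is immediately preceded or followed by a login to the suspect's account from the same node. Below is an added example of that rule over a constructed audit log; it is not the investigator's code, and the record layout (ISO date, time, event, username, node=...) is an assumption for illustration rather than real OpenVMS ANALYZE/AUDIT output. The account names, nodes and timestamps are all made up.

```python
"""Correlate logins on two accounts from the same node within a time window.

Added example; not part of the original RISKS post. The audit records below
are constructed, and their layout is assumed for the example.
"""
from datetime import datetime, timedelta

# Constructed sample: three logins to the victim's account, two of which are
# bracketed by a suspect login from the same node within a few minutes.
AUDIT_LOG = """\
1994-03-02 21:14:03 LOGIN HUSBAND node=LAB12
1994-03-02 21:16:40 LOGIN WIFE node=LAB12
1994-03-03 08:02:11 LOGIN WIFE node=LIBRARY4
1994-03-05 19:30:05 LOGIN WIFE node=LAB12
1994-03-05 19:31:50 LOGIN HUSBAND node=LAB12
1994-03-06 12:00:00 LOGIN HUSBAND node=OFFICE7
"""


def parse_audit(log: str):
    """Parse the assumed record layout into (timestamp, user, node) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time, event, user, node = line.split()
        if event != "LOGIN":
            continue  # only login records matter for this rule
        events.append((datetime.fromisoformat(f"{date} {time}"),
                       user, node.split("=", 1)[1]))
    return sorted(events)


def paired_logins(events, suspect, victim, window=timedelta(minutes=5)):
    """Victim logins that have a suspect login from the same node within +/- window.

    Returns a list of (victim_ts, node, suspect_ts).
    """
    suspect_events = [e for e in events if e[1] == suspect]
    hits = []
    for ts, user, node in events:
        if user != victim:
            continue
        for sts, _, snode in suspect_events:
            if snode == node and abs(sts - ts) <= window:
                hits.append((ts, node, sts))
                break
    return hits


def unpaired_logins(events, suspect, victim, window=timedelta(minutes=5)):
    """Victim logins with no matching suspect login; these are the ones that
    look like genuine use of the account (here, the LIBRARY4 login)."""
    paired = {h[0] for h in paired_logins(events, suspect, victim, window)}
    return [(ts, node) for ts, user, node in events
            if user == victim and ts not in paired]


if __name__ == "__main__":
    evs = parse_audit(AUDIT_LOG)
    for ts, node, sts in paired_logins(evs, "HUSBAND", "WIFE"):
        print(f"{ts} WIFE login on {node} paired with HUSBAND at {sts}")
    for ts, node in unpaired_logins(evs, "HUSBAND", "WIFE"):
        print(f"{ts} WIFE login on {node} has no HUSBAND login nearby")
```

The window and the same-node requirement are what keep the rule useful: without the node check, two people who happen to log in around the same time on a busy campus system would pair constantly. On a real case the paired set is the candidate list for the fraudulent account's use; the unpaired logins are what you would expect to see once the genuine user starts using the system, as happened when the victim took the course.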
INDUSTRIAL SPY'S LEGAL LOOPHOLE TO BE CLOSED Britain's industrial spies enjoy a legal loophole. If they access a computer to which they are not authorised, they can be found guilty under the Computer Misuse Act, 1990. If they manage to deceive an authorised user into giving them information from that computer, they almost certainly commit no offence. The UK government signaled on March 24th 1994 that it would introduce remedial legislation. However the precise form is still unclear and there appears to be no date for implementation. English Law knows no concept of information theft - you can steal pieces of paper and data media containing information but there is no specific law protecting commercial secrets. The law is more concerned with catching the means of industrial espionage: bugging and tapping are criminal offences, respectively under the Wireless Telegraphy and Interception of Communications Acts. The Computer Misuse Act punishes unauthorised access without, in section 1, caring what the reason was. Recent coverage by the BBC-TV's leading current affairs show Panorama and by the London Sunday Times has revealed that 200 UK pounds is the average rate charged by private detectives to assemble a dossier of an individual's bank balances, medical records and tax status. Nearly all of the information comes via abuse of this loop-hole. The technique is variously called the pretext call, the voice-hack, the imposter and the masquerade. The private detective assumes whatever "official" identity is necessary to mislead the bank clerk or government employee. Recently one "detective agency" has been circulating leading figures in the UK with offers to obtain critical data on any individuals in whom they were interested. If any offence is being committed, it is probably by the computer owners, who, under the Data Protection Act, have an obligation to take appropriate steps to secure data under their control. (Eighth Principle, Data Protection Act, 1984). 
Data Protection obligations apply within the European Union. A case in a magistrate's court (lowest level) last December suggested that there might be a way of extending the Computer Misuse Act to cover such third parties. Malcolm Farquharson induced a female employee of a cellular phone company to obtain details of cellular phone numbers and their ESNs (Electronic Serial Numbers) so that he could fraudulently clone phones. The numbers were held on a computer to which the female employee had authorised access. Farquharson, but not the employee, was found guilty and sentenced to six months in prison although he had never touched the computer. However legal experts believe that this case would not survive appeal to a higher court. The UK Home Office say that the loophole will probably be closed by means of an amendment to the Data Protection Act but have so far produced no wordings nor a timetable. On April 10th, Home Secretary Michael Howard said that the Government was considering a new offence of gaining information by deception. Even when the loophole is closed the abuse is likely to continue - enforcing a law where a telephone-based perpetrator is already doing a good job pretending to be someone else is never going to be easy. Peter Sommer at the Virtual City London N4 4SR United Kingdom email@example.com CompuServe: 100012,2610
I have owned four combination locks in my life. All of them were made by 'Dudley', a Canadian company. Admittedly, these are not top of the line locks. They were, however, the brand of lock officially "endorsed" by my school in grade 7 when I first got a locker. That was in 1979. I owned that lock until 1991 when it was broken into at the local gym. I immediately went out and bought the first 'Dudley' lock I picked out of a basketful in front of the local bookstore checkout counter. By mere coincidence, this lock had the same combination as my old one. I treated this as fortunate happenstance. Later, I lost the new lock and was forced once again to replace it. Again, I selected the first lock in the basket. This time it had a different combination which I promptly forgot when the lock lay idle for six months. So this time, I purposely searched through the basket for a lock with MY combination on it. I found one in less than thirty seconds. The locks are of the tumbler variety with markings from 0 to 59. I've tried my lock and I can be off by one marking when dialing the combination. Still, considering that I have successfully obtained 3 of 4 locks with the same combination, I'm tempted to go home tonight and try to "find" the combination I lost. Perhaps I'll even time myself. Neil McKellar (firstname.lastname@example.org)
Perhaps one of your readers can explain how the Midwest edition of *The New York Times* today had a photo on the front page with the caption. "Joseph P. Kennedy Jr. being arrested at the White House yesterday", with no further explanation or story anywhere in the paper? Stewart Rowe email@example.com
In their Internet advertising, Canter and Siegal are ignoring some fundamental characteristics of the net as currently constituted. I think they'll find their attempt at Internet advertising will fairly quickly become ineffective - though many people may be annoyed along the way. The relevant characteristics of the Internet are (a) the anonymity; (b) the low cost of generating any particular kind of message. What, after all, prevents anyone from taking a C&S ad, modifying it slightly - changing the addresses and phone numbers, for example - and posting it back as widely as the original? If only a few people do this, it will be impossible to tell which are the real ads and which are fakes - short of calling a phone number and finding that it terminates, say, at the Bar Association rather than C&S. Of course, ads that mention price will raise even more severe problems. If the spoof suggests a completely unreasonable price, the business can probably disclaim it. But what happens when the spoof suggests a reasonable-looking price that happens to leave the advertiser with no profit? He is left with the choice of accepting the price, and losing money, or disclaiming the ads, damaging his own reputation. Traditional printed ads can, of course, also be spoofed. However, attempts to do so are rare. First, it's very expensive to do; second, traditional media at least attempt to verify the identity of advertisers. Neither of these constraints applies on the net. It's true that a careful reading of the header lines will often reveal which are the true ads, and which are the fakes. But why should the people whom the ad is trying to reach bother to check header lines? The whole point of an ad is to communicate information quickly. The same reasoning shows that digital signatures wouldn't help. Who would bother to check them? 
Only those who have an established relationship with the sender of the ad would likely even have a quick ability to verify the signature - and that's not the population a broadly distributed ad is trying to reach. When the spoofers are traceable - and it's well known that it's often impossible to trace a message, much less *prove* that a particular individual sent it - the legal situation might get rather interesting. Even ignoring the very broad protection the courts have recently granted to parody, why is the spoofer's message any less legitimate than the original? If the spoof ads look entirely different, refer to "Carver and Siegalman", and have different addresses and phone numbers, just what right do "Canter and Siegal" have to complain? They are not being directly referred to or identified. If they have a problem establishing a unique identity in the noise of the marketplace - and no one ever said that all marketplace participants have to be genuine - that's not the law's concern. -- Jerry
This list should help in setting up kill files or to watch for later posts: Sender: LISTSERV list owners' forum <LSTOWN-L@SEARN.BITNET> Poster: Wes Morgan <morgan@ENGR.UKY.EDU> Subject: Updated addresses for Canter & Siegel [mispeling curekted] It appears that Canter & Siegel, the law firm which recently flooded both Usenet and LISTSERVs with their "Green Card Lottery" posting, have secured access to the net through many sources. For those of you interested in blocking their access to your list, here is the current collection of addresses for that firm. firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com (currently disabled) firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org (currently disabled) email@example.com They also, apparently, have sites of their own; those sites are lcanter.win.net and msiegel.win.net. In an article in Tuesday's _New York Times_, Mr. Canter basically said, "this was immensely profitable; we will be doing this in the future." Forewarned is forearmed... --Wes
I've been closely following the accounts of this case in the Boston Globe and The Tech (a student-published newspaper at MIT). Until your report, I had not heard any assertions that the student had actually been arrested. According to an article in The Tech on Friday April 8th, 1994: "A federal grand jury charged an MIT student yesterday on a felony charge for allegedly allowing the piracy of over $1 million in business and entertainment software using Athena workstations." According to an article in The Tech on Tuesday April 12th, 1994: "David M. LaMacchia '95, who was indicted last Thursday for conspiracy to commit wire fraud, will be arraigned this Friday at the U.S. District Courthouse in Boston, according to LaMacchia's lawyer Harvey Silverglate." Other than Cohen's article, and a couple of followup articles in RISKS DIGEST, I've seen no report that he had been actually arrested. I cannot imagine why he would need to be arrested. (I would expect that if he already has a lawyer, and the lawyer knows of the scheduled arraignment three or more days beforehand, he would most likely show up in court. Maybe I missed something. What was your source?) -Tim Shepard
In his post, Fredrick Cohen states "An MIT student was arrested today for having a BBS at the school that was used by the participants to store and fetch commercial software." and goes on to paint the student as practically an innocent bystander caught up in other people's crimes by happenstance. If one is to believe any of the reportage on the real incident, the student was anything but innocent. All the reportage in the Boston Globe, not known for its great sympathy with law enforcement, made it quite clear that the student actively advertised his BBS as a place to upload and download pirated software. He went out of his way to personally solicit software on at least some occasions (according to the reports). In this, he would be guilty of various crimes regardless of the means he used to carry the crimes out. While I feel a little sorry for him, in that he probably felt he was carrying on some idealistic fight, I don't feel particularly sorry for him, and he deserves to be prosecuted. Let's save our righteous indignation for the truly innocent, wrongly accused and persecuted by people in power. Doug Rand <firstname.lastname@example.org> Open Software Foundation, Motif Development
Okay, so how exactly is it possible in this system for the turnstile to (a) deduct the fare from the card, and (b) identify whose card it was, so that it won't deduct it again if the same card is re-swiped -- and yet not figure out that it now has to unlock itself? By the way, what happens if the turnstile does unlock, and the rider hands the card back across the barrier to someone else? Will the second rider get admitted without a second fare being deducted, because the same card was used? Mark Brader, email@example.com SoftQuad Inc., Toronto [Also related comments from firstname.lastname@example.org (Dan Aronson) and email@example.com (John Sullivan). PGN]
I can't let this pass without comment. Clearly this system was designed by someone obsessed with the RISKs of free rides. The only way I can imagine this kind of failure mode occurring is if they are doing something along the lines of <read>
Double your pleasure in the subway (Greene, RISKS 15.78)
A. Padgett Peterson <firstname.lastname@example.org>
Fri, 22 Apr 94 14:08:39 -0400

Wonder if they put a limit on the "swipe again" - sounds like a new kind of "family plan". Padgett