Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 16: Issue 28
Friday 22 July 1994
Contents
Hoods Hit the Highway (Jon Loeliger)
Dutch police victim of phone-tapping criminals (Ralph Moonen)
As the Worm Turns--Ant-icipating Problems (Mich Kabay)
It's a real world out there, and the Internet is part of it. (Phil Agre)
Automated mail listserver causes "Spamming" on the Internet (Jean Renard Ward)
Leahy Statement on Gore Statement on Clipper (Marc Rotenberg)
Privacy Journal this month (Robert Ellis Smith)
CFP: IEEE Symposium on Security and Privacy (Catherine A. Meadows)
Info on RISKS (comp.risks)
Hoods Hit the Highway
Jon Loeliger <jdl@healthcare.com> Fri, 22 Jul 1994 09:49:25 -0500

From Jon Loeliger, Healthcare Communications Inc. jdl@healthcare.com

Hoods Hit the Highway; Computer users warned of scams
By Charlotte Anne Lucas, Austin Bureau of The Dallas Morning News
Dallas Morning News, 1 July 1994, REPRINTED WITH PERMISSION OF THE DALLAS MORNING NEWS

AUSTIN -- Computer users, beware: Driving on the information highway, it's possible to get fleeced.

Scam artists have hit cyberspace, offering high-tech ponzi schemes, sending illegal electronic chain letters and hyping virtually worthless stock, according to state securities regulators across the nation. In Texas, regulators say an Austin retiree lost $10,000 in a fake mutual fund deal sold by a man who promoted his "money managing" skills through an on-line computer service.

"The danger here is that cyberspace, which could be a beneficial way for consumers to do a better job of informing themselves, will instead be discredited as a haven for fast-buck artists," said Denise Voigt Crawford, the Texas Securities Commissioner.

In New Jersey and Missouri on Thursday, securities regulators filed cease and desist orders against promoters who used computer links to tout allegedly fraudulent deals. Texas regulators say it is likely that they will seek an indictment in the case of the nonexistent mutual fund.

But with nearly 4 million computer users nationwide linked into commercial computer services and 20 million people on the internet, a world-wide computer network, "it is almost too big to police effectively," said Jared Silverman, chief of the New Jersey Bureau of Securities and chairman of a multi-state team that investigates computer fraud.

In response, regulators in all 50 states issued a bulletin to investigators, describing the potential frauds and listing steps small investors can take to protect themselves. "We're trying to tell people to be careful," said Ms. Crawford, "there is a new fraud on the horizon."

Although regulators are concerned about the problem, Ms. Crawford acknowledges enforcement will be a challenge. Because electronic conversations, or E-mail, are considered private, "we don't know what difficulties we are going to have getting subpoenas enforced or what kind of cooperation we will get from (commercial bulletin board systems)." [sic]

Officials say promoters tend to advertise offers or stock tips on the financial bulletin board sections of on-line computer services such as CompuServe, America Online and Prodigy, or in the specialized discussion forums in the Internet. Regulators said that of 75,000 messages posted on one computer service bulletin board during a recent two-week period, 5,600 were devoted to investment topics. While some commercial computer bulletin board services try to control the publicly posted investment tips, most do not try to control most communications on the service. What begins as innocent E-mail can end with an unwary investor "getting cleaned out by high-tech schemers," said Ms. Crawford.

In Texas, the case under investigation began when an Austin retiree posted a public note in a commercial bulletin board system looking for conversations about the stock market, according to John A. Peralta, deputy director of enforcement at the Texas Securities Board. "He was contacted. It turned into a private E-mail conversation, a telephone conversation and then exchanges through the mail," said Mr. Peralta. But the person who promoted himself on the computer as a skilled money manager turned out to be unlicensed -- and the mutual fund the retiree invested in turned out to be nonexistent. Mr. Peralta said at least one other person, not from Texas, invested $90,000 in the same deal. "We are aware of two, but we don't really know," he said. "There may be dozens of victims."

Securities regulators began taking interest in on-line scams last fall, after Mr. Silverman -- a computer junkie -- raised the issue at a national meeting of regulators. "I heard stories about things going on on computer bulletin board services, and I have been monitoring these things for close to a year," he said. In fact, the New Jersey case came from Mr. Silverman's off-hours cruising of an on-line service. "I sit at a keyboard two hours a day -- to the chagrin of my wife -- scanning these things," he said.

What he found was a promoter pushing an E-mail chain letter. The promoter, identified only as from San Antonio, claimed that in exchange for $5, investors could earn $60,000 in three to six weeks. Regulators said participants were told to send $1 to each of five people on a list in the computer bulletin board, add their own name to the list and post it on 10 different computer bulletin board sites. That, regulators said in a statement, "amounted to a high-tech variation on the old pyramid scam, which is barred by federal and state laws."

In Missouri, regulators Thursday moved against an unlicensed stockbroker for touting his services and "making duubious [sic] claims for stocks not registered for sale in the state." Among other things, regulators said, the promoter falsely claimed that Donald Trump was a "major, behind-the-scenes player in a tiny cruise line" whose stock he pitched.

Ms. Crawford said that while computer users may be sophisticated in some ways, they still are attractive targets because they tend to have discretionary income and frequently are looking for ways to invest their money. Some of the commercial services also allow users to use various aliases, making it all the more difficult for investigators to figure out who they are really communicating with.
Dutch police victim of phone-tapping criminals
Ralph Moonen <ralph@inter.nl.net> Fri, 22 Jul 1994 11:59:33 +0200

Usually law enforcement's arguments for regulated encryption center around their ability to tap criminals' conversations. In the Netherlands this discussion has taken a whole new twist when Dutch newspaper De Telegraaf laid hands on phone-tap recordings not from the police, but from criminals who had tapped various high police officials' home and work phones. Needless to say the newspaper published transcripts of the recordings which proved to be quite interesting. (Proving police used several illegal means of gathering evidence and revealing a lot of internal trouble in the police dept.)

Soon after publication police officials called for more funding to be able to buy encryption devices. Was this just naivety on the part of the police to assume criminals couldn't wire-tap or was it an isolated incident where the criminals got lucky? Evidence supports only the first assumption.

Hopefully this incident will lead to more discussion on encryption technology. A while ago legislation was proposed to ban encryption without having a permit for such devices. This proposal was cut down in light of strong opposition from industry and commerce. After that, no-one in the Netherlands really took up the issue, which I think we all agree upon is one of the most important ones of the information age.

Oh, the RISK? I dunno, but I think it's obvious :-)

--Ralph
As the Worm Turns--Ant-icipating Problems
"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> 22 Jul 94 08:47:44 EDT

From the United Press International newswire (94.07.21 @ 12:17 EDST) via CompuServe's Executive News Service (GO ENS):

Ants help BT improve computers
By SIMONA de LOGU

"LONDON, July 21 (UPI) -- British Telecom scientists are exploring ways of making computer programs more robust and adaptable by using ant colonies as models for interactive programs that respond to changing conditions in computer networks. A team of computer specialists based at BT's Martlesham Heath laboratories in Ipswich, east England, has been studying research material on ants for the past two years and using their findings on developing programs."

Key points from the article:

o "Our system is made up of small, autonomous, reactive, mobile blocks of computer code that interact in a way derived from ant behavior," said scientist Simon Steward. "The control system that emerges from all of these mobile software agents working together is inherently adaptable and robust unlike normal computer programs."
o The goal of the work is to prevent system crashes when an unanticipated [PGN, please forbear] condition occurs.
o The distributed computing model uses message-passing to coordinate computation.
o "The programs are mobile like ants, moving from one computer to another, when needed."
o After making software or parameter changes, the "mobile programs" would "leave messages for other programs on how the system has been adapted."
o Modules will display "a certain amount of random behavior...."
o The system will display heuristic, goal-seeking behaviour.

[Comments from MK follow:]

Programs that move from system to system are usually called worms. The work described above is related to Von Neumann's concepts of cellular automata, and I guess would count as an example of "artificial life" or a-life. The idea that semi-autonomous computer programs would migrate from place to place reminds one of the debate about "useful viruses."

I was getting antsy about this (the idea was really bugging me), so I searched on "ant or ants" in the Ziff Computer Database Plus (GO COMPDB on CompuServe) and located an article in Computergram International (June 10, 1994), p. 15 entitled, "British Telecom's research lab claims to have found the fastest Travelling Salesman algorithm." In this application, which runs on a single RISC workstation, "The search algorithm is set in motion on a problem to find the shortest travelling distance between several cities, for example. In effect a whole series of `ants' are thrown on a map of the area and if the system doesn't find a destination city, it dies, whereas if it does find a chosen destination city it `gives birth' and grows." A path is then established between cities. The algorithm is very fast--two seconds for a 100-point optimization problem and 2.5 minutes for 1000 points.

All this is fascinating, and I naturally wondered about the implications for system reliability. Turning back to the UPI story, it seems to me that there must be a lot of work to include quality assurance principles into heuristic, semi-autonomous algorithms that change system or network configuration. The consequences of malfunction increase when the problems occur in control structures; e.g., a hole in your hose can swamp your lawn, but a bug in your electronic shutoff valve that reverses inputs (off -> on) can really put a bee in your bonnet.

One of the main objections to free-roaming software worms and viruses is that they (themselves) offer no opportunity for a system manager or owner to block their activity (one can usually do so with antivirus tools, though). When a system is seeded with these rogue programs, one never knows what will flower. Who wants untested software making changes in her computer system? Similarly, how do we cope with "genetic" algorithms that spontaneously make changes in, say, operating system tables or even executable code? How does one test a real-time change in the operating system?

It will be interesting to follow this work and see how concerns for reliability are worked into this evolving field.

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
It's a real world out there, and the Internet is part of it.
Phil Agre <pagre@weber.ucsd.edu> Fri, 22 Jul 1994 14:21:17 -0700

Many denizens of the Internet think of it as a place of untrammeled free speech and decentralized democracy. Evidence is accumulating that it's more complicated than that. Writing in the liberal journal _The Nation_, Jon Wiener (a historian at UC Irvine who does a sort of investigative journalism) outlines some of the complications. The full reference is:

Jon Wiener, Free Speech on the Internet, The Nation 258(23), 13 June 1994, pages 825-828.

He describes the Karla Homolka trial in Canada, a group of Turks who swamp newsgroups with automatic messages denying the Armenian genocide, gun activists taking over alt.motherjones, libel suits provoked by on-line statements, gender imbalances, abusive behavior by unreformed net-guys, and more. None of which means the net is bad; it just means the net is part of reality.

At one level the Risk is computer-related: bad stuff can happen on-line, just like in real life. But the real Risk comes from believing the hype: just because it's decentralized doesn't make it democratic. If we want democracy we have to actively make it. Just like in real life.

Phil Agre, UCSD
Automated mail listserver causes "Spamming" on the Internet
Jean Renard Ward <jrward@midget.ptltd.com> Fri, 22 Jul 94 08:49:50 EDT

The past week I have been getting filled-out copies of a survey form completed by beta users of the netsurf.com services. Each day up to a half-dozen of these forms would show up in my Internet mailbox. Evidently the problem was caused by three factors: (1) the original survey form had in the "cc:" field the listserv address for mailing to the entire beta user group, (2) many of the beta users had "reply to all" set as the default for their mailer software, and (3) the folks at netsurf.com had configured their listserver to remail the incoming Emails with the completed forms back out to the addresses on their beta user list.

The only interesting thing about getting the completed survey forms is that most of the respondents to the survey seemed to be middle-aged males with "erotica" as one of their interests in using the Internet. Netsurf's questionnaire specifically stated that they had no interest in invading anyone's privacy, so that the questionnaire would be effectively confidential, even though they could not guarantee that formally.

Notes Emailed to netsurf.com had no effect. Finally, out of frustration, I did a "reply to all" on one of the incoming forms with a note about the problem back out to the same listserver. Although this was an act of "spamming" on its own, it did get the people at netsurf.com to address (intentional pun) the problem.

A last note: I got a note from netsurf.com blaming __me__ and all those users who had set "reply to all" as the default in their mail software for spamming their beta user list, rather than admitting that they had overlooked the possible effects of their listserver and mailing configuration.

By the way -- this is being sent with a cc: to netsurf.com.
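The three factors in the post above, played out in an added Python simulation (this is not code from the post or from netsurf.com's list software; the list, collector and subscriber addresses are constructed). It models the survey with the list address in Cc:, a mailer whose default is reply-to-all, and a list server that re-mails whatever it receives, then shows the two defences a list operator controls: a survey sent with subscribers in Bcc: and a Reply-To: pointing at the collector, and a server that refuses posts from non-allowed senders and drops copies that already carry its own List-Id: tag or a Message-ID it has relayed before.

```python
"""Constructed simulation of a reply-to-all storm through a listserver.
All addresses are made up; ListServer is a toy, not any real list software."""
from email.message import EmailMessage
from email.utils import getaddresses, make_msgid

LIST_ADDR = "beta-users@list.example"       # assumed list address (constructed)
COLLECTOR = "survey@collector.example"      # assumed survey mailbox (constructed)
SUBSCRIBERS = [f"user{i}@mail.example" for i in range(1, 6)]  # constructed


def recipients_of(msg: EmailMessage) -> set:
    """Addresses in To: and Cc:, i.e. what a reply-to-all will copy."""
    return {a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}


def build_survey(cc_the_list: bool) -> EmailMessage:
    """Factor (1) when cc_the_list=True: the list address sits in Cc:. The
    corrected form addresses only the collector; subscribers went in Bcc:,
    which never appears in the delivered copy."""
    msg = EmailMessage()
    msg["From"] = COLLECTOR
    msg["Subject"] = "Beta user survey"
    msg["Message-ID"] = make_msgid(domain="collector.example")
    if cc_the_list:
        msg["To"] = ", ".join(SUBSCRIBERS)
        msg["Cc"] = LIST_ADDR
    else:
        msg["To"] = COLLECTOR
        msg["Reply-To"] = COLLECTOR
    msg.set_content("Please fill in and send back.")
    return msg


def reply_all(original: EmailMessage, sender: str) -> EmailMessage:
    """Factor (2): a mailer defaulting to reply-to-all answers Reply-To:
    (or From:) and copies everyone in To:/Cc: except the sender."""
    targets = {str(original.get("Reply-To") or original["From"])}
    targets |= recipients_of(original)
    reply = EmailMessage()
    reply["From"] = sender
    reply["To"] = ", ".join(sorted(targets - {sender}))
    reply["Subject"] = "Re: " + str(original["Subject"])
    reply["Message-ID"] = make_msgid(domain=sender.split("@")[1])
    reply.set_content("Completed survey follows.")
    return reply


class ListServer:
    """Factor (3): re-mails whatever arrives to every subscriber.
    hardened=False is the configuration the post describes; hardened=True
    drops looped/duplicate copies and accepts posts only from allowed senders."""

    def __init__(self, hardened: bool, allowed_senders=()):
        self.hardened = hardened
        self.allowed = set(allowed_senders)
        self.seen = set()
        self.outbox = []          # copies actually sent, kept for inspection

    def receive(self, msg: EmailMessage) -> list:
        """Re-mail msg and return its recipients ([] when it is suppressed)."""
        mid = str(msg["Message-ID"])
        if self.hardened:
            if msg.get("List-Id") == f"<{LIST_ADDR}>" or mid in self.seen:
                return []     # looped back or duplicated: do not amplify again
            if self.allowed and str(msg["From"]) not in self.allowed:
                return []     # replies belong to the collector, not the list
        self.seen.add(mid)
        copy = EmailMessage()
        for name, value in msg.items():   # carry headers over, minus MIME/list ones
            low = name.lower()
            if low not in ("list-id", "precedence") and not low.startswith(("content-", "mime-")):
                copy[name] = str(value)
        copy["List-Id"] = f"<{LIST_ADDR}>"   # tags the copy as this list's traffic
        copy["Precedence"] = "list"          # asks auto-responders to keep quiet
        copy.set_content(msg.get_content())
        self.outbox.append(copy)
        return [s for s in SUBSCRIBERS if s != str(msg["From"])]


def survey_storm(cc_the_list: bool, hardened: bool) -> int:
    """Every subscriber replies-to-all once; returns how many re-mailed
    copies the server injects into subscribers' mailboxes."""
    server = ListServer(hardened, allowed_senders=[COLLECTOR])
    survey = build_survey(cc_the_list)
    copies = 0
    for user in SUBSCRIBERS:
        reply = reply_all(survey, user)
        if LIST_ADDR in recipients_of(reply):    # the reply reaches the list
            copies += len(server.receive(reply))
    return copies


def reflected_announcement(hardened: bool) -> int:
    """A legitimate announcement goes out and a subscriber's forwarding rule
    sends the list's own copy straight back to the list; returns total copies."""
    server = ListServer(hardened, allowed_senders=[COLLECTOR])
    note = EmailMessage()
    note["From"], note["To"], note["Subject"] = COLLECTOR, LIST_ADDR, "Beta update"
    note["Message-ID"] = make_msgid(domain="collector.example")
    note.set_content("A new build is available.")
    first = len(server.receive(note))
    return first + len(server.receive(server.outbox[-1]))
```

With five subscribers, `survey_storm(True, False)` reproduces the incident (20 re-mailed copies), while either the Bcc: survey or the hardened server brings it to zero; `reflected_announcement` shows that the List-Id and Message-ID checks also stop the simpler loop in which list traffic is bounced back to the list. None of these checks depends on subscribers changing their mailer defaults, which is the point the post makes about where the responsibility lay.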
Marc Rotenberg <rotenberg@washofc.epic.org> Fri, 22 Jul 1994 15:48:32 EST
Subject: Leahy Statement on Gore Statement on Clipper
U.S. SENATOR PATRICK LEAHY, Vermont
STATEMENT OF PATRICK LEAHY ON
VICE PRESIDENT GORE'S CLIPPER CHIP LETTER
July 21, 1994
I have read the July 20th letter from the Vice President about the
Administration's current thinking on Clipper Chip and, to my mind, it
represents no change in policy. In fact, when this letter was sent, I
would be surprised if the Administration even thought it was news.
The letter makes clear to me that the Administration continues to
embrace key escrow encryption technology, and stands behind Clipper Chip
as a federal standard for telephone communications. The official
standard makes clear that this standard applies to any communications
over telephone lines. Those communications include not only voice, but
also low-speed computer data and facsimile messages. The Administration
is working on encryption technologies for higher-speed transmissions,
such as for computer networks and video networks.
The Vice President says that they want to work with industry to
design a key escrow system that could be implemented not just in
hardware, but also in software, that would be voluntary, exportable and
not rely upon a classified encoding formula. The Administration said all
this last February when the federal standard was approved. Yet, when
Administration witnesses were questioned about the progress they had made
in this effort at my Judiciary subcommittee hearing in early May, I
learned they had held only a few meetings.
Last week, the Appropriations Committee accepted strong Report
language I suggested on Clipper Chip. The Attorney General is directed
to report to Congress within four months on ten areas of concern about
Clipper Chip.
I agree with the Vice President that balancing economic and privacy
needs with law enforcement and national security is not always an easy
task. But we can do better than Clipper Chip.
Privacy Journal this month
Robert Ellis Smith <0005101719@mcimail.com> Fri, 22 Jul 94 14:38 EST

Here are the headlines from the July 1994 PRIVACY JOURNAL:

DIVORCE LAWYERS FIND A SPOUSE'S PC A GOLD MINE
A TENTATIVE PROPOSAL FOR A NATIONAL ID CARD
AN ILLUSTRATION ON HOW MATT BLAZE DISCOVERED A HOLE IN CLIPPER
A NEW DATA BASE FOR BRADY GUN-CONTROL LAW
TWO PRIVACY CLEARINGHOUSES SEEK FUNDING
HOW VEGAS AND JERSEY KEEP A COMPUTERIZED EYE ON HIGH ROLLERS
A VICTIM OF E-MAIL PROFANITIES LOSES LAWSUIT
CALIFORNIA BEGINS NEW 'OPT-OUT' FOR CREDIT-CARD CUSTOMERS

Robert Ellis Smith/Publisher 401/274-7861, or 0005101719@mcimail.com

[The all-caps format makes it begin to sound like a weekly tabloid. PGN]
CFP: IEEE Symposium on Security and Privacy
Catherine A. Meadows <meadows@itd.nrl.navy.mil> Fri, 22 Jul 94 17:27:46 EDT
CALL FOR PAPERS
1995 IEEE Symposium on Security and Privacy
May 8-10, 1995, Oakland, California
sponsored by
IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with
The International Association for Cryptologic Research (IACR)
The Symposium on Security and Privacy has for fifteen years been the
premier forum for the presentation of developments in computer security,
and for bringing together researchers and practitioners in the field.
This year, we seek to build on this tradition of excellence by
re-emphasizing work on engineering and applications as well as theoretical
advances. We also seek to broaden the scope of the Symposium by
introducing new topics. We want to hear not only about new theoretical
results, but also about work in the design and implementation of secure
systems and work on policy relating to system security. We are
particularly interested in papers on policy and technical issues relating
to privacy in the context of the information infrastructure, papers that
relate software and system engineering technology to the design of secure
systems, and papers on hardware and architectural support for secure
systems.
The symposium will focus on technical aspects of security and privacy as
they arise in commercial and industrial applications, as well in
government and military systems. It will address advances in the theory,
design, implementation, analysis, and application of secure computer
systems, and in the integration and reconciliation of security and privacy
with other critical system properties such as reliability and safety.
Topics in which papers and panel session proposals are invited include,
but are not limited to, the following:
Secure systems
Privacy Issues
Access controls
Security verification
Network security
Policy modeling
Information flow
Authentication
Database security
Data integrity
Security Protocols
Viruses and worms
Auditing
Biometrics
Smartcards
Commercial and industrial security
Intrusion Detection
Security and other critical system properties
Distributed systems
A new feature of the symposium this year will be a special session of
very brief (5-minute) talks. Our goal is to make it possible for us to
hear from people who are advancing the field in the areas of system
design and implementation, and who would like to present their ideas to
the symposium audience but may lack the time and resources needed to
prepare a full paper. Submissions for this session will be accepted
up to five weeks before the symposium, to permit us to hear of the most
recent developments. Abstracts of these talks will be distributed at
the conference.
INSTRUCTIONS TO AUTHORS:
Send six copies of your paper and/or proposal for a panel session to
Catherine Meadows, Program Co-Chair, at the address given below. Papers and
panel proposals must be received by November 7, 1994. Papers, which
should include an abstract, must not exceed 7500 words. The names and
affiliations of the authors should appear on a separate cover page
only, as a ``blind'' refereeing process is used. Authors must certify
prior to December 25, 1994 that any and all necessary clearances
for publication have been obtained.
Papers must report original work that has not been published
previously, and is not under consideration for publication elsewhere.
Abstracts, overlength papers, electronic submissions, late
submissions, and papers that cannot be published in the proceedings
will be rejected without review. Authors will be notified of
acceptance by January 16, 1995. Camera-ready copies are due not later
than March 6, 1995.
Panel proposals should describe, in two pages or less, the objective of
the panel and the topic(s) to be addressed. Names and addresses of
potential panelists (with position abstracts if possible) and of the
moderator should also be included.
Submitters of abstracts for the special session of five-minute talks
should submit one page abstracts to Catherine Meadows, program co-chair,
at the address given below. Abstracts must be received by April 3, 1995.
Authors will be notified of acceptance or rejection of abstracts by April
17. Submitted abstracts that are accepted will be distributed at the
conference.
The Symposium will also include informal poster sessions where preliminary
or speculative material, and descriptions or demonstrations of software,
may be presented. Send one copy of your poster session paper to Carl
Landwehr, at the address given below, by January 31, 1995, together with
certification that any and all necessary clearances for presentation have
been obtained.
Also for the first time this year, we will attempt to counsel prospective
authors. If you have questions about whether or how to present your work
to the symposium, please send e-mail to the Chair
(landwehr@itd.nrl.navy.mil), and we will do our best to assist you.
Information about this conference will be also be available by anonymous
ftp from chacs.itd.nrl.navy.mil in directory /pub/SP95, by World Wide Web from
http://www.itd.nrl.navy.mil/ITD/5540/announce/SP95.html,
or by sending email to sp95@itd.nrl.navy.mil.
PROGRAM COMMITTEE
Ross Anderson, Cambridge University, UK
Steve Bellovin, AT&T, USA
Tom Berson, Anagram Laboratories, USA
Oliver Costich, Independent Consultant, USA
George Dinolt, Loral, USA
Cristi Garvey, TRW, USA
Li Gong, SRI, USA
Sushil Jajodia, GMU, USA
Steve Kent, BBN, USA
Steve Lipner, TIS, USA
Teresa Lunt, ARPA/CSTO, USA
John McLean, NRL, USA
Jonathan Millen, Mitre, USA
Birgit Pfitzmann, Universität Hildesheim, Germany
Sylvan Pinsky, DoD, USA
Michael Reiter, AT&T, USA
Jaisook Rho, TIS, USA
Peter Ryan, DRA, UK
Tom Schubert, Portland State University, USA
Paul Syverson, NRL, USA
Vijay Varadharajan, HP, UK
Raphael Yahalom, Hebrew University, Israel
For further information concerning the symposium, contact:
Carl Landwehr, General Chair
Naval Research Lab., Code 5542
4555 Overlook Ave., SW
Washington DC 20375, USA
Tel: +1 (202) 404-8888
FAX: +1 (202) 404-7942
landwehr@itd.nrl.navy.mil

Catherine Meadows, Program Co-Chair
Naval Research Laboratory, Code 5543
4555 Overlook Ave., SW
Washington DC 20375, USA
Tel: +1 (202) 767-3490
FAX: +1 (202) 404-7942
meadows@itd.nrl.navy.mil

Dale Johnson, Vice Chair
The MITRE Corporation
Mailstop A156
202 Burlington Rd
Bedford, MA 01730-1420, USA
Tel: +1 617-271-8894
Fax: +1 617-271-3816
dmj@mitre.org

John McHugh, Program Co-Chair
Computer Science Department
Portland State University
P.O. Box 751
Portland OR 97207-0751, USA
Tel: +1 (503) 725-5842
Fax: +1 (503) 725-3211
mchugh@cs.pdx.edu
Charles Payne, Treasurer
Naval Research Lab., Code 5542
4555 Overlook Ave., SW
Washington DC 20375, USA
Tel: +1 (202) 404-8763
FAX: +1 (202) 404-7942
payne@itd.nrl.navy.mil
Peter Ryan, European Contact
Defence Research Agency
Room NX17
St Andrew's Rd
Malvern
Worcs WR14 3PS, UK
Tel +44 (0684) 895845
Fax +44 (0684) 894303
ryan@rivers.dra.hmg.gb

Jim Gray, Asia/Pacific Contact
Department of Computer Science
Hong Kong Univ. of Science & Technology
Clear Water Bay, Kowloon, Hong Kong
Tel: +852 358-7012
Fax: +852 358-1477
gray@cs.ust.hk