Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
In RISKS-FORUM 7.49, Eric Postpischil and Henry Spencer disagree with Ed Nilges' assertion (in RISKS-FORUM 7.45) that increasing technical abilities of computer games has corresponded with a decline in social and moral content. They point out the subtle yet insidious context of chess and _Monopoly_, the large number of computer games that encourage moral behavior, and the overt content of standard wargames. Although many of their points are valid, I must disagree with the basic contentions of Eric and Henry. I, too, have noticed the same disturbing trend aptly noted by Ed. I have been involved with the design, use, and history of wargames (perhaps more correctly called "conflict simulations") for nearly 20 years. Over that time, I have witnessed a definite change in attitude among those in the field. In the mid 70s, a major debate erupted over whether the industry leader should or should not do a proposed project for the Pentagon. The consensus was that dealing with the Pentagon would poison the intellectual atmosphere that had so far kept conflict simulations a model of integrity. The project was never done. Shortly thereafter, the industry leader was destroyed in a hostile takeover attempt, and surviving companies began the first Pentagon projects. Today, most wargaming companies fight for those precious Pentagon dollars, and gaming has suffered for it. Many simulations are today designed for the purpose of developing better ways to slaughter people, rather than as intellectual history lessons. Worse, there is a disturbing tendency to design simulations as vehicles for displaying aggression. Certainly 20 years of progress has given us conflict simulations that are technically far more accurate than anything done in the "Golden Years" of the 60s and 70s, and the use of computers in simulations has revolutionized the industry. But with the improvement in technical accuracy and mechanics has come a change in the purpose of wargames. Instead of serving primarily as learning tools, they are now approached as pure profit-making ventures, military aids, or macho exercises. The "learning tool" aspect is still there, but it has been subverted by baser instincts. Of course, there is the "fun" aspect of conflict simulations. Even the most intellectual simulations invariably contain certain amounts of "fun," and most of us get a great deal of satisfaction that way. I would not deny that I myself have enjoyed watching my Soviet infantry turn a Nazi pillbox into a fireball. Yet when that enjoyment becomes the PRIMARY purpose of the simulation, something is wrong. This is one of the more disturbing aspects of many arcade-type computer games. It doesn't matter whether you are pushing a button on a joystick, typing in a line of commands, or moving a cardboard counter across a map. What are the functions of the simulation? I submit that greed and aggression have no place in the study of a human activity which is itself intrinsically rooted in greed and aggression. Michael Trout (miket@brspyr1) =-=-=-=-=-=-= UUCP:brspyr1!miket BRS Information Technologies, 1200 Rt. 7, Latham, N.Y. 12110 (518) 783-1161
The conditioning effect of violent video games should be at least as much of a
concern as the effect of similar content on viewers of ordinary TV. Video
games do not present the spare, tokenized arena of chess or Monopoly; they
present a (speculative) graphical scene of the player's struggle toward the
goal. When the player and the obstacles are cast in demeaning human
stereotypes, the game is degrading to play. The key aspect of video games is
the explicit graphical interface that requires the player to focus on the
images of the game's creators rather than create his/her (possibly less hostile
in some cases) own mental images.
{ihnp4!pacbell,pyramid,sun,{uunet,ucbvax}!mtxinu}!sybase!tim
Voluntary disclaimer: This posting is solely my personal opinion.
It is not a representation of Sybase, Inc.
donn@cs.utah.edu (Donn Seeley) quotes in Risks 7.50 portions of the Newsweek article about credit doctors. The concluding question is: Are credit bureaus' security measures really this lax? It's not hard to believe, just appalling. I have a couple of comments to add: 1) This type of activity is not uniquely a computer risk. I can imagine a computerless credit bureau, where records are kept on paper, and further imagine a 'credit doctor' fraudulently obtaining the credentials necessary to gain access to the credit bureau. The 'doctor' then calls up the credit bureau and obtains the desired information. The difference, of course, is that in this case the 'doctor' is probably dealing with a human at the credit bureau, and this human might by some chance figure out that the 'doctor' is up to no good. 2) The computer-related risk is, of course, that this sort of activity is much more likely to happen with computerized credit bureaus. The volume of information involved, and the anonymity of the individual making the request for credit information (via a terminal) make it much more difficult for requests to be validated and for fraudulent usage to be detected. This is just one more example of a well-known risk that is all too often not accounted for in the design of a system. 3) Surely there must be a reasonable way to provide legitimate access to credit information without making it so easy to obtain illegitimate access! As the credit bureaus operate today, any individual who knows how to access the credit bureau's computer can apparently locate anyone's credit information. It has been demonstrated that we cannot place much trust in those individuals at the banks, etc. who have access to the credit bureaus. I can imagine an individual whose credit information is on file at the credit bureau providing a unique 'password' to the bank for the purpose of a credit check, but how then is that password protected from abuse? (I seem to remember a proposal for a relatively secure version of this sort of thing in CACM 3-4 years ago.) Or is this an inevitable and unavoidable risk of having computerized records? I should hate to think so — it might lead me to advocate keeping computers away from such sensitive records. These issues are not really new, so I think I'll stop at this point, and wait for the next creative abuse of computerized personal records to pop up in the news.
The commodore homecomputer has an EPROM containing the boot and basic software. This ROM is in principle programmable only if the programming voltage is applied. In practice it is possible to modify the ROM by writing to it many times. This already caused a severe problems because a crashing program destroyed the ROM in a computer of a friend of mine. I do not know if there already is a ROM virus on the 64, but I'm sure it is possible. This makes those computers more vulnerable to viruses than any other homecomputer.
> REMOTE WILL DAMAGE your home TV sets."
I'd say they're just trying to scare you. I find it hard to imagine a remote
control that puts out enough infrared to even be competitive with direct
sunlight — and any consumer product must be designed for the possibility of
lengthy periods of direct sunlight.
Henry Spencer at U of Toronto Zoology
Talking about TV sets that are claimed to be damaged by remote controllers...
I happened to go to Disneyland lately where I saw the 3D movie "captain EO".
As you might know, this 3D effect is done using a special kind op polaroid
glasses. They said after the movie was over:
"Please do not take these glasses as a souvenir.
They will impair your vision outside this theatre."
There they go again! What's the difference between this theatre and the outside
world? Those glasses will either impair your vision on the long run (which I
doubt) or they won't. The only difference between the inside of the theatre
and the outside world is the 3D illusion they make.
— Jurjen N.E. Bos
[Irrelevant to computers, but nevertheless interesting
as another example of the same approach! PGN]
When I worked at HP, we acquired a new HP-IB hard disk drive with integral tape backup. To perform a backup or restore, you simply pull off the faceplate and press disk-to-tape or tape-to-disk. Both switches were identical, and you can guess what eventually happened... [As you might guess, there are about 12 messages pending on variants of "rm" pitfalls and other single-keystroke fiascos. We'll slow down on these for a while. PGN]
In RISKS 7.53 <Allen L. Chesley> Writes:
> Another point we had questions about, and they could not answer, is what
> happens to all of those companies (like banks) who now do some business using
> the touch-tone key pad. Under ISDN, signalling uses the "D" channel, not one
> of the voice carrying "B" channels. Therefore you cannot listen and capture
> touch-tones off of the conversation.
I'm not absolutely certain that we are talking about the same thing, but
"Feature Group D" services do indeed allow you to capture touch tones off of
the conversation. (I have worked with this, so I know something about it.)
The ANI signalling *is* done on different lines from the ones that carry the
conversation, and uses something other than DTMF. However, once the ANI
signalling is done, the receiver of the call performs an "Acknowledgement Wink"
on the special line. This opens the 'voice path', which is what carries both
the conversation, and any additional touch tones the caller sends. (Such as a
command code to tell the bank what to do with your account.)
The RISKY thing about this setup, is that it takes an additional "Wink" to
'accept' the call. Theoretically, you could complete your entire conversation
without sending that wink, and never be billed for the call since the telco
doesn't start billing until the call is 'accepted'. Practically, if you did it
much, the telco would notice, and you would be "up the evil smelling tributary,
with no visible means of locomotion, and no knowledge of aquatics."
The reason for this setup is so a service can extract further addressing
information before the caller is billed. This prevents a caller from being
billed for a call which cannot be completed.
DISCLAIMER: I do not work for any telephone company.
Neither I, nor my company, condone any illegal actions.
Edwin Wiles, NetExpress Comm., Inc., 1953 Gallows Rd. Suite 300 Vienna, VA 22180
CALL FOR PAPERS
Invitational Workshop on Data Integrity
January 25-27, 1989
Sponsored by and Held at
National Institute of Standards and Technology
(formerly National Bureau of Standards)
Gaithersburg, Maryland
The National Institute of Standards and Technology is sponsoring an
Invitational Workshop on Data Integrity to be held at NIST in Gaithersburg,
Maryland on January 25-27, 1989. The Workshop will focus on the concepts of
data integrity and data quality, and the characteristics, metrics, and
principles needed to define and provide a suitable framework for data integrity
and data quality.
This invitational workshop is a follow-on to the October 27-29, 1987
invitational Workshop on Integrity and Privacy in Computer Information Systems
(WIPCIS). The latter originated as a response to a paper by Clark and Wilson
presented at the IEEE Security and Privacy Conference in April, 1987. That
paper compared commercial and military computer security policies. The 1987
Workshop focused on commercial sector interpretations of the issues of
Assurance, Granularity and Function, Identity Verification, Auditing, and
System Correspondence to Reality and related these to a data integrity model.
A subsequently-formed data integrity working group of the NIST Computer and
Telecommunications Security (CTS) Council has proposed definitions for data
integrity and data quality. These have been incorporated, along with other
conclusions, in a paper written by the working group chair Robert H. Courtney,
Jr. It is intended that this paper serve as a strawman to stimulate responses
in the form of papers to be given at the January Workshop. The Clark & Wilson
paper would form an example within this framework. Although computer and
telecommunications system integrity is broader than data integrity, consensus
findings about data integrity would contribute significantly to our
understanding and handling of the broader concerns of integrity.
Papers are being sought from the computer security community for presentation
at the Workshop. Papers could address but need not be limited to the following
topics:
o Key principles for achieving data integrity.
o Key principles for achieving data quality.
o The application of principles to achieve integrity and quality of data.
o The attributes of data quality (other than accuracy, timeliness and
completeness).
o Is confidentiality an attribute of data quality?
o Connection between Quality Assurance and data integrity.
o Connection between Quality Control and data quality.
o Relation between data quality and the value of data.
o Organization-specific data integrity/data quality policies derived from
a body of principles.
o Cost-Benefit Relationships between security controls and data quality
and integrity.
o Organizational structures for assigning data integrity, quality
assurance, and data quality functions.
o A realistic internal audit role relative to data integrity and quality.
o A reasonable external auditor role relative to data security and its
subset data integrity.
o The relation of people roles (ADP staff, user, internal auditor,
quality assurance, quality control) to data integrity and quality.
Papers should be submitted by November 17, 1988 to:
National Institute of Standards and Technology, Computer Security Division,
Attn: Zella Ruthberg, A-216 Technology, Gaithersburg, Maryland 20899
Approximately six papers will be selected for presentation and
discussion. Selections will be made by December 7, 1988.
The strawman paper will be sent on request. For further background, people may
also request a copy of the report of the 1987 WIPCIS workshop. The paper and
report are available from Robin Bickel at the above address or 301-975-3359.
For further information on the Workshop contact Zella Ruthberg at 301-975-3361.
Please report problems with the web pages to the maintainer