Vol 8. No 7. Page 5.
even if the perpetrator is in the same state as the host/victim computer".
Another major problem is how to define computer crime. The OTA's definition is "a set of crimes in which computerized data or software play a major role", but again this fails to grapple with the central problem of some hacking being relatively harmless and other hacking involving computer professionals. Several bills on computer crime are in the offing, and the opinion of the OTA is a powerful one as far as Congress is concerned. But whether it is powerful enough to persuade Congress to pass major laws against the views of the Administration remains to be seen.
COMPUTER FREUD
A report in Computer Security Journal (No. 3, Winter 1985) describes a psychological approach to computer security. Recognizing that computer security is most often infringed by authorized users, a programme was developed using a series of six steps, with the aim of creating a psychological environment based on peer group influence which would deter computer crime as well as reduce the opportunity to commit fraud. The programme was tested at a US Air Force organization in ten locations in California, Arizona and Nevada over a period of one year. It involved about 100 employees. Two other user groups in the same area were simultaneously observed and the evidence of computer crime between the three groups was compared. The six steps are all considered to be dependent on each other; the lack of one would render the others much less effective.
1. To make a definite statement about the company's attitude towards computing - that it must be crime-free and that any conduct which might appear to be dishonest or a conflict of interest is not permitted.
2. To reach an agreement among all the users on what is considered proper computer use. This requires a lot of discussion among the group, with some consensus emerging at the end of it all.
3. To publish the rules, so that every user knows what they are.
4. To know who all users of the computer are. All users must be brought into the peer group so that the peer group influence can affect them. Applicants were screened twice before employment.
5. Every suspected deviation from the rules must be investigated.
6. Disciplinary procedure must be clear, coherent and fair.
The test programme took twelve months to complete. The two other user groups suffered the theft of hardware and interference with a computer program, while the particular organization which implemented the programme was free from computer crime for that period. As an actual experiment, this would fail due to the lack of constants in the variation of user groups.
However, having a clear, fair policy on misdemeanours, and promoting a positive psychological environment with much integration of employees and discussion with them, is undoubtedly very important.
© 1986 Elsevier Science Publishers B.V. (Information & Business Division), Amsterdam. /86/$0.00 + 2.20 No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)
NEW SECURITY SERVICE
Racal has set up a new subsidiary called Racal-Guardata to provide a network security service to computer users and to manufacture computer security equipment. One of the first pieces of equipment from the company is a password generator called the Watchword. This is a hand-held unit, about the size of a calculator, which is linked to security software in the host computer. A multi-digit 'challenge' is flashed on the screen, which the user keys into his own personal Watchword together with his own ID. The Watchword unit then generates the correct 'answer' to the original challenge and the user keys this into the host computer to gain access.
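The Watchword exchange described above, as an added example that is not Racal-Guardata's code or algorithm (the page does not say how the unit computes its answer): a host and a hand-held token share a per-user secret, HMAC-SHA256 is assumed as the response function, and the user IDs, secrets and digit lengths are constructed for the demonstration. The host side carries the checks a practitioner would want around any such scheme: a challenge is random, single-use and time-limited, so an answer captured in transit cannot be replayed, the answer comparison is constant-time, and a challenge is offered for any ID so that the login prompt does not reveal which accounts exist.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample: per-user secrets provisioned into each user's token and
# held by the host.  Hypothetical values, nothing from Racal-Guardata.
USER_SECRETS = {
    "alice": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "bob": bytes.fromhex("00112233445566778899aabbccddeeff"),
}

CHALLENGE_DIGITS = 8   # digits the host flashes on the screen (assumed)
RESPONSE_DIGITS = 8    # digits the token shows back (assumed)


def new_challenge(digits=CHALLENGE_DIGITS):
    """Host side: an unpredictable numeric challenge for the user to key into the token."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def token_response(secret, user_id, challenge, digits=RESPONSE_DIGITS):
    """Token side: derive the numeric 'answer' from the shared secret, user ID and challenge.

    HMAC-SHA256 is an assumed stand-in for the unit's own (undescribed) function;
    the MAC is truncated to a code short enough for a person to type.
    """
    msg = f"{user_id}:{challenge}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


class Host:
    """Host-side security software: issues challenges and checks answers."""

    def __init__(self, secrets_db, ttl_seconds=60):
        self._secrets = secrets_db
        self._ttl = ttl_seconds
        self._pending = {}   # user_id -> (challenge, issued_at)

    def issue_challenge(self, user_id, now=None):
        now = time.time() if now is None else now
        challenge = new_challenge()
        # Offer a challenge for any ID, known or not, so that the prompt itself
        # does not disclose which accounts exist.
        self._pending[user_id] = (challenge, now)
        return challenge

    def verify(self, user_id, answer, now=None):
        now = time.time() if now is None else now
        # A challenge is single-use: consume it whether the answer is right or wrong,
        # so a captured answer is worthless once it has been tried.
        pending = self._pending.pop(user_id, None)
        secret = self._secrets.get(user_id)
        if pending is None or secret is None:
            return False
        challenge, issued_at = pending
        if now - issued_at > self._ttl:      # stale challenge: user must start over
            return False
        expected = token_response(secret, user_id, challenge)
        return hmac.compare_digest(expected, answer)   # constant-time comparison


if __name__ == "__main__":
    host = Host(USER_SECRETS)
    ch = host.issue_challenge("alice")
    print("host flashes challenge:", ch)
    ans = token_response(USER_SECRETS["alice"], "alice", ch)
    print("Watchword shows answer:", ans)
    print("host accepts answer:", host.verify("alice", ans))
    print("host accepts the same answer again:", host.verify("alice", ans))
```

Run as a script it prints one challenge/answer round, an accepted login and a rejected replay; the `now` arguments on the host methods exist only so that expiry can be exercised without waiting.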
Racal-Guardata is based in Fleet, Hampshire, UK; Tel: 0252 622144.
GOVERNMENT V. PRIVATE ENCRYPTION
A recent directive by the US Government about the NSA (National Security Agency) has rekindled fears about the ever vigilant Big Brother spying on all data communications. The directive, No. 145, proposes that the NSA develop a standard with which to replace the current universally-used DES (Data Encryption Standard). The motive behind this move is believed to be the urgent need to stop hackers breaking into top secret security systems, but more sinister reasons are suspected by some. In 1979, a Senate select committee secretly investigated the NSA. The agency was accused of trying to undermine the DES cryptographic system in order to make it easier to eavesdrop on it, by calling for the size of the key to be shortened from 128 bits. It was believed by some that the Agency had formulated a way of decoding DES encrypted communications which used the smaller key. The Senate select committee did clear the NSA of any suspicion at the time, but this new move to replace DES encryption with an NSA-designed standard will cause alarm. Most data encryption methods are based on the DES system, which depends on the secrecy of the keys used to code and decode messages. However, the NSA claims that the fact that the DES algorithm is widely publicised is a threat to its security. The replacement standard would have a secret algorithm, with the keys being changed as often as several times a minute. But a rival company, RSA Data Security, have developed a compatible standard which they hope will compare with DES and offer greater secrecy than what the Agency has on offer. The RSA public key crypto system, called Mailsafe, is based on a patented algorithm developed by researchers at the Massachusetts Institute of Technology, using a key bit length that can be varied by the user between 336 and 672 bits. This algorithm, say RSA, could take a