Computer Audit Update
NEWS

Hackers imprisoned under Computer Misuse Act

Neil Woods, 26, and Karl Strickland, 22, members of the 'Eight Legged Groove Machine' hacking group, have been imprisoned for six months for offences committed under the UK's 1990 Computer Misuse Act. Woods and Strickland admitted to conspiring to obtain telecommunication services dishonestly and engaging in the unauthorized publication of computer information, causing damage which the court was told could conservatively be estimated as in the region of £123 000. Known in hacking circles by the names 'Pad' and 'Gandalf', Woods and Strickland accessed the UK's Joint Academic Network (JANET) and proceeded via the Internet to hack into BT, S.G. Warburg, EC systems and NASA. During one exchange between the two hackers, according to a report in the Independent, Woods stated: "We want to be full-time hackers", to which Strickland replied: "If it moves, hack it".

On passing sentence, Judge Michael Harris accepted that the activity of the hackers was not carried out with the intention of damaging systems, misusing information, or creating personal profit. However, he stated that a custodial sentence was appropriate, "to penalize you for what you have done and for the losses caused and to deter others who might similarly be tempted". Earlier this year, Paul Bedworth, another member of '8LGM', was acquitted of three charges under the Computer Misuse Act, following a plea of not guilty on medical grounds arising from an 'addiction' to computers.
Industry grumbles over Clipper Chips

The Clinton administration has announced its attempt at a compromise between right-to-privacy in electronic communications and the government need for surveillance. The trouble is that industry groups resent being shut out of the decision-making processes.
May 1993
Claims by the FBI and Secret Service that they need to tap into today's communications systems to fight crime have moved the US government to create and soon implement its own technology. The government's National Institute of Standards and Technology (NIST) has developed 'Clipper Chips' - computer chips that scramble a telephone call or computer message using a secret algorithm or formula. Each chip comes with a pair of electronic 'keys' that could be used by law enforcement agencies to decipher the secret messages generated by the chip. Under the Clinton proposal one key will be held by each of two separate 'trusted' third parties who would release them to law enforcement agencies that obtained legal authority to intercept the communications. Both keys would be needed to decipher a message.

The technology will be installed in some government communications networks within weeks or months and could be available for business and even household use before the end of the year.

Industry groups: the Electronic Frontier Foundation (EFF), a civil liberties group, and the Software Publishing Association (SPA), were 'surprised' at the announcement made last month, and group officials are disgruntled that they were not asked to offer input on the technology solution. "We were really surprised over the news," said Doug Miller, SPA government affairs representative, who had to find out about the Clipper Chips through reading the New York Times. "This approach raises a lot of concerns about security, namely how to address export issues - what foreign government will want to buy products where our government is able to tap into them?"

The EFF is also grumbling over not being asked to give input. "A lot of questions need answering - the (Clinton) administration reached a bottom line before conducting a study," said Gerry Berman, executive director of the EFF. "Can we trust an algorithm that can't be entrusted to the industry?" he added, referring to the electronic 'keys' that will be held by government officials. Berman also echoed concern that international markets begrudge the US
©1993 Elsevier Science Publishers Ltd
government having access to technology exported from America.

Although the administration's plan calls only for equipping government telephones with the security devices, some groups are concerned the plan might become a standard for all manner of electronic communication before the public has a chance to debate its merits. The chip will be deployed first to law enforcement and intelligence agencies and also civilian agencies, such as the Internal Revenue Service. But the new system is also viewed as a data security standard that the Clinton administration believes will eventually be widely used in the nation's commercial telephone and computer networks.

One US data-security equipment manufacturer expressed such concerns. "People won't be able to trust these devices because there is a high risk that the government is going to have complete access to anything they are going to do," said Stephen Bryen, president of Secured Communications Technologies Inc, in Silver Spring, Maryland, and a former Pentagon official.

This technology, which computer scientists refer to as a 'split key cryptographic system', has been previously developed as an approach by intelligence agencies but it has not previously been applied to the issue of individual privacy.
Charlotte Dunlap
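
Added example, not part of the original article: a sketch of the two-custodian arrangement the article describes, in which each 'trusted' third party holds one key and both are needed to decipher. It assumes XOR secret splitting as the mechanism (the article does not say how the chip's keys are actually derived); the 16-byte key, the agent names and the device ID are constructed for the demo.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(device_key: bytes):
    """Split a device key into two shares, one per escrow agent."""
    share_a = secrets.token_bytes(len(device_key))  # uniformly random pad
    share_b = xor(device_key, share_a)              # meaningless without share_a
    return share_a, share_b

def partner_share_for(share: bytes, candidate_key: bytes) -> bytes:
    """Share the *other* agent would need for candidate_key to be the real key.
    One exists for every candidate, so a single share rules out no key."""
    return xor(share, candidate_key)

class EscrowAgent:
    """Hypothetical escrow agent: stores one share per device and releases it
    only when shown legal authority (modelled here as a boolean)."""
    def __init__(self, name: str):
        self.name = name
        self._shares = {}

    def deposit(self, device_id: str, share: bytes) -> None:
        self._shares[device_id] = share

    def release(self, device_id: str, authorized: bool) -> bytes:
        if not authorized:
            raise PermissionError(f"{self.name}: no legal authority presented")
        return self._shares[device_id]

def recover_key(device_id, agent_a, agent_b, authorized: bool) -> bytes:
    """Both agents must release their share before the key can be rebuilt."""
    return xor(agent_a.release(device_id, authorized),
               agent_b.release(device_id, authorized))

if __name__ == "__main__":
    key = secrets.token_bytes(16)                   # constructed sample device key
    a, b = EscrowAgent("agent-A"), EscrowAgent("agent-B")
    sa, sb = split_key(key)
    a.deposit("chip-0001", sa)
    b.deposit("chip-0001", sb)
    print("recovered with both shares:", recover_key("chip-0001", a, b, True) == key)
    guess = secrets.token_bytes(16)                 # arbitrary wrong key
    print("share A alone fits any key:", xor(sa, partner_share_for(sa, guess)) == guess)
```

The property that matters for the trust questions raised in the article is the second check: one custodian's share is statistically independent of the device key, so the scheme's security rests on the two custodians never both releasing without authority.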
Data Protection Act ruling spotlights accountants

Following a recent UK High Court ruling, thousands of accountants will be forced to register as data users under sections of the 1984 Data Protection Act, according to a report in Computing. The ruling follows an appeal by the UK's Data Protection Registrar, Eric Howe, against the decision of Walton-on-Thames magistrates in January that London accountant Francis Griffin need not register as a data user under sections 5.1, 5.5 and 19.2 of the Act. The magistrates court had decided that Griffin, who was preparing statistics on behalf of a client for the Inland Revenue, was not in control of the data and therefore was not legally a data user. However, the High Court reversed this decision and ruled that accountants preparing such statistics for government departments on behalf of clients must register as data users.
NAO report exposes inadequate MOD system

A UK National Audit Office report has brought to light inefficiencies in a computer system used by the Ministry of Defence's Directorate of Sales, where staff are still relying upon paper-based systems some two years after installation of the computer. According to a report in Computer Weekly, the system, which is used for selling off defence equipment that is surplus to existing requirements, was incompletely cabled, inadequately supported, and staff did not receive enough training to be able to work on the system. As a result of these factors the directorate has returned to its manual database system. "The directorate is bringing in a new system which suggests they recognize there is a problem," said an NAO spokesman.
DOS virus scan disappointing

Security features in MS DOS 6.0 are incapable of detecting more than 1000 viruses, according to a report in Computing. Tests, carried out by US virus testing company VSUM, showed that DOS 6.0 could only identify 53.1% of 2015 known viruses. Central Point, which supplied the software, claimed there were weaknesses in the tests. Jim Horsburgh, UK managing director, argued: "Scanning for viruses is just one feature of an anti-virus product. The overall approach to protection should be looked at." However, he also admitted that the anti-virus component in DOS 6.0 was out of date. To deal with this problem, Central Point has launched a new service, Safe Six. Using this service DOS 6.0 users can subscribe to regular virus updates.