INFOSEC Year in Review 1997

M. E. Kabay, PhD, CISSP Assoc. Prof. Information Assurance Dept. of Computer Information Systems, Division of Business Norwich University [email protected]

Copyright © 2003 M. E. Kabay. All rights reserved. Page 1 INFOSEC Year in Review 1997 11 Breaches of confidentiality

Category 11 Breaches of confidentiality 1997-02-23 medical data confidentiality PA News In Sheffield, England, a hospital handed over 50,000 confidential gynecological records to a data processing firm that hired people off the street and set them to work transcribing the unprotected data. The scandal resulted in withdrawal of the contract, but thousands of records were exposed to a wide variety of people with no background checking to ascertain their reliability.

Category 11 Breaches of confidentiality 1997-04-08 QA operations security confidentiality AP, Reuters The General Accounting Office lambasted the IRS for improper operations security, saying that the IRS "misplaced" 6,000 computer tapes and cartridges. Sen. John Glenn (D-OH), who released the report, also introduced a bill to define criminal penalties against IRS employees who snoop into taxpayer records without cause. Glenn said that out of 1,515 cases of unauthorized browsing identified in the 1994 and 1995 fiscal years at the IRS, only 23 employees were fired for the activity.

Category 11 Breaches of confidentiality 1997-04-30 medical confidentiality AIDS database UPI Greg Wentz was found guilty of anonymously mailing a list of 4,000 names of people with AIDS to two Florida newspapers. It turned out that he was acting vindictively to punish his ex-lover, William Calvert III. Calvert was also charged with a misdemeanor for misusing the list, which he obtained at work in the Pinellas County Health Department. Wentz faces up to 60 days in jail and up to $500 in fines.

11.1 Data leakage

Category 11.1 Data leakage 1997-07-02 medical informatics telemedicine Australian A report by Trudy Harris in _The Australian_ reviewed risks of telemedicine, a technology of great value in Australia because of great distances and sparse population. Risks included interception of unencrypted medical information, modification of critical parameters for patient care, and unauthorized access to confidential patient records.

Category 11.1 Data leakage 1997-07-10 password attack Wall Street Journal A security expert formerly known to the underground as Phiber Optik launched a command to check a client's password files — and ended up broadcasting the instruction to thousands of computers worldwide. Many of the computers obligingly sent him their password files. Abene explained that the command was sent out because of a misconfigured system and that he had no intention of generating a flood of password files into his mailbox. Jared Sandberg, Staff Reporter for The Wall Street Journal, wrote, "A less ethical hacker could have used the purloined passwords to tap into other people's Internet accounts, possibly reading their e-mail or even impersonating them online." Mr Abene was a member of the gang and was sentenced to a year in federal prison for breaking into telephone company systems. The accident occurred while he was on parole.

Category 11.1 Data leakage 1997-07-19 confidentiality error Telecomworldwire A firm of accountants received passwords and other confidential codes from British Inland Revenue. Government spokesmen claimed it was an isolated incident. [How exactly did they know that it was an isolated incident?]

Category 11.1 Data leakage 1997-08-07 privacy journalists Internet Reuters; RISKS 19 28 The ICSA's David Kennedy reported on a problem in Hong Kong, where Reuters described a slip that revealed personal details about hundreds of journalists at the end of June. Passport and identity-card details were revealed on the government Website for a couple of days. DK commented, "I suppose that's one way to get the media interested in privacy matters."

Category 11.1 Data leakage 1997-08-15 privacy credit reports database AP, EDUPAGE Experian Inc. (formerly TRW Information Systems & Services), a major credit information bureau, discontinued its online access to customers' credit reports after a mere two days when at least four people received reports about other people.

11.2 Unauthorized disclosure

Category 11.2 Unauthorized disclosure 1997-08-28 privacy Web EDUPAGE According to an independent group that monitors government activities, US federal Web sites are failing to protect user privacy. OMB Watch said, "There is no government-wide policy regarding privacy concerns on federal Web sites... Agencies collect personal information about visitors to their Web sites, but fail to tell them why that information is being collected and what it is being used for." After the report, three agencies that were collecting cookie files stopped doing so.

Category 11.2 Unauthorized disclosure 1997-09-08 SSN privacy RISKS, EPIC Alert, AP 19 37 In September, six months after its ill-fated implementation of online access to the Personal Earnings and Benefits Estimate Statement (PEBES) service, the Social Security Administration announced its revised system. The most important change was that sensitive data such as the detailed earnings report would be available only by snail-mail; in addition, the system would impose a strict limit on the amount of information available online to any one requestor. Privacy advocates such as Marc Rotenberg of the Electronic Privacy Information Center (EPIC) congratulated the SSA on the improvements and praised it for consulting with the public.

11.3 Data theft

Category 11.3 Data theft 1997-07-10 Web vandalism credit card AP In early July, 2397 customers of the ESPN Sportszone and nba.com received anonymous letters containing the last eight digits of their own credit cards. Both Web sites were hosted on the Starwave hosting service. The message said, "You are the victim of a careless abuse of privacy and security. This is one of the worst implementations of security we've seen." The perpetrators claimed to be "an anonymous organization seeking to make the Internet a safe place for the consumer to do business." Although none of the credit card numbers seemed to have been used fraudulently, Starwave managers warned customers to get new credit card numbers as a precaution.

12.1 Wiretapping

Category 12.1 Wiretapping 1997-01-16 wiretaps law enforcement rules proposal EDUPAGE EDUPAGE reports: "The Federal Bureau of Investigation has released for public comment a new proposal for facilitating tapping of digital phone calls by law enforcement officials armed with court orders. Under the new proposal, which is significantly more modest than what the Bureau had asked for in an earlier plan, law enforcement officials would operate under a formula in which (for example) 523 phone lines could be monitored simultaneously in a place such as Manhattan. Privacy advocates oppose the FBI's plan as an unacceptable expansion of electronic surveillance." (New York Times 15 Jan 97 A8)

Category 12.1 Wiretapping 1997-02-18 wiretapping infowar court investigation Reuters In France, the equivalent of the supreme court examined the legality of an inquiry into illegal wiretapping allegedly carried out by a government anti-terrorism unit. The unit was active in the administration of the late François Mitterrand.

Category 12.1 Wiretapping 1997-05-29 wiretapping eavesdropping privacy telephones government investigation Reuters Government officials in Lebanon acknowledged for the first time that cellular phones and land lines were being systematically tapped and the findings distributed within the government. A parliamentary committee was formed to investigate the situation.

Category 12.1 Wiretapping 1997-08-08 FBI wiretap warrant surveillance Internet phone Inter@ctive Week Online Law enforcement agencies have long been able to obtain a tap-and-trace authorization from any local U.S. attorney. However, to be able to install a wiretap that would allow monitoring of conversations requires police to obtain authorization from a judge. As phone companies move towards sending speech over the Internet, tap-and-trace orders can actually provide full access to conversations being sent over the Net. Civil libertarians are concerned about a possible abuse of privacy; the Center for Democracy and Technology (CDT) and the Electronic Frontier Foundation (EFF) have both expressed concerns to the Federal Communications Commission. The ACLU is also concerned about the FBI's new wiretap policy.

Category 12.1 Wiretapping 1997-08-16 wiretap bug phone eavesdropping UPI A Dallas Schools Superintendent, Yvonne Gonzalez, caused anger among some employees by pursuing an investigation of corruption in the system. In mid-August, she was shocked to find possible evidence of a temporary bug on her phone — a couple of soldered wires. No other evidence of wiretapping was found.

12.2 Interception

Category 12.2 Interception 1997-02-06 cellular eavesdropping scanners AP Rep. Billy Tauzin, a Congressman from Louisiana, demonstrated to the House Commerce Telecommunications Subcommittee that an off-the-shelf police-frequency scanner can be modified to capture cellular phone calls in two minutes using a soldering iron and a two-inch wire. He then showed on the spot that the modified scanner could pick up a conversation between a cell-phone user and a regular telephone. The subcommittee is studying proposals to toughen enforcement of the law sponsored in 1992 by Rep. Edward Markey that makes interception of cellular phone calls illegal and bans importation of foreign-made scanners capable of picking up these calls. The law also makes it illegal to sell scanners that can be altered easily to intercept cell-phone calls. Representatives of the Personal Communications Industry Association and the Cellular Telecommunications Industry Association argued that current laws, as written, are unenforceable and urged new approaches that would protect the privacy of wireless communications, including emerging technologies.

Category 12.2 Interception 1997-04-23 Eavesdropping cellular phone mobile ECPA criminal prosecution interception RISKS; UPI, AP 18 75 Newt Gingrich's cell phone calls were overheard in December 1996 by a Florida couple using a radio scanner in their car. Gingrich was overheard "plotting strategy on how to deal with his ethics problems and possible attacks from opponents. This despite his promise, made the same day to the ethics subcommittee by his lawyer, that he would not use his office or his allies to orchestrate a counter-attack to the charges." The snoopers brought their tape to the senior Democrat on the Congressional ethics committee; somehow a copy of the tape found its way to a news organization, which published a report that caused much annoyance to all concerned. Republicans called foul, pointing out that such eavesdropping is explicitly illegal under federal wiretapping statutes. In federal court in April 1997, John and Alice Martin were charged with wiretapping and faced fines of $5,000 each.

Category 12.2 Interception 1997-05-22 eavesdropping packet sniffer hoax EDUPAGE AT&T's WorldNet ISP was shown not to use SSL to encrypt communications involving its account management. An engineer reported that he was able to capture other users' packets and list IDs and passwords. AT&T fielded someone who declared that the hole did not matter "because only WorldNet subscribers have access to those pages." [I guess only honest people bother to get WorldNet user accounts, eh?] However, be that as it may, it turned out the accusation was a hoax: the packet sniffers were placed on an internal LAN, not on the Internet, by system administrators gone bad.

Category 12.2 Interception 1997-09-19 pager wireless interception eavesdropping RISKS 19 39, 40 The White House pager system was wide open to listeners in September; a hacker posted extensive transcripts of Secret Service and other communications from and about the First Family. Opponents of the Administration's policies on weak cryptography crowed that the case illustrated the importance of cryptography for security. The Secret Service denied that the breach was a security problem at all.

Category 12.2 Interception 1997-11-21 pager interception eavesdropping wiretapping AP, Washington Post, UPI, RISKS 19 35 Steve Bellovin summarized a case of digital eavesdropping in NJ in August: "A New Jersey company has been charged with illegally intercepting and selling messages sent via a paging service. The messages — the content of which was sold to news organizations — were intended for delivery to the offices of various senior New York City officials, including the mayor's office and various top police and fire department officers." He added that the reason the authorities used pagers was their mistaken belief that the devices are more secure than phones. Where is PGP for pagers, wondered Dr Bellovin. In November, Steven Gessman, Vinnie Martin and Robert Gessman admitted illegally snatching the alphanumeric pager messages and divulging their contents to their paying subscribers. They were scheduled for sentencing on March 3, 1998.

13 Data diddling, data corruption, embezzlement

Category 13 Data diddling, data corruption, embezzlement 1997-07-17 wiretap eavesdropping EDUPAGE In July 1997, the telephone industry protested against FBI plans to allow continued wiretapping of conference calls even after the target leaves the conference call. The EDUPAGE editors wrote, "Arguing that the FBI's requests for expanded wiretap capabilities go beyond that agency's authority, telephone industry officials are asking the Federal Communications Commission to help them resist the FBI's proposed digital phone design, which would allow law enforcement officials to continue the wiretapping of a conference call even after the person targeted by a court-authorized wiretap drops out of the call. The phone industry claims the request would cost billions of dollars to implement and would expose it to lawsuits by civil liberties groups fighting against privacy invasions."

13.1 Data diddling

Category 13.1 Data diddling 1997-01-11 salami diddling fraud programming Trojan audit RISKS 18 75 Peter G. Neumann wrote in RISKS: "Willis Robinson, 22, of Libertytown, Maryland, was sentenced to 10 years in prison (6 of which were suspended) for having reprogrammed his Taco Bell drive-up-window cash register — causing it to ring up each $2.99 item internally as a 1-cent item, so that he could pocket $2.98 each time. He amassed $3600 before he was caught." Another correspondent adds that management assumed the error was hardware or software and only caught the perpetrator when he bragged about his crime to co-workers.

Category 13.1 Data diddling 1997-02-12 data diddling intrusion AP In Round Rock City, TX, the mayor's pager number started answering the phone with a rap song full of obscenities instead of the usual "Leave a message please." The mayor promised to change his pager security code more often. "I'm just glad my mother or my wife didn't try to page me," said the embarrassed official.

Category 13.1 Data diddling 1997-05-31 answering machine diddling RISKS 19 20 After MI5 placed ads for recruits in Britain, 20,000 hopeful security agents called in only to hear a bizarre message on the answering machine: "Hello my name is Colonel Blotch. I am calling on behalf of the KGB. We have taken over MI5 because they are not secret any more and they are a very [useless] organisation."

Category 13.1 Data diddling 1997-06-26 fraud identification authentication diddling sabotage AP An employee of the San Mateo County District Attorney's office was accused of conspiring to have his boss, Ralph Minow, fired from his job. Paul Schmidt is accused of planting a logic bomb in his boss' computer using a fake time-stamp to make it look as if Minow had caused his own computer to crash on 97.03.26. Minow was unable to exculpate himself because the backup tapes he looked for were gone. Minow was fired and told he would be prosecuted for sabotage. However, computer security specialists noticed that one of the printouts presented as incriminating evidence of Minow's depredations carried a logoff message of "Good evening" even though Schmidt claimed to have printed them in the morning. Close investigation revealed audit trails on the computer showing that someone had set the clock back to the 25th and then forward again. Schmidt was fired and filed a wrongful dismissal lawsuit, claiming that he was an innocent whistle-blower being persecuted for his efforts.
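The two clues that unravelled the case above, a greeting that does not fit the claimed hour and an audit trail whose clock runs backwards, can both be checked mechanically. The following is an added example, not code from the case or from any product: the log format, field names, greeting convention and sample records are constructed assumptions. The logger's own sequence number keeps rising even when the system clock is set back, so a record whose timestamp is earlier than its predecessor's is the signature of a clock rolled back and then forward.

```python
"""Spot clock tampering in a sequential audit trail (added example).

Assumptions: one record per line as key=value fields with a monotonically
increasing seq number written by the logger, an ISO timestamp, and a
greeting banner that follows the hour of day.
"""
import re
from datetime import datetime

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Parse key=value fields; quoted values keep their spaces."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["seq"] = int(rec["seq"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def expected_greeting(hour: int) -> str:
    """Assumed banner convention: morning 05-11, afternoon 12-17, otherwise evening."""
    if 5 <= hour < 12:
        return "Good morning"
    if 12 <= hour < 18:
        return "Good afternoon"
    return "Good evening"


def find_clock_anomalies(lines) -> list:
    """Return records whose timestamp precedes the previous record's
    (clock set back) or whose greeting contradicts the hour they claim."""
    anomalies = []
    prev = None
    for rec in (parse_record(l) for l in lines if l.strip()):
        if prev is not None and rec["ts"] < prev["ts"]:
            delta = int((rec["ts"] - prev["ts"]).total_seconds())
            anomalies.append({"seq": rec["seq"], "kind": "clock_backward",
                              "delta_seconds": delta})
        greeting = rec.get("greeting")
        if greeting and greeting != expected_greeting(rec["ts"].hour):
            anomalies.append({"seq": rec["seq"], "kind": "greeting_mismatch",
                              "greeting": greeting, "hour": rec["ts"].hour})
        prev = rec
    return anomalies


# Constructed audit trail: the clock is set back a day at seq 102, the
# "evidence" is produced, and the clock is put forward again at seq 105.
# seq 107 is a printout whose evening banner contradicts its morning timestamp.
SAMPLE_LOG = """\
seq=101 ts=1997-03-26T08:05:12 user=admin event=LOGON
seq=102 ts=1997-03-25T21:30:00 user=admin event=LOGON
seq=103 ts=1997-03-25T21:31:15 user=admin event=RUN job="batch"
seq=104 ts=1997-03-25T21:32:00 user=admin event=LOGOFF greeting="Good evening"
seq=105 ts=1997-03-26T08:10:44 user=admin event=LOGON
seq=106 ts=1997-03-26T08:11:02 user=admin event=PRINT greeting="Good morning"
seq=107 ts=1997-03-26T08:12:30 user=admin event=PRINT greeting="Good evening"
"""

if __name__ == "__main__":
    for a in find_clock_anomalies(SAMPLE_LOG.splitlines()):
        print(a)
```

The backward step reports how far the clock was moved, which is worth keeping: a rollback of roughly a working day, followed by a forward jump of the same size, reads very differently from a few seconds of NTP drift, and the sequence number tells you which records were written inside the altered window.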

Category 13.1 Data diddling 1997-07-23 data diddling PA News In January, 30 million people called British Airways in a contest to win tickets on the Concorde aircraft. Two British Telecom employees from the same office won two of the 190 tickets — a coincidence that statisticians estimate had odds of 25 million to 1. Upon investigation, BT concluded that its employees "could have used technical knowledge to circumvent the filter system designed to let only a specified number of calls reach the ticket allocating office." The two men were fired and promptly sued for wrongful dismissal.


Category 13.1 Data diddling 1997-09-11 SSN impersonation social engineering authentication verification QA quality assurance RISKS; AP 19 39 It is so easy for the Social Security Administration to accept reports that someone has died that mischief-makers can easily ruin someone's life if they haven't died. In Overland Park, KS, Ms Kirsten Phillips was reported dead to the SSA by a non-existent brother-in-law. One week later, she was electronically revived, but by then the damage was done: government payments stopped, direct withdrawals by the government from her bank accounts, cancelled credit cards — a real mess. [SSA regulations ought to require at least one independent verification of reported death — by calling the purportedly deceased person, for instance, or requiring official documentation from a government source.]

Category 13.1 Data diddling 1997-10-01 hacker vandalism SANS The widely-respected SANS Security Digest was hacked in October 1997, with satirical, vulgar nonsense replacing the usual sedate text. The hacked issue began inauspiciously as follows: "Your October Network Security Digest is below. The Digest comes out eight times per year so slap mah fro. You'll also get a couple mre messages this week, and if you're lucky, uuencoded porn of my wife. y0urs tr00ly in smut, Alan Paller and Michele Crabb

And now, what you've been dr00ling for!@# . . . CONTENTS: 1) pr0n (a GIF uuencoded) 2) VULNERABILITY THAT SOMEONE ELSE FOUND (exploit for SAMBA bug) 3) pr0n (a JPEG uuencoded) 4) 3l33t wAr3z (a URL) 5) H0w t0 subscr1be t0 BuGTRaQ!@# 6) m0r3 pr0n (another JPEG) 7) QUICK TIDBITS"

Category 13.1 Data diddling 1997-10-02 hacking QA bank AAP In Brisbane, Australia, three men charged with hacking A$1.76M by transferring the funds from the Commonwealth Bank to accounts at the Metway Bank in mid-September 1997 claimed that they were the victims of a quality assurance error. Their solicitor alleged that the Commonwealth Bank placed A$50M into a practice account that was supposed to be used for learning how to use the online system for direct payments.

Category 13.1 Data diddling 1997-10-24 data diddling theft debit card bank e-commerce RISKS 19 42 Benoit Lavigne, writing in RISKS, reported on a curious case of data diddling. It seems that thieves broke into a picture-framing business at three in the morning on the night of Friday to Saturday. Using ten bank debit cards, the thieves instituted ten debit corrections to "refund" a total of $240,000 into their accounts from the business. The theft was bad enough, but the bank took over two weeks to reinstate the merchant's accounts. One of the key vulnerabilities at the merchant's site was that the staff left a special card required to initiate transactions in the cash register. In addition, Lavigne commented, there ought to have been some mechanism on the bank side to identify the thoroughly unusual pattern of transactions and either query them or stop them while awaiting confirmation.
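The bank-side check Lavigne asks for is not exotic. The following is an added example, not the bank's code or anything from the RISKS report: the transaction format, merchant and card identifiers, thresholds and sample data are all constructed. Three assumed rules make the pattern in the story stand out: refunds outside the merchant's business hours, a refund far larger than any sale the merchant has ever rung up, and a burst of refunds inside a short window. Any hit puts the refund on hold pending confirmation from the merchant.

```python
"""Bank-side rule checks on a merchant's refund (debit-correction) stream (added example).

Assumptions: a merchant trades roughly 08:00-20:00, a genuine refund never
dwarfs every sale on record, and ten refunds in a few minutes are not normal
for a small shop. The thresholds are illustrative, not tuned.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime
    merchant: str
    kind: str        # "sale" or "refund"
    amount: float
    card: str


def detect_refund_anomalies(txns, window_minutes=30, burst_threshold=5,
                            ratio=5.0, open_hour=8, close_hour=20):
    """Return (txn, reason) pairs. The burst alert fires once, when the
    count of refunds inside the sliding window reaches the threshold."""
    alerts = []
    max_sale = {}     # merchant -> largest sale seen so far (the baseline)
    recent = {}       # merchant -> refund timestamps inside the window
    for t in sorted(txns, key=lambda t: t.ts):
        if t.kind == "sale":
            max_sale[t.merchant] = max(max_sale.get(t.merchant, 0.0), t.amount)
            continue
        if not open_hour <= t.ts.hour < close_hour:
            alerts.append((t, "refund outside business hours"))
        baseline = max_sale.get(t.merchant, 0.0)
        if baseline and t.amount > ratio * baseline:
            alerts.append((t, "refund far larger than any sale"))
        q = recent.setdefault(t.merchant, [])
        q.append(t.ts)
        cutoff = t.ts - timedelta(minutes=window_minutes)
        q[:] = [ts for ts in q if ts >= cutoff]
        if len(q) == burst_threshold:
            alerts.append((t, "refund burst"))
    return alerts


def hold_decisions(alerts):
    """Cards whose refunds go on hold pending merchant confirmation,
    plus a count of reasons for the investigator's report."""
    return {t.card for t, _ in alerts}, Counter(reason for _, reason in alerts)


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed data: a normal Friday, then ten large refunds at 3 a.m. Saturday.
SAMPLE = [
    Txn(_t("1997-10-17 09:15"), "FRAMES-01", "sale", 120.00, "card-A"),
    Txn(_t("1997-10-17 11:40"), "FRAMES-01", "sale", 340.00, "card-B"),
    Txn(_t("1997-10-17 14:10"), "FRAMES-01", "refund", 45.00, "card-A"),
    Txn(_t("1997-10-17 16:30"), "FRAMES-01", "sale", 85.00, "card-C"),
] + [
    Txn(_t("1997-10-18 03:00") + timedelta(minutes=i), "FRAMES-01",
        "refund", 24000.00, f"card-X{i}")
    for i in range(10)
]

if __name__ == "__main__":
    cards, reasons = hold_decisions(detect_refund_anomalies(SAMPLE))
    print(sorted(cards))
    print(dict(reasons))
```

The daytime $45 refund passes all three rules, so a shop's ordinary returns are not held up; every one of the night-time refunds trips at least two rules, and the burst rule fires as soon as the fifth arrives, which is the point at which a bank could have stopped the remaining half of the $240,000.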


Category 13.1 Data diddling 1997-12-05 data diddling taxes RISKS 19 48 Some Quebec restaurateurs have been using a U.S.-made computer program (a "zapper") that skimmed off up to 30% of the receipts, thereby evading Revenue Canada and provincial government tax payments to the tune of millions of dollars per year. A related story in the *Montreal Gazette* added that *Le Point* journalists succeeded in getting technical support on the zapper programs from POS equipment vendors; there seemed to be nothing unusual about the programs, judging from the matter-of-fact way the vendors responded to requests.

13.2 Data corruption & destruction

Category 13.2 Data corruption & destruction 1997-02-07 E&O RISKS 18 82 The National Association of Securities Dealers lost 20,000 records from its files because managers issued faulty guidelines which gave clerks the impression they were supposed to dispose of (too many) disciplinary records. It was estimated that recovery of the electronic records would take two months.

Category 13.2 Data corruption & destruction 1997-09-03 data diddling QA Knight-Ridder Newspapers Lois Gates was surprised to discover in August 1997 that according to the Social Security Administration, she died in June 1997. The hale 65-year old was even more dismayed to find that the SSA had taken money out of her account in restitution for "erroneous" payments. Once the story hit the news media, the snafu was on its way to being fixed within days.

13.3 Embezzlement

Category 13.3 Embezzlement 1997-01-17 data diddling PA News Jamie Griffin, a 21-year-old clerk working for London and Manchester Assurance in Exmouth, England, altered computer records to hide his theft of more than £44,000. He lost it all on gambling and then claimed that he had been forced to steal the money by the IRA. He eventually pleaded guilty to five charges of theft and was sentenced to seven months in jail.

Category 13.3 Embezzlement 1997-02-03 Data diddling RISKS 18 81 Commercial customers of a major bank in the Netherlands can withdraw money directly from any bank account without permission and can falsify the text that appears in the victim's bank statement. This flaw in the security design was discovered by a minister in Friesland, the northern province of the Netherlands, when he was granted access to the accounts of his magazine subscribers. It became obvious that he had complete control over all debits and all text on victims' bank statements regardless of his original intent. Confronted with this evidence, a bank official dismissed the flaw as insignificant.

Category 13.3 Embezzlement 1997-03-18 data diddling fraud AP Daniel Perez, a claims processor at Unisys Corp. in Florida, was accused of embezzling $1.3M by changing records in a database so that he could process claims against the fraudulent accounts. Working with confederates, the accused may have been involved in fraud totaling about $20M. Tim Moore, Florida Department of Law Enforcement Commissioner, scoffed at claims by Unisys that the discovery of the fraud as a result of auditors' work showed that their security systems were OK. "I think anybody would suggest that Unisys use tighter security measures," said Moore.

Category 13.3 Embezzlement 1997-07-26 embezzlement data diddling RISKS 19 26 Peter G. Neumann writes, "While working as a civilian military pay supervisor in the Army finance and accounting office at Fort Myer from 1994 to 1997, Teasa Hutchins Jr. caused regular military paychecks to be deposited to a bank account in the name of a bogus officer, and accumulated $169,000 for himself. He has pleaded guilty and faces up to 10 years in prison and a $250,000 fine."

14.1 Viruses

Category 14.1 Viruses 1997-02-04 Macro virus RISKS 18 81 ff The ISO/ANSI C++ Standards Committee was hit by the Word Concept virus, suspending a meeting of 60 top-level programming experts for 20 minutes. The contributor to RISKS, Nathan Myers, noted an additional risk: ". . . causing users who know better than to run the buggy software laughing themselves silly at those who don't, and then getting punched in the nose."

Category 14.1 Viruses 1997-02-06 UNIX virus LINUX Business Wire The Bliss virus infects LINUX systems and was described on the USENET in the autumn of 1996. In February 1997, it was again reported in Linux and Bugtraq mailing lists. Someone sent the virus to McAfee, which erroneously published a news release claiming discovery of the virus and development of the first LINUX scanner. However, Dave Kennedy, Group Leader of the NCSA's Research, Education and Consulting Group, wrote, "They have no legitimate claim of discovery. And one of the Linux gurus has an MD5 based Linux scanner, but tripwire works too. So they have no legitimate claim to the first scanner either."

Category 14.1 Viruses 1997-02-19 Virus (Mac) RISKS 18 83 PhotoDisc Inc. distributed a CD-ROM containing a virus-infected copy of Acrobat 3.0 in mid-February. Letters sent to customers did not admit that the company had distributed a virus, but rather described the problem as a "corruption" which could be cleared up by a "utility" that turned out to be a well-known free anti-virus program.

Category 14.1 Viruses 1997-04-15 viruses NCSA The ICSA's annual virus prevalence survey showed that despite increasing use of anti-virus products, three times more infections were reported in 1996 than in 1995. Macro viruses caused more than half of all virus infections. E-mail attachments are now an important vector for infection.

Category 14.1 Viruses 1997-07-31 virus data corruption delay report AP UN plans to approve food shipments to Iraqi children were delayed when an Iraqi document arrived at UN HQ on a virus-infected diskette. The virus caused a delay of a few days.

Category 14.1 Viruses 1997-10-02 virus QA quality assurance Reuters Compaq Computer Corporation shot itself in the virtual foot in September when 10% of its new Presario computers produced in Taiwan and shipped to Japan contained a virus apparently introduced at the manufacturing plant.

14.4 Trojans

Category 14.4 Trojans 1997-04-29 Trojan AOL EDUPAGE The Department of Energy's Computer Incident Advisory Capability (CIAC) warned users not to fall prey to the AOL4FREE.COM Trojan, which tries to erase files on hard drives when it is run. A couple of months later, the NCSA worked with AOL technical staff to issue a press release listing the many names of additional Trojans; these run as TSRs (Terminate - Stay Resident programs) and capture user IDs and passwords, then send them by e-mail to Bad People. Reminder: do NOT open binary attachments at all from people you don't know; scan all attachments from people you do know with anti-virus and anti-Trojan programs before opening.

Category 14.4 Trojans 1997-07-31 AOL Trojan Horse Reuters, Newsbytes AOL announced its "Download Sentry" to warn its naïve users about the dangers of executing binary file attachments that may contain Trojans. Recently AOL has been plagued by attachments that act as keystroke-capture programs and e-mail user IDs and passwords to criminals for fraudulent access to the network.

Category 14.4 Trojans 1997-11-06 phone fraud web pornography Trojan RISKS, EDUPAGE, news wires 18 80 ff Viewers of pornographic pictures on the sexygirls.com site were in for a surprise when they got their next phone bills. Toronto victims who downloaded a "special viewer" were actually installing a Trojan program that silently disconnected their connection to their normal ISP and reconnected them (with the modem speaker turned off) to a number in Moldova in central Europe. The long-distance charges then ratcheted up until the user disconnected the session — sometimes hours later, even when the victims switched to other, perhaps less prurient, sites. The same fraud was reported in Feb in New York City, where a federal judge ordered the scam shut down. An interesting note is that AT&T staff spotted the scam because of unusually high volume of traffic to Moldova, not usually a destination for many US phone calls. In November, the FTC won $2.74M from the bandits to refund to the cheated customers.

14.5 Virus hoaxes

Category 14.5 Virus hoaxes 1997-01-19 good times hoax joke parody e-mail In late 1996, a parody of the Good Times hoax circulated through the Net. One of its most off-the-wall sections was, "Goodtimes will give you Dutch Elm disease. It will leave the toilet seat up. It will make a batch of Methamphetamine in your bathtub and then leave bacon cooking on the stove while it goes out to chase gradeschoolers with your new snowblower."


Category 14.5 Virus hoaxes 1997-05-15 hoax urban myth rumor NYT Alex Gramling, writing in the New York Times, summarized the problems caused by unverified forwarding of rumors and urban myths. Jessica Mydek, for example, is not in fact a seven-year-old dying of brain cancer, and the American Cancer Society has never volunteered to donate three cents for each copy of the hoax. Tommy Hilfiger has never appeared on the Oprah Winfrey Show, let alone made racist remarks about who should wear his line of clothing. Despite attempts to counter such harmful rumors, victims have little power to overcome human stupidity and irresponsibility. [Moral: don't forward unsubstantiated stories through the net, especially if they are shocking or make you angry. Here's some boilerplate I use to explain to gullible hoax victims how they can avoid being fooled in future:

* * * A FRIENDLY MESSAGE ABOUT THE WARNING YOU JUST SENT ME * * *

The warning you have forwarded is a hoax. The danger is imaginary and the problem is nonexistent.

Security experts request that no one circulate unverified warnings of vague, alarming dangers.

Key indicators that a message is a hoax:

* use of exclamation marks (no official warning uses them);
* use of lots of UPPERCASE text (typical of youngsters);
* misspellings and bad grammar;
* no date of origination or expiration;
* references to official-sounding sources (e.g., Microsoft, CIAC, CERT) but no URL for details;
* no valid digital signature from a known security organization;
* requests to circulate widely (no such request is made in official documents).

Some guidelines for avoiding viruses and Trojan Horse programs:
— always run a good (e.g., ICSA-certified) antivirus program in background;
— keep your virus strings up to date (e.g., at least monthly updates);
— don't execute unknown software even if you know and like the person who sent it to you;
— don't forward executables unless you downloaded them from a trustworthy source (e.g., a legitimate Web site);
— if you do forward something you have personally downloaded, include the URL for the origin of the executable file.

In addition, before alerting anyone to apprehended threats, check the anti-hoax pages on the Web. See, among others,

About virus hoaxes:
http://www.vmyths.com
http://www.icsa.net/html/communities/antivirus/hoaxes/

About other hoaxes:
http://ciac.llnl.gov/ciac/CIACHoaxes.html
http://www.urbanlegends.com/
http://www.cwrl.utexas.edu/~roberts/gullibility.html
http://www.urbanmyths.com/

For a scholarly (and fascinating) analysis of why hoaxes spread, see the paper by Sarah Gordon entitled "Hoaxes & Hypes" at http://www.av.ibm.com/InsideTheLab/Bookshelf/ScientificPapers/Gordon/HH.html and also her excellent overview entitled "Received. . . and Deceived" at http://www.infosecuritymag.com/sept/cover.htm

For some more advice from M. E. Kabay on handling chain letters, see http://www.av.ibm.com/current/Feature2/index.html

For a series of articles on protecting Internet users against various types of danger and fraud, see http://www2.norwich.edu/mkabay/cyberwatch/index.htm

* * *

This page of advice is used with permission of the author, M. E. Kabay, PhD, CISSP, Assoc. Professor, Computer Information Systems, Norwich University Last revision 2001-12-17.

15 Fraud (not embezzlement), extortion, slamming

Category 15 Fraud (not embezzlement), extortion, slamming 1997-01-29 E-mail RISKS; AP 18 81 Ms Adelyn Lee sued Oracle Corporation for wrongful dismissal and sexual harassment. Her evidence included an e-mail message from her boss, Craig Ramsey, to the CEO Larry Ellison confirming that Ramsey had fired Lee in accordance with Ellison's direct instructions. She settled out of court for a $100,000 payment. Subsequent events showed that in fact Ms Lee logged into her ex-boss' e-mail account the day after she was fired and forged the message. She was found guilty of perjury and falsification of evidence; she faces up to four years in prison.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-01-30 phone fraud appropriate-use policy Reuters Police in Mexico City have been placing so many calls to phone-sex lines that police stations have had their phones cut off or severely restricted.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-01-30 cellular phone fraud AP Criminals altered cellular phones imported into Finland and "cloned" them by changing the electronic serial numbers — but used the same number for all the phones. When a victim of this scam reported his phone stolen, its serial number was inactivated; hundreds of phones went dead. This was the first indication of the extent of the problem. Experts predicted that the lost revenues would amount to the equivalent of tens of millions of dollars.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-02-01 phone fraud slamming UPI Heartline Communications of Houston forged consumer signatures in their "slamming" operation — the unauthorized switch of long-distance carriers. A NJ judge has ruled in favor of consumers and may slap half-million dollar fines or more on the slammer.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-02-11 fraud Reuters The FTC warned that scam artists have been using the Internet to promote the usual round of frauds. In particular, beware of franchise operations; demand written documentation justifying claims of specific income from such operations. Job seekers should be skeptical of any scheme demanding advance payment for job placement; and be aware that there are _no_ "undisclosed" government positions.

In a related story, the British Securities and Investments Board announced a new Web site with information about Internet scams and risky investments promoted on the Net. See for details.


Category 15 Fraud (not embezzlement), extortion, slamming 1997-02-24 fraud UPI, AP The FTC won a settlement from Fortuna Alliance company in Washington state, which fraudulently deposited money contributed by victims fleeced through Internet promotions of a pie-in-the-sky pyramid (or Ponzi) scheme that promised $5,000 a month and more in return for an enrollment fee of $500 — if they suckered their friends and acquaintances into "investing" in the scheme. Most of the money received instantly went into bank accounts in Antigua. The settlement included restitution of $2.8M and assurances that the business would close down. AP reported that total reimbursements could top $5M and that (A pyramid / Ponzi scheme pays early contributors fraudulent profits out of the money paid by subsequent victims; when the source of funds dries up through exhaustion of the pool of gullible people in the network, the criminals abscond with the remaining funds.)

Category 15 Fraud (not embezzlement), extortion, slamming 1997-03-14 phone fraud stealing dial tone RISKS 18 90 From Britain, a salutary case: Unexplained long-distance calls on family phone; phone company claims could not be an error. Correspondents explain how someone could steal dial tone using wireless phones, vestigial phone lines, or wiretaps. Do not accept the "computer cannot lie" syndrome.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-04-15 fraud e-mail RISKS 19 8 In April, many Microsoft Network (MSN) users received fraudulent e-mail asking for their credit card numbers to help recover from a fictitious virus attack that had supposedly wiped out billing records.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-04-16 bank error QA law fraud UPI Frank McPherson discovered a balance of $169,000 in his bank account. He told a teller about it and was informed that the money must be his. Figuring it was a credit from the government, he promptly spent it all on useful things like a new truck, a car, some mountain bikes, a new home, a camcorder and some new clothes. Unfortunately, the teller was wrong, so McPherson ended up in court, charged with fraud. Moral: do not spend money that comes from nowhere into your bank account, regardless of tellers who breezily say the computer couldn't be wrong.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-04-24 fraud Internet EDUPAGE According to Deloitte & Touche, criminals are defrauding European Union members of about $77B a year using Internet-based or Internet-mediated fraud.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-04-27 fraud Internet EDUPAGE The FTC, securities regulators and attorneys-general from 24 states found 215 cases of fraudulent marketing in a single day of surfing the Web. The FTC issued stern warnings to the fraud artists and dozens of them shut down altogether. The FTC intends to continue surfing the Web, but urges consumers to be careful and demand evidence of the wild claims they encounter. In one case, someone claimed to be able to earn $100,000 a year by grooming pets; another claimed that victims of his scam would earn $240,000 a year operating 900-number phone lines.


Category 15 Fraud (not embezzlement), extortion, slamming 1997-05-17 spam vandalism denial of service fraud RISKS 19 16

Category 15 Fraud (not embezzlement), extortion, slamming 1997-05-22 credit card hacker social engineering AAP An unidentified 16-year-old boy with a penchant for computing tricked several banks into giving him credit cards, which he then used to order $18,000 of goods and services via computer-based purchases. He pleaded guilty to 104 counts of fraud and was sentenced to 12 months in prison. His defense team argued that he should receive psychiatric treatment for what they described as "an anxiety disorder and elements of an obsessive, compulsive disorder." His mother excused his behavior by saying, "If we were a wealthy family he'd be at a private school, where his talents could be directed properly." Um, what about parental direction of the child's talents? (More news in October listing, where the boy was identified as Drew Henry Madden and pleaded guilty to yet more fraud.)

Category 15 Fraud (not embezzlement), extortion, slamming 1997-05-25 packet sniffer credit card fraud EDUPAGE A thief who ran a packet sniffer to capture 100,000 credit card numbers from a dozen on-line commerce sites was arrested when he tried to sell the list to the FBI for $260,000.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-05-26 fraud Web ghost redirection penetration hack Guardian Weekly Garth McLachlan of the Organised Crime Unit of the National Criminal Intelligence Service of the UK reported on new ways of defrauding victims on the Net. Simple methods include putting up Web sites that market fraudulent schemes; e.g., Ponzi / pyramid sales. Another scam is the reputable-looking site that offers venture capital — in return for a $10,000 advance fee for evaluation of the business proposals. Anyone gullible enough to send that much money to unknown people usually gets asked for more and more money but never gets anything in return. In another scam, criminals offer credit cards, collect detailed information from the victims, and then generate fraudulent cards or attack the victims' bank accounts directly. Another form of chicanery is to hack a competitor's Web page to change the prices of their products so they lose money when their automated sales programs accept credit card numbers; or sometimes to substitute a competitor's phone number so orders come to them instead of to the owner of the hacked Web page.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-06-03 identity theft fraud credit cards checks American Banker Cheryl and Roger Cullen were arrested in Delaware at dawn on 1997.03.19 in the act of trying to burn evidence of an alleged crime spree that involved hundreds of false identities and check and credit-card frauds probably amounting to more than a million dollars since 1992. The case, one of the most difficult fraud investigations of recent years, demonstrates the importance of each act of verification in the banking and commerce sector. Credit-card applications, in particular, should be scrutinized with care and all details checked for veracity before cards are issued. According to the Federal Reserve, check fraud alone cost society $615M in 1995, compared with $59M for physical bank robberies.


Category 15 Fraud (not embezzlement), extortion, slamming 1997-06-04 fraud counterfeit electronic commerce Guardian Weekly, Reuter The National Criminal Intelligence Service of the UK publicly stated that the growth in electronic commerce and specifically the coming widespread use of electronic money (e.g., the smart card systems of Mondex) will open an enormous vulnerability in the economy. Digital counterfeiting would likely be impossible to distinguish, said Gareth MacLachlan, head of the Organised Crime Unit of the NCIS; he emphasized the value of integrating full audit trails into all forms of electronic money, including electronic "cash" systems that are designed at present to provide anonymous financial transactions. Dr James Backhouse of the Computer Security Research Centre at the London School of Economics agreed, saying, "The biggest impact would be the loss of any audit trail. Most bank transactions leave some trail within the system and this would be lost."

Category 15 Fraud (not embezzlement), extortion, slamming 1997-06-08 extortion hacking penetration banks Newsday Newsday published a cover story by Matthew McAllester that started, "COMPUTER HACKERS have successfully forced financial institutions in the United States, Europe and Asia to pay millions of dollars in ransom by threatening the companies' computer networks.

"The payouts were confirmed by law enforcement officials, banking insiders and security experts interviewed over the past several weeks. When most successful, the sources said, the crimes have linked disgruntled insiders with computer experts recruited throughout the world - including the former Soviet Union, India and southeast Asia - by organized crime groups."

See for details.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-06-15 Netscape bug extortion EDUPAGE, Newsbytes Christian Orellana, a Danish computer consultant, threatened to release information to the press about a serious security weakness in Netscape Navigator unless he were paid more than the $1,000 prize offered by Netscape to encourage independent quality assurance tests. His message included the words, "I think the person most suited for handling this is somebody in charge of the company checkbook. . . . I'll leave it to you to estimate what impact that would have on Netscape stocks." His actions were almost universally reviled by professional security specialists.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-07-03 Internet fraud EDUPAGE Canadian investment regulators announced they would cooperate with the U.S. Federal Trade Commission in prosecuting investment frauds involving supposed "Internet Shopping Malls." The project is called "Field of Schemes" and aims to educate senior citizens particularly targeted by criminals.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-07-07 hackers extortion blackmail infowar Web vandalism Electronic Telegraph According to an investigation by Robert Uhlig, reporter for the Electronic Telegraph in Britain, criminal hackers have been trying to blackmail hundreds of corporate and government officials by threatening to post defamatory claims on corporate Web sites. According to Nick Lockett, a barrister (attorney) with special expertise in cyberlaw, "Typically, the hackers say they will put defamatory information about a senior MP or other public figure on the target company's web site and then let the MP know about the publication of the material. If the threat is ignored, they make a small change to the company's site to prove their point and force it to take them seriously. They are testing the waters at the moment. This is almost certainly a market research exercise. A big campaign of blackmail is about to start." The journalist reports that the extortion demands are in the thousands of pounds.


Category 15 Fraud (not embezzlement), extortion, slamming 1997-07-15 slamming AP The FTC, overwhelmed with over 16,000 complaints from enraged customers whose long-distance telephone service has been switched without their permission — a practice known as "slamming" — proposed several changes in their regulations to help victims. For example, victims would no longer pay anything at all for calls placed via the slammers' services (unlike the current rule, which pays the slammers at the rate the victims' original phone company would have charged). Other changes would force the predators to obtain explicit consent for changes and to provide easy ways to cancel unauthorized changes.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-07-29 bank fraud counterfeit checks audit policy UPI Check fraud costs American businesses nearly $10B annually. Around 55% of all criminal cases reported to the FBI involve check fraud and counterfeiting. Much of this fraud could be prevented if organizations paid attention to reasonable commercial standards. For example, every organization should verify its bank statements quickly, conduct periodic audits, and institute controls over accounts payable and payroll functions.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-08-21 hackers credit card fraud encryption AP, USA Today http://www.usatoday.com/life/cyber/tech/ctb104.htm Five teenagers in Bloomington, MN created about 25 credit-card numbers and stole thousands of dollars of electronic gear before they were caught. Sceptics suggested that one of the boys, who worked at a dry cleaners, more likely stole all the card numbers from his employer.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-08-26 fraud impersonation Web theft credit card ISP EDUPAGE, AP Naïve AOL members responded to credible e-mail asking them to visit a Web site where they could read a letter from AOL's chairman. The members then filled out forms with their credit card numbers and other information supposedly to update AOL records. Unfortunately, the Web site was run by thieves.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-08-29 beeper fraud toll call Newsday Scott Van Pala, a 21-year-old college student in Nassau County near New York City, set up a 540-number toll line at his parents' home. He was arrested in August and accused of beeping at least 4,000 beeper users at all hours of the day and night; his victims included doctors, law enforcement officers and attorneys. The victims of the scam would call the 900 number and hear a click — but be billed $0.95 per call. Others would hear only a busy signal and waste their time trying to get through. The attack lasted over 10 weeks, at which point investigators compared notes on the fraudulent billings and easily tracked the suspect down. Investigators estimated that the criminal realized $4,000 from the scam. He faced 4 years in prison.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-09-02 fraud Internet credit cards Reuters A former graduate student at Nova Southeastern University was charged with fraudulent applications for credit cards. He allegedly applied for 174 credit cards via the Internet using the names of fellow students; however, he used the same address for all of them. Banks contacted police and no cards were issued. Maybe now we understand why he had withdrawn from graduate school before he was arrested.


Category 15 Fraud (not embezzlement), extortion, slamming 1997-09-10 Internet fraud abuse consumers protection AP The National Consumers League opened a new Web site to help consumers evaluate propositions circulating through the Internet. Complaints to the NCL tripled in 1997, with about 100 reports of fraud a month compared with about 35 per month in 1996. John D. McClain of AP wrote, "The league officials said the most common signs of fraud are extravagant promises of profits, guarantees of credit regardless of bad credit history, suspiciously low prices or prizes that require up-front payments." The site is .

Category 15 Fraud (not embezzlement), extortion, slamming 1997-09-28 spam fraud law RISKS, EDUPAGE 19 19 In May, Craig Nowak, a clueless college student, chose a return address at random for his slimy first attempt at junk e-mail. Unfortunately for his victim, "flowers.com" is a legitimate business whose owner received 5,000 bounced messages and plenty of abuse for supposedly spamming the world. Fortunately for the anti-spam cause, the enraged florist, Tracy LaQuey Parker, launched a lawsuit for damages and was supported by the Electronic Frontier Foundation (Austin chapter) and the Texas Internet Service Providers Association. In late September, the plaintiffs won a temporary injunction against the defendant and his ISP preventing him from further use of the appropriated domain name (not that he'd have wanted to, at that point). In November, the defendant was fined $18,910 plus court costs.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-09-30 Internet fraud law enforcement AAP The Australian Competition and Consumer Commission announced that it was joining with more than 30 other agencies worldwide to share information about consumer fraud on the Internet and to prosecute e-crooks. Consumer Affairs Minister Chris Ellison said that "Internet scams ripped off thousands of Australians each year, with promotions including fake credit card offers, tickets in phoney lotteries, useless investments, worthless phone cards and pyramid selling schemes." He added that the Commission would not release details of its targets and said, "Those involved in scams will be in for a shock."

Category 15 Fraud (not embezzlement), extortion, slamming 1997-10-03 hacker credit card fraud forgery AAP A 16-year-old Australian, Drew Henry Madden, of Brisbane started defrauding businesses using stolen and forged credit-card numbers just after leaving school. By 1997, he had stolen $100,000 in goods and services. In October, he pleaded guilty to 294 counts of fraud. He was given a suspended sentence. His defense attorney blamed poor security for the losses: "Defence counsel Simon Lewis said Madden started with very minor credit card fraud, but it escalated alarmingly, because the safeguards were so inadequate." Despite the youngster's unusual revenue stream, his mother appeared to have accepted his globe-trotting ways and massive purchases of lottery tickets without comment.

Category 15 Fraud (not embezzlement), extortion, slamming 1997-10-21 forgery perjury chat room AP In Michigan, Circuit Judge Alice Gilbert ordered a search of an unnamed woman's computer systems by defense attorneys. The woman accused 26-year-old Sean A. Crockett of assaulting her in Feb 1997 after they met via an online chat room but is in turn accused of having boasted online in a "Man Haters" chat room about fabricating the accusation.

15.1 Fraud

Category 15.1 Fraud 1997-01-08 fraud Internet AOL Russia AP, EDUPAGE AOL staff became suspicious about enormously expensive bills being run up by Russian users. Investigation revealed so much credit-card fraud, stolen user IDs and passwords and other forms of fraud that the company terminated services in 40 Russian cities. From mid-December 1996 on, the 2,000 Russian AOL subscribers must now access the service by logging on to local Russian Internet Service Providers.

Category 15.1 Fraud 1997-01-08 credit card fraud insider PA News In one of the more spectacular cases of insider fraud, Elizabeth John, a manager at Harrods in London admitted having taken 1,288 receipts and confidential records from her employer's store to her flat — but insisted that she had simply forgotten to return them. The scam, involving her brother (who confessed) and others, netted 205,000 pounds of profit. One victim was so wealthy that he failed to notice that 120,000 pounds of fraudulent charges had been attributed to his Gold Mastercard. In all, 70 customers had their credit cards pillaged.

Category 15.1 Fraud 1997-01-08 fraud AOL AOL4FREE Reuters Nicholas Ryan, a 20-year-old Yale University student, pleaded guilty to creating the AOL4FREE program that allowed an unknown number of larcenous AOL users to cheat the company of their $2.95 per hour access fee. AOL submitted that on a single day the program was used 2,000 times for illegal access. Ryan, who called himself "Happy Hardcore," continuously modified his program to counter defensive measures taken by AOL programmers. As a result, the young man faced up to five years in federal prison and up to $250,000 in fines.

Category 15.1 Fraud 1997-01-23 infowar privacy credit card confidentiality UPI Missing atheist Madalyn Murray O'Hair's American Express card has been used and paid regularly since her disappearance in September 1995. O'Hair's son, Bill Murray, is asking that the Texas Rangers be assigned to the case and allowed to use the expense data in tracking the missing woman.

16 INFOWAR, industrial espionage, hacktivism

Category 16 INFOWAR, industrial espionage, hacktivism 1997-01-15 e-mail spam vandalism racism obscenity ISP AP Someone sent a "racist joke and obscenity-laced poem" to about 140,000 users of the Erol's Internet access service in Springfield, VA. Technicians labored diligently to find the criminal hacker who vandalized the system and to remove the text from the entire network.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-01-21 infowar sabotage information warfare AP Call Management, a hotel reservations firm, has an 800 number almost identical to that of Holiday Inns, 1-800-HOLIDAY. One of Call Management's numbers is 1-800-H0LIDAY, with the letter O replaced by the numeral zero. Holiday Inns won a federal court action claiming that Call Management's number was a trademark infringement; however, on appeal, the decision was reversed because Call Management did not use the number in promotions. Finally, the Supreme Court of the United States refused to hear this case of electronic mimicry.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-01-22 infowar sabotage information warfare Reuters A Belgian lunatic has terrified travelers by broadcasting false and dangerous instructions to aircraft by using a mobile radio transmitter. The impostor seems to know so much about specialized technical vocabulary that police think he may be or have been an air-traffic controller. Authorities assure the traveling public that the rogue is more a nuisance than a threat; all instructions must be repeated to the real controller, and so far the impostor's fraudulent commands have been caught and repudiated by the real controllers.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-01-22 infowar e-threats information warfare UPI, Reuters Youngsters in grade 10 at Profile High School in Bethlehem, NH sent death threats to the White House Web site from their school computers. The messages were traced within minutes by the Secret Service and the children were suspended from school and lost their Internet privileges for the next two years.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-01-28 infowar corporate espionage information warfare EDUPAGE, UPI Informix sued Oracle after 11 software engineers defected to their competitor. However, in June, Informix dropped the suit, saying that the company "has learned that Oracle and the engineers have not misappropriated or disclosed any confidential Informix information and that Informix trade secrets are adequately protected. Informix regrets any statements or allegations that the engineers misappropriated any trade secrets or disclosed them to Oracle."

Category 16 INFOWAR, industrial espionage, hacktivism 1997-01-31 infowar libel information warfare AP Walter Cronkite, whom polls revealed to be the most respected man in the United States in the 1980s, was appalled to discover a page of lies about him on the Web. A 28-year-old programmer, Tim Hughes, invented and posted a scurrilous story about Cronkite's becoming enraged at the author, shrieking imprecations at the couple, boasting about his own infidelity, and spitting in their spice cake at a Florida restaurant. In addition, the anti-Cronkite Web page included falsified photographs purporting to show Cronkite at a KKK meeting. Cronkite threatened to sue for libel; Hughes took the page down and weakly protested that it was all a joke.


Category 16 INFOWAR, industrial espionage, hacktivism 1997-02-03 Authenticity information warfare RISKS 18 81 Opponents of negotiation with Colombian terrorists sent fraudulent e-mail to the kidnappers after the Colombian government announced it would negotiate via e-mail.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-02-11 infowar crypto export policy information warfare AP The increasing dependence on ubiquitous computing puts the United States at risk, computer security experts testified at a meeting of the House Science Subcommittee on Technology. Dan Farmer warned, "It seems that we only react to disasters. This is really serious stuff we're talking about here." The experts strongly urged relaxing restrictions on exports of strong encryption technology.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-02-14 pornography infowar information warfare PA News A British consultancy has won a contract from the European Parliament to study all possible ways of interfering with the use of the Internet for dissemination of pornography, pedophilia, and slavery. Smith System Engineering of Surrey will work with legal, social policy and technology experts to report on the possibilities.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-03-04 industrial espionage hacking RISKS 18 85 On 97.02.28, the _Dallas Morning News_ posted news on its Web site before publishing it in its paper edition the next morning. The news report claimed that Timothy McVeigh had admitted to his lawyer, Stephen Jones, that he had in fact bombed the Oklahoma City Federal Building. Jones accused the _News_ of stealing the information through a computer hack.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-03-09 phone phreak industrial sabotage information warfare infowar EDUPAGE A Swedish man was fined for harassing 911 operators in Florida. He randomly interfered with their work by stunts such as interconnecting two operators or disrupting phone calls.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-03-17 infowar identity theft information warfare RISKS 18 91 RISKS published a summary of theft-of-identity cases and gave the URL of "What Can Consumers Do To Avoid Becoming Theft-of-Identity Victims?". See .


Category 16 INFOWAR, industrial espionage, hacktivism 1997-03-24 disaster recovery information warfare infowar RISKS 18 93 The Canadian _Globe and Mail_ newspaper (97.03.22, p. A17) reported that computerization hit choppy waters on a recent cruise:

Splendour on the seas: As we learned one evening, computer problems aren't the sole domain of land lubbers. Nowadays, everything is run by the darned things — even cruise ships.

By Helga Loverseed

Seems this new cruise ship is so completely computer-controlled that it can barely function at all when the computer systems fail. This provides a stunning example of what could happen under information warfare conditions and also a warning of problems that could occur with the Millennium Bug.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-04-02 industrial espionage RISKS 19 2 An unnamed correspondent reported that one of his acquaintances is angry at UPS for putting a package-tracking system on-line without adequate security. He is convinced that the decline in his mail-order business is in part due to competitive intelligence: his competitors are finding out where he ships his products by cracking the checksum system that supposedly maintains confidentiality. The businessman has now attacked the UPS system by "laboriously retrieving their shipping destinations."

Category 16 INFOWAR, industrial espionage, hacktivism 1997-04-06 RFI information warfare radio Reuters A mysterious Venetian separatist interrupted TV broadcasts in Italy five times in three weeks. At one point, he broke into "Gone with the Wind" and launched a seven-minute declaration of independence for Venice.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-04-15 industrial espionage information warfare EDUPAGE The president and several employees of Avant! Corp. were charged in an industrial espionage case; they are alleged to have stolen computer source code from Cadence Design Systems to use in their own line of products.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-04-24 corporate espionage intellectual property theft employees EDUPAGE Symantec launched a lawsuit against McAfee Associates Inc. claiming that McAfee's PC Medic program is a direct rip-off of Symantec's CrashGuard program.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-04-28 intellectual property theft espionage infowar San Jose Mercury News Scott Thurm and David Wilson summarized recent cases of conflict over intellectual property in Silicon Valley. Stealing information has become much easier because of the thoroughgoing computerization of high-tech information. Firms are responding by beefing up all levels of security and "spiking" their source code with non-functional parts that categorically identify their code if it does get stolen and used by competitors. According to a 1995 survey by the American Society for Industrial Security (ASIS), "companies are most often victimized by people who had legitimate access to their secrets — employees, suppliers, customers, contractors and business partners. Outsiders — hackers, competitors or foreign intelligence agents — accounted for only one-fourth of the losses. . . ." Losses are variously estimated nationwide as ranging from about $25B (ASIS) to $100B (FBI).


Category 16 INFOWAR, industrial espionage, hacktivism 1997-05-06 industrial espionage intellectual property employees theft EDUPAGE Novell Inc. sued three of its ex-employees who formed Wolf Mountain Group for alleged theft of ideas on how to make Windows NT computers work in parallel as clusters of processors. Wolf Mountain agreed to change the name of their business, which happens to be the project code name for the clustering technology they worked on at Novell.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-05-07 industrial espionage sabotage Reuters Borland International sued Microsoft for raiding its employees and strongly implied that the shift of employer constitutes industrial espionage and sabotage. Borland accused MS of hiring 34 Borland employees over the last 30 months by enticing them to leave with huge signing bonuses and other incentives. MS dismissed the accusations, saying that it's a free market and that nobody is forced to work for them.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-05-20 information warfare EDUPAGE Winn Schwartau, the Paul Revere of Cyberspace, speaking at a conference in Ottawa, said that cyberspace is increasingly a battlefield for e-spies. "Schwartau estimated the U.S. economy loses more than $100-billion annually through economic espionage, growing by 500% since 1992."

Category 16 INFOWAR, industrial espionage, hacktivism 1997-06-03 information warfare Defense Daily 195 45 Defense Secretary William Cohen contributed to the Quadrennial Defense Review. He emphasized the U.S. DoD's commitment to defensive and offensive information warfare. "Although our current capabilities are adequate to defend against existing information operations threats, the increasing availability and decreasing costs of sophisticated technology to potential adversaries demand a robust commitment to improve our ability to operate in the face of information threats as we approach the 21st century." The report also emphasizes the importance of unprecedented cooperation between DoD, other government agencies, the business sector and the public and mentions DoD support for the President's Commission on Critical Infrastructure Protection.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-06-10 information warfare Web hack http://www.iwar.org The U.S. Dept. of Agriculture lost control of its Web site to hackers who used it to spam the Net. As a result, the site was shut down for a week, preventing release of the monthly USDA World Supply and Demand Forecast. Information warfare experts wondered if this incident were designed specifically to delay release of the information, which affects the futures market.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-06-17 industrial espionage info warfare intellectual property AP, UPI Two Taiwanese citizens were arrested after trying to bribe a Bristol-Myers Squibb Co. scientist into turning over technological secrets for the manufacture of Taxol, a drug to fight ovarian cancer. The employee reported the approaches to his employers, and with the help of the FBI the two industrial spies were arrested. Kai-Lo Hsu, said to be the leader of the plan, faces 35 years in jail; his accomplice Chester Ho faces 10 years in jail. Hsu and Ho were charged in July; their putative accomplice, Jessica Chou, was still a fugitive at that time.


Category 16 INFOWAR, industrial espionage, hacktivism 1997-06-18 information warfare infrastructure Reuters In June, Robert Marsh, head of the President's Commission on Critical Infrastructure Protection, told reporters that the United States lacks the tools to fight a possible computer assault on critical infrastructure such as telecommunications, banking and power grids and that it is only a matter of time before such attacks take place.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-06-24 hacker database information warfare OTC WarRoom Research LLC of Baltimore, MD announced The Manhattan Cyberproject, an industry-wide effort to share information about hacker activities and technologies. It planned to create a massive database supported by major companies such as IBM and Bell Atlantic and be open for business in 1998. Contact Mark Gembicki, the Project Coordinator

Category 16 INFOWAR, industrial espionage, hacktivism 1997-06-25 information warfare Jane's Information Group 27 25 Jane's Information Group reported that Northrop Grumman's Electronic Sensors and Systems Division and Electronic and Systems Integration Division would jointly be conducting a 13-month study on recovery from information warfare attacks on behalf of the US Air Force.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-07-17 economic espionage infowar book Wired John Fialka of the Wall Street Journal published a fascinating analysis of economic espionage: _War by Other Means: Economic Espionage in America_. By John J. Fialka: US$25. W. W. Norton & Company: +1 (212) 354 5500, or on the Web. Although some commentators such as Jeff Man of Wired criticized what they described as xenophobic "Hogwash", the book includes eye-opening details of the theft of US industrial secrets by agents of foreign powers.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-07-22 DISA information warfare EDUPAGE Bob Ayers, head of the Information Warfare Division at the U.S. Defense Information System Agency, urged infosec specialists to stop thinking in terms of prevention of attack but rather to focus on delaying damage.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-08-18 infowar espionage israel IWAR mailing list Israel was again named among 23 countries engaging in industrial, economic and trade espionage in the US according to a joint CIA-FBI report published in August. Israeli officials protested that the report confused legal, open-source intelligence with espionage.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-08-28 industrial espionage Reuters, AP Harold Worden retired from Eastman Kodak in Rochester, NY after 30 years of service. He then founded a consulting firm that hired up to 60 other Kodak retirees and proceeded to try to sell information gleaned from thousands of stolen confidential documents about Kodak's top-secret acetate-manufacturing machine. The trade secrets were offered to competitors of Kodak; however, both Agfa and Konica informed Kodak and the FBI of the attempts. The FBI then set up a sting operation in which agents pretended to be Chinese nationals intent on stealing the secrets for a mythical factory in China. In August, he pleaded guilty to one count of interstate transportation of stolen property and went to jail for 15 months as well as having to pay a $30,000 fine. Kodak has also sued him in civil court for damages.


Category 16 INFOWAR, industrial espionage, hacktivism 1997-09-04 industrial espionage pharmaceutical infowar UPI In 1994, Subu Kota and Vemui Bhaskar Reddy, both from the area, were arrested for industrial espionage when they sold biotechnology secrets to a Russian-speaking undercover FBI agent. In September, the two went on trial for conspiring to sell methods for creating erythropoietin (EPO), which stimulates red-blood cell production and is worth about $2B a year in worldwide sales.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-09-05 industrial espionage infowar AP The owners of a Taiwanese company were charged in Cleveland with industrial espionage. Pin Yen Yang, 70, of Taipei, Taiwan, and his daughter, Hwei Chen Yang, 39, were accused of stealing secrets from Avery Dennison starting in 1989. Avery Dennison claims that the thefts by the Four Pillars company in Taiwan may have cost the American company up to $200M in losses. The Taiwanese allegedly paid $150,000 to a high-ranking researcher who had access to company secrets.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-10-01 QA information warfare sabotage RISKS 19 40 According to correspondent Bryan O'Sullivan, writing in RISKS, Internet Explorer 4.0 includes several features that used to be packaged in the Windows Plus! CD add-in for Windows 95. The anti-aliasing feature works well to make large fonts look smoother on screen — except in Netscape Navigator, where the old blocky effects still reign. If this claim is confirmed, it sounds like level-two information warfare in Winn Schwartau's terminology.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-10-21 infowar critical infrastructure EDUPAGE Preliminary reports from the President's Commission on Critical Infrastructure Protection urged the administration to increase spending on R&D to defend against attacks on the nation's information infrastructure. This is one of the first official reports to recognize the vulnerability of civilian computer, communications and control systems to deliberate electronic sabotage by hostile forces. In October the final report came out and warned that the United States communications infrastructure is increasingly vulnerable to terrorist attacks.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-10-28 industrial espionage EDUPAGE, TechInvestor (CMP) In another industrial espionage case, Digital Equipment Corp. accused Intel of stealing chip designs and using them in the Pentium design. A few weeks later, predictably, Intel counter-sued DEC, demanding it return confidential information about Intel designs. In June, DEC filed a legal motion demanding that a former DEC employee now working for the enemy keep his mouth shut about Intel proprietary information. In addition, DEC asked for legal orders to force Intel to preserve all documents relevant to the case, including e-mail and accused Intel of monopolistic practices. The suit was settled out of court in October.

Category 16 INFOWAR, industrial espionage, hacktivism 1997-12-01 industrial espionage information warfare Security Management 41 12 Richard Withers and Steve Albrecht provided an excellent review of a case of industrial espionage, where Daniel Worthing, a maintenance worker, offered proprietary information from PPG to its competitor Owens-Corning Fiberglass in 1996. Owens-Corning officials immediately told PPG about the offer and the FBI set up a sting operation which eventually resulted in the arrest and conviction of the spy. The article provides a thorough review of counter-surveillance measures and describes how to set up an espionage-response plan if spying is discovered.

16.1 Industrial espionage

Category 16.1 Industrial espionage 1997-01-07 espionage competitive intelligence information warfare EDUPAGE According to EDUPAGE, "A report released by the National Counterintelligence Center (NACIC) indicates that the Internet is the fastest growing method used by foreign entities to gather intelligence about U.S. companies. 'All requests for information received via the Internet should be viewed with suspicion,' says the report, which urges caution in replying to requests coming from foreign countries or foreign governments, particularly with regard to questions about defense-related technology. NACIC works in close coordination with the CIA, but is an autonomous agency reporting to the National Security Council. (BNA Daily Report for Executives 6 Jan 97 A15)"

Category 16.1 Industrial espionage 1997-01-09 industrial espionage infowar information warfare Reuters, AP The four-year saga of Jose Ignacio Lopez de Arriortua, General Motors' Opel Division and Volkswagen AG ended in January 1997 with an out-of-court, secret settlement. Arriortua had been accused of having stolen confidential information from his previous employer, GM Opel, when he was hired by VW.

16.2 Industrial information systems sabotage

Category 16.2 Industrial information systems sabotage 1997-01-09 Sabotage information warfare RISKS 18 75 The San Francisco Chronicle reported that a fired subcontractor was arrested and accused of trying to cause damage to the California Department of Information Technology. A later report indicated that the accused may have spent six hours online before being detected and crashing the system. Data had to be restored from backups. System management admitted that they had not known that the accused had been fired and therefore did not alter security after his dismissal. Another commentator added that some contracts explicitly forbid direct involvement of a contractor in facilities management duties; it would normally take weeks to send notification about a subcontractor's firing through the layers of governmental bureaucracy in such a case.

16.4 Military & government perspectives on INFOWAR

Category 16.4 Military & government perspectives on INFOWAR 1997-01-07 infowar information warfare EDUPAGE A task force organized by the Defense Science Board recommended that a central authority for information warfare be set up by the U.S. government. The proposal recommends at least $580M in expenditures to harden civilian and military systems against penetration and sabotage. One of the most interesting proposals is that the Pentagon be allowed in law to retaliate against attackers.

Category 16.4 Military & government perspectives on INFOWAR 1997-01-10 InfoWar information warfare RISKS 18 75 In January, a Defense Department panel issued a report demanding an additional $3B of spending on information warfare defensive measures to protect the US telecommunications and computing infrastructure. The authors predicted significant attacks on the information infrastructure by the early years of the new millennium.

16.6 Disinformation, PSYOPS

Category 16.6 Disinformation, PSYOPS 1997-01-10 Sabotage infowar information warfare disinformation PSYOPS RISKS 18 75 A letter drive attacking a mail-order pharmacy in 6,000 mailed warnings was linked to a Shoppers Drug Mart employee. The "Society of Concerned Pharmacists," ostensibly an organization devoted to protecting consumers against the dangers of the Meditrust service, seems to have been the product of a secretary from the competing firm.

Category 16.6 Disinformation, PSYOPS 1997-02-11 AI fraud infowar EDUPAGE In a scary development, the New York Times reported in February 1997 that there are scientists developing software "capable of lying, cheating and stealing." The report stated, "Commercial and entertainment applications, rather than military ones, increasingly are driving artificial intelligence, and some AI software developers are even working on the design of a networked world in which software agents might try to take unfair advantage of each other in commercial transactions."

17 Penetration, phreaking (entering systems, stealing telephone service)

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-02-13 penetration management EDUPAGE Computer Science Corporation warned that many organizations are being attacked by ex-employees or by ex-employees of outsourced computing services. Some experts are urging large organizations to implement single-logon systems with centralized control of every user's passwords. According to EDUPAGE's summary, "One ex-employee of a Big Six accounting firm continued to use the company's e-mail and voice-mail systems a year after he left, and even accessed the company's internal network occasionally, although by that time he was employed by a competitor."

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-02-19 intrusion penetration hackers RISKS, Reuters Teenaged criminal hackers in Croatia may have broken into US military computers, although no classified materials were thought to have been compromised. According to Reuters reporter Laura Lui, "the U.S. Defence [sic] Department had contacted Croatian police through Interpol to demand an investigation while local police searched the youngsters' flats and confiscated their computer equipment. The damage caused by the teenagers' destruction of high-profile protection programmes could reach half a million dollars, the daily said."

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-03-01 penetration hacking AP A 15-year-old Croatian hacker broke into computers at Andersen AFB in Guam in January using hacking tools available free on the Internet. He tried to read through files but was surprised to see them disappearing every time he accessed one. On 97.02.05 he was arrested by Croatian police and his computers were confiscated. Vice Miskovic, whose pseudonym was "Intruder," cannot be charged with computer trespass because there are no such Croatian laws.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-03-04 security management EDUPAGE The Information Warfare Division of the Defense Information Systems Agency of the U.S. Department of Defense tested 15,000 Pentagon systems whose vulnerabilities had been signaled to system managers in a previous audit. About 90% of these systems were still vulnerable to common penetration techniques.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-03-06 medical records penetration privacy law AP The U.S. National Research Council issued a committee report urging hospitals to strengthen their information security measures to reduce the likelihood of unauthorized access to computerized medical records. The committee recommended, among other measures, thorough audit trails; effective passwords; timed-screen savers; data classification and access restrictions; firewalls to prevent access from Internet connections; and encryption of all patient data sent through the Internet.


Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-03-22 hacker penetration Reuters The Datastream Cowboy was finally convicted and fined the equivalent of $1,915 for cracking the U.S. Air Defense System computers. In 1994, the then sixteen-year-old music student Richard Pryce's intrusions were interpreted to be a major and dangerous attack on the security of Pentagon systems and were described in Senate Armed Services Committee hearings as the "number one threat to U.S. Security." Pryce broke into Griffiss Air Base in New York and a Lockheed computer network in California, among others. He explained his escapades as an attempt to impress his hacker friends: "It was more of a challenge really, going somewhere I wasn't meant to. If you set out to go somewhere and you get there, other hackers would be impressed." Pryce refused lucrative offers for book and film rights to his story and now pursues his double-bass studies, hoping to earn a place in a symphony orchestra.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-03-25 infowar espionage information warfare EDUPAGE Recent admissions about the US-Iraqi war suggested that criminal computer hackers from the Netherlands cracked military computers at 34 sites and stole operational information which they offered to Iraqi intelligence. Ironically, the Iraqis apparently rejected the free information, suspecting it to be false. However, the hackers named in these stories vigorously denied any such story and provided strong reason to believe that this story is an urban legend based on journalistic and sensational distortion of interviews and mistaking conjecture for fact.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-03-26 intrusion joe accounts passwords penetration RISKS 18 94 Hungary's main ISP, MATAV, revealed that about 1,200 IDs and passwords were compromised because of its lax security. Seems the company actually published the list of IDs to which it had initially assigned billing numbers — as a warning to change the passwords.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-05-09 phreaking penetration RISKS 19 13 The alcohol-abusing glue-sniffing youngster known as the Swedish "Demon Freaker" who placed 60,000 free calls worth $250K and linked Florida switchboards to sex lines last year was fined the equivalent of $350 and sent to a psychiatric institution. He was caught while harassing an emergency-response operator in the US with claims that his penis was glued to the wall; while he was being encouraged to continue with his story, officials traced the call to Sweden. Swedish police identified his home because it was the only one making so many calls to the US. The 19-year-old's mother said that he had a history of alcohol abuse and glue sniffing but that she had no idea of his nocturnal phone calls to the U.S.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-06-17 hack penetration e-mail passwords ISP Ottawa Citizen A 16-year-old A+ student from a private school in Brockville, ON cracked into RipNet, a local ISP, and stole 1300 user IDs and passwords, handing them out to four of his friends. The break-in was discovered immediately and the ISP managers contacted police. The authorities decided to let the school deal with the delinquents. The ringleader was expelled from computer classes for a year; all five miscreants were ordered to write essays analyzing the moral dimensions of their actions. The ISP contacted all the victims and arranged for them to change their passwords.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-06-26 hacker phreak penetration PBX voice-mail OTC A 15-year-old phreak calling himself "Mr Nobody" claimed he cracked Netcom On-Line Communications Service Inc. in 1995 and listened to voice-mail messages as well as placing long-distance calls at company expense. He pointed out that the company voice-mail boxes had the same passwords as their own extension. In addition, the phreak encouraged his friends to place free calls at Netcom expense.


Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-07-14 impersonation social engineering airport hacker Newsbytes The German hacker known as "Kimble Schmitz" infiltrated Munich Airport three times in a few days by smiling at a security guard and by waving a visitor's card purchased from a stationery shop. The hacker and a friend gained access to the VIP jet area, to restricted areas with national and international planes, and to the control tower. Airport managers responded by charging the hacker with trespass. The German press generally sided with the hacker and launched critical stories about airport security. In general, it is not a good idea to test people's security without their permission!

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-07-21 cellular phone cloning phreaking Newsbytes In early May, AirTouch Cellular security staff identified an unusual pattern of fraudulent cell-phone calls in Salt Lake City, UT using numbers assigned to Phoenix, AZ customers. Two illegal aliens were arrested in mid-July and charged with cloning cell phones (assigning other people's electronic serial numbers, or ESNs, to new phones) and then selling the units for $200 each.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-07-29 ISP hackers consortium EDUPAGE In July, the International Computer Security Association (ICSA) formed the Internet Service Provider Security Consortium (ISPSEC) composed of national backbone, corporate value-add and individual dial-up service providers to promote the development of activities to make the Internet a safer place. ISPSEC will develop, implement, and maintain global measures to improve security on the Internet. Through cooperation and communication among multiple ISPs, Internet users will encounter a consistent set of policies and procedures that will prevent or mitigate malicious activity. This is a necessary evolution to build consumer trust. ISPSEC is primarily comprised of large national service providers. ICSA is expanding the ISPSEC concept to regional and local ISPs. It is anticipated and expected that the policies and procedures agreed upon between these large service providers will filter down to the smaller ISPs that are connected via backbone providers. See .

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-07-30 hacker phreak Newsbytes A 23 year-old hacker, Leon Fitch of Manchester, was charged in London with three offenses under the Computer Misuse Act. Details of the case were unavailable due to restrictions on reporting of cases sub judice.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-08-01 spam junk e-mail lawsuit damages RISKS, AP 19 27 Strong Capital Management, Inc. alleges that David Smith and Glenn Canady broke into SCM's computers to send 250,000 ads with fraudulent headers for "cyberstripping," computer equipment and sports betting. SCM demands penalties of $5,000 per message — about $125M in all. SCM has added mechanisms to stop further transmission of such messages. [The use of civil litigation to attack hackers is one of the most powerful tools available to fight them. This will be an interesting and possibly landmark case with implications not only for the growing displeasure over fraudulent REPLY-TO addresses but also for penetration in general.]

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-08-10 crackers hoax forgery university EDUPAGE Prosecutors in Fairfax County, Virginia, have filed criminal charges against two George Mason University students for hacking their way into university computers and sending derogatory e-mail under the names of random students and staff members. (from summary by EDUPAGE editors John Gehl and Suzanne Douglas).


Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-09-02 AOL hacking criticism parody satire criticism ZDNN AOL repeatedly tried to shut down the Inside AOL site, which allegedly posts tips on breaking AOL security as well as the usual criticism and satire of the giant VAN. The anonymous Webmaster insisted on continuing to publish graphical objects taken without permission from AOL, claiming Fair Use.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-09-18 war dialing hacker ZDNET Peter Shipley, a computer security expert in Berkeley, CA, dialed 1.4 million telephone numbers, day and night, to count the number of modem lines. He found 14,000 of the numbers to be modems; the article did not report on the 99% (around 1,386,000 phone numbers) of calls that didn't have modems connected. Next time you are awakened at 3 in the morning by a silent phone call, perhaps you should call Mr Shipley to find out if he was testing _your_ line to see if it was a modem.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-09-19 hacker juvenile Vancouver Sun A 14-year-old hacker from the Burlington, ON area was arrested in September after over 500 attempts to enter computer systems all over North America and, according to news reports, evidence of malicious hacking. The child's attacks on US military computers caused his downfall, since according to Sgt. Terry Dickie, one of the fraud squad investigators, "This young fellow did try the military sites and that is part of the reason he got caught. They take a dim view and they are prepared to attack back — to hack the hacker."

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-10-01 password policy penetration identification authentication RISKS 19 40 Mike Jeays of Statistics Canada wrote in RISKS, "The CBC [public broadcaster in Canada] aired an article on improvements to the health care system in Manitoba on 24 Sep 1997. Viewers were assured that the security software was `the finest that money can buy.' The technically literate might have been discouraged by the use of a 3-character password in part of the demonstration."

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-10-06 hacker vandal intellectual property industrial espionage OTC In Tokyo, a hacker broke into the Nippon Telegraph and Telephone Corporation's (NTT) computer network and stole programs used in software development. According to NTT officials (as reported by OTC news wire), "The culprit is thought to have gained access to the network through the use of an internal identification number after uncovering the telephone number of the modem adapting the phone line to NTT's computer network."

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-11-10 phone phreaking fraud prevention detection The Dominion (Auckland, NZ) The New Zealand Telecom fraud unit saved the company several $M in its first four months in 1997. Using an HP computer to spot unusual calling patterns, the system helps staff notify subscribers if calls seem to be outside their usual usage of the telephone system. Some of the frauds were costing thousands of dollars per day. The proactive approach to spotting fraud has paid off in reduced complaints from customers and avoidance of disputes over expensive calls.
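The kind of per-subscriber calling-pattern check described above, written here as an added example; it is not code from the Year in Review or from Telecom's system. The call records, the country-code prefix, the 30-minute floor and the three-sigma rule are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed call-detail records (not real data):
# (subscriber, day, destination country prefix, minutes).
# A real system would take these from the switch's billing feed.
CDRS = [
    # A quiet residential line: a few short domestic calls a day.
    ("sub-A", 1, "64", 3.0), ("sub-A", 2, "64", 5.0), ("sub-A", 3, "64", 2.5),
    ("sub-A", 4, "64", 4.0), ("sub-A", 5, "64", 3.5), ("sub-A", 6, "64", 1.5),
    ("sub-A", 7, "64", 2.0),
    # Day 8: sudden burst of long international calls, the pattern a
    # hijacked line or cloned account produces.
    ("sub-A", 8, "1", 48.0), ("sub-A", 8, "1", 62.0), ("sub-A", 8, "595", 95.0),
    # A business line that legitimately calls overseas every day.
    ("sub-B", 1, "61", 40.0), ("sub-B", 2, "61", 55.0), ("sub-B", 3, "1", 45.0),
    ("sub-B", 4, "61", 50.0), ("sub-B", 5, "44", 60.0), ("sub-B", 6, "61", 35.0),
    ("sub-B", 7, "1", 52.0),
    ("sub-B", 8, "61", 58.0),
]

DOMESTIC_PREFIX = "64"  # assumption: NZ country code marks cheap domestic calls
ABS_FLOOR_MIN = 30.0    # assumption: bursts below this are not worth a call-out
SIGMA = 3.0             # assumption: this far above a line's own baseline is "unusual"


def daily_international_minutes(cdrs):
    """Aggregate international minutes per (subscriber, day)."""
    totals = defaultdict(float)
    subscribers = set()
    for sub, day, prefix, minutes in cdrs:
        subscribers.add(sub)
        if prefix != DOMESTIC_PREFIX:
            totals[(sub, day)] += minutes
    return totals, subscribers


def find_unusual_callers(cdrs, today, history_days):
    """Return one alert per subscriber whose international minutes on
    `today` exceed max(floor, baseline + SIGMA * spread), where baseline
    and spread come from that subscriber's own history_days. Comparing
    each line against itself is what keeps the heavy business caller
    from being flagged while the quiet line's burst stands out.
    """
    totals, subscribers = daily_international_minutes(cdrs)
    alerts = []
    for sub in sorted(subscribers):
        history = [totals.get((sub, d), 0.0) for d in history_days]
        baseline = mean(history)
        spread = pstdev(history)  # 0.0 for a line with no international history
        observed = totals.get((sub, today), 0.0)
        threshold = max(ABS_FLOOR_MIN, baseline + SIGMA * spread)
        if observed > threshold:
            alerts.append({
                "subscriber": sub,
                "minutes": observed,
                "baseline": round(baseline, 1),
                "threshold": round(threshold, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_unusual_callers(CDRS, today=8, history_days=range(1, 8)):
        print(f"notify {alert['subscriber']}: {alert['minutes']} international "
              f"minutes today vs baseline {alert['baseline']} (threshold {alert['threshold']})")
```

The absolute floor matters for lines with no international history at all, where the baseline and spread are both zero and any single call would otherwise trip the three-sigma rule.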


Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-11-11 fraud theft credit card Reuters According to police in San Carlos, a city south of San Francisco, four teen-agers hacked their way into an on-line auction house, stole credit card numbers and fraudulently obtained $20,000 of computer equipment which they arranged to have delivered to an empty house in their neighbourhood. Police caught up with the juvenile gang when one of the children had stolen goods delivered to his own home.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-11-14 phreak phone hacker default canonical password RISKS 19 46 Phone phreaks have exploited canonical (default) passwords on PBXs, allowing unlimited international calls from the Macedonian Foreign Ministry. The PBX was left with its DISA (direct inward service access) enabled, allowing the intruders to exploit the system by using a well-known standard password.

Category 17 Penetration, phreaking (entering systems, stealing telephone service) 1997-11-26 hacking penetration survey RISKS 19 47 The US Senate Permanent Investigations Subcommittee found evidence that "Worldwide, hackers cost businesses an estimated $800 million in 1995 through break-ins to computer systems at banks, hospitals, and other large businesses."

18.1 Theft

Category 18.1 Theft 1997-01-29 theft ATM AP Thieves bypassed fancy electronic security measures on a Portland, TN automated teller machine. They attached cables to the device and ripped it off its foundation using a tow truck. The ATM was found ripped open in a field some miles away.

Category 18.1 Theft 1997-02-02 infowar intrusion theft privacy PA News UK Defence Secretary Michael Portillo appears to have been the victim of a theft of computer files. The _Sunday Times_ reported to police that it was offered 7,000 confidential files on 12 floppies from the Minister's parliamentary office dating from 1987. The thieves asked for 2,000 pounds payment and said that private files from Deputy Prime Minister Michael Heseltine and Home Secretary Michael Howard were also available for a fee.

Category 18.1 Theft 1997-03-25 theft counterfeit RISKS 18 94 Thieves have stolen valuable equipment used to make "non-counterfeitable" drivers' licenses in Florida. The machines were left in unguarded, unprotected state offices.

Category 18.1 Theft 1997-04-02 computer theft RISKS 19 2 ff When the CalTrain computer used to issue tickets by mail was stolen, the company initiated cancellations for the thousands of credit cards in their unencrypted database. These cancellations were to be carried out before users were informed that their credit cards would no longer work: not much fun for travelers with only one credit card. Luckily or unluckily (you decide), a later posting revealed that the credit-card companies seem to have ignored the requests for cancellation.

Category 18.1 Theft 1997-05-02 computer theft privacy RISKS 19 12 When a computer hard-disk was stolen from Levi Strauss, the personnel records containing personal information for 40,000 employees and former employees were compromised. A company spokesperson lamely assured the public that the data would be hard to read and that it wouldn't happen again. Moral: encrypt sensitive data on hard disks. Peter Neumann warned that the employee records would make the victims susceptible to theft of identity.

Category 18.1 Theft 1997-05-06 laptop theft EDUPAGE In 1996, claims the computer-insurance company SafeWare, 265,000 laptop computers were reported stolen — up 27% from 1995.

Category 18.1 Theft 1997-05-17 computer theft forgery RISKS 19 16 In Oregon, the DMV lost its license-making equipment to thieves who stole the computer, printers, cables, and a camera. Observers expect a flood of forged drivers' licenses real soon now.


Category 18.1 Theft 1997-05-28 theft hardware industrial espionage AP Losses of computer components to thieves in Silicon Valley are approaching $1M per week, and the region's political representatives have asked that the FBI upgrade its San Jose satellite office to be a full-fledged center for fighting the growing problem. Thieves have lately been breaking into delivery vans rather than attacking factories, says a spokesperson for the San Jose Police Department's high-tech squad. The parts are then either shipped to Asia for inclusion in low-cost computer boards or sold right back to the victims who may be in desperate need of the components that were stolen. Another problem, according to Rep. Zoe Lofgren (D-CA), is industrial espionage. According to Richard Cole, AP Writer, "San Jose Police Chief Louis Cobarruvias sent a letter to Freeh along the same lines in March, saying Chinese and Japanese organized crime groups are taking a growing interest in Silicon Valley."

Category 18.1 Theft 1997-06-03 theft hardware chips UP In Los Angeles, 17 people were indicted for two military-style attacks on computer component factories. The defendants are accused of stealing $10M of chips and motherboards from Centon Electronics, Inc. on 97.05.16; in addition, 11 of the defendants are charged with theft of $400K of computer chips from Multi-Industry Technology, Inc. The alleged ring-leader, John That Luong, faces additional charges in San Francisco in connection with other computer robberies. The ring was described as being involved in Asian organized-crime syndicates.

Category 18.1 Theft 1997-06-05 chip theft EDUPAGE EDUPAGE editors write: "Federal prosecutors have indicted 17 individuals for their involvement with an Asian organized-crime syndicate responsible for armed robberies in May 1995 of more than $10 million worth of Intel Pentium chips from two companies in Orange County, California. (New York Times 4 Jun 97)"

Category 18.1 Theft 1997-06-23 theft hardware chips RISKS 19 23 In Hacienda Heights, CA, five armed thieves kidnapped a businessman, took him to his factory and stole $800,000 in computer chips. Two criminals were arrested.

Category 18.1 Theft 1997-06-26 theft hardware cable denial of service backhoe RISKS 19 23 Betty O'Hearn contributed this précis of a curious incident in the Far East (slightly edited): >[From Reuters news wire 97.06.19 09:19 EDT] A thief removed 60 meters of cable from the center of the remote Russian city of Ulan-Ude (the capital of the Republic of Buryatiya, near Mongolia), which shut down external communications for five hours on 19 Jun 1997. "The incident . . . affected military . . . [and] other communications in the region and caused an estimated loss of 800 million rubles ($135,000)." Apparently, the criminal or criminals may have been harvesting precious metal from the lines. ("Earlier this week two thieves were electrocuted in eastern Kazakhstan as they tried to steal copper wires from a high-voltage power transmission line.") [Source: Itar-Tass news, 19 Jun 1997]<

Category 18.1 Theft 1997-08-15 airport theft fraud confidence tricksters laptops security UPI Air travellers should beware unusual kerfuffles at security checks. Organized gangs identify victims with valuable computers and cameras. While one criminal goes quietly through security before the victim, one or more step in front of the victim and cause delays by carrying metal objects, dropping things, or getting into mock arguments. Meanwhile, the first thief makes off with the valuables. Solution: do not allow anyone to step in front of you once you have put your valuables through the X-ray machine; if you are delayed, call out clearly to the security staff to keep their eye on your belongings.


Category 18.1 Theft 1997-08-22 theft medical research cancer data confidentiality PA News Professor David Newell of Newcastle University suffered a grievous loss when someone stole his computer and five floppy disks containing the sole copy of his research data. The thief eventually returned the five disks; the professor politely requested the return of his computer. Had no one ever broached the topic of off-site backups to the good professor?

Category 18.1 Theft 1997-08-26 credit card theft sniffer ISP FBI sting RISKS, EDUPAGE 19 19 Peter Neumann summarized one of the largest cyber-related FBI stings of recent years: >Carlos Felipe Salgado Jr. ("Smak", 36, Daly City, CA) was arrested at San Francisco Airport on 21 May 1997 after he sold an encrypted diskette with personal data on more than 100,000 credit-card accounts to undercover FBI agents, who paid him $260,000, checked out the validity of the data, and then nabbed him. He reportedly had obtained the information by hacking into various company databases on the Internet or by packet-sniffing an unidentified San Diego-based ISP. He faces up to 15 years in prison and $500,000 in fines.<

In August, Salgado pleaded guilty to the charges before beginning trial.

Category 18.1 Theft 1997-10-31 theft burglary privacy questionnaires Internet Reuters Burglars in the UK were reported to be offering free software and sending out questionnaires asking about details of people's private life and computer equipment — and then robbing cooperative victims. Moral: think before you answer questions from strangers.

Category 18.1 Theft 1997-11-19 theft robbery authentication certificates CD-ROMs computers Reuters, EDUPAGE In November, four masked gunmen attacked Thompson Litho Ltd in Scotland, bound its employees and stole 200,000 certificates of authenticity, 100,000 CD-ROMs, computers and other equipment — an estimated $16 million worth of goods. The company immediately circulated the serial numbers of the authentication certificates to dealers worldwide to prevent use in pirated software.

19 Counterfeits, forgery (including commercial software/music piracy)

Category 19 Counterfeits, forgery (including commercial software/music piracy) 1997-02-17 Forgery RISKS 18 83 Robert Ames, victim of attacks on his reputation by forged, offensive USENET postings, found the fraudulent messages archived on DejaNews even though he had repudiated the forgeries using PGP-signed messages.

Category 19 Counterfeits, forgery (including commercial software/music piracy) 1997-03-09 counterfeit EDUPAGE, COMPTEX In Monterey Park, CA, two Chinese nationals were raided by police; their company had 23,000 counterfeits of Windows 95 software. In July, 43-year-old Zhijian Song and 38-year-old Jian Ping Zhu pleaded no contest to the charges of counterfeiting and were sentenced to 16 months in prison.

Category 19 Counterfeits, forgery (including commercial software/music piracy) 1997-03-26 forgery RISKS 18 94 A convict was released from prison when his girlfriend sent in a pardon ostensibly from the PA governor. The same pair then tried to free the runaway's cell-mate using a forged fax claiming to be from the governor of FL. Luckily, someone checked with the governor's office before releasing the prisoner.

Category 19 Counterfeits, forgery (including commercial software/music piracy) 1997-08-05 forgery spam denial of service harassment fraud e-mail porn C|Net news.com http://www.news.com/News/Item/0,4,13141,00.html An innocent Florida businessman, Bruce Hovland, was harassed by thousands of phone calls from angry strangers who complained about junk e-mail that threatened to bill their credit cards for almost $200 in return for pornographic videos they had never ordered and did not want. Mr Hovland was the victim of a deliberate smear campaign, probably by a creep who had refused to pay rent at his marina and lost his boat as a result. The malefactor spammed the net in Hovland's name and suggested that people call his business number collect. Hovland guesses that he lost about two weeks of business because his phones were ringing off the hook. Hovland points out that his case was relatively minor; he imagines the mayhem if an emergency number were posted on the Net in such a fraud. The case illustrates the difficulty for victims in finding an agency willing to receive and follow up on complaints about such outrageous and dangerous attacks.

Category 19 Counterfeits, forgery (including commercial software/music piracy) 1997-08-10 hoax rumor myth EDUPAGE, AP A minor storm erupted in August when Kurt Vonnegut was credited with a clever commencement address at MIT; unfortunately, the "address" was a pirated version of a column by Mary Schmich of the Chicago Tribune.

Category 19 Counterfeits, forgery (including commercial software/music piracy) 1997-08-19 counterfeit color printers EDUPAGE According to the Secret Service and the U.S. Department of the Treasury, kids have been trying to counterfeit money using PCs and color printers and copiers. Authorities are trying to get the word out to "these knucklehead kids" that counterfeiting is a serious offense, with sentences of up to 15 years in federal prison.


Category 19 Counterfeits, forgery (including commercial software/music piracy) 1997-08-20 spam fraud hoax impersonation RISKS, Newsbytes 19 32 Someone sent an offensive e-mail message throughout the Net ostensibly from Samsung America's legal counsel. The e-mail caused a fuss, with many victims announcing that they would no longer buy from Samsung. Investigation showed that the e-mail contained forged, fraudulent headers and that Samsung and their lawyers had nothing to do with the hoax. Moral: if a professional is sending e-mail that makes it look like they have lost their senses, the message may very well be fraudulent.

Category 19 Counterfeits, forgery (including commercial software/music piracy) 1997-08-25 fraud counterfeit components chips memory Computer Reseller News Resellers with a sharp eye noticed funny-looking memory chips on some of the boards coming in from low-end manufacturers. Turned out the "memory chips" were dummies that were not even connected to the rest of the board. Resellers began using a test program called WhatMem from Data Depot, in Clearwater, FL. The scam died down as memory prices dropped, but resellers are still advised to run occasional quality control checks on their components.

Category 19 Counterfeits, forgery (including commercial software/music piracy) 1997-10-28 fraud forgery cheating universities EDUPAGE Boston University invited other universities to join its lawsuit against eight term-paper mills selling student papers over the Internet. According to EDUPAGE, the university accused the companies of "wire fraud, mail fraud, racketeering, and violating a Massachusetts law prohibiting the sale of term papers." The plaintiff dismissed claims that disclaimers advertising the papers as "research tools only" are a sham.

19.1 Software piracy

Category 19.1 Software piracy 1997-01-02 software theft Reuters Jacqueline Wong of Reuters reports on the battle against software theft in Singapore. Microsoft has planted its own store in the shopping center that is most popular with computer users and is joining actively with police in raids on factories and stores where the pirated software is manufactured and sold. Local software developers applaud the move, saying that software theft harms their efforts to earn a living from writing software.

1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications)

Category 1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications) 1997-01-14 sabotage infowar information warfare EDUPAGE Gateway2000 discovered that 20,000 copies of a promotional video promoted more than its new PC; the tape included 30 seconds of pornography. Officials guess that it's a case of industrial sabotage by a disgruntled employee in the company that made the tape.

Category 1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications) 1997-05-02 sabotage RISKS 19 12 According to Peter Neumann, "Wilson Chan Chi-kong, 29, the former employee of Reuters financial information agency who had sabotaged the dealing-room systems, was apparently motivated by revenge after a dispute with his superior. The damage control took more than 1,700 man-hours, and the estimated cost was HK$1.3 million. He has been jailed."

Category 1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications) 1997-05-05 criminal hackers revenge sabotage Netly News Both Jonathan Littman and Joshua Quittner have been harassed by enraged criminal hackers and their supporters for daring to write opinions critical of hacker icons and Kevin Poulsen. Interference has included disconnection of ISP access, interference with e-mail, and attacks on Web pages promoting Littman's book. Quittner suffered damage to his e-mail services and extensive rerouting of his home phone: to a long-distance answering machine, to a phone-sex number and to 1-800-EAT-SHIT.

Category 1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications) 1997-06-27 backhoe denial of service sabotage Net OTC In another "backhoe attack," a construction crew inadvertently sliced through a major component of the Internet backbone in Florence, NJ. WorldCom's service to UUNet Technologies and MFS Communications as well as several other ISPs was severely affected. Many users were unable to access the Net and e-mail transfers were erratic throughout the U.S.

Category 1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications) 1997-07-17 libel e-mail infowar sabotage PA News In England, Western Provident Association Ltd sued Norwich Union Healthcare Ltd in 1995 over rumors that WPA was insolvent and under investigation by the Department of Trade and Industry. Norwich Union executives admitted that its employees had circulated internal e-mail with these false allegations and agreed in July to pay WPA £45,000 (about $75,000) in damages out of court. Moral: apply the same standards of ethical judgement to e-mail communications as to any other communication.

Category 1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications) 1997-07-20 sabotage EDUPAGE An enraged computer user shot his PC four times in the hard drive and once in the monitor. The Issaquah, WA resident was arrested by police.

Category 1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications) 1997-08-10 ISP availability disaster EDUPAGE In early August, an explosion interrupted electrical power around Boston; a resulting fire at MIT blocked access to the Net for BBN Planet subscribers.

Category 1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications) 1997-08-12 hacker spam vandalism Web hacktivism C|Net http://www.news.com/News/Item/0,4,13296,00.html A hacker attacked "Spamford" Wallace's Cyber Promotions site in August, causing several hours of downtime. Anti-spam activists generally condemned the use of illegal tactics to harass the King of Spam.

Category 1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications) 1997-08-22 online voting fraud rigging farce Netly News When Cool Site of the Day announced that nominations for Cool Site of the Year were open to the 365 winners of the daily contest, they didn't expect one of their former winners to try to rig the election. However, managers of Zug, a comedy site, asked the 364 other participants to vote for Zug in the Cool Site of the Year category; in return, they would nominate cooperators in whatever other category they wanted. Cool Site of the Day managers were terribly offended, even though the practicality of honest online voting is currently zero.

Category 1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications) 1997-11-25 sabotage disgruntled employee EDUPAGE, Newsbytes, RISKS 19 47 A disgruntled former help-desk operator at Forbes Magazine was accused of sabotaging the company's computers and causing more than $100,000 in damages. In a similar case brought at the same time, an enraged consultant for Art Assets of Manhattan allegedly deleted files and databases on his client's systems after being insulted at a meeting to discuss a billing dispute. The accused faced up to five years in jail and fines of up to $250,000 if convicted of the respective crimes.

1B Pornography, Net-harm, cyberstalking, gambling, online auctions

Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-02-26 hacker AP, Reuter Chris Zboralski, a 21-year-old French criminal hacker, was fined $8,500 and given an 18-month suspended sentence in Paris for using the FBI's phone system to place $250K of AT&T international phone calls at US government expense in 1994. According to AP, Judge Francis Bruty called Zboralski "a computer genius with a lamentable morality." However, his expertise consisted largely of impersonating an FBI agent and convincing a bureaucratic dupe to give him the access numbers for the FBI's conference-call account. Zboralski showed no remorse; on the contrary, he signed a book deal with a French publisher and announced that he was going into business as a security consultant. Better watch your phones if you hire him.

Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-05-20 hacker intrusion AP, InfoSecurity News In Greeneville, TN, convicted criminal hacker Wendell Dingus was sentenced to six months of home monitoring and ordered to pay $40,000 in restitution to the Air Force Information Warfare Center and other military organizations for the 1995 intrusions he perpetrated against them. He also admitted to cracking into NASA computers.

Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-06-02 hacker psychology C!Net http://www.usnews.com:80/usnews/issue/970602/2crac.htm David Freedman and Charles Mann published _At Large_ (Simon & Schuster), an analysis of the curious case of Matt Singer, known in the computer underground as "phantomd." This maladjusted and unfortunate youngster broke into accounts at MIT, Los Alamos and Livermore National Laboratories, Intel, and many other sites. He tried to use the computers at NASA sites to run Crack, a password-guessing program for determining passwords encrypted in UNIX password files. The FBI's National Computer Crime Squad, founded in 1992 by Agent Jim Settle, obtained warrants for wiretaps on their key suspect, Matt Singer. By this time, the youngster was attempting to break into the main Internet backbones to run a high-speed sniffer program. With an accomplice, he snagged 60 Mb of data in break-ins of a few minutes at a time, accumulating untold numbers of logins and unencrypted passwords. In December 1992, the FBI burst into the Singers' home and found a poverty-stricken, brain-damaged, schizophrenic 19-year-old barely aware of the world around himself but addicted to the joys of criminal hacking. The Department of Justice declined to prosecute and the case sank into obscurity, as did Matt Singer, who was living on Social Security disability payments when the authors completed their book about him.

Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-06-17 hacker sentencing Mitnick LA Times Kevin Mitnick was sentenced to 22 months in prison for cellular phone fraud and for violation of the terms of his probation. The feckless fugitive hacker faced additional charges from a 25-count federal indictment for software theft. The judge also ordered the computer addict to stay away from all computers, cell phones or software when he is released from prison. Mitnick was also prohibited from being employed in any job that would allow him to have access to computers without approval from a probation department officer. In November, Mitnick's lawyer appealed for funds to help protest the conditions under which Mitnick was allegedly held, including solitary confinement, freezing temperatures in his cell, and being manacled for his trips to the showers.


Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-06-19 hacker culture information warfare TechWire The UK's Defence Evaluation and Research Agency warned that "The hacker community is splitting into a series of distinct cultural groups — some of which are becoming dangerous to businesses and a potential threat to national security." Alan Hood, a research scientist in the information warfare section of DERA, said that information brokers coordinate attacks by ordinary hackers and then sell the information to governments or competing organizations. Meta-hackers observe ordinary hackers and then silently take advantage of the vulnerabilities discovered by the blabbermouth hackers. "Elite" hackers stick to their own class of hacker and sneer at those who use widely-available tools and scripts. "Dark-side" hackers attack systems for financial gain or to do harm, violating the much-vaunted standards of the hacker world. Most importantly, Hood urged network managers to stop trying to prevent all attacks; instead, focus on deterrence, protection, detection and reaction. Make it difficult enough for hackers that they will move on to another target; encrypt sensitive data and prevent social engineering; install intrusion-detection software; and respond to all attacks or oddities on your systems.

Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-07-12 hackers convention AP In Las Vegas, computer hackers staged yet another DefCon — the fifth annual and largest yet, with 1500 people packed into a second-rate hotel convention hall. Participants included legitimate firms prospecting for possible employees, hoping that their candidates could manage the transition from cyber-desperado to honest security expert.

Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-07-14 hacker convention Black Hat Microsoft ELECTRONIC ENGINEERING TIMES; Computerworld 31 28 Microsoft reversed its usual policy and sent staff to the Black Hat Briefings in Las Vegas to meet hackers who demonstrated flaws in Windows NT security. Despite the scepticism of more conservative security experts such as your editor, NT marketing director Carl Karanan said, "It's good to look at things in perspective; this conference does that. We've opened up a dialogue. The hackers do a service. We're listening and we're learning." Other audience members at the Briefings came from Cisco, ESPN, Toyota, Price-Waterhouse, the Defense Department and the National Security Agency. At a Meet the Enemy session, several system administrators expressed scepticism about the supposedly good intentions of the hackers. Key NT hackers presenting at the conference included "Mudge" from the L0pht; Yobie Benjamin of Cambridge Technology Partners; and Dominique Brezinski.

Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-07-16 hackers convention Hack-Tic HIP Scotsman, Wired, Agence France-Presse The Hacking in Progress hacker convention took place in August in a field near Amsterdam. Some of the topics of discussion suggest that the hacker underground may be moving towards a more mainstream approach to technology. For example, there were talks about Internet censorship, spam, and cryptography. Many of the hackers now work for corporations, including the Dutch ISP XS4All, which was itself founded by reformed hackers. However, the criminal side of hacking was also well represented. Many of the discussions focused on how to abuse systems rather than on how to repair them. There was also an embarrassing incident when telephone engineers for the Netherlands PTT discovered a break-in by a cellular phone user at the camp who fraudulently tried to place free international calls.

Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-07-22 fraud hackers insiders theft fraud diddling The Futurist via Times of India One of the Masters of Deception, John Lee, was reported in July as boasting about his ability to break into systems and steal products and services. Despite his one-year prison term, Lee is said to have "admitted that he would certainly be tempted to do it all again." However, wrote Gene Stephens in _The Futurist_, "a far greater threat to businesses than hackers are disgruntled and financially struggling employees. As internal theft from retail stores has always been many times greater in volume than theft from shoplifters, robbers, and burglars, theft by employees armed with inside information and computer access is and will continue to be a much larger problem than intrusion by hackers, crackers, and terrorists combined."


Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-08-04 hackers hiring Computerworld Matthew Harrigan, founder of MicroCosm, a San Francisco security company that specializes in Tiger Team attacks, is an ex-hacker who hires only ex-hackers as security consultants. Author William Spain interviewed him for an article in Computerworld and analyzed the risks of hiring people who have fun breaking the law. Russ Hailey, president of Lawrence, Kan.-based Secure Network Systems, was not keen on this strategy: "I would not hire an ex-thief to protect a warehouse, and I won't employ any ex-hackers, period," he said.

Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-08-08 hackers convention meeting AP At the Beyond HOPE () meeting in New York sponsored by 2600 Magazine in August, hackers expressed the Party Line on how useful and knowledgeable they are: "Hackers actually design the systems and show how they work, how to make them better, and how to make them secure," said Emmanuel Goldstein [Eric Corley], an editor of [2600], a hacker magazine. David Kalish of Associated Press quoted a hacker known as Cheshire: "Crashing the system should not be your objective. It had been in the past. That's the playground bully. Now it's no longer cool. Anyone can crash a system. It's more clever to find out how to make it NOT crash." For all the positive spin, however, organizers of the meeting asked the hotel to disconnect all the phone jacks in their rooms for the duration of the conference.

Category 1B Pornography, Net-harm, cyberstalking, gambling, online auctions 1997-11-26 hacking penetration intrusion court case RISKS, Times (London), PA News 19 48 Matthew Bevan (AKA "Kuji"), an alleged associate of Richard Pryce (the "Datastream Cowboy") walked free in November when charges of unauthorized access and data modification (into the Griffiss AFB and Lockheed) were dropped.

1B2 Child pornography

Category 1B2 Child pornography 1997-01-14 child pornography arrests police investigation privacy EDUPAGE EDUPAGE reports: >Ontario police have charged several people with downloading child pornography off the Internet. The police refuse to reveal the techniques they use to build cases against people caught with huge stockpiles of child porn, and defense lawyers and legal experts say constitutional issues surrounding the state's right to monitor a person's private computer will surface as the cases come to court. Defense lawyer Marie Henein finds it "a little frightening" that you could be sitting at your computer at home while the police are assessing what you're doing. She and another lawyer represent an Ontario man charged with distributing child pornography on the Internet after police seized 20,000 computer files containing photos and video clips. (Montreal Gazette 13 Jan 97 A5)<

1B3 Pedophilia, kidnapping, Net-adoption fraud

Category 1B3 Pedophilia, kidnapping, Net-adoption fraud 1997-01-09 child pornography rape arrest DPA In Solothurn, Switzerland, police arrested a 37-year-old child molester who had spread tens of thousands of pictures on the Internet with pornographic representations involving children. The paedophile computer expert confessed, the authorities in Solothurn said. According to police statements, the 37-year-old abused numerous girls in Cambodia and recorded the abuse on video. The police found more than 100 corresponding photos on the Internet.

1B4 Stalking & harassment

Category 1B4 Stalking & harassment 1997-04-01 anonymity stalking harassment threats free speech law AP John Hendren, writing for AP, reported in April on several cases of cyber-harassment. An Annapolis, MD woman was mail-bombed after she warned other writers about extortionate fees from an author's agency; her name, phone number and address were posted on alt.sex groups on the USENET and resulted in floods of offensive phone calls. A woman in Atlanta was appalled when someone posted a photograph of an unknown anonymous woman with the victim's name and contact information; she received calls from men who told her the announcement claimed she was offering free sex. A victim of such anonymous harassment founded WHOA — Women Halting Online Abuse — to help victims fight this oppression. The CyberAngels, an offshoot of the Guardian Angels vigilante group, claim to be willing and able to help victims; another vigilante is Peter Hampton, who can marshal thousands of people to saturate Web servers and who claims to take unspecified measures to damage harassers.

Category 1B4 Stalking & harassment 1997-04-15 eavesdropping harassment cyberstalking RISKS, Reuters 19 8 ff Around April 1997, police resolved a case of what had appeared at first to be a spectacularly successful and mysterious technical attack on a suburban family in Emeryville, Ontario. Starting at the beginning of 1997 and dubbed "The Emeryville Horror" by a credulous press, the case involved heavy breathing on the phone, vague threats, boasts and inexplicable control of household electrical appliances. Counter-surveillance experts swept the house and found it "clean." Police suggested that the couple's adolescent boy might be responsible. After much denial by the family, they brought their son into the local police station for a polygraph exam to prove his innocence; he promptly confessed to the whole thing, which turned out to be a prank gone 'way too far. The 15-year-old was recommended for psychiatric evaluation. As Ron Pfeifle implied in a subsequent issue of RISKS, the moral for all of us techno-nerds who speculated about wiring, HERF guns, and the whole bit: use Occam's Razor liberally when something seems too weird to be true.

1B7 Hate groups, speech

Category 1B7 Hate groups, speech 1997-07-31 hoax rumor fabrication Internet infowar Reuter The notorious fabrication, the "Franklin Diary," first surfaced in 1934 in a US pro-Nazi publication; it purports to quote Ben Franklin as an anti-Semite. Despite repeated debunking, the fraudulent document continues to circulate in the neo-Nazi underground, including KKK networks. It has recently been quoted in Hamas materials and seems to be kept alive today by repeated postings on the Internet. The Franklin Institute in Philadelphia has been swamped with phone calls about this document, which is described as being kept there.

1B9 Non-virus hoaxes, urban myths

Category 1B9 Non-virus hoaxes, urban myths 1997-10-13 hoax chain letter availability denial of service PA News Poor little 8-year-old Craig Shergold was dying of a brain tumor — in 1989. He issued an appeal for get-well cards that began circulating through the Internet ten years ago. In 1997, he was now a healthy, strapping 18-year-old and he said he DOESN'T WANT ANY MORE DAMN GET-WELL CARDS. His family and the Royal Mail issued a world-wide appeal begging people to stop circulating the hoary chain letter and its variants through the Net and via fuzzy photocopies. The family has received over 140 million cards and still gets three to four sacks full daily. At one point it became extremely difficult to find the real mail in the flood of good wishes. This is a real-life case of the Sorcerer's Apprentice. Stop awready!

1C Identity, impersonation, spoofing

Category 1C Identity, impersonation, spoofing 1997-01-20 pornography appropriate-use policy Reuters A young Polish man was arrested by police in Katowice province for allegedly distributing child pornography via the Internet from his workplace computer. The porn was discovered and reported by a discussion group in Sweden.

Category 1C Identity, impersonation, spoofing 1997-01-21 pornography EDUPAGE From EDUPAGE: "A feature article on pornography on the Internet said the abundance of sex on the Internet is the result of a century of obscenity battles won in the courts. It mentions that Industry Canada has recently released a background paper on illegal and offensive material on Internet, which points out that many Web images are taken from magazines that are freely available in Canada. (Ottawa Citizen 21 Jan 97 A4)"

Category 1C Identity, impersonation, spoofing 1997-01-23 pornography EDUPAGE EDUPAGE: "An Albany, New York, college business major was arrested yesterday in a cyberporn sting operation, on a charge of using America Online to transmit three dozen sexually explicit photos of children. (Vancouver Province 23 Jan 97 A37)"

Category 1C Identity, impersonation, spoofing 1997-01-24 AOL pornography lawsuit AP, Reuters In Miami, FL, the mother of a pedophile's victim sued AOL for allowing pedophiles to set up chat rooms for trading in child pornography. Her son was raped and photographed by Richard Russell, a middle-school teacher; Russell is serving a 22-year sentence in state prison for his crimes. The mother argues that AOL should have monitored activities on its service and prevented the abuse. Because of AOL's lack of policing, she says, "AOL service became known to the pedophile community as a place for open discussion, trading, and marketing of child pornography. In essence, AOL Inc. has created a home shopping network for pedophiles."

Category 1C Identity, impersonation, spoofing 1997-01-24 pornography Reuters Two Bavarians were arrested by German federal police for offering to sell children for sadistic sex and murder. The accused were denounced by users of Deutsche Telekom's T-Online Internet Access Service.

Category 1C Identity, impersonation, spoofing 1997-02-12 pornography seduction e-mail AP Paul Brown, Jr, a 47-year-old, 400-pound man, misrepresented himself as a 15-year-old boy in e-mail to a 12-year-old girl in New Jersey. He was arrested in February and police found correspondence with at least ten other teenaged girls across the country. Brown convinced his young victims, some as young as 12, to perform various sexual acts in front of cameras and send him pictures and videotapes. He pleaded guilty in June to enticing a minor into making pornography. He faced fines of up to $250K and 5 years in prison. In August, one of his many victims told the court that she had suffered ridicule and humiliation as a result of her entrapment and had left her school to escape the trauma. She accused Brown of emotional rape. Displaying an astonishing interpretation of his own behavior, Brown said at his sentencing hearing, "It was just bad judgment on my part." Using good judgment, the court sentenced him to five years incarceration.


Category 1C Identity, impersonation, spoofing 1997-02-12 pornography filter Reuters, UPI In Boston, parents kicked up a ruckus when they discovered that the Boston Public Library has nothing in place to prevent children from Net-surfing into pornographic sites. The librarians pointed out that recent jurisprudence indicated that censoring materials in public libraries infringes on children's First Amendment rights. Within a day of the mayor's order to install CyberPatrol Web filtering software on 200 computers at Public Libraries across the city, the American Civil Liberties Union and the Office for International Freedom at the American Library Association protested the censorship.

Category 1C Identity, impersonation, spoofing 1997-04-08 child pornography FBI sting Net chat AP FBI Director Louis Freeh, speaking before a Senate panel, described the Bureau's attempts to protect children in cyberspace. The "Crimes Against Children" initiative includes a program in which undercover agents monitor chat lines where pedophiles have taken to impersonating children; the agents turn the tables on the victimizers and have been responsible for 91 arrests and 83 felony convictions since 1993.

Category 1C Identity, impersonation, spoofing 1997-05-27 child pornography international law treaties Reuters The 29 nations of the OECD agreed to harmonize national laws covering the distribution of child pornography through the Internet. The doctrine of dual criminality requires an act to be a crime in both jurisdictions for extradition to be legal, so this move could herald a more effective international response to the problem of child sexual abuse inherent in child pornography.

Category 1C Identity, impersonation, spoofing 1997-06-09 Internet pedophiles UPI Richard Romero went to trial in June, accused of tricking a 13-year-old boy into leaving his Chicago home for a tryst in Florida. The events allegedly took place in 1996, when Romero is accused of having befriended the child through the Net by pretending to be a 15-year-old boy. The abducted boy's mother luckily found details of the meeting place after the child had left home and police were able to track the pair with the help of a taxi driver who remembered them.

Category 1C Identity, impersonation, spoofing 1997-06-30 child pornography library censorship AP A library user was arrested for downloading images of nude boys onto floppy disks at the Lakewood Public Library in Ohio. Library staff reported James R. Thomas of Strongsville, OH to police and undercover agents watched him as he viewed and copied similar images. Thomas was banned from the library; however, library staff will continue to allow patrons to access the Internet from public terminals. In some libraries, Internet terminals have been placed in highly public areas where librarians can keep an eye on the screens.

Category 1C Identity, impersonation, spoofing 1997-07-02 child pornography chat rape AOL UPI Several police operations successfully captured pedophiles after hundreds of creeps sent sexual innuendos to a virtual girl. One was caught in Concord, CA as he prepared to enter a motel armed with condoms and a bag of Nordstrom lingerie. In another sting, police captured a homosexual pedophile in Washington, DC when he attempted to meet a virtual 13-year-old boy he had attempted to seduce via chat line.


Category 1C Identity, impersonation, spoofing 1997-07-11 child pornography Internet AP Fox Meadow School students and staff in Scarsdale, NY were shocked to find their well-liked teacher, Robert M. Nebens, charged with interstate transportation of child pornography and interstate travel with the purpose of engaging in sex with a person under 18. FBI Special Agent Anne Figueiras posed as a thirteen-year-old boy to trap the accused pedophile into arranging a meeting in Florida via the AOL online chatroom "Barely Legal: Male-for-Male." Other children may also have been abused by Nebens, according to the FBI.

Category 1C Identity, impersonation, spoofing 1997-07-17 hackers child pornography infowar Computer Weekly Hacker Christian Valor declared infowar on child pornographers in mid-July. His manifesto explained that he had scoffed at claims that the Net is being used by pornographers until he was made physically ill by anonymous child porn sent to him by e-mail. He appealed to hackers to join him in a cyber-vendetta against makers and purveyors of such images and claimed that law enforcement authorities would ignore the violations of law that such a campaign would entail.

Category 1C Identity, impersonation, spoofing 1997-07-18 Internet seduction child abuse AP A 22-year-old Senior Airman from Offutt AFB (NE), Brooker Maltais, pleaded guilty to statutory rape and sodomy of a 14-year-old Rochester NY girl he met via Internet chat and who ran away from home to be with him while he was absent without leave. He was sentenced to four years in military prison and a bad-conduct discharge.

Category 1C Identity, impersonation, spoofing 1997-07-25 Internet seduction UPI Two 15-year-old Bronx (NY) girls ran away in July with a 19-year-old man they met over the Internet. The three were captured by police in Orlando, FL; information the children left on their computers helped police track them down.

Category 1C Identity, impersonation, spoofing 1997-07-25 child pornography Internet PA News Graham Fitchie, a computer system manager in Merstham, Surrey, was convicted of trafficking in child pornography and was sentenced to three years in prison. He was a member of a ring of about 20 pedophiles around the world who traded such material; police found 20,000 obscene pictures in his home — the largest seizure of child porn in Britain to date. The evidence is being shared with other police forces in Britain and internationally.

Category 1C Identity, impersonation, spoofing 1997-07-28 pornography filtering censorship children hackers passwords Newsbytes Reports surfaced in late July that Web sites catering to seekers of pornography include thousands of user IDs and passwords for entering restricted porn catalogues. Some sites include instructions for bypassing Net-filtering software. Details of how to reach these filter-busting sites are widely circulated on IRC channels. Ironically, the people fighting hardest to shut down the password sites are the pornographers themselves, upset because they are losing potential revenue.

Category 1C Identity, impersonation, spoofing 1997-07-30 child pornography Reuters Spanish police in Barcelona arrested 12 people accused of participating in a network of pedophiles. They seized a large mass of child pornography, some of it distributed through the Internet, and found evidence that the adults were also involved in prostituting children.


Category 1C Identity, impersonation, spoofing 1997-08-01 Internet gambling RISKS 19 27 Peter G. Neumann commented cogently on the RISKS of Internet-based gambling: "The risks include bogus virtual casinos whose payoffs turn out to be more virtual than real, semi-legitimate casinos working credit-card scams on the side, glorious opportunities for money laundering, serious gambling debts accumulated in your name by a masquerader, spawning of serious undetected addictive behavior that might otherwise be observed (on the Internet no one knows you are a gambler, except for the casino), your 9-year-old gambling with your credit card — especially if your browser automagically inserts your credit information — and so on into the night. As a second-order effect, massive illegal activities could also lead to attempted restrictions on the good system security and cryptography necessary to conduct legitimate Internet commerce. In any event, whether or not you bet on the Net, don't bet on the Net being adequately secure! You are already gambling with the weaknesses in our computer-communication infrastructures, but NetBet could raise the ante considerably. Caveat aleator."

Category 1C Identity, impersonation, spoofing 1997-08-07 pedophiles Internet Reuters In Munich, two Internet users were put on trial for offering to sell young Czech girls as slaves for sadism and murder. The accused claim that they were just joking. However, police found a torture chamber in the couple's home.

Category 1C Identity, impersonation, spoofing 1997-08-09 Internet bomb children UPI Two Long Island teenagers blew themselves up by following an Internet recipe and running with a bottle full of explosives. The blame, no doubt, would rest on the Internet and not on their own stupidity.

Category 1C Identity, impersonation, spoofing 1997-08-14 child pornography ISP privacy AP A 21-year-old man in Loveland, CO was arrested after his ISP reported him to local police when staff members discovered child pornography downloads through his account. The case raised questions of privacy and the role and responsibilities of ISPs. Dave Banisar of the Electronic Privacy Information Center pointed out that most ISPs prefer to take a hands-off approach to what their customers are doing.

Category 1C Identity, impersonation, spoofing 1997-08-15 Internet addiction EDUPAGE, AP Kimberly S. Young, a clinical psychologist at U. Pittsburgh, reported that those at risk for "Internet addiction" are likely to gravitate to chat rooms and MUDs. She has been called into cases of divorce caused by Net addiction.

Category 1C Identity, impersonation, spoofing 1997-08-17 child pornography ISP privacy EDUPAGE When ISP staff investigating a Colorado customer's account ran across evidence of traffic in child pornography, they informed police and the man was arrested. Possession of child pornography is a misdemeanor; creation and distribution is a felony. The incident created a stir in privacy circles because ISPs normally avoid prying into customers' activities, much as common carriers take no responsibility for the content of phone calls and fax transmissions.

Category 1C Identity, impersonation, spoofing 1997-08-26 child porn FBI sting Internet AP Swiss residents John and Buntham Grabenstetter were arrested in Buffalo, NY after allegedly trying to sell child pornography to FBI agents posing as pornography merchants. The accused apparently offered the smut for sale via the Internet.


Category 1C Identity, impersonation, spoofing 1997-09-05 pornography Internet child Reuters A 24-year-old Polish man was convicted for spreading pornography via the Internet in Poland's first such case. He received a nine-month prison term suspended for three years contingent on good behavior.

Category 1C Identity, impersonation, spoofing 1997-09-22 pornography Reuters A poorly designed survey in Britain sponsored by Novell revealed that one male worker in four among the respondents (the Reuters story failed to mention sample size, but everybody knows that size doesn't matter. . . ) knew someone at work who used the Internet to access pornography or other anti-social materials during working hours. Unfortunately, since several people may be aware of the same person's behavior, this provides only an upper bound on the number of pornophiles at work.

Category 1C Identity, impersonation, spoofing 1997-09-30 child pornography law enforcement sting AP, EDUPAGE A joint federal and New York State initiative captured more than 1,500 people involved in child pornography through the Internet. AOL cooperated in the sting operations, called Rip Cord because some of the images so enraged investigators that one yanked a computer cord out of the wall socket. The operation may have caught some big fish in Buffalo, NY — John and Buntham Grabenstetter of Switzerland, accused of being the masterminds of an international child pornography ring.

Category 1C Identity, impersonation, spoofing 1997-10-01 police cybercrime Internet fraud criminal OTC New York State set up a cybercrime tip line for sending information directly to the NY Internet Unit established to fight fraud, pedophilia, and any other illegal activities involving the Net. See for details of the operation. Try to supply information on electronic wrong-doing in the Empire State.

Category 1C Identity, impersonation, spoofing 1997-11-06 censorship appropriate use library civil liberties EDUPAGE, NY Times In Loudoun, VA, the Library Board decided that adults would have to request permission from a librarian to use the uncensored Internet. Youngsters less than 17 years old would not be permitted to surf the unfiltered Net without a parent or guardian physically present. The ACLU immediately protested the policy. Defenders of the filtering/censorship policy argued that allowing unfettered access to the filth-drenched Net would constitute a hostile work environment for employees.

1C1 Impersonation

Category 1C1 Impersonation 1997-01-08 fraud impersonation AP In New York, local police arrested 51 stockbrokers who allegedly paid to have two other stockbrokers take their qualifying exams in their place. The ringers charged up to $5,000 per exam. Luckily, an alert exam monitor noticed the same person showing up under different names. The National Association of Securities Dealers now requires fingerprinting and videotaping of all candidates. Samuel Maul, AP Writer, reports that the 53 people "were charged with forgery and criminal possession of forged instruments, which each carry a maximum penalty of seven years in prison, and falsifying business records and filing a false instrument, with penalties of up to four years in prison."

1D Law Enforcement & Forensics (technology, organizations, proposals, litigation, rulings, judgements)

Category 1D Law Enforcement & Forensics (technology, organizations, proposals, litigation, rulings, judgements) 1997-04-07 identity theft RISKS 19 5 The San Francisco Chronicle published a detailed article by Ramon G. McLeod on theft of identity. The author discussed several cases of identity theft and provided telephone numbers for several organizations and law enforcement agencies to whom victims could turn for (various degrees of) help. See .

Category 1D Law Enforcement & Forensics (technology, organizations, proposals, litigation, rulings, judgements) 1997-08-07 identity collision theft SSN RISKS 19 28 In August, Antonio Picazo Mendoza Jr. of Stockton, CA, was taken to a local hospital after being beaten and robbed. When his first and last names, birthday, and Social Security Number matched those of a convicted criminal, Antonio Blanco Mendoza, the victim was thrown in jail for 17 days. It was unknown whether this was a case of mistaken identity or deliberate theft of identity.

1D2 Technology for law enforcement

Category 1D2 Technology for law enforcement 1997-08-12 e-mail tracing warrant fugitive murder investigation law enforcement San Jose Mercury News The badly decomposed body of a pregnant 17-year-old girl was found in the apartment of 27-year-old Troy A. Mayo in Roseville, CA. Mayo disappeared. A month later, a relative reported receiving e-mail from the fugitive and police contacted Hotmail Corp., where the e-mail came from. Responding to the police warrant, Hotmail cooperated with the investigation and police were able to locate the specific terminal used for the e-mail at the University of California library in Berkeley. Mayo sent another e-mail from the same terminal four hours later and was captured after a brief struggle.

21.1 General QA failures

Category 21.1 General QA failures 1997-01-08 QA quality assurance PA News A major stock brokerage in England faced million-pound claims for compensation after its new computer software generated a tide of errors. The errors sparked so many queries that the staff began falling behind in providing responses, leading to an avalanche of customer complaints. The company even had to stop taking on new business.

Category 21.1 General QA failures 1997-01-10 QA RISKS 18 75 In Finland, a software error caused the automobile registration system to send out 11,000 erroneous letters threatening to de-register cars because they were supposedly out of use. The embarrassed agency had to send out 11,000 letters of apology.

Category 21.1 General QA failures 1997-01-13 QA quality assurance ticket verification operator error RISKS 18 76 You might want to hang on to those "old-fashioned" paper tickets for a while. In a case posted to RISKS in January 1997, Robin Burke reports that his wife was informed that her electronic ticket had been used the week before her confirming phone call. It took several phone calls to prove that she was not trying to defraud the airline. It appears that a data entry operator had incorrectly brought up the wife's record and marked it "used" without noticing the mismatch.

21.2 Security product QA failures

Category 21.2 Security product QA failures 1997-01-16 QA AP Flintstones viewers in Springfield, MO were startled in mid-January when the Playboy Channel was patched into the Cartoon Channel for several minutes at mid-day while the audio remained in the stone age. At least one concerned mother complained to the cable-TV provider.

Category 21.2 Security product QA failures 1997-01-17 QA RISKS 18 77 In Springfield, MO, a cable-TV station inadvertently broadcast the Playboy Channel video along with the Flintstones audio track on the Cartoon Network, much to the surprise and possibly puzzlement of the kiddies who had stayed home because of bad weather that day.

Category 21.2 Security product QA failures 1997-01-19 phone fraud QA PA News In England, British Telecom installed 5,000 new pay-phones (adding to a total of 135,000) that were equipped for pre-paid phone cards. Unfortunately, software errors allowed an unspecified technique to be used to make expensive long-distance calls and calls to cellular phones without paying anything. The error was discovered five months after the phones were installed. Losses are unknown but estimated to be in the millions of pounds of lost revenue and obligatory payments to international interexchange carriers. In February, British Telecom assured pay-phone owners that they would not be charged for the fraudulent calls.

Category 21.2 Security product QA failures 1997-01-21 QA RISKS 18 78 Older Apollo workstations, now sold and supported by HP, will fail at 14:59 GMT on November 2, 1997, when the high bit of the Domain/OS system clock will be set. Patches are available only for newer releases of the operating system.

Category 21.2 Security product QA failures 1997-01-23 QA RISKS 18 79 A software error gave some investors at Schwab (a big brokerage) cause for alarm when Telebroker, an automated phone response system, gave some callers the impression that they had gone broke by ignoring several important mutual funds in tallying net worth. The error lasted more than a day.

Category 21.2 Security product QA failures 1997-02-02 QA EDUPAGE An Assistant Commissioner of the Internal Revenue Service has conceded to a panel created by Congress that a $4-billion computer systems modernization project has failed, that IRS computers "do not work in the real world," and that the agency is incapable of bringing its computer capabilities up to the right level because it lacks the "intellectual capital" for the job. He proposed contracting out the processing of paper returns filed by individuals and abandoning a "big bang" approach to systems modernization in favor of an incremental, piecemeal one. Though characterizing the systems as "dysfunctional," the administrator told the panel that the IRS "is wholly dependent on them." (New York Times 31 Jan 97)


Category 21.2 Security product QA failures 1997-02-04 QA Human factors RISKS 18 81 The security feature of Ford car radios can easily be subverted by employees who don't understand the purpose of the system. In a case reported to RISKS in February, Paddy Spencer describes how he got his radio code reset with no questions asked — and then had the code helpfully written on a company-supplied label stuck to the side of the radio.

Category 21.2 Security product QA failures 1997-02-08 QA PA News The British National Lottery experienced a software failure that prevented identification of the winners of the nine-million pound jackpot.

Category 21.2 Security product QA failures 1997-02-20 QA RISKS 18 83 Several dozen Massachusetts residents received multiple copies of their new driver's license in mid-February. The software glitch was identified and repaired quickly.

Category 21.2 Security product QA failures 1997-03-06 QA Explorer EDUPAGE Microsoft responded to flaws in Internet Explorer security by developing and posting patches within a week.

Category 21.2 Security product QA failures 1997-03-07 Explorer QA RISKS 18 88 More Internet Explorer security holes have been discovered. Eliashim showed that "hostile links" can be embedded in newsgroup messages or in messages received by Internet Mail as shortcuts. A group of University of Maryland students demonstrated that a newly-discovered bug could let a hacker remotely break into a user's computer or install viruses onto the system.

Category 21.2 Security product QA failures 1997-03-07 QA RISKS 18 88 Intuit Inc. sent a letter to its MacInTax users in early March detailing a potential pitfall for electronic filers. Users who fail to save their documents before filing them electronically may receive word from the IRS of an incomplete filing. Intuit Vice President Larry Wolfe said the problem is "absolutely covered" under Intuit's general product guarantee. "If a customer has filed an incomplete electronic return with MacInTax, Intuit will pay the penalty plus any interest assessed by the IRS," he said.

Category 21.2 Security product QA failures 1997-03-07 QA infowar RISKS 18 88 After a bombing in the Basque region of northern Spain, two groups of secret policemen fired at each other when, due to unknown factors, their computers were unable to obtain any information about each other's cars. They assumed that the armed men they were confronting were terrorists and started shooting at each other.

Category 21.2 Security product QA failures 1997-03-13 QA RISKS 18 90 MS-Office 97 internal formats are different from Office-95, causing problems for third-party utilities such as anti-virus scanners. Microsoft eventually provided utilities for older versions of its products to read files saved by newer versions.


Category 21.2 Security product QA failures 1997-03-20 QA computers cannot lie RISKS 18 92 Bank of America in Santa Rosa, CA insisted that a $37,000 deposit must be correct even though honest clients insisted they handed in only $3,700.

Category 21.2 Security product QA failures 1997-03-24 QA RISKS 18 93 A Lubbock County, Texas, county computer program has thoroughly scrambled people and crimes; e.g., labeling people fined for not wearing seat belts as accused child molesters. Computer consultants insist that the criminal record "has complete data integrity."

Category 21.2 Security product QA failures 1997-03-27 QA RISKS 18 94 The bank clearing system in the UK failed in the last week of March, leaving many people without credit for their salary. Coming just before the four-day Easter break, this problem left many people in difficulty over the long weekend.

Category 21.2 Security product QA failures 1997-03-29 QA Seattle Post-Intelligencer Sandoz Pharmaceutical Corp's automated check system cut a refund for $1.99 using the ZIP code as the amount: 98002. Barry Lyn Stoller stupidly cashed the check and disappeared with the $98,002. He was found in March 1997, apparently derelict, and arrested for theft. In May, he pleaded guilty to theft. Moral: don't think that accounting errors can legitimately contribute money to your lifestyle.

Category 21.2 Security product QA failures 1997-03-31 QA model RISKS 18 96 The Bank of Tokyo-Mitsubishi Bank Ltd. lost $83M because of a bad computer model; National Westminster Bank PLC lost $139M in a similar failure due to bad parameters in a financial model. These cases support the view that too many amateurs are creating complex mathematical models using easy-to-use spreadsheets and other tools but failing to create test suites that would point to problems in assumptions and initial values.

Category 21.2 Security product QA failures 1997-04-17 QA storage capacity RISKS, PA News 19 9 Saturation of MSN's server disk drives led to a two-day shutdown of the entire MSN e-mail system, preventing 2.5 million people from receiving their mail from MSN (and an unknown percentage with access only to MSN from sending e-mail). Of course, any of the affected people could have signed up to AOL for a practically unlimited time just by using one after another of the millions of AOL "FREE" diskettes we have all received. Tell me: has anyone bothered to buy any diskettes lately or are we all using reformatted AOL disks?

Category 21.2 Security product QA failures 1997-04-17 QA RISKS 19 9 Another victim of the infamous Bre-X fraud was the Toronto Stock Exchange, where unprecedented volume of trading in the stock resulted in buffer overflows and multiple system crashes because of two 20-year-old bugs that had gone unnoticed. Moral: remember to include volume and stress tests in your quality assurance suites.

Category 21.2 Security product QA failures 1997-04-28 QA RISKS 19 11 The Microsoft spell-check software that comes with Office 95 suggests an interesting correction for the string "zzzz." It recommends "sex."

Category 21.2 Security product QA failures 1997-05-02 DNS denial of service QA internet domain names RISKS 19 12 When MAI Network Services of McLean, VA provided Internet backbone operators with incorrect routing tables on 97.04.23, large portions of the Internet went dead for 20 minutes to three hours. The corrupt tables also flooded MAI servers and, by inadvertence, an innocent ISP as well, FL Internet Exchange.

Category 21.2 Security product QA failures 1997-05-09 QA Pentium hardware RISKS 19 13 According to an article in an electrical engineering journal, some cheap Pentium motherboards will fail quickly because of the poor quality and insufficient number of capacitors used to smooth out the power to the CPU chip. Spikes delivered to the processor could account for mysterious lockups and erratic behavior.

Category 21.2 Security product QA failures 1997-05-09 privacy database QA RISKS 19 14 The Kansas Sex-Offender Database that was published on the Web in May is full of egregious and irresponsible errors. In one county, 14 of the 16 addresses listed as residences of convicted sex offenders were wrong. The sex offenders had moved. No one bothered to check the correctness of the addresses listed, with the result that innocent people were already being harassed for being on the list. Makes you wish one of the bureaucrats responsible for the list had rented a dwelling where a pervert used to live. . . .

Category 21.2 Security product QA failures 1997-05-09 QA crypto RISKS 19 13 A bank decided to make mutual fund information available to its customers on a Web site. To secure access to a member's portfolio, the SSL code generated a unique 40-bit session key for each session. Unfortunately, the session key was foolishly constructed using the IP address as part of the value. When many employees from a single Internet site visited their portfolio, they ended up forcing the session keys to recycle within 40 minutes, resulting in access to an earlier inquirer's portfolio when an innocent later inquirer visited the site. Moral: don't make assumptions about sources of randomness and uniqueness. Birthdays are not unique. IP addresses are not unique. People's full names are not unique. Cartesian products of variables that don't have mutually exclusive values are not unique.
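To make the moral concrete, here is an added illustration (not code from the bank or from the RISKS report) that models the flawed construction as an assumed 32-bit IPv4 address followed by one byte derived from the clock, which is 40 bits on paper; the shared proxy address, the spacing of requests and the hardened alternative are all assumptions for the demonstration.

```python
"""Why a 40-bit session key built from the client IP address is not unique.

Added example, not code from the RISKS report. The weak scheme below is a
hypothetical reconstruction of the described flaw: the key's first 32 bits
are the client's IPv4 address, so every visitor behind one corporate proxy
or NAT address shares them and only the trailing byte can vary.
"""
import ipaddress
import secrets
from typing import Iterable, List, Optional, Tuple

KEY_BYTES = 5  # 40-bit session key, as in the report


def weak_session_key(client_ip: str, seconds: int) -> bytes:
    """Hypothetical flawed construction: IPv4 address || low byte of a clock."""
    ip_part = int(ipaddress.IPv4Address(client_ip)).to_bytes(4, "big")
    return ip_part + bytes([seconds & 0xFF])


def strong_session_key() -> bytes:
    """Hardened form: every one of the 40 bits comes from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def effective_keyspace(distinct_client_ips: int) -> int:
    """Keys the weak scheme can actually issue to a population of clients.

    The nominal keyspace is 2**40, but clients behind `distinct_client_ips`
    addresses can only ever receive 256 different keys per address: the
    Cartesian product of a non-unique value and a tiny one is small.
    """
    return distinct_client_ips * 256


def first_reuse(keys: Iterable[bytes]) -> Optional[Tuple[int, int]]:
    """Return 1-based (earlier_session, later_session) of the first key reuse.

    This is the event that handed a later visitor an earlier visitor's
    portfolio. Returns None if every key was distinct.
    """
    seen = {}
    for idx, key in enumerate(keys, start=1):
        if key in seen:
            return seen[key], idx
        seen[key] = idx
    return None


def office_sessions(n: int, shared_ip: str = "192.0.2.10",
                    start_second: int = 0, spacing: int = 1) -> List[bytes]:
    """Constructed workload: n portfolio lookups from one company proxy
    address, one every `spacing` seconds (the 'many employees from a single
    Internet site' case in the report). 192.0.2.10 is a documentation address."""
    return [weak_session_key(shared_ip, start_second + i * spacing)
            for i in range(n)]


if __name__ == "__main__":
    print("nominal keyspace:", 2 ** (8 * KEY_BYTES))
    print("keyspace for one office address:", effective_keyspace(1))
    print("first reuse in 300 office sessions:", first_reuse(office_sessions(300)))
    print("first reuse in 2000 random keys:",
          first_reuse(strong_session_key() for _ in range(2000)))
```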

Category 21.2 Security product QA failures 1997-05-15 QA Pentium bug hardware RISKS 19 15 The floating-point arithmetic on Pentium II and Pentium Pro chips was reported as bad. See for details.

Category 21.2 Security product QA failures 1997-06-12 QA accounting RISKS 19 22 Jim Griffith summarized yet another huge accounting error: >CNNfn reports that a computer glitch at Smith Barney caused half a million customer accounts to be credited with $19 million each for a brief period Wednesday night. Company representatives claim that customers did not have access to the money, and that the balances were only visible to Smith Barney brokers and any customers who happened to look at their account balances via the Internet during the brief period that the problem existed. The problem was reportedly quickly noticed and fixed.

$19 million x 525,000 accounts = 9,975,000,000,000. That's $9.975 trillion, folks. Methinks someone misplaced the national debt by mistake...<

Category 21.2 Security product QA failures 1997-06-26 QA interface RISKS 19 23 Michael Passer reported that Ctrl-Enter, which normally introduces a page break in MS-Word 97 and other word-processing packages, is redefined without warning when using Word as the e-mail editor in MS-Outlook: it sends the e-mail message at once. Bad form: changing the meaning of common keystrokes _in the same program_ as a function of context is not cool, even when the keystroke redefinition is quietly noted on the File pull-down menu.

Category 21.2 Security product QA failures 1997-07-16 QA spreadsheets RISKS 19 24 Research on production spreadsheets reveals that in 300 files tested and in experiments with more than 1000 users, many spreadsheets contained serious errors. See for a table of findings of many independent studies showing cell-wise and sheet-wise error rates. For example, a study by ". . .Coopers and Lybrand in London. . . reported . . . that over 90% of all spreadsheets with more than 150 rows contained at least one significant formula mistake."

Category 21.2 Security product QA failures 1997-07-16 QA hardware calculation RISKS 19 24 A RISKS correspondent found that the newest revision of the DEC ALPHA motherboard has a defective pow() function. "Try 'pow(1.234567, 7.654321)'. If you don't get 5.017something, you have the same problem."

Category 21.2 Security product QA failures 1997-07-18 Internet availability disaster backhoe fiber AP, Newsbytes, Reuter, Independent On 1997.07.17 at 02:45 EDT, an operator at Network Solutions Inc. ignored alarms and released corrupted DNS table updates to the Net; as a result of the corruption, the entire .com and .net domains disappeared for half a day, disrupting e-mail and Web access worldwide in those sectors (mostly located in the United States and Canada). A few hours later, a backhoe operator sliced through a fiber-optic cable in Laurel, MD, near Washington, DC and shut down several phone trunks and elements of the Internet backbone, causing massive rerouting of Internet traffic and considerable congestion on the backup routes. The Net was back to normal by around 15:00 the same day. Members of the London Internet Exchange (LINX) complained about what they described as inadequate accountability at Network Solutions.

Category 21.2 Security product QA failures 1997-07-18 DNS QA RISKS 19 25 On 97.07.17, reported Daniel Pouzzner, the .com and .net domains disappeared from the DNS due to propagation of corrupt nameserver databases. Peter G. Neumann added, "[The problem apparently began around 11:30pm 16 Jul EDT, during the autogeneration of the NSI top-level domain zone files, and resulted from the failure of a program converting Ingres data into the DNS tables, corrupting the .COM and .NET files. Quality-assurance alarms were evidently ignored and the corrupted files were released at 2:30am EDT — with widespread effects. Other servers copied the corrupted files from the NSI version. Corrected files were issued four hours later, although there were still some lingering problems. . . .]"

Category 21.2 Security product QA failures 1997-07-26 QA satellite porn RISKS 19 26 When a France Telecom operator inadvertently beamed 20 minutes of hard-core pornography into Saudi Arabia instead of general news, the scandal resulted in cancellation of the Saudi government's contract with the French service and a diplomatic flap whose repercussions lasted for weeks.

Category 21.2 Security product QA failures 1997-08-19 QA harassment RISKS 19 31 According to reports from Britain, people are being harassed by auto-dialers on various machines such as vending machines, oil tanks, and even public toilets. The problem is that a single mis-typed phone number in the programming can cause hundreds of calls to innocent victims who cannot respond, don't know where the call is originating, and can't shut the calls off. About 8,000 people a month report such nuisance phone calls.

Category 21.2 Security product QA failures 1997-08-27 PGP virtual memory pass phrase cache superzap QA quality assurance C|NET http://www.news.com/News/Item/0,4,13853,00.html Australian Christopher Drake discovered that under Windows95, PGP 5.0 allows its passphrase to be stored in virtual memory. It is possible to recover the passphrase from at least five places on disk. The workaround: enable password caching with a small delay (e.g., a second).

Category 21.2 Security product QA failures 1997-08-29 Netscape bug JavaScript Newsbytes Netscape confirmed that Andre dos Santos of University of California at Santa Barbara correctly identified a problem with JavaScript in Navigator 4.01a and 4.02. Until the patches were installed, a user opening a second window at a rogue site might transmit confidential information through an insecure link.

Category 21.2 Security product QA failures 1997-09-13 QA browsers San Jose Mercury News Netscape technicians were embarrassed to find that their newly-enhanced Web site was a mess when viewed with the intended browsers: the latest versions of their own Communicator and Navigator software. Fancy features caused strings of error messages and did not work properly. Another investigation is being initiated to find out why it took the company a week to discover the blunder after it put up the defective pages.

Category 21.2 Security product QA failures 1997-09-17 telco QA area code RISKS 19 38 A bug in the new software for DMS-100 central switches caused billing errors for 167,000 Californians who were billed for long distance calls instead of for local calls. The buggy software got confused by multi-area-code local calling areas.

Category 21.2 Security product QA failures 1997-09-17 telecommunications denial of service disaster QA RISKS 19 39, 40 When a technician uploaded the wrong Routing and Translation tables to an AT&T SS7 switch, the entire 800-number service of AT&T went down for 90 minutes on 97.09.03. Robert Perillo, writing in RISKS, said that such tables should be verified offline before being installed; that an expert system should validate the tables; and that quality assurance requires pre-testing before installation on the production systems.

Category 21.2 Security product QA failures 1997-09-17 QA RISKS 19 39 Lauren Weinstein, editor of the Privacy Forum, noted a dangerous problem with the widely-used Quicken / Checkfree system for paperless banking. Seems that if a user forgets to update banking records before the (typically) 45-day period after which many banks delete online records of customer transactions, the program has no indication that the records have been removed. So from the point of the next (late) update, all the banking statements spit out by the Quicken / Checkfree programs are wrong. Moral: (1) Update your Quicken / Checkfree records frequently; (2) periodically verify your electronic statements against your paper statements.

Category 21.2 Security product QA failures 1997-09-21 QA RISKS 19 39 After Microsoft and PBS announced their collaboration to create Barney dolls that would interact with children under the instructions of an "ActiMates" transceiver synchronized with a new TV show, I suggested that there might be spinoffs: I can see it now: a new genre of horror movie in which animated figures controlled by TV shows take on a sinister glamour and throttle, eviscerate and otherwise harm infants while under the control of the TV set. This development will rejuvenate the Evil Dummy theme and give succor to all the mind-control freaks who already think that TV is a nefarious plot to damage the collective intelligence of the human race.

Come to think of it, they may have a point.

On a more practical note, think about the damage caused by dolls that ate their little owners' hair — and then think about _computer-controlled_ dolls — and then think about _hacked_ computer-control programs for little robots being cuddled by infants. Be afraid. Be very afraid.

Mua-ha-ha-ha. . . . [add reverb effect]

Category 21.2 Security product QA failures 1997-10-01 QA RISKS 19 40 In Britain, over 800 students who had been accepted by universities were informed that they had lost their places because of "computer errors" in transmitting their A-level exam scores. Other students (number unknown) may have been initially refused because of the false scores sent to universities.

Category 21.2 Security product QA failures 1997-10-17 QA RISKS 19 41 Bad Corsican drivers have not been charged with driving offences in Paris since 1990 because the Paris computer system rejected their postal code. The anomaly was detected only after manual verification of the records.

Category 21.2 Security product QA failures 1997-11-11 QA hardware chips RISKS 19 45 Pentium and Pentium MMX chips were discovered to be susceptible to assembly-code that could halt them with a single instruction. Combined with an Internet Explorer flaw, it would be possible to append the fatal machine code to an excessively long URL to cause a Windows95 system to halt simply by attempting to link to a dangerous URL.

Category 21.2 Security product QA failures 1997-12-11 QA spelling checker RISKS 19 50 Martin Bonner, writing in RISKS, contributed this case: >Cambridge City Council (England) wrote to a number of residents. Being careful people, they spell-checked the letter before sending it. The problem was that the spell checker couldn't see anything wrong with a letter that began "Dear Sir or Madman...".<

22.1 DoS attacks

Category 22.1 DoS attacks 1997-01-15 spam flooding denial of service IRC DoS Business Wire The self-named "Reverend White," dedicated to making "America straighter and whiter," launched denial-of-service and harassment attacks against the widely-used Internet Relay Chat (IRC) channels called the Undernet. "White" and his cronies emitted forged racist and homophobic hate e-mail, overloaded IRC channels and issued threats against users.

Category 22.1 DoS attacks 1997-01-20 Spam denial of service DoS RISKS 18 79 Well-known computer scientist and writer Simson Garfinkel's ISP, VineyardNET, was hijacked by CV Communications on 13 Jan 97. The rogue spammers connected directly to the ISP's SMTP server and sent out 66,000 advertisements for — what cheek — spamming services. Most victims of the spammer were subscribers of CompuServe and AOL. Garfinkel tuned his firewall to reject further input from the rogue to prevent any further abuse and adjusted his two-stage mail delivery software to delete all the junk e-mail already on his system.

Category 22.1 DoS attacks 1997-06-16 hacker anti-spam vandalism information warfare hacktivism CNET http://www.news.com/News/Item/0,4,11535,00.html One or more unknowns calling it/themselves "Bluelister" began attacking critics of unsolicited commercial e-mail by sending large amounts of junk e-mail with forged headers from the host sites where such critics have their e-mail addresses. The resulting floods of messages from outraged recipients, unaware that they are falling into the trap laid by the miscreant(s), frequently bring the ISPs or Web sites down. In addition, at least one case of Web site vandalism was attributed to Bluelister: the NetHomes Web-hosting service went down as a result. An unconfirmed message to some NetHomes subscribers, according to Jeff Pelline of CNET, said "The person allegedly responsible for this is the 'Bluelister,' a hacker who reportedly vandalized the NetHomes system and, according to hacked.net and many Internet sources, has perpetrated many other Internet crimes including harassment, mailbombing, etc."

Category 22.1 DoS attacks 1997-09-02 hacker SYN flooding PING flood ISP denial of service Australian Unknown hackers assailed the Zip Internet ISP in Sydney, Australia using SYN-flooding and PING flooding. The system was unusable during the worst floods, which are thought to be from local assailants. The ISP was working with federal police in an effort to catch the malefactors. Zip and its backbone provider, Connect.com, instituted blocking measures to stem the tide of fraudulent packets.

22.4 Accidental availability disruptions

Category 22.4 Accidental availability disruptions 1997-01-09 QA quality assurance loop positive feedback Reuters; RISKS 18 75 When an operator keyed a special code into the SkyTel control system, it caused a half-hour beeping chorus that rang 100,000 beepers with up to 25 erroneous calls each. Seems the technician assigned a PIN to a new customer that was actually a secret code used to broadcast news headlines to those 100,000 beepers. So when the customer used the new PIN, it appeared on all the beepers in question — and many of their users promptly called back SkyTel and entered the PIN, causing ever-increasing waves of beeping. The problem was particularly irritating for West Coast residents, since the beeping chorus started at 8:16 am Eastern time, which translated to 5:16 am on the Pacific coast.

Category 22.4 Accidental availability disruptions 1997-01-10 availability ISP AP Flat-rate charges for Internet access will eventually be eliminated, said industry watchers in January. ISPs begin to lose money once their $20/month users reach about 11 hours a month online. As major ISPs such as AOL struggle with the consequences of decoupling usage from cost of usage, niche markets have opened for ISPs charging premium rates but guaranteeing more than busy signals.

Category 22.4 Accidental availability disruptions 1997-01-12 QA quality assurance availability loop positive feedback EDUPAGE A technical glitch on Thursday the 9th of January 1997 caused the SkyTel paging network to send erroneous call-me-back messages to more than 100,000 customers. The problem was exacerbated when some diligent subscribers returned the call and left their phone numbers so that whoever had beeped them could call back. The result was a 26-minute major phone traffic jam as thousands of other SkyTel customers then called those numbers. Apparently, the whole mess started when a customer desiring a new PIN (personal identification number) was mistakenly assigned one linked to a secret code that the company uses to beam Dow Jones News Service information out to 100,000 customers. The PIN, a seven-digit number that looked like a phone number, was zapped to the Dow Jones subscribers, many of whom then tried to dial it as a local call. Others recognized it as a PIN, and called SkyTel to retrieve the "caller's" number, jamming the lines there. "One frequency of our one-way nationwide network experienced an anomaly in the database that caused customers to be paged erroneously," says a spokesman for SkyTel's parent company, MTel, which has apologized for the snafu. (Wall Street Journal 10 Jan 97 A1)

Category 22.4 Accidental availability disruptions 1997-01-12 availability ISP EDUPAGE IBM responded to e-mail delivery problems on its top-ranked Internet Connection by quadrupling its capacity.

Category 22.4 Accidental availability disruptions 1997-01-16 availability telecommunications ISP EDUPAGE Nortel offered LECs and IECs the opportunity to shift Internet data from congested voice networks to the carriers' data networks.

Category 22.4 Accidental availability disruptions 1997-01-17 availability AOL AP By January, AOL's incredibly stupid decision to offer unlimited access for a flat fee of $19.95 had resulted in endless waits because selfish people stayed online for hours — even running special programs to prevent the network from logging them off for inactivity. Furious customers faced endless busy signals; people depending on the network for important e-mail and other services were cut off from the resources they had come to depend on. Many customers launched lawsuits; several state attorneys general launched investigations of possible commercial fraud and misrepresentation. This is an example of the Tragedy of the Commons described by Garrett Hardin twenty years ago; in that case, he described the destruction of English village commons where people could graze their sheep at no cost. Population growth resulted in a perceived economic advantage in the short term by putting as many sheep as possible on the commons even though the animals destroyed the resource. Similarly, AOL violated a prime principle of the market by providing unlimited access to a limited resource without a feedback mechanism to ensure that users would act responsibly. By the last week in January, AOL had agreed in principle to refund fees to anyone affected by the snafu — potentially millions of people.

Category 22.4 Accidental availability disruptions 1997-01-19 availability ISP EDUPAGE AOL's promised expansion would increase its capacity from 10 million to 16 million sessions a day, at a cost of $400M.

Category 22.4 Accidental availability disruptions 1997-01-21 AOL denial of service DoS AP An unfortunate resident of Cleveland has been kept awake by AOL users who mis-key the service's access number, which is one digit away from his home phone number. Royal Anderson has received over 100 calls a night, with the problem intensifying ever since AOL announced unlimited access for a flat fee.

Category 22.4 Accidental availability disruptions 1997-01-23 AOL availability UPI Three residents of Ohio asked for a class-action suit for damages against AOL because, they claim, AOL offered unlimited access to the Internet but cannot provide it. AOL said it was spending $350 million to build up its network.

Category 22.4 Accidental availability disruptions 1997-01-23 AOL lawsuit availability UPI Twenty state attorneys general discussed AOL's failure to live up to its claims of unlimited access.

Category 22.4 Accidental availability disruptions 1997-01-23 availability telecommunications EDUPAGE According to the Internet Access Coalition, the telcos' whining about congestion on the voice network is due to the antiquated public switched telephone system, which depends on establishing continuous circuits for data transmission. Instead, said the experts, the phone companies should invest in packet-switching to maximize efficiency of the network. The telcos retorted that with an expected 70-fold increase in data traffic from 1987 to 2001, "Someone has to pay for that usage, the subsequent wear and tear on the network, and the new equipment additions necessitated by this rapid growth."

Category 22.4 Accidental availability disruptions 1997-01-23 availability AP The FCC began hearings on how to reduce bandwidth saturation of the Internet resulting in part from AOL and other ISP's decisions to offer unlimited access for a flat fee. LECs and IECs have complained that the ISPs are abusing the public switched telephone network.

Category 22.4 Accidental availability disruptions 1997-01-25 AOL availability lawsuits AP NY's attorney general threatened to join the army of other states in suing AOL for commercial fraud unless the company stops promising unlimited access that it cannot supply. Meanwhile, CompuServe broadcast an advertisement during the Superbowl showing 15 seconds of a blank screen accompanied by the sound of a busy signal.

Category 22.4 Accidental availability disruptions 1997-02-02 availability ISP EDUPAGE Some infuriated customers of AOL are claimed to be planning class-action suits for recovery of consequential damages following a series of service outages by the giant ISP. However, AOL Terms of Service contracts specifically exclude liability for such damage.

Category 22.4 Accidental availability disruptions 1997-02-06 Availability ISP AOL RISKS 18 81 AOL's spectacular misjudgment in allowing unlimited access without extra charges — and resulting gridlock when some users left their modems hooked up to the ISP 24 hours a day — resulted in an embarrassing climb-down in late January. AOL had to impose a 45-minute limit on all sessions. Anyone trying to stay on-line longer than that was unceremoniously kicked off the system until their next logon.

Category 22.4 Accidental availability disruptions 1997-02-06 availability ISP QA EDUPAGE EDUPAGE reported: >America Online subscribers trying to log on during a two-hour period early Wednesday evening [5 Feb] experienced what a company spokesman called a "hiccup" which gave them the message: "The system is temporarily unavailable. Please try again in 15 minutes." The system malfunction was apparently caused by the installation of a software upgrade. (Atlanta Journal-Constitution 6 Feb 97)<

Category 22.4 Accidental availability disruptions 1997-02-06 AOL availability AP, UPI AOL suffered yet another outage for 2.5 hours on 97.02.05 when technicians upgraded its software starting at 17:00 EST. The system was unavailable again later that night between 04:00 and 07:00 EST.

Category 22.4 Accidental availability disruptions 1997-02-13 Web cache RISKS 18 83 At Ontario Hydro, users noticed that they were accessing unexpected and unrequested Web pages; in one case, a user inadvertently brought up someone else's MBANX bank records. The puzzled user accused the owner of the MBANX records of using the finder's PC at night. However, investigation suggested that the server was not forcing users to stop caching forms transmitted under the SSL protocols.

Category 22.4 Accidental availability disruptions 1997-03-03 Explorer browser Web vulnerability AP, COMTEX, RISKS 18 85 Student Paul Greene of the Worcester Polytechnic Institute in Worcester, MA announced on his Web page that Microsoft's Internet Explorer 3.0 and 3.01 running under Windows95 (only) allow any Web page to include code for execution of any program on a client machine. Microsoft got its patch up within 48 hours.

A week later, Microsoft was hit with two more announcements of Explorer bugs. Version 4.0 was discovered to be susceptible to "hostile links" embedded in newsgroup messages or in e-mail, according to the anti-virus company Eliashim. Then University of Maryland students announced that Explorer version 3.01 would allow an intruder to install executables on a client system (e.g., to infect the victim's computer with viruses).

Category 22.4 Accidental availability disruptions 1997-03-17 Shockwave security e-mail RISKS 18 91 Browsers with the Shockwave multimedia plug-in from Macromedia allow a Web server to read e-mail files located on a client (browser's) workstation. A variation of the hole allows a server to access any Web site the client can reach, even if they are on secure intranets. For details, see .

Category 22.4 Accidental availability disruptions 1997-03-20 InterNIC denial of service RISKS 18 92 InterNIC lost papers for a company and shut down its DNS entry. Disaster without recovery; took 20 hours to get back online.

Category 22.4 Accidental availability disruptions 1997-03-22 disaster recovery evidence denial of service DoS RISKS 18 93 In Austria, court officials seized all computers and backup tapes at the offices of an ISP. As a result, 2,500 customers went off-line without warning. Austrian ISPs rallied to plan a 2-hour shut-down later in the month as a protest against this unprecedented denial of service.

Category 22.4 Accidental availability disruptions 1997-03-28 SSL browser vulnerability Web RISKS 18 95 ff Daniel Klein, a Pittsburgh security consultant, discovered a major hole in both Netscape Navigator and Microsoft Internet Explorer. It affects servers whose Web pages submit forms with the GET command instead of the POST command, even pages that use SSL to encrypt communications. The problem is that improperly written pages allow confidential information resident on the client side to be read by the server of the _next_ Web page loaded: "The information that Web user typed in securely suddenly gets transferred to the logs of the next machine, credit card numbers and all." This bug was confirmed independently by Eric Rescorla and explained in more detail by Anup K. Ghosh, PhD in RISKS 19.02 (97.04.02).
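An added example (not code from the RISKS report or from anyone named in it) showing the two halves of the problem: how a GET form puts the typed fields into the request URL that the browser then passes along with its next page load, and a defender-side check that scans a server's access log for such leaked values; the form fields, hostnames and log line are constructed for the demonstration.

```python
"""GET-vs-POST form leakage, as described in the RISKS report above.

Added example, not from the original page. Form field names, hostnames and
the log line are constructed. 1997-era browsers sent the full URL of the
previous page as the Referer header, so fields in a GET query string were
written to the next server's access log.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlsplit


def form_submission_url(action: str, method: str, fields: Dict[str, str]) -> str:
    """URL the browser requests when the form is submitted.

    With method=GET the fields become the query string of the page URL;
    with method=POST the URL stays clean and the fields travel in the body.
    """
    if method.upper() == "GET":
        return f"{action}?{urlencode(fields)}"
    return action


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to recognise values that look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Combined Log Format ends with two quoted fields: "referer" "user-agent".
_REFERER_RE = re.compile(r'"(?P<ref>[^"]*)" "[^"]*"\s*$')


def sensitive_params_in_referer(log_line: str) -> Dict[str, List[str]]:
    """Return query parameters in the Referer whose value is card-number-like.

    This is the check the *next* site's operator would run on its own logs:
    a hit means a previous site leaked form data through a GET submission.
    """
    m = _REFERER_RE.search(log_line)
    if not m:
        return {}
    flagged: Dict[str, List[str]] = {}
    for name, values in parse_qs(urlsplit(m.group("ref")).query).items():
        for value in values:
            digits = re.sub(r"\D", "", value)
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                flagged.setdefault(name, []).append(value)
    return flagged


# Constructed sample: a bank page (assumed name) that used a GET form, and
# the log line the next site would record. 4111111111111111 is the
# well-known test card number, so nothing real is embedded here.
ORDER_FORM_ACTION = "https://bank.example/order"
TYPED_FIELDS = {"name": "A Customer", "card": "4111111111111111", "exp": "12/99"}
SAMPLE_LOG_LINE = (
    '203.0.113.7 - - [28/Mar/1997:10:15:02 -0500] "GET /next.html HTTP/1.0" '
    '200 512 "' + form_submission_url(ORDER_FORM_ACTION, "GET", TYPED_FIELDS)
    + '" "Mozilla/3.0"'
)

if __name__ == "__main__":
    print("GET  ->", form_submission_url(ORDER_FORM_ACTION, "GET", TYPED_FIELDS))
    print("POST ->", form_submission_url(ORDER_FORM_ACTION, "POST", TYPED_FIELDS))
    print("leaked via Referer:", sensitive_params_in_referer(SAMPLE_LOG_LINE))
```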

Category 22.4 Accidental availability disruptions 1997-03-28 denial of service ISP Internet DNS domain names DoS RISKS 19 1 Michael Miora, NCSA's Director of Consulting, discovered that he no longer had access to the Net. His ISP, Sprynet, suddenly and without notification cut off service to anyone not using an e-mail address ending in "@sprynet.com." This measure was supposed to cut down on fraud. It presumably cut down on clients.

Category 22.4 Accidental availability disruptions 1997-05-19 air traffic electrical power outage backup disaster denial AP A short circuit in backup MCI communications systems at the Air Route Traffic Control Center in Oberlin, OH wiped out most communications among air-traffic control towers and 180 airplanes in Indiana, Michigan, Pennsylvania, New York, Ohio and West Virginia for 67 minutes. A few low-power channels remained functional and ATC relied in part on cellular phones and some non-MCI phone lines. Flights leaving Cleveland, Pittsburgh and Detroit were delayed by an hour; other planes were rerouted around Ohio air space for the duration of the outage.

Category 22.4 Accidental availability disruptions 1997-05-23 denial of service saturation bandwidth ISP Newsbytes On Wednesday 97.05.21, an e-mail server at the Reston, VA facility of the BellAtlantic.net ISP shut down e-mail delivery to its customers. The system was unable to deliver the mail until Friday the 23rd, when all accumulated messages were on their way to their destinations. No messages were lost.

Category 22.4 Accidental availability disruptions 1997-05-29 Internet availability EDUPAGE A study by Inverse Network Technology suggested that most of the delays in e-mail delivery originate in problems on gateways. The study suggested that 88% of all e-mail takes no more than five minutes to deliver; however, some ISPs allow 10% of their deliveries to take longer than an hour.

Category 22.4 Accidental availability disruptions 1997-07-17 Internet power failure outage availability disaster Newsbytes At 08:17 PDT on 1997.07.16, a rectifier failure in a battery room shut down power to the MAE-West switching center, terminating Internet access for major ISPs and their customers. At 11:00 PDT, someone in Los Angeles cut a fiber-optic cable and shut down ATM (asynchronous transfer mode) links carrying 473 T-3 lines (45 Mbps each). The outages affected Internet traffic throughout the United States, with major congestion and outright outages lasting until 13:40 PDT.

Category 22.4 Accidental availability disruptions 1997-07-25 Internet congestion bandwidth availability AP Elizabeth Weise of AP published a fascinating story in late July that reported on research by communications engineers and physicists explaining why the Internet seems to have unpredictable periods of heavy congestion. Some analysts see a "tragedy of the commons" in which users, unaware of the effects of their largely free use of Internet bandwidth, blithely increase their surfing without regard to equitable sharing with the unknown millions of other users. The Net responds acceptably until key "pipes" are saturated with data — and then response can slow to a crawl. In an interesting effect of mass-action, at some point large numbers of users get disgusted and log off, releasing the gridlock suddenly. Some analysts suggest that charging people for their time online will solve the problem; others argue that defining classes of service will help (e.g., charging for high-priority usage and not for low-priority applications). Critics of these proposals deny the validity of the "commons" model, arguing that increased demand can make increased capacity cost-effective.

Category 22.4 Accidental availability disruptions 1997-09-10 telecommunications denial of service QA disaster RISKS 19 39 Peter G. Neumann, abstracting a report forwarded by Steve Bellovin, wrote "Around 7pm on the evening of 8 Sep 1997, the main MFS Communications switch (MFS Switch One) failed, downing UK telecommunications links provided by MFS, Worldcom, and First Telecom. The outage also affected most of CompuServe's UK customers, whose access is typically via an MFS phone number."


Category 22.4 Accidental availability disruptions 1997-10-09 denial of service backhoe attack AP In Kansas City in October, an unidentified dump-truck driver forgot to lower his truck's bed before speeding through a street and snagging overhead telephone cables. His carelessness interrupted phone and Net access for 119,000 Sprint users for four hours. Victims included people in Oklahoma, Missouri, and all the way into Florida. This is a new variant of the time-honored "backhoe attack" for causing denial of service.

Category 22.4 Accidental availability disruptions 1997-11-11 QA denial of service power outage e-mail denial of service RISKS 19 45 Another glitch hit AOL on Nov 3, 1997, when users lost e-mail service for an hour or so. Worse still, a bug generated a repeating message apologizing for the loss of service and required forcible termination of the AOL client software to stop the automated grovelling. On Nov 18, the e-mail system was unavailable for up to six hours.

Category 22.4 Accidental availability disruptions 1997-12-24 backup disaster recovery RISKS 19 53 Sun Valley, ID uses a computerized ticketing system involving a database of authorized skiers and scanners. After a disk crash in December 1997, the company had to order several thousand skiers to reregister — including new ID cards and photographs.

23 Internet tools

Category 23 Internet tools 1997-01-29 ActiveX diddling RISKS 18 80 ff The CHAOS Computer Club of Germany demonstrated how a rogue ActiveX applet can insert a fraudulent transaction in a victim's stack of pending QUICKEN transfer orders.

Category 23 Internet tools 1997-02-21 ActiveX RISKS 18 83 Microsoft responded to the CHAOS Computer Club demonstration of a data diddling attack via ActiveX by saying that the same problem could have occurred using Java and Netscape.

Category 23 Internet tools 1997-03-04 digital signatures Authenticode ActiveX RISKS 18 85 ff Bob Atkinson, chief architect of Microsoft's Authenticode system for signing ActiveX controls, responded to criticism of his company's approach to security of third-party executables. Among the key points: Microsoft has never claimed that it would certify the safety of other people's code; authentication is designed solely to permit identification of the culprits _after_ malicious code is detected; Explorer-based distribution of software is no more risky than conventional purchases through software retailers. Subsequent correspondence chastised Mr Atkinson for omitting several other key points; e.g., interactions among ActiveX controls can violate system security even though individual controls are apparently harmless; there is no precedent in fact for laying liability at the feet of software developers even when you _can_ find them; under attack, evidence of digital signature is likely to evaporate from the system being damaged; latency of execution of harmful payloads will complicate identification of the source of damage; malice is not as important a threat from code as incompetence; Microsoft has a history of including security-threatening options such as automatic execution of macros in Word without offering any way of turning off the feature; a Web site can invoke an ActiveX control that is located on a different site or that has already been downloaded from another site and can pass that control unexpected arguments that could cause harm.

Category 23 Internet tools 1997-03-06 Java ActiveX RISKS 18 87 Dr Gary McGraw of Reliable Software Technologies in Sterling, VA reported on some new examples of known security problems in JAVA and ActiveX. A minor JAVA problem concerned the ability to determine a client's IP address without permission. A more serious ActiveX problem allows a server to connect to any arbitrary TCP/IP port on a client system even if a firewall is configured to prevent such connections.

Category 23 Internet tools 1997-03-28 JavaScript denial of service MIME attachment RISKS 18 95 A user posted a warning to a USENET group about a Web page that spawns endless windows from within a Web page. The original Web site was designed as a demonstration of a possible denial of service attack. Unfortunately the USENET poster included the actual HTML code for the offending Web page in his USENET posting. Since Netscape Navigator automatically formats such attachments and executes the script, the USENET message had the same effect as the demonstration Web page. Denial of service by remote control. . . .

Category 23 Internet tools 1997-04-03 ActiveX flaw Reuters CEO Scott McNealy of Sun Microsystems, in his keynote address at the JavaOne Conference, showed how a specially written program containing ActiveX could be downloaded by a remote user and then take over the user's computer and rifle its files for personal financial information. The ActiveX control had been signed but was still malicious.


Category 23 Internet tools 1997-04-28 YAJF Java flaw authentication RISKS 19 11 Professor Ed Felten's team at Princeton discovered yet another Java security flaw. This one applies to version 1.1.1 of the Java Development Kit (JDK) and version 1.0 of the HotJava browser from Sun Microsystems. Seems that there are two problems: (1) "If an applet's signer is labeled as trusted by the local system, then the applet is not subject to the normal security restrictions." (2) The current flaw is that an applet can redefine the Java interpreter's perception of who signed it. By searching for the signers trusted by the client system, a hostile applet could bypass all normal security restrictions. The bug was fixed in release 1.1.2 of the JDK.

Category 23 Internet tools 1997-05-22 JAVA ActiveX EDUPAGE Pushing executable files out from servers to client systems is outstripping security provisions in JAVA and ActiveX. JAVA is supposed to integrate some security measures into its code (the "sandbox"), but in contrast, Microsoft's ActiveX relies only on certification of origin to reduce risks of Trojans and just plain programming errors. Prof. Ed Felten of Princeton University's Safe Internet Programming project said, "Once an Active X control is running on your machine, you have no way to constrain what it does."

Category 23 Internet tools 1997-08-08 JAVA applet Microsoft Internet Explorer C|Net news.com http://www.news.com/News/Item/0,4,13226,00.html?latest Ben Mesander, a Java developer with CreativeConcepts in Boulder, Colorado, discovered that Internet Explorer 3.x and 4.0 allow Java applets to open a network connection to a server other than the one from which they were downloaded. Such a bug would permit a Trojan applet to redirect interactions from a legitimate site to a rogue site without notifying the user of the change. For example, a modified applet on a bank site might redirect a user to a pirate site where confidential information could be seized. Because Java normally does not permit such connections, and because Netscape Navigator did not show the same problem, analysts concluded that the bug was in Microsoft Internet Explorer.

Category 23 Internet tools 1997-10-01 JAVA vulnerability RISKS 19 40 The Reliable Software Group at University of California Santa Barbara published a new attack on JAVA applications using the CLASSPATH feature. The vulnerability allows a malicious server to spoof an innocent target site, making it look as if the client is communicating with the desired site (e.g., a bank) while actually the data are flowing, unencrypted, to the malicious hijacker site. Check to see if the report makes it to the UCSB Dept of Computer Science compilation of technical reports.

Category 23 Internet tools 1997-10-17 JAVA RISKS 19 41 Another JAVA problem surfaced in October when researcher Andre L. Dos Santos at the Reliable Software Group of the University of California Santa Barbara found a new exploit of the CLASSPATH feature. The demonstration program sends confidential data to a rogue site instead of to the bank that requested it.

Category 23 Internet tools 1997-11-28 data diddling e-mail Java HTML Explorer browser RISKS 19 49 A RISKS correspondent reported that HTML-enabled e-mail was immediately interpreted by MS Internet Explorer 4.0 because its autopreview mode was active. The e-mail downloaded and executed a Java applet that opened a connection to a foreign Web site and would have gone on to many other sites had the user not interrupted it.

23.4 HTML, XML

Category 23.4 HTML, XML 1997-01-09 web spoofing diddling EDUPAGE Ed Felten's Java-security team at Princeton University published an analysis of many ways that attackers can hijack information being sent to legitimate Web sites by users; one example is to insert unauthorized hot links in a poorly-secured Web site. EDUPAGE reported, "The researchers suggest that Web surfers take the following precautions: disabling JavaScript in their Web browsing software; keeping an eye on the software's location line, to ensure they know where they are; and paying close attention to the addresses they visit. (Chronicle of Higher Education 10 Jan 97 A25) < http://www.cs.princeton.edu/sip/pub/spoofing.html >"

23.6 Web-site infrastructure, general Web security issues

Category 23.6 Web-site infrastructure, general Web security issues 1997-01-03 Web RISKS 18 77 ff A Swedish correspondent reported in RISKS that AltaVista includes the keywords from a user's most recent search in the URL for inline advertisements. This practice, which is undocumented on the search page, compromises the privacy of users.

Category 23.6 Web-site infrastructure, general Web security issues 1997-01-05 Netscape RISKS 18 74 A new bug in Netscape 3.0, 3.01 and 4.01 beta 1 allows a Web site to obtain a browser's e-mail address.

Category 23.6 Web-site infrastructure, general Web security issues 1997-01-13 security Web e-commerce Computerworld Web site O'Reilly & Associates published a survey of 648,613 Web sites in which they found that only 10% of the sites use SSL and only 0.5% offer third-party authentication (necessary for customers to be sure that they are dealing with the business they think they are connected to and not an imposter-site).

24 Operating systems, network operating systems, TCP/IP problems (alerts)

Category 24 Operating systems, network operating systems, TCP/IP problems (alerts) 1997-02-12 NT RISKS 18 82 Christopher Klaus describes three classes of attacks on NT systems:

* NT CPU Port Attacks
* NT DNS Denial Attack
* NT Trojan Password DLL

Category 24 Operating systems, network operating systems, TCP/IP problems (alerts) 1997-04-01 Windows NT passwords EDUPAGE A superzap utility for Windows NT was announced that allows decryption of encrypted password files.

Category 24 Operating systems, network operating systems, TCP/IP problems (alerts) 1997-06-20 hack Windows NT Web server URL denial of service C|Net http://www.news.com Hackers informed Microsoft of a major bug in Windows NT 4.0 running Microsoft's Internet Information Server version 3.0 and promptly shut down Microsoft's Web site by typing in a specific URL in any Web browser. Todd Fast (uncertain if this is a real name or a handle), claiming to have discovered the bug, wrote, "This is a hugely embarrassing bug for Microsoft in my opinion, particularly since they've just been lauded for pulling ahead of Netscape in Web server market. Knowing that anyone with a grudge and a twitchy keyboard could shut down any of their customer's Web sites must bear horribly on their collective conscience." Microsoft had a patch available within a day of the discovery.

24.9 Peer-to-peer networking

Category 24.9 Peer-to-peer networking 1997-03-05 web hack sabotage vandalism NASA One of the NASA administrators posted part of the text of the NASA Web page hack on the USENET.

Category 24.9 Peer-to-peer networking 1997-03-09 penetration Web hack vandalism hacktivists EDUPAGE Criminal hackers with either a sophomoric sense of humor or a truly deluded worldview cracked security on the NASA Web site and posted a childish diatribe against commercial use of the Internet. They also posted threats to destroy corporate America within a month using electronic terrorism. They demanded the release from jail of convicted criminal hackers.

Category 24.9 Peer-to-peer networking 1997-03-13 penetration vandalism Web hack EDUPAGE The NCAA site was smeared with racist graffiti. Site managers allege that a 14-year-old high school student was responsible and have turned over their evidence to the FBI.

Category 24.9 Peer-to-peer networking 1997-04-15 Web insurance PR Newswire The InsureSite insurance policy was announced by the Risk and Insurance Management Society. The policy covers third-party liability for monetary losses due to problems on the covered Web site; personal injury resulting from breach of privacy; and physical damage due to vandalism, viruses and other perils. Clients whose Web sites are certified by the NCSA's Web Certification program are eligible for significant discounts.

Category 24.9 Peer-to-peer networking 1997-05-08 Web hacking penetration Polish Radio 1, Reuters Hackers vandalized the Web page of the Prime Minister of Poland, changing headers to "Hackpublic of Poland" and "Government Disinformation Center." A government spokesperson minimized the threat, saying that the Web system is not linked to other government computers and no confidential information was compromised.

Category 24.9 Peer-to-peer networking 1997-05-14 Web vandalism hacktivism RISKS 19 14 According to Martin Minnow, regular contributor to RISKS from Sweden (direct quotation of Mr Minnow's posting),

>The Swedish newspaper *Svenska Dagbladet* reports that the Swedish meat packers, Scan, had their web page replaced by an unknown attacker. The new page looked much like the old, but with changed text, including: "Now we're making our packages EVEN smaller, so that YOU the consumer can buy our meat for even lower prices. Boycott nasty vegetables. Eat more meat, smile, and be happy. And, by the way, you sure don't want to turn your stomach into a composter, right?" [My free translation.]

The page's links take you to the Animal Rights Law Center, McDonalds, and Flashback, a home on the net for a number of underground movements.<


Category 24.9 Peer-to-peer networking 1997-05-23 penetration hacking Web Reuters, Newsbytes Koichi Kubojima (or "Kuboshima"), a 27-year-old computer engineer, was arrested in Tokyo and charged with replacing weather pictures by pornography on the Asahi Broadcasting Co. web pages. He was the first person to be charged under the 1987 anti-hacking law and faces up to five years in jail because of stiff penalties added to the law in 1992. According to Martyn Williams of Newsbytes, "Police tracked down Kuboshima by gaining access to the records of an Internet service provider that he reportedly used to carry out the hack. Local press reports said the account was opened with a false credit card number and name." The site was taken out of service within 10 minutes of the hack at 10:00 and was back on air by 13:00.

Category 24.9 Peer-to-peer networking 1997-05-29 Web hack vandalism penetration UPI, OTC UPI reported that the Los Angeles Police Department Web page was hacked and satirical content substituted for the normal texts. However, investigation revealed that the tale was itself an error that spread like wildfire through the Net. It seems that someone did post a lampoon of the LAPD's page at a completely separate site and it did include disrespectful language. However, no one broke into the real LAPD site.

On the other hand, claims that Universal Studios' Web hack was a deliberate publicity stunt by the Studios were vigorously denied by spokespersons, who pointed out how pointless it would be to put a fraudulent hack up for all of five hours — from 03:00 until 08:00. The key points in the rant published by Glen Lipka were that the graphics were too good and that date stamps on the graphics files preceded the stamps on the original Web page; neither observation leads unavoidably to the conclusion of fraud. Good graphics packages are available to everyone; and date stamps mean nothing when it's PCs that stamp the files.

Category 24.9 Peer-to-peer networking 1997-05-31 Web vandalism RISKS 19 20 ff According to Reuters, >The opening page for the Web site for the film ``The Lost World: Jurassic Park'' wasn't all it was quacked up to be after hackers got through with it Tuesday. In place of the film's trademark dinosaur logo was a profile of a prehistoric-looking duck, accompanied by the title ``The Lost Pond: Jurassic Duck.'< A later item in RISKS pointed out that the correct form of that vandalism was "The Duck World: Jurassic Pond" which is just as silly. Some cynics argued that the hack was likely to be an inside job and maybe a deliberate hoax; there was, however, no proof of this conjecture.

Category 24.9 Peer-to-peer networking 1997-06-03 Web vandalism hacking EDUPAGE In Delaware, police arrested a teenager accused of defacing the NASA Web site and leaving graffiti describing site administrators as "extremely stupid." The kid's computer was seized as evidence.

Category 24.9 Peer-to-peer networking 1997-06-24 Web hacker vandalism denial of service EDUPAGE Microsoft's Web site was down for about 10 minutes after a cracker exploited a known flaw in the MS server software. MS posted a fix immediately and got its system up with a simple reboot.

Category 24.9 Peer-to-peer networking 1997-07-19 denial of service mail bombing Web infowar Reuters A Web site supporting ETA guerrillas was mailbombed after ETA killed a Spanish politician. The Euskal Herria Journal of New York was pulled off the Web site of the Institute for Global Communications after its servers were brought to their knees by the flood of duplicate messages and huge binary files sent by opponents of ETA.


Category 24.9 Peer-to-peer networking 1997-07-25 Web vandalism Polish News Bulletin For the second time in three months, hackers broke into the Polish government's computer systems and altered its Internet site, Government Information Centre (CIR) officials admitted. A hacker calling himself "Cyberbob" added several new messages to the Polish-language page: "Lech W. for President," "he he he meee meee" and "Al. Zachlapana 1/3 00-583 Pruszkow," also notifying users of a change in the CIR server's address to "www. playboy.com."

Category 24.9 Peer-to-peer networking 1997-08-07 hackers Web vandalism UPI In late July, someone attacked the Web site of the Minnesota Department of Public Safety; an entire day of work was deleted. Ten days later the site was attacked again and all access to public e-mail was shut down.

Category 24.9 Peer-to-peer networking 1997-08-14 hacker Web server vandalism ISPs FBI Editor & Publisher 130 26 An official of the San Antonio Express-News revealed in August that his company's Web servers were severely damaged by one or more hackers in mid-April. Eight other regional ISPs were damaged in the attacks. Suspects under investigation by the FBI included a high-school student and more experienced Unix hackers. Logic time-bombs were left on the system that eventually interpreted harmless file commands as instructions to delete files. The servers crashed completely soon after the time-bombs detonated. He estimated that 300,000 pages on his Web site were damaged. The newspaper offered a $25,000 reward for information leading to conviction of the perpetrators and this apparently resulted in many helpful leads for investigators.

Category 24.9 Peer-to-peer networking 1997-08-19 Web vandalism hack password intrusion Grand Rapids Press A poorly-chosen password allowed hackers to vandalize First Michigan Bank Corp's WWW site. The main page was replaced by a solid black background with a few identifying scribbles. Luckily, the bank suffered few damages.

Category 24.9 Peer-to-peer networking 1997-09-11 Web security cracking vandalism EDUPAGE Computer Security Canada Inc. posted a database of Web site security breaches; see .

Category 24.9 Peer-to-peer networking 1997-09-30 Web vandalism hacker 2600 AirTran Airways (formerly ValuJet) saw its Web site vandalized in September, with gross references to the 1996 crash that killed 110 people.

Category 24.9 Peer-to-peer networking 1997-12-09 Web hack vandalism extortion AP In early December, hackers attacked the Yahoo site, leaving electronic graffiti threatening a massive logic-bomb attack on the planet's networks on Christmas day and a nationwide power-system failure on

25 Computer remote control & disruption

Category 25 Computer remote control & disruption 1997-01-24 RFI RISKS 18 79 High altitude flights may subject modern computers to enough cosmic rays to cause single-bit errors at a rate of about once per hour on typical PCs.

Category 25 Computer remote control & disruption 1997-03-12 infowar HERF EMP TEMPEST information warfare RFI RISKS 18 90 New work on hardening systems against high-energy electromagnetic pulses was published by Carlo Kopp, an Australian defense analyst.

Category 25 Computer remote control & disruption 1997-04-16 RFI cancer cell phone AP, AAP; RISKS 19 39 Medical experts at a conference in Sydney, Australia presented epidemiological evidence that electromagnetic radiation from cellular phones is associated with cancer and a number of other diseases. In separate research, a few hundred specially-bred mice highly susceptible to spontaneous lymphoma were exposed to cell-phone radiation for 18 months. Cancer rates doubled. It is not yet known if these results can be extrapolated to normal mice and to other species. The results were published in the journal _Radiation Research_ in May. Not incidentally, the results were announced with much hoopla at a press conference held by Microshield, a manufacturer of a phone cover claimed to reduce radiation from the devices. Motorola, a major manufacturer of cell phones, responded by threatening a lawsuit if the claims by Microshield were not withdrawn.

Category 25 Computer remote control & disruption 1997-04-28 RFI RISKS 19 11 A couple of British victims of technology gone mad won a £4,000 judgment for damages because their motorized beds behaved like props from a movie comedy in response to what is assumed to be radio-frequency interference. Instead of providing soothing vibrations, the beds would go off at random, with much buzzing, pounding like jack-hammers, and abrupt changes of head and foot tilt angles.

Category 25 Computer remote control & disruption 1997-05-02 RFI lawsuit libel RISKS 19 12 In response to widespread concern about the putative cancer-causing radiation from cell phones, Motorola Australia suggested that it would sue people spreading such claims. Now _there's_ a constructive response to public fear. . . .

Category 25 Computer remote control & disruption 1997-07-22 HERF guns EMP urban myths debunking Netly News Cyber-historian and gadfly George Smith debunked stories of HERF (high-energy radio-frequency) weapons and EMP (electromagnetic pulse) bombs in an article published in July. He presented persuasive arguments that these stories are urban myths devoid of factual evidence.


Category 25 Computer remote control & disruption 1997-08-25 RFI cancer mobile cellular phones brain tumors Reuters A research project led by Dr Luc Verschaeve and sponsored by Belgacom, main owner of Belgium's largest mobile phone network, found no harm to human blood cells from exposure to emissions from their cellular phones. From this work the cellular phone company spokesperson concluded that there ought not to be any association between cell phone emissions and brain or bone cancer. [I think there ought not to be any either, but I'm not sure that looking at erythrocytes is the way to go.]

Category 25 Computer remote control & disruption 1997-09-17 EMI RFI electromagnetic interference radio-frequency RISKS 19 38 In a court case in September, expert witnesses demonstrated that some GM cruise control systems are susceptible to electromagnetic interference that can cause sudden acceleration. Demonstrations included goosing the cruise control by running a power drill near the car. See for more details on RFI shielding requirements.

Category 25 Computer remote control & disruption 1997-10-01 RFI radio frequency interference RISKS 19 40 In the Netherlands, a bus using an electronic linkage between the accelerator pedal and the throttle mechanism suddenly accelerated and crashed into the restaurant at Eindhoven Central Station, injuring nine people. The bus manufacturer acknowledged that radio-frequency interference from "communications equipment, the 2-way radio, the mobile telephone and/or the little box which operates traffic lights" was thought to account for the rash of such accelerations. Of the 178 buses with the electronic accelerator pedal, 22 have been taken out of service.

25.1 Remote control, RATs, reprogramming, auto-updates

Category 25.1 Remote control, RATs, reprogramming, auto-updates 1997-08-21 medical informatics remote sensing telemedicine EDUPAGE MediVIEW and Medically Oriented Operating Network (MOON) from Sabratek Corp. allow intensive remote medical intervention such as alterations of automated flow control devices for drug administration. The initial press releases included no sign that anyone was concerned about security issues in this system. [The risks of system error and hacking now become life-threatening.]

27.1 Vulnerability assessment

Category 27.1 Vulnerability assessment 1997-01-06 SATAN RISKS 18 74 Dan Farmer's complete unauthorized Internet security survey was made available on < http://www.infowar.com >. The study showed widespread occurrences of well-known vulnerabilities in the majority of systems scanned, including especially financial systems.

Category 27.1 Vulnerability assessment 1997-01-21 SATAN EDUPAGE Dan Farmer's Internet security scan using his SATAN program continued making belated news in the business press. About 68% of the 660 banks studied by Farmer had inadequate security by his standards. Farmer said that system administrators are underfunded and under pressure "just to keep things running — not necessarily secure."

Category 27.1 Vulnerability assessment 1997-02-11 biometrics fingerprint EDUPAGE A biometric authentication device costing $500 and easy to attach to PCs and other computers is being marketed by Oracle Corporation in conjunction with a company called Identix, from Sunnyvale, CA. The device can distinguish a live finger from a model or dead finger using a number of sensors.

Category 27.1 Vulnerability assessment 1997-07-05 computer forensics Financial Post (Canada) The new Geographic Profiling System called Orion (available from Environmental Criminology Research in Vancouver, BC) helps police narrow down the likely residence of serial criminals. Working in conjunction with the RCMP's ViCLAS (Violent Crime Linkage Analysis System) program, Orion helps law enforcement officers enlist the help of local residents where criminals are likely to live.

Category 27.1 Vulnerability assessment 1997-07-24 computer forensics fraud data mining Computing (UK) British Telecom and MCI have been using data mining techniques to identify patterns of phone-card number theft. The joint project, dubbed "Sheriff", applies statistical pattern recognition algorithms for real-time analysis of phone traffic to spot stolen cards.

Category 27.1 Vulnerability assessment 1997-07-24 computer forensics evidence recovery Reuter In Britain, a new firm called Computer Forensic Investigations launched a new data-recovery kit for police officers to salvage data from suspects' computers in the field. The "portable evidence recovery unit" (PERU) has already been widely used by forces in the UK in cases of fraud, murder, blackmail, counterfeiting and child pornography.

27.4 Firewalls & other perimeter defenses

Category 27.4 Firewalls & other perimeter defenses 1997-05-31 addiction cyber-pets RISKS 19 20 In a further outbreak of silliness, Dr Daniel DeSouza of Toronto set up an Internet support group to help bereaved owners of dead Tamagotchi cyber-pets.

Category 27.4 Firewalls & other perimeter defenses 1997-06-17 Internet addiction EDUPAGE A Cincinnati mother lost possession of her children when police discovered she was locking them into a filthy room in order to surf the Net 12 hours a day.

Category 27.4 Firewalls & other perimeter defenses 1997-09-09 Internet addiction AP A woman with the wonderful eponymous married name of "Sandra Hacker" was ordered by a judge in Cincinnati to take parenting classes after she pleaded guilty to misdemeanor child endangering. She was arrested in a filthy apartment where her 2, 3 and 5-year-old children grovelled in squalor while she spent 12 hours a day surfing the Internet.

Category 27.4 Firewalls & other perimeter defenses 1997-10-02 ergonomics information fatigue syndrome EDUPAGE In an exhausting piece of news, Reuters reported that half of all senior managers and a third of all managers suffer from Information Fatigue Syndrome and are getting physically sick from the stress of information overload.

Category 27.4 Firewalls & other perimeter defenses 1997-12-17 video seizures epilepsy RISKS 19 51 Hundreds of children in Japan went into seizures when a TV cartoon show flashed stroboscopic images of a colorful explosion on their screens.

31 The state of information security & technology

Category 31 The state of information security & technology 1997-02-03 security business Farmer SATAN survey Business Journal web site Ted Julian of IDC (Framingham, MA), author of a study of firewalls, predicts 300% growth in the number of installed firewalls in 1997 over 1996; he estimates revenues growing from $338M to $600M in the same period. Hewlett-Packard reports significant growth in the amount of security consulting they are called on to do; McAfee's revenues have grown from $9M to $150M in three years.

Category 31 The state of information security & technology 1997-02-13 audit survey fraud PA News The Audit Faculty of the Institute of Chartered Accountants of England and Wales, in conjunction with _Accountancy Age_ magazine, reported the results of a survey showing that many professionals expect to see an increase in the rate of corporate fraud. Reasons given by the respondents included reduced staffing and increased performance pressure. Respondents thought that legal protection for whistle-blowers and increased vigilance would help fight fraud. The size of the respondent population was not given in the Press Association report.

Category 31 The state of information security & technology 1997-02-20 credit card fraud PA News Barclays Bank in England warned shoppers to be on guard against credit-card fraud. Although losses have been dropping, theft using cloned (counterfeit) cards is large enough at 23.6M pounds (about US$40M) to warrant investment in smart cards. In the UK alone, said a Barclays spokesman, over half a million retail points of sale will have to be converted to interact with the microchips on the new credit cards.

Category 31 The state of information security & technology 1997-03-09 statistics crime EDUPAGE The 1997 Computer Security Institute survey of computer crime revealed that 75% of 563 respondents had lost money because of computer crimes in the past year. United Press International reported, "The institute says 26 respondents reported a total of $24.8 million in losses due to telecommunications fraud; 22 reported $21 million in losses from theft of proprietary information; 26, nearly $4.3 million from sabotage of data or networks; 22, nearly $4 million from unauthorized access by insiders; and 22, $2.9 million from system penetration by outsiders. Computer virus infestations caused nearly $12.5 million in losses for 165 respondents. Laptop theft caused $6.1 million in losses for 160 respondents; employee abuse of Internet privileges caused more than $1 million in losses to 55 organizations."

Category 31 The state of information security & technology 1997-04-07 Internet computer network hacker policy http://www.cert.org/research/JHThesis/Start.html John D. Howard published his PhD dissertation at Carnegie Mellon University: An Analysis Of Security Incidents On The Internet 1989 - 1995. He analyzed 4,299 Internet-related security incidents. Highly recommended: read the full document starting at .

Category 31 The state of information security & technology 1997-06-09 privacy cookies Web AP The Electronic Privacy Information Center (EPIC) released its survey on Web privacy just before an important US government hearing of the Federal Trade Commission. Their research found widespread use of intrusive technology such as cookie files without requesting permission from users. David Kalish, writing for AP, stated that "The survey found that of the Internet's 100 most popular Web sites, about half collect personal information from users who click on their sites or through mailing lists and other means. Only 17 sites even mention the privacy issue, and most of those fell far short of what the group considered adequate disclosure — explaining why information is collected, how it will be used, and what steps will be taken to limit improper use."

Category 31 The state of information security & technology 1997-06-27 policy implementation survey PR Newswire A survey of 333 system integrators, value-added resellers, vertical resellers and consultants, conducted during May 1997 by J. River Inc., revealed that only about half the companies replying had implemented any network security policies despite widespread plans for intranets and Internet communications. In other sections of the research, there were indications that about half the companies involved used only user IDs and passwords for security and that about a third used no security at all.

Category 31 The state of information security & technology 1997-06-30 statistics disasters hard drive failures Information Systems Update 97 7 Christopher D. McDonald, editor of the Information Systems Update, wrote: >Stuart Hanley, a data recovery manager with Ontrack Data International, has an article in the June 1997 edition of "Contingency Planning & Management", entitled "Minimize Loss, Maximize Recovery". He presents a pie-chart for 50,000 hard drives and other data storage devices which Ontrack has examined upon failure since 1987. Again here are REAL numbers to consider for contingency planning. Reasons for failure include: 44% hardware or system malfunction; 32% human error; 14% software program malfunction; 7% computer virus; and 3% natural disasters. CP&M is available free to qualified individuals.<

Category 31 The state of information security & technology 1997-08-14 CERT alerts warnings patches vulnerabilities COMPUTER WEEKLY The Computer Emergency Response Team Coordination Center (CERT-CC) issued yet another alert warning administrators that their failure to keep up to date in applying patches for known vulnerabilities increases the risk of hack attack. [Eventually, one hopes, some enraged stockholder will sue the administrators who do not apply patches in time; in justice, the lawsuits should also name upper managers who refuse to allocate sufficient resources to their network and security managers for effective response to CERT alerts.]

Category 31 The state of information security & technology 1997-09-05 hackers defense police policy Newsbytes Japanese police asked computer operators to increase security in an attempt to resist increasing attacks by hackers. Reported hacking increased 25% in the first six months of 1997. Recommendations included better password management, installation of firewalls, and effective encryption.

Category 31 The state of information security & technology 1997-11-08 bank reporting hacking intrusion law Privacy Guild Vin McLellan of the Privacy Guild circulated what appears to be a draft letter from the Federal Reserve Bank to all member banks in the United States warning them that they are obliged under law to report all violations of computer security to the FBI.

31.1 Surveys, studies, audits of security

Category 31.1 Surveys, studies, audits of security 1997-01-02 passwords security management PA News A recent survey by Compaq in the financial district of London showed that poor choices are the norm for computer passwords there. A staggering 82% of the respondents said they used, in order of preference, "a sexual position or abusive name for the boss" (30%), their partner's name or nickname (16%), the name of their favorite holiday destination (15%), sports team or player (13%), and whatever they saw first on their desk (8%).

Category 31.1 Surveys, studies, audits of security 1997-06-24 denial of service interrupts EDUPAGE Pitney Bowes sponsored a study by the Gallup organization and San Jose State University that revealed high levels of interrupts from messages among 972 top-level staff of Fortune 1000 companies. Half of the respondents said they were interrupted at least every 10 minutes and felt overwhelmed by the volume of messages.

32 Censorship, indecency laws, 1st amendment (law)

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-01-16 censorship china C EDUPAGE China marginally relaxed its restrictions on Internet access, but it continues to block sites that report news from Hong Kong and Taiwan.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-01-16 Internet regulation availability Reuters Experts argue that the Internet is unstoppable and that governments will try, but fail, to control its use. Neil Winton, writing for the Reuter news agency, reported in January on his interviews with leading thinkers about government control over cyberspace. Some of the key findings:
* "Governments which seek to restrain the freedom of speech and tax the vast electronic commerce spawned by the Internet will almost certainly be wasting their time, experts say."
* "Dr Bob Glass of the U.S. technology leader Sun Microsystems Inc said any attempt by governments to curtail any of this would be a waste of time. Not even the most powerful computers will be able to effectively patrol the world's telephone lines. Individual computer experts will always be one step ahead."
* Attempts to force Internet users to pass through proxy servers to limit their access to the Net fail when users use the public switched telephone network to access uncontrolled ISPs.
* Even if governments attempt to monitor all telephonic communications through their land lines, low-orbit satellite telephony will defeat their interference.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-01-17 censorship hate Reuters The German government filed charges against Angela Marquardt, the 25-year-old, blue-and-purple-haired deputy leader of the communist Party of Democratic Socialism, for linking from her Web page to a banned issue magazine called _Radikal_. The issue of _Radikal_ was banned because it included detailed instructions on how to sabotage railway lines. According to the public prosecutor, "It has nothing to do with censorship. Criminally relevant materials are subject to classification by the district attorney or criminal prosecutors." In early June, the court hearing opened and adjourned after an hour so the magistrates could arrange for expert testimony to explain the Net and the Web when the case reconvened toward the end of June. On June 30, the court ruled that maintaining a hyperlink to objectionable material is not tantamount to publication of that material.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-01-19 censorship NY EDUPAGE New York's recently-passed online-decency law barring computer-based distribution of indecent materials harmful to minors was challenged by the ACLU and 14 other organizations. EDUPAGE summarized their case: >The ACLU argues that New York's law "does not define the relevant 'community' for purposes of determining what is 'patently offensive' in the global medium of cyberspace," nor does it distinguish between what might be harmful to young children versus what might be harmful to teenagers. Finally, the lawsuit says the statute violates the Commerce Clause because it attempts to regulate communications that take place outside New York, poses an unreasonable burden on interstate and foreign commerce, and subjects interstate use of the Internet to inconsistent regulations. (BNA Daily Report for Executives 15 Jan 97 A13)<

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-01-21 CDA censorship law UPI The US Department of Justice prepared to defend the Communications Decency Act by arguing that, because families and children use the Internet, the CDA does not infringe the First Amendment to the US Constitution (which guarantees free speech).

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-01-25 Net censorship Reuters The United Arab Emirates' government-controlled ISP has set up a proxy server to censor the Net. The country's 9,669 Etisalat users are required by law to configure their Web browsers to use the official proxy server, which filters out offensive materials.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-02-02 infowar censorship culture EDUPAGE EDUPAGE reported: >An editorial in the Iraqi government newspaper Al-Jumhuriya says that the Internet — which is not accessible in Iraq — is "the end of civilizations, cultures, interests, and ethics," and "one of the American means to enter every house in the world. They want to become the only source for controlling human beings in the new electronic village." (AP 17 Feb 97)<

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-02-03 Law RISKS 18 81 A Maryland bill that would make it illegal to send "annoying" or "embarrassing" e-mail was introduced in early February by Democratic General Assembly member Samuel Rosenberg. Critics describe the proposed legislation as using impossibly vague terms and being unconstitutional.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-02-04 censorship culture EDUPAGE Not everyone supports calls for freedom of speech and absence of government controls on the Net. At the World Economic Forum in Switzerland, representatives from such countries as Iran called the pressure for unfettered communications an ideology and explicitly rejected liberalism.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-02-19 censorship racism PA News The British government announced that it may introduce legislation to interfere with neo-Nazi use of the Internet.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-03-12 censorship Vietnam C RISKS 18 89 Vietnam joined the growing roster of authoritarian regimes scared into needing laxatives by the prospect of allowing their citizens to read whatever they want.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-03-25 Sweden free speech internet RISKS 18 94 A new law proposed in Sweden would guarantee free speech rights to people publishing non-modifiable texts on the Internet provided that a named person be the "responsible editor" who would have legal responsibility for the texts being posted.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-04-17 porn EDUPAGE, Reuters The Bavarian state prosecutor's office laid criminal charges in April against Felix Somm, head of CompuServe Germany. The indictment cites the online availability of "images of child pornography, violent sex and sex with animals" through CompuServe's making the USENET available to its users. CompuServe vowed to support its employee in the case. An interesting development occurred in June, when the federal parliament began consideration of the Information and Communications Services Law, which would exempt carriers and ISPs from prosecution for the content of their traffic.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-04-17 censorship porn libraries filter EDUPAGE The ACLU threatened to launch court actions against the Ohio Public Library Information Network because state librarians decided to install Net filters to stop kids from surfing through pornographic and other undesirable sites. Undesirable by others than the children, that is. The fuss began when six boys in a county library were discovered to be gawking at pornographic pictures from the Internet. A month after the ACLU's intervention, a parents' group, Citizens for the Protection of Children, vigorously supported the proposed filters.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-05-11 censorship EDUPAGE In Virginia, state employees such as professors at state-funded universities and colleges are forbidden to view sexually explicit online materials. Six Virginia university professors and the ACLU filed a challenge to the legislation, which interferes with online access to materials that are available on paper without question. Currently, it is "a crime for state employees using state-owned computers to `access, download, print or store any information . . . having sexually explicit content.'" The law also seems to apply to non-pornographic but sexually-explicit information such as the classic English poetry of Swinburne or the historically important works of Sigmund Freud. The federal lawsuit demands that this state law be overturned. The plaintiffs say this is insulting and a breach of academic freedom.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-05-20 censorship slander law ISP CDA Wired via PointCast Two self-described worshippers of Satan launched a lawsuit against ElectriCiti Inc., a San Diego ISP, for failing to shut down one of their persistent anonymous public critics. The ISP's lawyers countered that the short-lived Communications Decency Act precluded suing ISPs for the content of messages posted on the Net. In addition, the defendants claimed that the lawsuit by Michael and Lilith Aquino is a "SLAPP" — "strategic lawsuit against public participation" and should be dismissed out of hand.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-06-14 Internet pornography ISP law AP In a Federal Circuit court in Florida, Judge James Carlisle ruled in June that AOL is not liable for the content of cyberchat. The case concerned a civil lawsuit by the parents of a 14-year-old boy who was raped by Richard Lee Russell in 1994 after the two met in an AOL chat room. The parents said they would appeal the ruling.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-06-17 censorship CDA EDUPAGE The White House backpedaled on its support for the notorious Communications Decency Act, apparently anticipating the Supreme Court's rejection of this law's constitutionality. Observers chuckled over the abrupt reversal from the Department of Justice's position in March, when the administration vigorously asserted the value of this law.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-06-21 Internet law pornography pseudonyms AP In a case brought by the ACLU, U.S. District Judge Loretta Preska issued a temporary injunction in June preventing prosecutions under New York State's new law making it a criminal offense for pedophiles to use the Net to entrap children. The Judge wrote, "The protection of children from pedophilia is an entirely valid and laudable goal of state legislation. The New York act's attempts to effectuate that goal, however, fall afoul of the (federal) Commerce Clause." In a similar case in Georgia, Senior U.S. District Judge Marvin Shoob of the Atlanta federal court ruled that the Georgia law making it illegal to use pseudonyms on the Net was subject to challenge by the ACLU and others and suspended enforcement pending resolution of the lawsuit.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-06-22 censorship law CDA New York Georgia NY GA EDUPAGE In New York, a judge voided that state's version of the Communications Decency Act without waiting for the Supreme Court of the United States; the law was invalid, said the judge, because it attempted to regulate interstate activities in violation of the US Constitution. In Georgia, a federal judge imposed a preliminary injunction against enforcement of a state law making it illegal to use pseudonyms on e-mail.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-06-25 censorship law China ISP C RISKS 19 23 China passed even more draconian laws restricting access to the Internet by its citizens. The regulations force all Net access to go through the government's proxy servers to permit extensive censorship.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-06-26 CDA censorship law RISKS, AP 19 23 In a stinging rebuke to censorship buffs in the US, the Supreme Court issued its ruling on the Communications Decency Act, finding that it violated First Amendment protection of free speech. The unanimous opinion stated that the effort to protect children from sexually explicit material goes too far because it also would keep such material from adults who have a right to see it. Justice John Paul Stevens wrote for the court, "The (Communications Decency Act) is a content-based regulation of speech. The vagueness of such a regulation raises special First Amendment concerns because of its obvious chilling effect on free speech. . . . As a matter of constitutional tradition . . . we presume that governmental regulation of the content of speech is more likely to interfere with the free exchange of ideas than to encourage it."

See or for the full text of the ruling, which was noteworthy for the clarity of its prose and spirited defense of free speech on the Net.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-06-29 censorship law international Europe CDA EDUPAGE In the wake of the CDA decision by the Supreme Court of the U.S., European Internet experts warned that no country should try to "change the Internet we know and love into a kindergarten." Regulating the Internet would in any case require extensive international cooperation because of the international nature of the Net.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-07-01 Internet filtering SCOTUS libraries freedom of speech American Library Association The American Library Association's Intellectual Freedom Committee issued a statement on the problems faced by libraries in using Internet-filtering software. The report pointed to the Supreme Court ruling of 1997.06.29 on the Communications Decency Act affirming the protected status of speech on the Internet. In addition, said the ALA statement's authors, libraries must serve a wide range of users; filtering software is generally designed for families or corporations where centralized controls can successfully be dictated for children or employees. Filtering software imposes unreasonable restrictions on everyone to protect a minority of users; "can impose the producer's viewpoint on the community;" does not "generally reveal what is being blocked, or provide methods for users to reach sites that were inadvertently blocked;" and uses "vaguely defined and subjectively applied" criteria for blocking sites.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-07-06 censorship Internet Germany EDUPAGE The German federal legislature passed a law to prosecute Internet Service Providers that make illegal materials available on-line; e.g., child pornography or Nazi publications. Commentators scoffed that the law was too vague for enforcement and could not be made to apply to international networks. In other developments, government representatives from Canada, Europe, Japan, Russia and the U.S. met in Bonn with officials from ISPs to sort out the issue of regulation and prevent hobbling the new mode of communication.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-07-16 pornography law Australia police filtering censorship Newsbytes The Australian government proposed new laws under the Broadcasting Services Act to make ISPs liable for criminal breaches of the regulations of the Office of Film and Literature Classification and other laws. The Australian Industry Association hailed the proposals as "a sensible balance between community concerns over Internet content and business concerns on over-regulation." Communications Minister Richard Alston stated that the government realizes that it cannot regulate the global Internet, but said the government will help control access by minors so that parents and guardians can prevent abuse.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-07-16 Net filters censorship RISKS 19 24 Another farcical situation was revealed when three counties in New Jersey discovered that their sites are blocked by the notorious AOL "Scunthorpe" filter. All the sites included the three letters "sex" in their names.
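The New Jersey incident is the classic failure mode of a blocklist that matches forbidden terms as raw substrings of a hostname. The following added example (editor's illustration, not code from the original page or from AOL) contrasts that naive substring check with a whole-token check over a constructed sample of hostnames, and counts the false positives and false negatives each one produces.

```python
"""
Constructed demonstration of the "Scunthorpe problem" in hostname filtering.

A substring blocklist rejects harmless names that merely contain a
forbidden term (e.g. the three New Jersey county sites whose names
contain the letters "sex"); a whole-token match avoids those false
positives but can miss terms glued onto other letters.  All hostnames
and the blocklist below are constructed for illustration.
"""
import re

# Constructed blocklist of terms the filter operator intends to block.
BLOCKED_TERMS = frozenset({"sex", "xxx"})

# Constructed sample: (hostname, should_be_blocked).  The first three mirror
# the New Jersey county names described in the text.
SAMPLES = [
    ("sussexcounty.example", False),
    ("essex.example", False),
    ("middlesex.example", False),
    ("library.example", False),
    ("sex.example", True),
    ("free-sex.example", True),
    ("xxx-videos.example", True),
    ("sexvideos.example", True),   # term fused to other letters
]


def naive_substring_block(hostname: str) -> bool:
    """Block when any term occurs anywhere in the hostname (raw substring)."""
    host = hostname.lower()
    return any(term in host for term in BLOCKED_TERMS)


def token_block(hostname: str) -> bool:
    """Block only when a term is a whole token of the hostname.

    Tokens are split on dots, hyphens, underscores and digits, so
    'middlesex' is a single token that does not equal 'sex', while
    'free-sex.example' yields the token 'sex' and is blocked.
    """
    tokens = re.split(r"[.\-_\d]+", hostname.lower())
    return any(tok in BLOCKED_TERMS for tok in tokens if tok)


def evaluate(block_fn, samples):
    """Return (false_positives, false_negatives) of block_fn over samples."""
    false_positives = sum(
        1 for host, should_block in samples if block_fn(host) and not should_block
    )
    false_negatives = sum(
        1 for host, should_block in samples if should_block and not block_fn(host)
    )
    return false_positives, false_negatives


if __name__ == "__main__":
    for name, fn in (("substring", naive_substring_block), ("token", token_block)):
        fp, fn_count = evaluate(fn, SAMPLES)
        print(f"{name:>9} filter: {fp} false positives, {fn_count} false negatives")
```

The token filter removes the three county false positives but misses the fused name, which is the trade-off any blocklist operator must measure before deploying, and why a filter should publish what it blocks and offer an override path, as the ALA statement above demands.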

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-08-24 censorship advertising Net Web law EDUPAGE According to the Investor's Business Daily, the recent deal between tobacco companies and many states would prohibit tobacco advertising on the Internet. Commentators worry that this precedent could cripple online speech from international companies by enforcing the most restrictive laws found anywhere around the world.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-08-26 cellular phones censorship repression Yemen infowar Reuters The Yemeni government suspended cellular phone services to 9,000 residents because of security concerns. The authoritarian government has been fighting a resurgence of terrorism in the country and unfettered communication is clearly seen as a threat to its power.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-09-05 Internet censorship government law AAP Communications Minister Richard Alston announced that the Australian Broadcasting Authority would begin discussions with ISPs to establish new codes of practice to prevent distribution of offensive materials through the Internet.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-09-10 Internet censorship government regulation law content Newsbytes The Office of the Ontario Attorney General suggested that it might make ISPs legally responsible for content made available to Canadians through their facilities. Canada has much stricter regulations on hate-speech, for example, than the US, and such regulations are theoretically possible but difficult to impose in practice because of the international nature of the Internet.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-09-29 censorship government law AP In the United Arab Emirates, hackers are more interested in evading clumsy government attempts to limit access to the Internet than in invading other people's computer systems. Savvy users have been sidestepping government restrictions to access pornography and — even worse — to talk to Israelis. In Saudi Arabia, fear of the Net has prevented any local ISP from being set up, but rich users simply place international long-distance calls to external ISPs.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-10-06 child pornography rape law AP The Pennsylvania legislature unanimously passed a law criminalizing the use of the Internet to lure children or teens into sex acts.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-10-09 child pornography rape censorship law New York Times (Cybertimes) New York Penal Law 235.22 criminalizes the distribution of indecent material online to minors for the specific purpose of inducing them to engage in sexual acts. This law, to take effect 1 Nov 96, has gained the support of free speech advocates and opponents of child pornography alike. It was successfully upheld in the case of People v. Barrows, Justice Alan Marrus of the New York State Supreme Court presiding. He ruled for the first time to uphold an indictment under the luring statute. The case involved a 56-year-old man who is alleged to have tried to lure a 13-year-old virtual girl into a meeting — and arrived equipped with a rope, lubricants and paper towels. He was arrested by a female police officer posing as the child. His attorney protested the grand jury indictment on free speech grounds but lost because, ruled the judge, the element of luring overshadowed speech issues.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-10-14 censorship Web site Globe & Mail, EDUPAGE In October, the Canadian Human Rights Tribunal began an interesting hearing into the possibility of limiting the publication of the writings of notorious Holocaust-denier Ernst Zundel on a Web page physically located in California. EFF Canada President David Jones of McMaster University warned that the law in question was written to handle hate-messages on phone-answering machines and suggested that extending it to deal with the Internet ought to be subject to wide public debate. In an editorial, the Globe & Mail came down, as usual, strongly in favor of free speech. Marginal and delusional cases like Zundel don't deserve the publicity they garner through legal prosecution.

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-10-23 library Internet filtering censorship free speech UPI Members of the Library Board in Loudoun County, VA voted 6-2 in July 1997 to install filtering software on their Internet terminals and to ask adults to request inactivation of the filters when desired. Children aged 16 and younger will have unfettered access to the Internet from Library terminals only when their parents are with them. In October 1997 they voted 5-4 to extend the filtering to adult patrons despite indications from the American Civil Liberties Union that the filtering, when applied to adults, clearly violates First Amendment rights. In February 1998 the ACLU and seven other plaintiffs filed suit on First-Amendment grounds. EDUPAGE noted, "The X-Stop software, which is intended to screen out obscene material or sexually explicit language, is blocking sites that include some mainstream newspapers, a Methodist church, a university women's association, and a safe-sex page for teenagers."

Category 32 Censorship, indecency laws, 1st amendment (law) 1997-11-07 extortion publication Web Internet censorship The Guardian (London) The power of national governments and legal systems to control publication of what they don't like is being eroded by access to the World Wide Web and the rest of the Internet. Ian Katz of _The Guardian_ wrote that Richard Tomlinson, a former MI6 agent charged in November with breaking the Official Secrets Act, had allegedly placed a manuscript of his revealing memoirs on the Internet. Unless the computers received a signal from him once a week, the book would be automatically published on the Internet. In another case of opposition to legal constraints, McDonald's Corporation has proved powerless to prevent availability of critical comments about its food and employment practices on the McSpotlight sites, run by volunteers in 22 countries.

33 Acceptable-use policies, spam & anti-spam (laws, technology)

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-01-17 e-mail evidence slurs racism appropriate use policy AP R. R. Donnelley & Sons, a Chicago printing firm, is being sued by over 500 workers after they were fired. As evidence, the workers' lawyers submitted "165 racial, ethnic and sexual jokes" circulated through the company's e-mail system.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-01-29 e-mail appropriate use threats UPI Between November 1994 and January 1995, two perverts exchanged e-mail describing their sexual excitement at imagining violence against women. Jake Baker described his fantasies of raping a named woman from one of his classes at University of Michigan and was arrested and charged with engaging in interstate communications containing threats to kidnap or injure another person. The federal court in Detroit ruled that these sexually-oriented electronic messages do not constitute a threat and are protected speech subject to the First Amendment rights. At the end of January, the 6th U.S. Circuit Court of Appeals upheld the dismissal.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-01-30 censorship appropriate use EDUPAGE In Oklahoma, federal Judge Wayne E. Alley ruled that the University of Oklahoma was entitled to impose restrictions on access to Internet news groups through its computer systems. The judge reasoned that, "The OU computer and Internet services do not constitute a public forum. There was no evidence at trial that the facilities have ever been open to the general public or used for public communication." The services are therefore not subject to First Amendment controls over restriction of content.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-02-02 censorship acceptable use EDUPAGE Japanese companies and the government are planning to provide facilities for blocking access to various undesirable Web sites and are developing a Japanese analog to the US PICS (Platform for Internet Content Selection) scheme.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-02-06 Spam acceptable use RISKS 18 81 ff 3 Feb: Cyber Promotions Inc. barred from sending junk e-mail to CompuServe subscribers. 4 Feb: enjoined from falsifying its From: addresses in junk e-mail to AOL subscribers. 5 May: Cyber Promotions mail-bombed into system failure by an organized attack by cyber-vigilantes. 6 May: CP computers subjected to an ARP attack (millions of requests for hardware information).

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-02-11 junk e-mail acceptable use EDUPAGE CompuServe won an injunction preventing the cyberscum Cyber Promotions from sending junk e-mail to CompuServe users. Arguments from the defendant's lawyer claiming First Amendment protection for his client were summarily rejected: "[The] plaintiff is not a government agency or a state actor which seeks to preempt defendants' ability to communicate but is instead a private actor trying to tailor the nuances of its service to provide maximum utility to its customers."


Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-02-13 acceptable use RISKS 18 83 The University of Wisconsin-Madison is facing a sexual harassment lawsuit claiming that a former medical professor used campus computers to copy hundreds of pornographic pictures from the Internet. Another employee sued because the professor propositioned her.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-02-16 e-mail acceptable use EDUPAGE EDUPAGE reported: "Early findings of a study of e-mail use at a large mid-Atlantic university suggest there is, in general, no more harassment by e-mail than by telephone or snail mail, but that sexual harassment of women by e-mail is four to five times more likely than racial or ethnic harassment. The Prejudice Institute, a nonprofit group in Baltimore that released the study, found that 10% of the women who responded to its survey said that they received threatening e-mail, while 3% of the survey respondents said they had received racial or ethnic hate mail. (New York Times 16 Feb 97)"

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-02-18 acceptable use RISKS 18 83 ff In mid-February, two black employees of the Citibank NA unit of Citicorp filed a race discrimination lawsuit because of racist jokes allegedly sent via electronic mail by several bank supervisors. The e-mail was identical to a set of racially charged jokes at the center of a lawsuit against Morgan Stanley & Co. The lawsuit asserts that corporate management did little or nothing to stop the distribution of racist materials.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-02-20 junk e-mail spam AP, EDUPAGE Cyber Promotions, the Satan of Spam, gave up trying to find an ISP that would tolerate their behavior and announced that they would form their own ISP specializing in junk e-mail. Sanford Wallace admits that his firm currently sends out 15-20M junk messages a day. Cyber Promotions began serving as an ISP in early March.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-03-02 junk e-mail acceptable use EDUPAGE The Canadian Advertising Foundation is gearing up to receive and act upon consumer complaints about junk e-mail. The Foundation will publicly shame advertisers who use junk e-mail.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-03-04 junk e-mail acceptable use EDUPAGE In Nevada, sending junk e-mail may soon become a misdemeanor. Other states currently considering such laws include CA, VA and CT.


Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-05-07 spam ISP VAN Wired In early May, junk e-mailer Cyber Promotions suffered a number of blows. CompuServe won a permanent injunction against all further harassment of its members without explicit permission for junk e-mail by each recipient, plus legal costs. Then Earthlink won the right not only to bar Cyber Promotions' spewing e-mail engines but also to forbid the use of its services to mask the origin of the junk; in addition, it demanded $3M in compensatory damages. These ISPs join Prodigy and AOL in their successful attack on the deceitful practices of the premier junk e-mailer in the world. In an unrelated development, vigilantes flooded the Cyber Promo site with millions of _arp_ requests for hardware configuration information, bringing the spammer's servers down.

A few weeks later, Earthlink announced a zero-tolerance policy for spammers and those who use the Earthlink name in fraudulent return addresses. It named eight companies. Three offer Internet and financial services: Creative Finance Alternatives, Internet Communications, and New York Internet Center. The other five — Sexy Girls Publishing, LCGM, Real Time Entertainment, S. Maddie Productions and Prosperity Books — offer pornography. These spammers sent 200,000 messages through Earthlink and generated 16,673 complaints (8%).

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-05-08 spam junk e-mail EDUPAGE CompuServe and Cyber Promotions agreed that the junk-mail king would refrain from harassing CompuServe subscribers with unsolicited commercial e-mail. Cyber Promotions also agreed to pay CompuServe $65,000 for legal fees. Unfortunately for us biased anti-spammers, CompuServe agreed to spend $30,000 advertising through Cyber Promotions.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-05-20 appropriate use censorship EDUPAGE The American Library Association published practical guidelines for librarians to help their patrons use the Internet without being pounded for accidental contact with indecent materials. See for details.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-05-22 monitoring appropriate use privacy UPI The American Management Association surveyed more than 900 companies and found that about 35% "monitor employees by recording phone calls or voice mail, checking computer files or e-mail, or videotape them at work."

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-05-22 spam law US RISKS 19 18 ff Two proposals were introduced in the US Congress. The House bill from Chris Smith (R-NJ) was called the "Netizens Protection Act of 1997." The Senate bill was the "Unsolicited Commercial Electronic Mail Choice Act of 1997" from Sen. Murkowski (R-AK). The House bill would extend legislation restricting junk fax; the Senate bill would require junk e-mail to include "ADVERTISEMENT" as the first word of the subject line. ISPs would be required to move toward providing filtering software to bar such tagged e-mail. Critics pointed out that the Senate bill had serious flaws, including no provision for interdicting non-commercial spam. In addition, the proposal for allowing filtering does not deal with the underlying problem: the floods of junk would still enter the Internet and travel to their unwilling recipients before being discarded.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-06-10 spam law EDUPAGE Cyber Promotions was back in court when Web Systems of Houston, TX accused the king of spam of including the plaintiff's Internet domain in a fraudulent return address. The victim received large numbers of offensive messages and huge amounts of bounced e-mail. The plaintiffs said they'd try to turn their suit into a class action to force spammers to use their real e-mail addresses in the REPLY-TO field.


Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-06-12 spam FTC law AP The FTC warned spammers that fraudulent return addresses on junk e-mail and outright scams being advertised through unsolicited e-mail could result in injunctions and fines up to $10,000 per incident for repeat offenders. The Commission invited consumers to contribute information about fraudulent junk e-mail. See for information about the FTC and send copies of junk e-mail that has fraudulent headers or reply-to entries and some physical address to .

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-06-15 spam FTC law EDUPAGE The FTC announced that some of the flood of spam annoying e-mail users is fraudulent, and the Commission intends to find and punish such spammers. Some estimates of spam suggest that up to 30% of the e-mail entering AOL every day is spam.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-06-29 junk spam unsolicited commercial e-mail law AP Donna Murphy Weston, writing for AP at the end of June, summarized several bills before the U.S. Congress in June. "Sen. Robert Torricelli, D-N.J., has proposed a bill that would prohibit junk e-mailers from disguising their identity, continuing to send messages to those who ask to be taken off their list, and using automated programs to cull e-mail addresses from news groups and chat forums." Another proposal, by Sen. Frank Murkowski (R-Alaska), would require labelling of unsolicited commercial e-mail to allow victims to filter the junk out manually or electronically. In the House, Rep. Chris Smith (R-Robbinsville, NJ) wants to ban junk e-mail outright by extending existing telecommunications law (in particular the 1991 Telephone Consumer Protection Act, which protected consumers against abuse of their fax machines) to include computers explicitly "in a ban on transmission of unsolicited ads through telephone lines." Some free-speech advocates object to any government regulation of e-mail at all. Chet Dalzell, speaking for the Direct Marketing Association, claimed, "When you have any new technology, you'll find there are people who'll push the parameters. . . .[b]ut all indications are that marketplace forces will drive development of technology to protect consumers without government regulation."

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-07-06 spam EDUPAGE The Hormel Foods Corporation strongly objects to the use of its trademarked spiced-meat-and-fat-product-in-a-can as a synonym for abuse of the Internet. The company demanded that junk-e-mail panderer Sanford Wallace cease and desist from using "Spam" in its advertising and remove the picture of a can of Spam from its Web site.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-07-07 e-mail policy management InfoWorld Bob Lewis, writing in InfoWorld, recounted the story of an employee who forwarded a mild joke from his boss to three other employees at work using corporate e-mail. As punishment, he was fined a week's pay. Lewis commented that this kind of ham-fisted over-reaction can destroy morale and drive good employees away.


Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-07-29 spam junk unsolicited commercial e-mail AP Several US law-makers expressed interest in stemming the tide of junk e-mail. Sen. Frank Murkowski (R-AK) proposed a law to require marketers to identify themselves, their telephone number, and their physical and electronic addresses, and to clearly label their messages as advertisements. Sen. Robert Torricelli (D-NJ) proposed a bill that would prohibit junk e-mailers from disguising their identity, from using automated programs to gather e-mail addresses from USENET groups, mailing lists and chat forums, and from ignoring REMOVE messages. Rep. Chris Smith (R-NJ) wants an all-out ban on spam by broadening existing telecommunication laws to extend the ban on transmission of unsolicited ads through telephone lines to Internet messages.

The ACLU (American Civil Liberties Union) and CDT (Center for Democracy and Technology) argue that government interference with junk e-mail would be in violation of First Amendment protection on speech. Many free-speech advocates support the use of civil law to sue junk e-mailers for damages and to apply cease-and-desist orders. The Direct Marketing Association expresses horror at the thought of government intervention. Chet Dalzell of the DMA says, "When you have any new technology, you'll find there are people who'll push the parameters. But all indications are that marketplace forces will drive development of technology to protect consumers without government regulation."

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-08-05 spam netiquette EDUPAGE, AP In August, a coalition of system administrators blocked all inbound e-mail from UUNET, accusing the ISP of refusing to curb its spammers. Within a few days, UUNET officials grudgingly responded and began to deal with the problem.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-08-06 spam junk unsolicited commercial e-mail Newsbytes Ron Schwartz is a co-author of the textbook "Using Vbscript." He is also an anti-spam activist. When reports surfaced of unsolicited commercial e-mail from AMAZON.COM, however, Schwartz fought back by posting a request on his AMAZON Web page telling people to buy the book elsewhere. AMAZON rejected accusations that it was using spam and insisted that it sends e-mail only to people who have signed up for such announcements.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-08-07 spam hacking vandalism information warfare Newsbytes An angry hacker posted a 931 Kb file to several USENET groups containing many details of Cyber Promotion's user-IDs, passwords and all of the Internet domains hosted by this company. These included such junk-mailers as answerme.com, cheapcalls.com and savetrees.com as well as many pornography sites such as slutpics.com, nudeteens.com and oralsexpictures.com. The hacker pointed out that Cyber Promotions is the host of "the ever-popular godhatesfags.com domain" which specializes in hate-speech. In addition, the hacker warned Netcom that Cyber Promotions looks at their system every ten minutes to find new e-mail addresses for its junk e-mail lists.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-08-11 Internet browsing policy law monitoring PA News Barclays Bank reported its own employees to the British police after staff were found downloading pornography from the Internet.


Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-08-11 appropriate use games porn Internet Web policy productivity AP Maggie Jackson, writing for Associated Press, reported on trends in appropriate-use policies for access to the Web. Some employees note that the Web is so interactive and stimulating that it can be seductive — entire days can be frittered away in fun and games. Employees who download and display pornography and hate propaganda are potentially contributing to a hostile work environment, which in turn can lead to expensive lawsuits and huge fines for the employer. Some organizations have installed filters and find that these programs can help; others have taken a more liberal approach and simply measure the total usage of the Web. Those who seem to be online excessively are warned in a friendly way, and self-policing seems to be getting the desired effects.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-08-12 spam USENET policy cancelbots NoCeM ZDNet News Matthew Broersma, writing in ZDNet News, reported on the volunteer spam-cancelers — USENET administrators who delete junk postings. Using cancelbots, the administrators can catch postings from known spammers or identify multiple postings of the same message to one or more groups. Another tool for fighting spam on the USENET is NoCeM, which uses shared lists of spammers to blank out such messages from News readers.
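The two detection rules described above (known-spammer senders, and the same body posted to many groups) as an added worked example; this is not the code of any real cancelbot or of NoCeM, and the articles, sender domains and threshold are constructed for the demonstration.

```python
"""Flag USENET articles the way a volunteer spam-canceler would:
articles from known spammers, and identical bodies posted to many groups.
Added illustration only; all sample data below is constructed."""
import hashlib
import re
from collections import defaultdict

# Constructed sample articles, reduced to the header fields needed here.
SAMPLE_ARTICLES = [
    {"message_id": "<1@example.invalid>", "from": "bulk@spammer.example",
     "newsgroups": ["alt.test", "misc.misc"],
     "body": "MAKE MONEY FAST!!! Call now."},
    {"message_id": "<2@example.invalid>", "from": "bulk@spammer.example",
     "newsgroups": ["rec.arts.sf"],
     "body": "make money fast! Call now."},
    {"message_id": "<3@example.invalid>", "from": "bulk@spammer.example",
     "newsgroups": ["comp.risks"],
     "body": "Make   money fast!  Call now."},
    {"message_id": "<4@example.invalid>", "from": "alice@uni.example",
     "newsgroups": ["comp.risks"],
     "body": "Has anyone measured the bandwidth cost of cancel floods?"},
    {"message_id": "<5@example.invalid>", "from": "mallory@known-spammer.example",
     "newsgroups": ["sci.crypt"],
     "body": "Cheap long-distance calls, see our site."},
]

# Constructed shared list of spammer domains (the NoCeM-style input).
KNOWN_SPAMMERS = {"known-spammer.example"}

# A body seen in more than this many distinct groups counts as multi-posting.
MULTIPOST_THRESHOLD = 3


def body_fingerprint(body):
    """Hash the body after collapsing case, whitespace and punctuation, so
    trivial reformatting between copies does not defeat the comparison."""
    canonical = re.sub(r"[^a-z0-9]+", " ", body.lower()).strip()
    return hashlib.sha256(canonical.encode()).hexdigest()


def sender_domain(addr):
    """Domain part of a From: address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def groups_per_fingerprint(articles):
    """Map each body fingerprint to the set of groups it reached, counting
    cross-posts and separate postings of the same text alike."""
    groups = defaultdict(set)
    for art in articles:
        groups[body_fingerprint(art["body"])].update(
            g.lower() for g in art["newsgroups"])
    return groups


def flag_articles(articles, known_spammers=KNOWN_SPAMMERS,
                  threshold=MULTIPOST_THRESHOLD):
    """Return {message_id: reason} for articles a canceler would act on.
    Detection only: nothing here issues cancel messages."""
    groups = groups_per_fingerprint(articles)
    flagged = {}
    for art in articles:
        if sender_domain(art["from"]) in known_spammers:
            flagged[art["message_id"]] = "known spammer"
        elif len(groups[body_fingerprint(art["body"])]) > threshold:
            flagged[art["message_id"]] = "excessive multi-posting"
    return flagged


if __name__ == "__main__":
    for mid, reason in sorted(flag_articles(SAMPLE_ARTICLES).items()):
        print(mid, reason)
```

Lowering the threshold is how the filter becomes over-eager: the false cancels Keith Lynch complains about below come from exactly this trade-off.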

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-08-20 spam costs RISKS 19 32 Keith Lynch commented in RISKS that spam is having unexpected consequences on the Net because of attempts to counter floods of unwanted mail. He suggests that, among other problems, spam-filters often discard non-junk e-mail; writers aware that the USENET and mailing lists are a rich source of e-mail addresses for spammers may reduce their postings and remove their articles from archives; fraudulent return addresses lead to harassment of innocent victims.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-09-02 spam privacy EPIC CDT Wired A clerk at Experian erroneously issued a press release announcing support for the company's "EHI" anti-spam solution from the Electronic Privacy Information Center (EPIC) and the Center for Democracy and Technology (CDT). Unapologetic Experian director Ian Oxman dismissed public repudiation by EPIC's Marc Rotenberg by snapping, "I think the people who understand the plan won't pay any attention to Marc's sniping. Marc doesn't know what he's talking about." Unfortunately for Mr Oxman, Marc Rotenberg is highly regarded in the online world for his intelligence and integrity.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-09-02 spam forgery trademark lawsuit defamation Wired In mid-April, two well-known science fiction aficionados began receiving a flood of outraged correspondence and a tide of bounce messages when someone used James MacDonald's online pseudonym, "yog," to spam the world with propaganda for his own science-fiction site. In August, MacDonald and his colleague Jeffry Dwight launched a civil suit against Carlos Lattin, who allegedly sent the spam, charging him with illegal misappropriation of MacDonald's name and also with "trademark infringement, unfair competition, defamation, deceptive trade practices, and false designation of origin."

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-09-25 ethics appropriate use guidelines universities colleges EDUPAGE Across the US, academic institutions have been increasing their efforts to train their students in ethical use of computer systems and networks. Some, such as University of Delaware and Cornell University, are making permanent user IDs contingent on successful completion of appropriate-use courses and tests.


Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-10-02 junk e-mail unsolicited commercial spam law UPI In another attempt to use civil law to stop abuse of the Net, AOL sued Over the Air Equipment Inc. for refusing to stop sending AOL customers junk e-mail. In addition, the suit alleges, the defendant used false e-mail headers and illegally used AOL trademarks to lend a spurious air of authenticity to their junk.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-10-03 spam unsolicited commercial e-mail ISP denial of service Newsbytes, PR Newsbytes, ZDNET Apex Global Internet Services (AGIS) sadly had to reconnect Cyber Promotions to the Internet after a court ruled that the ISP must give the junk-e-mail sender 30 days' notice before cutting off its service. The disgusted ISP had cut off Cyber Promotions and several other spammers in late September, to reduce attacks on its network by anti-spam vandals, after going down under a barrage of pings apparently directed at harassing the spammers. Later in October, Sanford "Spamford" Wallace was quoted in the New York Times as saying that his firm would not be much affected by being thrown off AGIS because it now serves the other parasites who send junk e-mail by supplying consulting services.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-10-06 spam unsolicited commercial e-mail TechWeb Some USENET veterans banded together to re-establish the style of trusted interactions that characterized the USENET before know-nothing scum flooded the Net with unsolicited commercial postings. According to some studies, 80% of the total traffic on the current USENET is now garbage. USENET2 would establish a new top-level domain called net.* and would require all participants to guarantee they would govern their users to prevent spam. In addition, participating ISPs would block all postings with forged headers.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-10-19 junk e-mail regulation PR Newswire, EDUPAGE Apex Global Internet Services, Inc (AGIS) of Dearborn, MI, demanded that all members of the Internet E-Mail Marketing Council (IEMMC) stop sending bulk e-mail through the AGIS network. The chief culprits in the ongoing spam wars, Cyber Promotions, Cybertize E-mail, Integrated Media Promotions, ISG, and Quantum Communications, agreed to stop using AGIS for their junk e-mail as of 97.05.25. The IEMMC proposes to serve as a voluntary watchdog for the junk e-mail industry; however, it is entirely unclear how voluntary agreements among members of the IEMMC could possibly influence non-members, such as the amateurs who use high-volume junk e-mail generators in pursuit of hare-brained and usually fraudulent get-rich-quick schemes. In October, AGIS terminated all services to Wallace's company, but he said it no longer mattered to him — he now serves primarily as a consultant.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-10-20 spam free speech unsolicited commercial e-mail COMTEX Newswire (Newsbytes) Rebecca Vesely stepped into a cross-fire in October when, writing in Wired, she announced that unsolicited commercial e-mail (UCE, "spam", "junk e-mail") is protected speech under the 1st Amendment to the Constitution of the United States and therefore there's nothing anyone can do about it. Wrong, said critics: just because commercial speech is protected against government interference in a public place it does not mean that private resources such as our e-mail accounts can be used with impunity by spammers.

Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-10-21 spam civil litigation lawsuit EDUPAGE EDUPAGE reported, "America Online is suing Prime Data Worldnet Systems for evading AOL's anti-spamming measures to send large quantities of unsolicited email messages to America Online subscribers."


Category 33 Acceptable-use policies, spam & anti-spam (laws, technology) 1997-11-13 spam civil lawsuit damages fraud ISP Business Wire SimpleNet, a San Diego ISP, filed suit against several originators of spam. The plaintiff demanded an injunction to stop the spam and damages for the trouble the unsolicited e-mail caused. They also asked the San Diego County District Attorney's Office to consider bringing criminal charges under the California Data Access and Fraud Act. The defendants allegedly used forged headers to avoid identification for the hundreds of messages per hour which bombarded the ISP.

33.1 Acceptable use policies

Category 33.1 Acceptable use policies 1997-06-05 appropriate use net filter productivity Internet Web EDUPAGE A recent thesis on employee use of the Web for entertainment while being paid for work suggests at least a couple of hours of productivity per week down the tubes. Other more informal estimates range from 5% to 40% lost time. In addition, such goofing-off consumes network resources; pornography and games take up a lot of bandwidth.

34 Net filters, monitoring (technologies)

Category 34 Net filters, monitoring (technologies) 1997-01-17 Web monitoring filtering PA News CyberGuard introduced their Webtrack package to create audit records of where employees surf to on the World Wide Web. Employers have expressed concern about the amount of time that employees can waste by surfing the Net without discipline.

Category 34 Net filters, monitoring (technologies) 1997-01-23 Spam RISKS 18 79 Filtering to refuse junk e-mail can lead to problems when the filters contain misspellings. Legitimate sources of e-mail can then be rejected because of similarities to the offending domain names.

Category 34 Net filters, monitoring (technologies) 1997-03-25 appropriate use censorship PR Newswire WebAware, Inc. announced its new WebPrints product, which allows parents and corporate supervisors to see exactly which Web pages have been browsed by the users they supervise. See for details. The product would appear to work only if the users being audited are unaware that they can empty their cache of images at the click of a button. By July, the URLs listed in the Yahoo directory were inoperative.

Category 34 Net filters, monitoring (technologies) 1997-03-25 spam filter EDUPAGE An enraged programmer from California has developed software called Dead Bolt that allows victims of spam to pool their blacklists and thus improve anti-spam filtering. Critics charge that the system may be vulnerable to abuse if innocent people's addresses are fraudulently added to the list of spammers.

Category 34 Net filters, monitoring (technologies) 1997-03-27 pornography filters EDUPAGE, AP Filtering technology is still relatively crude, with amusing false positives and the possibility that objectionable Web sites can evade restrictions by avoiding key words used by the filters.

Category 34 Net filters, monitoring (technologies) 1997-06-26 censorship decency children online CDA PR Newswire The Children's Partnership announced its publication _The Parents' Guide to the Information Superhighway: Rules and Tools for Families Online._ See . According to their press release, "The _Parents' Guide_ provides strategies and tips for parents to use to help their children benefit from computer technologies and online resources, while helping to ensure that their children will be safe while exploring the Information Superhighway. The guide includes age-specific tips for online activities as well as listings of blocking device software."


Category 34 Net filters, monitoring (technologies) 1997-06-30 censorship pornography filter AP Calvin Woodward of the Associated Press investigated the effectiveness of computerized smut filter programs. A test of Cyber Patrol, a popular tool for parental controls, showed inconsistent results when tested with requests including words such as "personal," anything but "ducks" ending in "-ucks," and words containing "sex" (although the subtlety was improved, with Anne Sexton's work and geographical place names being passed through), and spotty results in the "health" and "sex education" areas. Experts continue to warn that no programmatic filter can replace parental involvement with their children's Web surfing.
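The inconsistent results Woodward found are what a labelled test corpus exposes before a filter is deployed. The harness below is an added example, not Cyber Patrol's code or word lists: it scores three constructed rules (bare substring matching, a "-ucks" suffix rule with a "ducks" exception, and whole-word matching behind a reviewed allowlist) against a constructed corpus that also includes the keyword-avoidance case from the 1997-03-27 entry above.

```python
"""Score keyword-filter rules for false positives and false negatives.
Added illustration only; the rules, word lists and corpus are constructed
and do not reproduce any real product's lists."""
import re

# Constructed block list and allowlist standing in for a filter's word rules.
BLOCKED_WORDS = ["sex", "sucks"]
ALLOWED_TERMS = ["sexton", "essex", "middlesex", "sex education"]

# Constructed test corpus: (text, should_be_blocked).
CORPUS = [
    ("The ducks swam across the pond.", False),
    ("Trucks and buses block the road.", False),
    ("Anne Sexton's poems are on the reading list.", False),
    ("Essex and Middlesex are English counties.", False),
    ("Sex education curriculum for grade 9.", False),
    ("Explicit sex pictures inside!!!", True),
    ("Expl1cit s3x pictures inside!!!", True),   # keyword avoidance
    ("This site sucks, avoid it.", True),
]


def substring_filter(text):
    """Naive rule: block if a listed word occurs anywhere, even inside
    another word ("Sexton", "Essex")."""
    lower = text.lower()
    return [w for w in BLOCKED_WORDS if w in lower]


def suffix_filter(text):
    """Rule of the '-ucks' kind: any word ending in 'ucks', with 'ducks' as
    the single hard-coded exception."""
    return [m for m in re.findall(r"\b\w*ucks\b", text.lower()) if m != "ducks"]


def word_filter(text):
    """Whole-word matching after blanking out reviewed allowlist terms, so
    multi-word exceptions such as 'sex education' survive."""
    lower = text.lower()
    for term in ALLOWED_TERMS:
        lower = re.sub(r"\b" + re.escape(term) + r"\b", " ", lower)
    return [w for w in BLOCKED_WORDS
            if re.search(r"\b" + re.escape(w) + r"\b", lower)]


def evaluate(rule, corpus=CORPUS):
    """Count clean texts the rule blocks (false positives) and objectionable
    texts it lets through (false negatives)."""
    fp = fn = 0
    for text, should_block in corpus:
        blocked = bool(rule(text))
        if blocked and not should_block:
            fp += 1
        if should_block and not blocked:
            fn += 1
    return {"false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    for rule in (substring_filter, suffix_filter, word_filter):
        print(rule.__name__, evaluate(rule))
```

Whole-word matching removes the false positives in this corpus but the obfuscated "s3x" line passes every rule, which is the evasion by keyword avoidance that no word list closes.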

Category 34 Net filters, monitoring (technologies) 1997-07-25 Web vandalism PA News Allied Domecq, British makers of Barking Frog "alcopop" (alcoholic beverages that can hook children into alcohol dependency) offered its young victims the opportunity to build their own mini-Web-sites on its own Web site. Although the company normally screens such personal pages, it missed one in which someone posted references to the Devil and advice on how to masturbate. Embarrassed by these references (but not by selling alcohol to kids), the company pulled this feature from its Web site.

Category 34 Net filters, monitoring (technologies) 1997-07-30 pornography ISP AP CompuServe announced new regulations that would require its 5.4 million customers to register for access to "adult" materials online. Confirmation of such registration will be mailed to the account holders.

Category 34 Net filters, monitoring (technologies) 1997-08-17 Internet pornography games AP Parents and residents of Dunblane, Scotland as well as many others were shocked and disgusted when a warped user of Virgin Net, a London ISP, created and distributed a computer game where players gained points by killing children. The ISP terminated the account of the creator of this disgusting exercise as soon as it was brought to their attention.

Category 34 Net filters, monitoring (technologies) 1997-08-27 e-mail filter children education Internet Newsbytes A new consortium began providing e-mail for children in September. Called "WhoWhere?", the consortium includes The Lightspan Partnership and Computers for Education. Because most schools cannot provide one computer for each child, WhoWhere stores its e-mail centrally. Children access their e-mail from any terminal or computer. The service includes e-mail filtering to protect the children against inappropriate content. See for more information.

Category 34 Net filters, monitoring (technologies) 1997-09-11 pornography filter DPA In Darmstadt, Germany, US scientist James Ze Wang presented Internet pornography filtering software based on pattern recognition of images. Porno-Blocker should be available soon with support from Stanford University, which owns commercial rights to Dr Wang's invention.

Category 34 Net filters, monitoring (technologies) 1997-10-05 pornography statistics appropriate use policy EDUPAGE, OTC According to the EDUPAGE editors, "A study conducted by Digital Detective Services found that one in four corporate computers investigated contained pornographic files, including some cases of child porn. The study was based on 150 investigations over an 11-month period. (Investor's Business Daily 3 Oct 97)" The firm, based in Falls Church, VA, also reported that many small and medium firms have no formal policies on Internet use. Relying on self-policing does not work.


Category 34 Net filters, monitoring (technologies) 1997-10-26 anti-spam proxy server EDUPAGE Lucent Technologies announced the Personalized Web Assistant as an anti-spam system that filters out unwanted commercial e-mail. Lucent said they might offer the product to ISPs as a value-added feature for e-mail users.

34.1 Net filters

Category 34.1 Net filters 1996-12-20 net filter censorship Netly News http://cgi.pathfinder.com/netly/editorial/0,1012,453,00.html In July 1996, Declan McCullagh and Brock Meeks, authors of the aggressively confrontational and always interesting "Cyberwire Dispatch," revealed the hidden political agenda of Solid Oak Software, makers of the CyberSitter net filter. It seems the lightly encrypted list of forbidden sites included not only pornography purveyors but also the Web page of the National Organization for Women, the International Gay and Lesbian Human Rights Commission, and even sites critical of CyberSitter and Solid Oak. In December 1996, McCullagh reported on the responses of Brian Milburn, President of Solid Oak Software. In quick succession, he and his lawyers
* accused the writers of decompiling his copyrighted software in violation of the Solid Oak copyright and threatened criminal prosecution (which never materialized);
* demanded that several Web sites critical of their product be shut down and the Web site managers expelled from their ISPs.
Think twice about what kind of automated controls you choose to put on your computers. You may be filtering more than you thought you would.

35 DNS conflicts, trademark violations (Net, Web)

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-02-12 Internet DNS domain names AP In February, the International Ad Hoc Committee proposed seven new top-level domains:
.store — businesses offering goods
.info — information services
.nom — personal sites
.firm — businesses or firms
.web — entities emphasizing the World Wide Web
.arts — cultural groups
.rec — recreational or entertainment activities

These proposals were greeted with expressions of horror and outrage by members of the Association for Interactive Media and the Open Internet Congress, whose heated press release termed the proposals "an attempted takeover." In a Question and Answer section, the opponents of the IAHC write, "The Internet is likely to break apart on October 15, 1997. That is the date that the coup leaders intend to re-route the Internet to be under their control against the advice of those who keep things running smoothly today. When they rip the essential root servers off the Internet backbone, the entire system may begin to fragment. Your email will be returned and your Web site visitors will be turned away. These organizations have refused to recognize the validity of the registries that ensure that traffic is successfully delivered to .com, .org, and .net addresses. Serious concern has arisen over the possibility of malicious viruses and Trojan Horses being hidden in the software that runs the Internet."

See for details.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-02-20 Internet DNS domain names PA News Organizations that fail to register domain names appropriate for them may be losers on the Net, according to Giles Turnbull of PA News. For example, www.smarties.com has nothing to do with the popular multicolored candy; instead, it posts pornography. Experts urge

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-02-27 Internet domain hijackings DNS Reuters As companies recognize the value of the Net, newcomers are finding that their names have been hijacked by speculators who registered obvious domain names in the hope of selling them back to the legitimate users at a high price. Some victims are going to court, charging trademark infringement. Others are paying fees of up to $150,000 to gain control of domain names that they feel they need for their business.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-04-20 Internet DNS domain names EDUPAGE Network Solutions, Inc. proposed that the FCC temporarily take over registration of top-level domain names in the DNS until a world-wide system can be agreed upon. A few days later the National Science Foundation announced that it is washing its hands of the whole DNS mess and wants the Internet community to manage domain naming any damn way it wants to. In July, reports surfaced that the U.S. Department of Justice was investigating Network Solutions Inc. for possible antitrust violations in its monopoly control of the DNS.


Category 35 DNS conflicts, trademark violations (Net, Web) 1997-05-04 Internet DNS domain names EDUPAGE Fifty-seven companies signed the DNS management proposals put forth by the International Ad Hoc Committee to create seven new top-level domains and establish 28 new DNS registrars. In addition, 23 other companies indicated their intention to sign. However, unless the agreement is universal, it may lead to confusion in the DNS with disastrous consequences for the Internet.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-05-15 DNS QA Internet domain names RISKS 19 15 The Association for Computing Machinery may have forgotten to pay its DNS renewal of $50, or maybe the InterNIC fouled up; but in any case, for a brief period in May the ACM was out of reach of Internet e-mail.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-06-03 Internet trademark EDUPAGE Honors Technologies Inc. of Reston, VA, runs automatic teller machines for about 450 financial institutions. In 1990, it was called Internet, Inc. and registered the word "Internet" as a trademark in the U.S. Now Honors Technologies executives are upset by the widespread use of the word "Internet" in banking and have sent lawyers' letters to other companies warning them to stop using that word. The Internet Society protests the whole idea that "Internet" is a valid trademark and wants the registration rescinded.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-06-03 trademark DNS Internet domain names conflict EDUPAGE Microsoft lawyers are huffing and puffing over the registration of a dozen and more DNS entries such as "microsoftnetwork.com" by a college student in California. According to Microsoft, he "is clearly involved in copyright infringement, trademark infringement and unfair trade practices. We will try to contact him and request him to stop. Failing that, we'll send a cease-and-desist letter requesting he stop infringing upon our name."

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-06-05 Internet DNS domain names speculation parasites extortion EDUPAGE Speculation on Internet domain names increased with the announcement of plans to extend the range of top-level domains. One speculator claims to have received 1,800 pre-registrations of specific names at $15 a pop, with $35 more due if he actually gets the name for his anxious clients. In Houston, a company is claimed to have paid $150,000 to buy the rights to "business.com" from the British firm that registered it four years before.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-07-08 Internet DNS domain names speculation parasites extortion OTC William Dutcher reported on the growing traffic in reserved Internet domain names in an article in July. It seems that many larger firms are paying good money to gain control of domain names they want; prices range from a few thousand dollars to a million dollars for "billgates.com". Some speculators have been registering thousands of likely domain names hoping to find victims who will pay for their reserved names. It's difficult to find any redeeming social value in such practices, any more than in the actions of ticket scalpers. These people are equivalent to parasites, taking advantage of an economic niche and exploiting others for no benefit to anyone except themselves.


Category 35 DNS conflicts, trademark violations (Net, Web) 1997-07-14 trademark DNS Internet domain names conflict OTC NASA and the FTC both complained to Network Solutions Inc. about the site "nasa.com" which, they allege, violates The National Aeronautics and Space Act of 1958. This Act, "as amended, clearly prohibits the knowing use of the letters 'NASA' in connection with a product or service 'in a manner reasonably calculated to convey the impression that such product or service has the authorization, support, sponsorship, or endorsement of [NASA]. . . ." when such authorization etc. do not exist. However, some legal experts doubted that the Act would apply to the "nasa.com" site, which included a picture of boxer Evander Holyfield's ear and pointed to a pornographic site but could not be construed as being approved by NASA. Network Solutions responded to the legal pressure by removing the site's DNS entry.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-07-17 Internet DNS domain names corruption hacking diddling EDUPAGE After a competitor of Network Solutions deliberately introduced fraudulent entries into the DNS, corruption spread rapidly throughout the world to other DNS servers. Many addresses in the .com and .net domains were unreachable as a result of the hack and users found their e-mail undeliverable and their Web sites unreachable.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-07-25 Internet DNS domain names corruption hacking diddling Inter@ctive Week Online Eugene Kashpureff filed fraudulent information with InterNIC for its DNS updates in July, forcing domain name servers around the globe to recognize temporary and unauthorized Internet addresses ending in .xxx, .mall, .nic and .per. A few weeks later, he inserted false information that forced people trying to access the Web site of Network Solutions Inc. to end up at Kashpureff's Alternic site. Alternic is fighting NSI's monopoly over the .com, .net, .edu, .gov and .org domains. Kashpureff faced civil suits from NSI for damages and may face criminal charges of computer trespass.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-07-29 Internet DNS domain names law Reuters At the end of July, the Information Technology Association of America brought together parties interested in the Domain Name System to resolve conflicts over expansion of top-level domains. With termination in March 1998 of Network Solutions Inc.'s monopoly on .com, .edu, .net and .org, efforts to control the DNS increased in sharpness and urgency.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-08-03 trademark DNS Internet domain names conflict EDUPAGE In yet another conflict over scarce domain names, an American firm — Prince Sports Group — is protesting the allocation of "prince.com" to a British firm — Prince Plc. A British court refused the US company's plea, but the companies are now in litigation in the USA.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-08-11 DNS spoof fraud vulnerability WebWeek http://www.webweek.com:80/current/infrastructure/19970811-secure.html Two weeks after Eugene Kashpureff contaminated the DNS by inserting fraudulent pointers to his own AlterNIC site, he claimed to be working with victim Network Solutions Inc. to improve DNS server software to prevent similar attacks. The attack appears to have succeeded because servers freely accepted a "helpful hints" field in replies, which can trick a server into associating a requested name with some other, unauthorized address on the Net. The IETF continued its work on a new secure DNS that would include cryptographic authentication of all DNS server updates, including controls over the "helpful hints" field. In November, Kashpureff was arrested by Canadian Immigration officials and handed over to the FBI on a warrant for violations of computer crime statutes.
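The Kashpureff incidents above turned on what this entry calls the "helpful hints" field; in DNS terms that is the additional section of a reply, where a server may volunteer address records it was not asked for. The following is an added example, not code from the page, from NSI or from the IETF: it models a resolver cache that trusts every record in a reply beside one that applies a bailiwick check, accepting a record only when its owner name lies in the zone the answering server was asked about. The names, the addresses (RFC 5737 documentation range) and the poisoned reply are all constructed for the demonstration.

```python
"""Added example, not from the 1997 reports: how a resolver cache is poisoned
by unsolicited "additional" records, and the bailiwick check that stops it.
Names and addresses are constructed (RFC 5737 documentation range)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """A resource record as a resolver sees it after parsing a reply."""
    name: str    # owner name, absolute ("www.example.net.")
    rtype: str   # "A", "NS", ...
    rdata: str   # address or target name
    ttl: int = 3600


@dataclass
class Reply:
    """The three record sections of a DNS response message."""
    qname: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is `zone` or lies beneath it, compared label by label
    (a plain string-suffix test would accept evilexample.net for example.net)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


class ResolverCache:
    def __init__(self, check_bailiwick: bool) -> None:
        self.check_bailiwick = check_bailiwick
        self.records: Dict[Tuple[str, str], RR] = {}

    def ingest(self, reply: Reply, zone: str) -> List[RR]:
        """Cache the records in `reply`, which came from a server the resolver
        asked because it is authoritative for `zone`. Returns the records
        rejected as lying outside that server's authority."""
        rejected: List[RR] = []
        for rr in reply.answer + reply.authority + reply.additional:
            if self.check_bailiwick and not in_bailiwick(rr.name, zone):
                rejected.append(rr)
                continue
            self.records[(rr.name.lower(), rr.rtype)] = rr
        return rejected

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        rr = self.records.get((name.lower(), rtype))
        return rr.rdata if rr else None


# Constructed reply from a server for alternic.net. The answer is legitimate;
# the second additional record is the "helpful hint": an address for a name
# in a different zone, which a trusting resolver caches and then serves.
POISONED_REPLY = Reply(
    qname="www.alternic.net.",
    answer=[RR("www.alternic.net.", "A", "192.0.2.10")],
    additional=[
        RR("ns1.alternic.net.", "A", "192.0.2.53"),   # legitimate glue
        RR("www.internic.net.", "A", "192.0.2.10"),   # out of bailiwick
    ],
)


def resolve_after_poisoning(check_bailiwick: bool) -> dict:
    """Feed the constructed reply to a cache and report what it now believes."""
    cache = ResolverCache(check_bailiwick)
    rejected = cache.ingest(POISONED_REPLY, zone="alternic.net.")
    return {
        "www.internic.net.": cache.lookup("www.internic.net.", "A"),
        "ns1.alternic.net.": cache.lookup("ns1.alternic.net.", "A"),
        "rejected": [rr.name for rr in rejected],
    }
```

With the check off, resolve_after_poisoning(False) shows the cache answering 192.0.2.10 for www.internic.net., which is the redirection of NSI's site reported above; with it on, that record is rejected while the legitimate glue for ns1.alternic.net. is kept. The label-by-label comparison matters: a plain string-suffix test would let evilalternic.net. pass as lying under alternic.net.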


Category 35 DNS conflicts, trademark violations (Net, Web) 1997-08-26 Internet DNS domain names InterNIC availability integrity QA RISKS 19 34 When the InterNIC, run by Network Solutions Inc. (Herndon, VA), lost the $50 payment for renewal of a customer's DNS entry, the consequences were unusually public: NASDAQ was off the net for several hours on 19 Aug 97.

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-10-03 Internet DNS domain names law Wired In response to the efforts by the Geneva-based International Ad Hoc Committee to rationalize top-level domains in the Internet, US House members began considering legislation to force all registration entities to be located in the USA. "American taxpayers, companies, and government built the Internet," said Rep. Chip Pickering (R-Mississippi), chairman of the House Science subcommittee on Basic Research. Speaking at the second domain-name hearing, he said, "This is something uniquely American."

Category 35 DNS conflicts, trademark violations (Net, Web) 1997-10-16 trademark DNS Internet domain names conflict EDUPAGE In Britain, several firms joined in a court case demanding that cybersquatters One In A Million Ltd stop using Internet domain names that violate their trademarks.

38 Consumer/employee privacy, profiling, trade in personal information

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-01-21 Cookies RISKS 18 78 Some Web sites pass cookies along to the next URL visited, and those cookies can include sensitive information.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-01-24 phone fraud PA News In Britain, the Telecommunications Fraud Bill cleared the Commons and the Lords. The law makes telecommunications fraud and the possession of equipment to perpetrate such fraud an arrestable offense, punishable by up to five years in jail.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-02-02 cellular phone privacy PA News Civil liberties groups in Britain condemned the use of cell phones as "tags" allowing tracking of the carrier without permission.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-02-09 privacy cellular phones AAP In Australia, the chair of the New South Wales Privacy Commission warned that cellular phones emit a tracking signal at least every half hour if they are on; such signals could be used by telecommunications companies or criminal hackers to track the phones. However, a spokesperson for Telstra, the Australian telecommunications company, said that such tracking is extremely difficult and expensive.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-04-03 Social Security database privacy SSN RISKS 19 5 Simson Garfinkel published a detailed analysis of the Social Security debacle that followed when the SSA put its PEBES (Personal Earnings and Benefit Estimate Statement) system on its Web site for free access. Requests were validated by Social Security Number plus only the mother's maiden name and state of birth, and no one has any idea how many of them were fraudulent. Three days after the Garfinkel column, the site was shut down. It reopened in September with careful modifications (earnings histories were removed from the display) to prevent abuse.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-04-10 Privacy EDUPAGE The U.S. Social Security Administration shut down the Web page where it provided detailed information about individual income and retirement benefits after complaints that anyone could access anybody's records merely by providing widely available data: name, address, telephone number, place of birth, Social Security number, and mother's maiden name.


Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-04-17 privacy law EDUPAGE According to EDUPAGE editors John Gehl and Suzanne Douglas, "Senators Dianne Feinstein (D, California) and Charles Grassley (R, Iowa) . . . introduced legislation that would bar commercial use of Social Security numbers and make it illegal for credit bureaus to disseminate Social Security numbers, unlisted phone numbers, birthdates, or individuals' mothers' maiden names. In the House of Representatives, Congressman Paul E. Kanjorski (D, Pennsylvania) submitted legislation that would create a Commission on Privacy of Government Records and ban Social Security or Internal Revenue Service records from being posted on the Internet without an individual's written permission. (Washington Post 17 Apr 97)"

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-05-07 privacy medical online Wired In California, Rep. Liz Figueroa (D-San Francisco Bay Area) moved ahead with her proposal to put physicians' professional records online. She agreed to remove the controversial inclusion of malpractice settlements (often agreed to simply to avoid costly legal fees). Other sensitive matters, however, continue to be included in the public information: doctors' education, malpractice history, and disciplinary history in hospitals, especially when based on alcohol or other drug abuse.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-06-01 law harassment anonymity Internet privacy EDUPAGE In Florida, the state attorney's office reluctantly concluded that there is no valid state statute making it illegal for creepy perverts to publish libelous information anonymously on the Net. The case started with 19-year-old weirdoes who alleged that one of their teachers and another student were involved in homosexuality. Although Florida does have a law forbidding "anonymous publication of material that holds a person up to ridicule or contempt," the legal experts concluded that such a limitation on speech is unconstitutional.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-06-10 privacy database FTC EDUPAGE Lexis-Nexis and seven other large U.S. personal-information database companies agreed to apply modest controls to their products such as restrictions on what kind of personal information they store and refusing to integrate market-data such as purchasing preferences into their records. However, defenders of privacy worried that the controls had no provisions for monitoring of compliance with and enforcement of these rules.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-06-12 privacy RISKS 19 22 In a move that had privacy advocates howling with horror, The Public Link Corp. of Dallas, TX installed a database lookup service on their Web page that allows anyone to find the address of the owner of a vehicle with Texas license plates. The opportunities for abuse include targeting owners of expensive automobiles for theft and providing stalkers with an easier way of locating their victims.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-06-16 privacy workplace monitoring Dow Jones, Wall Street Journal The Japanese firm that controls the widespread 7-Eleven stores in the US proposed in June to equip its point-of-sale (POS) terminals with sophisticated monitoring software to track the rhythm and types of sales in all its stores, and to force managers to pore over these statistics daily.


Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-06-24 privacy online databases AP Two weeks after the online database industry assured the public in early June that it was committed to protecting the privacy of data subjects, Lexis-Nexis announced plans to release its P-Trak data so that individuals could verify their own records. Privacy advocates expressed concern about controls over who could see these data.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-06-26 privacy AP In Dover, NH, City Prosecutor George Wattendorf started publishing the names of people arrested and charged with domestic violence. The city's Web site now has a section listing such information, which the Prosecutor considers a matter of public record. Some civil libertarians were livid, as were a number of the accused.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-07-19 privacy AP Presented with alternatives pitting personal privacy against public disclosure, 86% of 1008 US respondents to an AP poll chose to support personal privacy. On the other hand, 70% of the respondents supported public access to drivers' records.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-07-21 bank privacy policy ABA AP The American Bankers Association promulgated a set of principles governing client privacy at its directors' meeting in Colorado Springs in late July. The principles included the following good ideas:
— Recognition of a customer's expectation of privacy.
— Customer information should be used, collected and retained only if the bank believes the customer would benefit.
— Maintenance of accurate information.
— Limiting bank employee access to customer information.
— Information should be protected by established security procedures.
— Disclosure of account information should be restricted.
— Customer privacy should be maintained in dealings with third parties.
— A bank should make its privacy policies known to its customers.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-07-24 ISP AOL privacy junk phone EDUPAGE, CNET, AP AOL began a firestorm of protest by announcing that it would rent out members' phone numbers for a fee. The company made no announcement of its change of policy other than posting a modest change of its Terms of Service. Within one day of publication of hostile stories in the press, the company backtracked and reversed its new policy.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-07-29 privacy eavesdropping cellular Web AP The Chair of the House Commerce Committee's Telecommunications Subcommittee, Rep. Billy Tauzin (R-LA), introduced legislation to stop companies from disclosing or using without consent people's medical and financial records, as well as government information such as social security numbers that are available online. In a separate measure, he proposed to increase penalties against eavesdropping on cellular phone communications and to forbid tampering with radio equipment for the purpose of such interception.


Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-08-01 health privacy confidentiality medical records AP U.S. Health and Human Services Secretary Donna Shalala said that a national system is needed to replace a patchwork of state laws governing privacy of health records. Speaking at the National Press Club, Shalala recommended that Congress prohibit use of personal information for anything other than health care and punish those who misuse it; require data keepers to keep the information secure; allow consumers to see what is in their health records; and give them a way to change incorrect data. She added, however, that privacy rights cannot be absolute; the public interest (e.g., public health, research, and fraud investigations) may require access to health data without permission.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-08-29 cellular phone tracing privacy RISKS 19 35 British Telecom announced that the new MOSA (Mobile Social Alarm) cellular phone will allow determination of its physical location to within 30 feet (about 10 m).

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-08-31 journalism libel hoax EDUPAGE, AP, ZDNN Matt Drudge may have gone too far in recent postings on his electronic scandal sheet when he made unsubstantiated accusations about White House advisor Sidney Blumenthal's marriage. Professional journalists pounced on the amateur hack and tore him to bits, as it were, for shoddy journalism. Blumenthal and his wife filed a $30M libel suit against Drudge even after the scandal monger apologized for failing to verify the gossip he disseminated. Drudge then got on his high horse, claiming that public White House support for Blumenthal amounted to a threat against free speech.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-10-01 privacy crypto law key escrow recovery policy RISKS 19 41 Bruce Schneier and Dave Banisar published their new book on electronic privacy issues. Schneier, B. & D. Banisar (1997). _The Electronic Privacy Papers: Documents on the Battle for Privacy in the Age of Surveillance_. John Wiley & Sons (New York). ISBN: 0-471-12297-1; 747 pages. See for details.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-10-09 privacy medical AP California doctors and dentists sued the Medical Board of California in October to prevent Web publication of the home addresses of thousands of doctors. The physicians want more time to ensure that their home addresses are not disclosed without explicit permission, preferring that office and hospital addresses be used in the public list instead.

Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-10-28 health privacy medical law hospital records patient AP The US Senate's Labor and Human Resources Committee heard in October from proponents of strict laws to restrict the use of medical information to medical applications. Legislation expected to be introduced in early 1998 by Sen. Robert Bennett (R-Utah) would provide federal protection for such records. Sen. Patrick Leahy (D-VT) was working on even stricter protections focusing in particular on access to medical records by law enforcement officials.


Category 38 Consumer/employee privacy, profiling, trade in personal information 1997-11-09 book privacy laws confidentiality RISKS 19 45 Philip E. Agre and Marc Rotenberg published a new book entitled _Technology and Privacy: The New Landscape_ (MIT Press, 1997) ISBN 0-262-01162-x. vi + 325 pp. Peter Neumann, the RISKS moderator, praised the work, writing, "This is a remarkably comprehensive and provocative collection of essays. . . . The analysis is generally penetrating and informative, and fundamental to the interactions and tensions between the steadily advancing information technology and the corresponding risks to privacy."

38.6 US legislation & regulation concerning privacy

Category 38.6 US legislation & regulation concerning privacy 1997-01-07 privacy AP The FTC declared in January that consumers ought to be given control over whether personal information can be gathered and used on the Internet.

42 Crypto algorithm weakness, brute-force attacks, implementation flaws

Category 42 Crypto algorithm weakness, brute-force attacks, implementation flaws 1997-01-29 cryptanalysis RSA challenge 40-bit key AP RSA Data Security Inc. established a contest to crack ciphertexts created with keys of different lengths. A graduate student at U Cal Berkeley tackled the message encrypted with a 40-bit key — the longest key routinely granted export permits by the United States government. Ian Goldberg used 250 workstations in parallel and tested 100 billion keys an hour for 3.5 hours and read the cleartext: "This is why you should use a longer key." RSA Data Security Inc. spokesman Kurt Stammberger said, "It shows you that any kid with access to computers can crack this kind of cryptography. The cryptography software that you are allowed to export is so weak as to be useless."

Category 42 Crypto algorithm weakness, brute-force attacks, implementation flaws 1997-01-31 Cryptanalysis RISKS 18 80 In late January, UC Berkeley graduate student Ian Goldberg took a mere 3.5 hours to decrypt a message encrypted using the RC5 algorithm with a 40-bit key — the most secure length of encryption key that the federal government allows U.S. companies to export.

Category 42 Crypto algorithm weakness, brute-force attacks, implementation flaws 1997-06-19 cryptanalysis DES brute force parallel PR Newswire The 56-bit DES encryption standard, long claimed adequate by the U.S. Government, was shattered in June using 14,000 computers; the winning key was found by Michael K. Sanders, an employee of iNetZ, a Salt Lake City, Utah-based online commerce provider, using an ordinary Pentium PC. Sanders was part of a loosely organized group of computer users responding to the "RSA $10,000 DES Challenge." The code-breaking group distributed computer software over the Internet for harnessing idle moments of computers around the world to perform a "brute force" attack on the encrypted data. The cracking effort required four months to decrypt a single message. The key happened to be about 25% of the way through the keyspace; on average, such a crack would be expected to run through half the keyspace. RSADSI's Jim Bidzos interpreted the exercise as a triumph: "We've been saying for a long time that DES is no longer secure and here is the proof." Other observers suggested that four months and 14,000 computers running in parallel to decipher a single message seem like evidence of pretty effective encryption, at least for messages whose confidentiality need last only a few months.
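The two RSA challenge results above (the 40-bit RC5 break and the DES break, with its remark about the key lying 25% of the way through the keyspace) come down to one procedure: hold a known plaintext/ciphertext pair, carve the keyspace into slices, and hand each machine a slice to try. The following is an added example, not the challenge code and not anything from Goldberg's or the DES group's software: RC5-32/12/5 is implemented here from Rivest's 1994 description, and to keep the run to seconds the demonstration assumes 28 of the 40 key bits are already known (a shortcut for the demo, not a weakness of RC5). The key, the plaintext and the worker count are constructed.

```python
"""Added example, not from the 1997 reports: a known-plaintext, divide-the-
keyspace brute-force search against RC5-32/12/5 (40-bit key). RC5 follows
Rivest's 1994 description; the searched keyspace is shrunk by assumption."""
import struct
from typing import Optional, Tuple

MASK = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9        # RC5 constants for 32-bit words


def rotl(x: int, y: int) -> int:
    y &= 31
    return ((x << y) | (x >> (32 - y))) & MASK


def rotr(x: int, y: int) -> int:
    y &= 31
    return ((x >> y) | (x << (32 - y))) & MASK


def rc5_expand_key(key: bytes, rounds: int = 12) -> list:
    """RC5 key schedule: mix the key bytes into the 2(r+1) round subkeys."""
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):          # little-endian byte load
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(key: bytes, block: bytes, rounds: int = 12) -> bytes:
    """Encrypt one 64-bit block, held as two little-endian 32-bit words."""
    S = rc5_expand_key(key, rounds)
    A, B = struct.unpack("<II", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for r in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<II", A, B)


def rc5_decrypt_block(key: bytes, block: bytes, rounds: int = 12) -> bytes:
    """Inverse of rc5_encrypt_block; used only to sanity-check the cipher."""
    S = rc5_expand_key(key, rounds)
    A, B = struct.unpack("<II", block)
    for r in range(rounds, 0, -1):
        B = rotr((B - S[2 * r + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * r]) & MASK, B) ^ B
    return struct.pack("<II", (A - S[0]) & MASK, (B - S[1]) & MASK)


# Constructed challenge. The attacker holds one plaintext/ciphertext pair and,
# by assumption (to keep the demo short), 28 of the 40 key bits: the 3-byte
# prefix plus the top four bits of the suffix, leaving 2^12 keys to try.
KNOWN_PREFIX = bytes.fromhex("1a2b3c")
SEARCH_BITS = 12
SECRET_KEY = KNOWN_PREFIX + (0x0ABC).to_bytes(2, "big")
KNOWN_PLAINTEXT = b"longkey!"                    # one 64-bit block
TARGET_CIPHERTEXT = rc5_encrypt_block(SECRET_KEY, KNOWN_PLAINTEXT)


def search_slice(start: int, stop: int) -> Optional[bytes]:
    """One worker's share of the search: every key suffix in [start, stop)."""
    for suffix in range(start, stop):
        candidate = KNOWN_PREFIX + suffix.to_bytes(2, "big")
        if rc5_encrypt_block(candidate, KNOWN_PLAINTEXT) == TARGET_CIPHERTEXT:
            return candidate
    return None


def distributed_search(n_workers: int) -> Tuple[Optional[int], Optional[bytes]]:
    """Hand each worker a contiguous slice of the keyspace. The 1997 efforts
    spread the slices over hundreds (RC5) or thousands (DES) of machines;
    here they run one after another. Returns (worker that hit, key)."""
    space = 1 << SEARCH_BITS
    step = -(-space // n_workers)                  # ceiling division
    for w in range(n_workers):
        hit = search_slice(w * step, min(space, (w + 1) * step))
        if hit is not None:
            return w, hit
    return None, None


def search_hours(key_bits: int, keys_per_hour: float, fraction: float = 0.5) -> float:
    """Hours to cover `fraction` of a `key_bits`-bit keyspace at a given rate.
    fraction 0.5 is the expected cost for a random key; 1.0 is the worst case."""
    return fraction * (1 << key_bits) / keys_per_hour
```

search_hours plugs in the page's own figures: at 100 billion keys an hour a full 2^40 sweep takes about 11 hours and the expected cost is about 5.5 hours; Goldberg's 3.5 hours means the key sat roughly a third of the way through his search order, the same kind of luck noted above for the DES key.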

43 I&A products (tokens, biometrics, passwords, Kerberos)

Category 43 I&A products (tokens, biometrics, passwords, Kerberos) 1997-03-20 cellular-phone crypto RISKS 18 92 David Wagner (UC Berkeley), Bruce Schneier and John Kelsey (Counterpane Systems) announced in March that the most advanced digital cellular phones in use today have a flawed cryptographic algorithm, the Cellular Message Encryption Algorithm (CMEA), that can allow an eavesdropper with a PC to break the protection in minutes (CMEA covers the control channel, including dialed digits, rather than the voice traffic itself). The scientists blame the flaw on the closed-door, secret process in which the algorithm was developed and make a plea for open analysis of cryptographic algorithms. They criticize pressure from the US government that they argue pushed the developers into the closed-door development.

Category 43 I&A products (tokens, biometrics, passwords, Kerberos) 1997-03-20 cryptanalysis eavesdropping cellular phone NYT Cryptanalysts David Wagner (University of California at Berkeley), Bruce Schneier and John Kelsey (both of Counterpane Systems) announced that they had successfully cracked the proprietary encryption incorporated into the new generation of digital phones. The cryptographers strongly criticized industry for trying to secure systems without opening their algorithms to public scrutiny. Said famed author Schneier, "Our work shows clearly why you don't do this behind closed doors. I'm angry at the cell phone industry because when they changed to the new technology, they had a chance to protect privacy and they failed." An additional criticism of the way the cell-phone industry incorporated encryption was that it deliberately adopted a weak standard to comply with U.S. government regulations forbidding the export of strong cryptography. John Markoff, writing in the New York Times, quoted James X. Dempsey, senior staff counsel for the Center for Democracy and Technology, as saying, "This should serve as a wake-up call. . . . This shows that Government's effort to control encryption technology is now hindering the voice communications industry as well as the data and electronic communication realm."

Category 43 I&A products (tokens, biometrics, passwords, Kerberos) 1997-11-26 phone phreaking cellular research RISKS 19 48 Prof. Ross Anderson and his team at Cambridge University took up a challenge by MobilCom, a subsidiary of Deutsche Telekom, to phreak a specific cellular phone protected by a smartcard. After some effort, they developed a scheme that would appear to allow them to crack any GSM phone for which the digital identifier could be captured. Unfortunately, the challenge and its offer of 100,000 DM had been withdrawn by the time the team finished its work.

Category 43 I&A products (tokens, biometrics, passwords, Kerberos) 1997-12-22 RFI eavesdropping theft authentication transponder RISKS 19 52 Philip Koopman reported on risks of the new Speedpass automatic payment scheme being promoted by Mobil Oil in the US. The main vulnerability appears to be weak encryption in the low-frequency, low-power radio transponders, resulting in easy capture and decryption of identification codes. Spoofing the devices should be easy with this captured information, leading to easy theft of fuel.
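Koopman's point, that a code which can be captured and decrypted can be replayed, is the generic weakness of any transponder that answers every reader with the same value. The following is an added example, not Koopman's analysis and not anything about Speedpass's actual design: it puts a static-code transponder beside one that answers a fresh reader challenge with a keyed MAC, and has an eavesdropper replay a recorded reply at both. The identifiers, the per-device key, the choice of HMAC-SHA256 and the 8-byte tag length are all assumed for the demonstration.

```python
"""Added example, not Koopman's report nor Mobil's design: a transponder that
answers every reader with the same recoverable code can be replayed; one that
MACs a fresh challenge cannot. Keys, identifiers and HMAC-SHA256 are assumed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

TAG_LEN = 8   # bytes of MAC sent over the air (assumed, to keep replies short)


class StaticTransponder:
    """Vulnerable: replies with a fixed identification code whatever is asked."""
    def __init__(self, ident: bytes) -> None:
        self.ident = ident

    def respond(self, _challenge: bytes) -> bytes:
        return self.ident


class ChallengeResponseTransponder:
    """Hardened: proves possession of a per-device key by MACing the challenge."""
    def __init__(self, ident: bytes, key: bytes) -> None:
        self.ident, self.key = ident, key

    def respond(self, challenge: bytes) -> bytes:
        tag = hmac.new(self.key, self.ident + challenge, hashlib.sha256).digest()
        return self.ident + tag[:TAG_LEN]


class Reader:
    """The pump-side reader, holding the issuer's table of device keys.
    A device registered with key None is accepted on its identifier alone."""
    def __init__(self, registry: Dict[bytes, Optional[bytes]]) -> None:
        self.registry = registry

    def authorise(self, device) -> bool:
        challenge = os.urandom(8)                  # fresh for every transaction
        reply = device.respond(challenge)
        ident, tag = reply[:4], reply[4:]
        if ident not in self.registry:
            return False
        key = self.registry[ident]
        if key is None:                            # legacy static-code device
            return True
        expected = hmac.new(key, ident + challenge, hashlib.sha256).digest()[:TAG_LEN]
        return hmac.compare_digest(tag, expected)


class ReplayDevice:
    """Attacker: records one genuine reply off the air and repeats it."""
    def __init__(self, genuine, sniffed_challenge: bytes) -> None:
        self.recording = genuine.respond(sniffed_challenge)

    def respond(self, _challenge: bytes) -> bytes:
        return self.recording


def run_scenario(use_challenge_response: bool) -> Tuple[bool, bool]:
    """Returns (genuine device accepted, replayed recording accepted)."""
    ident, key = b"\x00\x12\x34\x56", b"per-device-secret-key"   # constructed
    if use_challenge_response:
        genuine = ChallengeResponseTransponder(ident, key)
        reader = Reader({ident: key})
    else:
        genuine = StaticTransponder(ident)
        reader = Reader({ident: None})
    genuine_ok = reader.authorise(genuine)
    # The attacker eavesdrops one legitimate transaction, then tries at the pump.
    clone = ReplayDevice(genuine, os.urandom(8))
    return genuine_ok, reader.authorise(clone)
```

The static device's recording is accepted as readily as the real device. The challenge-response device's recording fails because the reader's challenge changes every transaction, so the captured tag never matches the one expected; the attacker would need the per-device key, which never crosses the air. Truncating the MAC to 8 bytes keeps the exchange short and still leaves a forger only a 2^-64 chance per attempt.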

44 New encryption algorithms, products

Category 44 New encryption algorithms, products 1997-05-07 ENTRUST crypto Canadian Corporate News Entrust Technologies Inc. received Network Computing's Software Product of the Year award at Networld+Interop '97 exhibition.

Category 44 New encryption algorithms, products 1997-05-07 crypto algorithm RC2 S/MIME e-mail Wired Phil Zimmermann of PGP Inc is battling Netscape and Microsoft because they incorporate the crippled 40-bit encryption of S/MIME from RSADSI. Another political problem in the e-mail encryption arena is the attempt by RSADSI and supporters to have S/MIME, a proprietary product, declared as an industry standard.

Category 44 New encryption algorithms, products 1997-06-27 crypto algorithm RC2 S/MIME e-mail RSADSI press release RSA Data Security Inc. released the full specifications of its proprietary RC2 encryption algorithm to the IETF for consideration as part of the new S/MIME standard for secure electronic messaging. See for details of the interoperability testing.

Category 44 New encryption algorithms, products 1997-07-08 crypto algorithm EDUPAGE IBM scientists are exploring a new concept for a public key cryptosystem: hyperplanes in 100-dimensional hyperspace. This approach appears to have the advantage not only of generating key pairs that are incredibly difficult to find using brute-force cracking but also of ensuring continued employment for professors of cryptography who will have to explain the inconceivable to the next generations of computer science students.

Category 44 New encryption algorithms, products 1997-08-20 disaster recovery Internet backup storage COMTEX newswire Netstore Data Recovery Service allows automated backup of data on portables, desktop PCs, workstations and servers over the Internet. Since only 7% of the UK's PC users back up their data regularly, such a service could be useful. User data are encrypted before being transmitted to the backup site using 40-bit DES encryption and access to the stored data is severely limited by multiple passwords.

Category 44 New encryption algorithms, products 1997-08-22 hacker challenge crypto Dow Jones, EDUPAGE Crypto-Logic Corp. has offered to pay $1M to anyone who cracks its e-mail encryption system within a year. The encryption depends on a one-time pad and is, in theory, unbreakable.


Category 44 New encryption algorithms, products 1997-09-02 crypto standards Internet Inter@ctive Week In September, the IETF told RSADSI that unless it surrendered its patents on its RSA cryptographic algorithms, there was no question of allowing S/MIME to become an Internet standard. No such standard has ever required royalty payments for use of its algorithms, as RSA expects. A competing Open PGP standard would require no royalties because it uses the Diffie-Hellman algorithms for a public key cryptosystem and those patents expired at the start of September 1997.

Category 44 New encryption algorithms, products 1997-10-26 cryptography spoofing crackers EDUPAGE NEC reported a new 128-bit encryption product that substitutes false keys when someone tries to use the product to attack the ciphertext using brute force.

45 E-commerce security, digital signature, products, digital cash, e-payments

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-01-21 e-commerce smart card universal ID PA News The European Union floated a proposal for a smart card that would double as a bank card and as a universal identity document. Some anti-EU British politicians immediately branded the proposal as a threat to British sovereignty and a threat to civil liberties.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-01-30 electronic commerce EDUPAGE EDUPAGE reported: "Accounting firm Deloitte & Touche is teaming up with private merchant group Thurston Group to provide an electronic service called NetDox Inc., which will offer banks, insurance companies, law firms and others a means of transferring legal documents via a secure electronic system. NetDox will track the documents through delivery, will return a receipt to the sender, and will retain an electronic "thumbprint" of the document in case any questions regarding its authenticity or delivery time arise. The service should be operational by summer. (Wall Street Journal 30 Jan 97)"

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-02-03 PIN mnemonic PA News CPP Card Protection Plan announced a simple grid for helping people retrieve up to six personal identification numbers using a two-digit code.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-02-11 electronic commerce smart cards EDUPAGE EDUPAGE reported: "Visa International will launch a major trial of "electronic purse" cards in Great Britain, similar to the one it sponsored at the Atlanta Olympics last summer. Unlike the Olympic cards, the ones issued for the Leeds trial will be equipped with both public- and private-key encryption technology for security against hackers and other criminals. The cards contain a microchip storage capacity that can be credited and debited with a monetary value over a telephone line or at an ATM machine. (Wall Street Journal 10 Feb 97)"

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-02-12 e-commerce smart card Reuters Fischer International Systems Corp. introduced a $60 device that fits into a normal floppy drive to allow PCs to interact with smart cards. The company foresees major applications in electronic commerce, where the smart cards can serve as authentication devices and also as electronic wallets for electronic cash.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-02-23 electronic commerce passwords EDUPAGE It seems that passwords protecting paid access to Web sites are being freely shared among acquaintances. Some sites are setting definite limits on how many visits a day a user-ID can make; e.g., three. Others are limiting the total amount of data that a single ID can download in a day; e.g., 300 Mb. In addition, new software is available from Internet Billing to control how many times a user ID can be used per day to access a Web site.


Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-03-04 crypto public key infrastructure e-commerce EDUPAGE Ten different US government agencies began testing various forms of a public key infrastructure using systems other than the DES and the DSS.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-03-17 electronic commerce smart cards e-commerce RISKS 18 91 David Randolph, a correspondent for RISKS, reviewed a paper entitled "Facing the Smart-Card Security Issue" from _Card Technology_ magazine; the key point was that smart card security can be cracked in a few days or a few hours once the system is in place. Randolph wrote, "Based on that, I believe that the challenges to smart cards are very real and that the cost of breaking a smart card is low enough to make it worth while for organized crime to use."

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-03-27 network computer access control smartcard e-commerce EDUPAGE The OpenCard Framework established by IBM, Netscape, Oracle, Sun and Network Computer Inc. provides access control for network computers using a smart card and a PIN. To access services, a user would pop his or her smartcard into whichever NC happened to be available.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-03-27 electronic commerce Web browser hole SSL Inter@ctive Week, RISKS A newly-discovered hole in Web security allows information from a secure transaction to be captured by subsequent Web sites. Eugene Spafford and Steve Bellovin concur that the problem is a serious issue that will require major re-engineering to surmount. Patches are expected to take weeks.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-04-15 biometric speech identification authentication PR Newswire The Speech Recognition API Committee announced release of the Speaker Verification API Specification (SVAPI), version 1.0. This specification helps developers working on speech recognition and authentication. See for details.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-05-04 Internet law commerce EDUPAGE Quoted from EDUPAGE (written by John Gehl and Suzanne Douglas) with addition of * to mark points:

"ADMINISTRATION FAVORS HANDS-OFF APPROACH TOWARD INTERNET

The Clinton administration is working on a White Paper outlining its position on electronic encryption and Internet commerce issues, says Ira Magaziner, senior advisor to the president for policy development. A number of principles will be articulated in the White Paper, including: * The Internet should be a tax- and duty-free zone; governments of the world should agree to avoid regulating electronic payments systems; * Private sector consortia, rather than governments, should set technical standards; * a uniform commercial code should be developed; * protection of intellectual property on the Internet is important; * voluntary ratings and filtering systems should be used rather than government-imposed censorship of indecent material on the Internet; and * a market-oriented approach to privacy is preferable to government regulation. (BNA Daily Report for Executives 30 Apr 97)"


Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-06-22 hack challenge electronic commerce SOUTH CHINA MORNING POST; Canada Newswire VirTech, a Canadian company running a virtual mall, challenged hackers and anyone else to break into its server for a prize worth about $7,000 (C$10,000). The Vanhacking Challenge Web Site asked attackers to seize a password, enter a restricted page, and alter a phrase in the closed page. It was designed to demonstrate how hard it is to capture credit-card data from a properly-secured Web site. By the close of the contest in mid-July, there were no winners.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-07-12 hackers online banking Internet Web Guardian Weekly The Chartered Institute of Bankers in the United Kingdom commissioned an analysis of online-banking risks. The authors, Drs Anthony Gandy and Chris Chapman, pointed out that banking is already practically virtual today: many customers rarely visit their branch and carry on all their transactions using direct deposit, credit cards, debit cards and checks. Rational risk analysis would compare the risks of interception and data diddling to real-world risks resulting from widespread user errors such as keeping PINs near one's debit card, losing sight of one's credit card in restaurants, and giving out credit card numbers freely over the phone.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-07-20 e-commerce SET EDUPAGE VISA and MasterCard agreed on the specifications of the SET 1.0 standards for Secure Electronic Transactions. Pilots were announced in 25 countries, with possible production use by the end of 1997. See for details about SET 1.0.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-08-05 statistics data reporting crime break-ins attacks networks American Banker The American Bankers Association announced a new, voluntary system for banks to report attacks on their computer systems. According to the ABA, this voluntary system would provide reassurance to a nervous public and reduce pressures from law enforcement and government officials who have been moving towards legislated reporting mandates. Data would be shared among participating banks and with some government officials. One commentator wrote, "This action displays everything wrong with the current state of the information systems intrusion tracking. Their focus is to prove that break-ins are rare and not identify problems and threats, nor do they plan on sharing the data with law enforcement or intelligence community. When individuals forget they are part of a society with shared problems and goals then we no longer have a society. It will take cooperative effort to track this threat, and this effort will only make them more vulnerable."

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-08-19 SET e-commerce crypto RISKS 19 31 Jerome Svigals, writing in RISKS, criticized the SET process because of three major vulnerabilities: "However, the SET process has three serious exposures - confirmed with IBM and HP/Verifone. The process does NOT know who is presenting the certificate. The process does NOT know if merchant employees have redirected the certificate through another merchant. All of the critical software is directly accessible by the card users, merchant employees and bank employees. Historically, these individuals have been the prime source of fraud in credit card transaction systems."

However, Phillip M. Hallam-Baker retorted that "The purpose of financial cryptography is to control, not eliminate, risk." He also pointed out that future revisions of SET would likely increase security step by step.


Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-08-21 fraud bank Internet scam ZDNN The European Union Bank, supposedly based in Antigua, advertised extensively on the Internet and offered 21% interest on its offshore deposits. Unfortunately for the gullible, the bank appears to have been linked to the Russian mafia; its directors disappeared with $10M in assets. Investigators report that of the 1,200 banks with Web sites in 1997, 50 offered online transactions — and 5 of those were fraudulent. Legitimate Internet bankers warn the public to be sceptical of inflated claims, just as they would in the real world.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-10-05 smart cards banking e-cash Reuters In October, Chase Manhattan Corporation and Citicorp began a coordinated trial of the Visa Cash and Mondex smart cards in the New York City area. The banks hope to demonstrate customer and retail acceptance of the technology and to prove interoperability of the cards with standard hardware.

Category 45 E-commerce security, digital signature, products, digital cash, e-payments 1997-11-24 Internet Web security certification logo PR Newswire MasterCard introduced its new "Shop Smart!" logo for certified Web sites dealing with financial information. See for details of certification criteria.

45.4 E-payments / e-wallets

Category 45.4 E-payments / e-wallets 1997-01-05 Ecommerce SET EDUPAGE A pilot project got underway in Denmark when Mastercard and IBM established an electronic commerce system for secure use of credit cards over the Internet in collaboration with a Danish bank. The trial applies the Secure Electronic Transaction standard (SET), which is expected to be in use in 50 pilot projects in 20 countries by the end of 1997.

45.5 Watermarks / digital-rights management

Category 45.5 Watermarks / digital-rights management 1997-01-02 pornography digital authentication PA News A British firm, Highwater Signum, has developed a method for imprinting digital images with an invisible digital signature encoding the serial number of the camera used for taking the picture. A special reader can detect the signature in even small portions of the final image. Hopes are high that such technology, if widely integrated into digital cameras worldwide, will interfere with the ability of pedophiles and other pornographers to market or otherwise distribute their pictures with impunity.

46 Cryptography exports from US

Category 46 Cryptography exports from US 1996-12-31 Crypto exports RISKS 18 75 ff Anxiety rose quickly in the security world when readers of the new US cryptographic export restrictions realized that practically all security software is theoretically banned from export without a license. This restriction apparently includes anti-virus software. Export has been redefined to making such software available on the World Wide Web or via FTP.

Category 46 Cryptography exports from US 1997-01-14 crypto exports EDUPAGE Bill Larson, McAfee Associates CEO, criticized the US administration's restrictions on crypto exports, saying that export controls are completely futile. "If there were any terrorists who wanted to get 180-bit encryption, all they would have to do is walk into any U.S. store and buy our PCCrypto product. They could put one floppy into a briefcase and get on an airplane."

Category 46 Cryptography exports from US 1997-02-11 crypto exports EDUPAGE Under the marginally relaxed new rules governing crypto exports, Digital Equipment Corp., Cylink Corp. and Trusted Information Systems were granted permission by the Department of Commerce of the U.S. to export 56-bit keylength strong cryptography.

Category 46 Cryptography exports from US 1997-02-14 Cryptanalysis RISKS 18 82 In early February, Germano Caronni, a graduate student at the Swiss Federal Institute of Technology, coordinated the efforts of 3,500 computers to decrypt a message encrypted using a 48-bit RC5 key. The search took 312 hours to test 57% of the keyspace.

Category 46 Cryptography exports from US 1997-03-31 crypto export Dow Jones At the end of March, McAfee Associates announced that it had received permission under the federal Export Administration Regulations to sell 56-bit encryption products overseas.

Category 46 Cryptography exports from US 1997-05-08 crypto export laws Wired At the American Bankers Association meeting in Washington, Undersecretary William Reinsch outlined an Administration plan to allow banks to export direct-home-banking products with arbitrarily-long encryption keys. The allowance applies only to individual banks, not to software companies supplying banks. All third-party encryption software that could be used for general purposes would have to abide by strict government restrictions on encryption technology. SET-compliant programs would be expected to qualify for export under the new rules.


Category 46 Cryptography exports from US 1997-05-09 crypto export law key recovery Wired Senator Bob Kerrey's (D - Nebraska) Secure Public Network Act supports the White House's approach to cryptography: strict export controls, key recovery, and criminalization of encryption used in a crime. In addition, the proposed legislation would include a Presidential override with no restrictions other than a requirement to report the waiver within 30 days to Congress. The proposed law conflicts with other encryption initiatives that liberalize (some say rationalize) US crypto policy; e.g., SAFE, by Rep. Bob Goodlatte (R-Virginia), and Pro-CODE, by Sen. Conrad Burns (R-Montana) and Sen. Patrick Leahy (D-Vermont).

Category 46 Cryptography exports from US 1997-05-18 SAFE law crypto exports EDUPAGE In mid-May, the House Judiciary Committee approved the "SAFE" bill — "Security and Freedom Through Encryption Act" that would remove restrictions on export of encryption using keyspaces of up to 56 bits. The bill would also stop the US government from making key escrow systems mandatory. However, more problematically, the bill would also attempt to make it a felony to use encryption to conceal evidence when carrying out a felony.

Category 46 Cryptography exports from US 1997-05-20 crypto export EDUPAGE Sun Microsystems got around the stupid US cryptography-export laws by contracting with Russian programmers for cryptographic code to be included in software for overseas customers. According to John Fontana, writing in _Communications Week_, "the product Sun will OEM is Secure Virtual Private Network for Windows. Developed by Moscow-based ElvisPlus Co., the product will be sold through Sun channels under the name PC SunScreen SKIP E+. The software is based on Sun's Simple Key Management for IP (SKIP) encryption and key management technology. It will ship with algorithms for 56- and 64-bit DES, two- and three-key triple DES and 128-bit ciphers for both traffic and key encryption."

Category 46 Cryptography exports from US 1997-05-22 crypto export key escrow recovery EDUPAGE A committee of 11 respected cryptographers and computer security experts released a report condemning the proposed US regulations tying permission for export of strong cryptography to implementation of key-recovery technology. See for the full text of the report. William Reinsch, Bureau of Export Administration in the Department of Commerce, retorted that the computer scientists were demolishing a straw man and that the Administration has no intention of mandating a centralized key-recovery system. Instead, said Reinsch, the intention is to require individual organizations to maintain their own key-recovery systems; these could then be used under court order to satisfy the requirements of law enforcement agencies.

Category 46 Cryptography exports from US 1997-05-22 crypto exports law Communications Week The Clinton Administration was apparently dubious about the legality of the Sun Microsystems deal with a Russian cryptography company. The White House statement said, "We are reviewing our regulatory posture with Sun to ensure that their arrangement with the Russian encryption company is in compliance with U.S. export controls."

Category 46 Cryptography exports from US 1997-06-03 crypto export EDUPAGE PGP Inc. finally got permission from the U.S. Department of Commerce to export its products with up to 128-bit keyspace to 100 foreign offices of large U.S. corporations.


Category 46 Cryptography exports from US 1997-06-19 crypto export law EDUPAGE, RISKS 19 23 The McCain-Kerrey "Secure Public Networks Act" was introduced in the Senate, proposing to establish a public infrastructure to implement key recovery. The bill would allow licensed export of strong encryption but would allow the Department of Commerce to impose arbitrary export restrictions on any product if (in the words of the EDUPAGE editors) there were "evidence that the product was destined for military, terrorist or criminal use, or for re-exportation to third countries, or for acts against the national security, the public safety, transportation systems, communications networks, financial institutions or other essential interstate commerce systems." Peter G. Neumann added in RISKS 19.23, "The bill was slipped through the committee as a substitute for ProCode, with essentially no discussion. It appears that there are many lurking issues that were not adequately understood by the Senators. Serious study seems urgently needed. [(PGN's note) See http://www.epic.org and http://cdt.org for text and analyses of the bill. . . .]"

The Center for Democracy and Technology issued a blistering analysis of the bill. See for details.

Category 46 Cryptography exports from US 1997-06-24 crypto exports PR Newswire In June, Netscape announced that the Department of Commerce had granted it permission to export Netscape Communicator browser software with 128-bit encryption.

Category 46 Cryptography exports from US 1997-06-25 crypto exports law AP Microsoft and Netscape received an exemption from the Commerce Department's Export Administration Regulations to sell sophisticated cryptographic programs overseas for use in banks. Microsoft's Mike Dusche, financial services industry manager for Microsoft, explained, "There seems to be a trusted relationship between banks in most countries and the U.S. That trusted relationship allows that type of encryption to be available."

Category 46 Cryptography exports from US 1997-07-31 crypto export EDUPAGE Entrust Technologies posted its encryption software, "Solo," on its Web site for free and unrestricted access worldwide.

Category 46 Cryptography exports from US 1997-07-31 encryption law restriction export AP Administration officials protested H.R. 695 (sponsored by Rep. Bob Goodlatte, R-VA), a bill to relax export restrictions on cryptography and which was approved by both the House Judiciary Committee and the International Relations Committee. Opponents of the bill, including the DoD and the FBI, pointed to increased difficulty in wiretapping international criminals; supporters, including the Business Software Alliance, ridiculed the notion that preventing exports in any way inhibits criminals from obtaining and using encryption software.

Category 46 Cryptography exports from US 1997-08-13 encryption policy law export restrictions ZDNN In Oslo, opponents of crypto exports posted the source code for the current version of Pretty Good Privacy (PGP 5.0), the famous encryption program that cannot legally be exported in electronic form from the United States. However, the Export Administration Regulations (EAR) that govern encryption exports apparently do not apply to paper source code, so the product was legally sent out of the country on 6,000 pages of printout, scanned back into ASCII, and proofread by an international team of programmers before being posted on the World Wide Web.


Category 46 Cryptography exports from US 1997-08-26 Crypto export policy law controls free speech EDUPAGE, UPI, Reuter, MSNBC, AP, CNN At the start of the year, Professor Daniel Bernstein's lawyers demanded that the US government not enforce its new export restrictions until they had been examined in a court of law to establish their constitutionality. In June, the federal judge whose ruling on the unconstitutionality of the Computer Decency Act in 1996 presaged the Supreme Court's rulings in the same matter said that she expected to rule in favor of plaintiff Daniel Bernstein, a Professor at the University of Illinois in Chicago. Prof. Bernstein is furious that current cryptography export regulations have interfered with his ability to publish encryption algorithms in international journals and to teach classes in cryptography to foreign students at his University. In August, Judge Marilyn Patel of the U.S. District Court in San Francisco ruled against the Export Administration Regulations, saying that the US government's rules lack all logic in allowing printed source code to be exported but interfering with electronic versions. The government quickly obtained a temporary stay of the judgement pending appeal.

Category 46 Cryptography exports from US 1997-08-26 crypto policy law export controls AP U.S. District Judge Marilyn Hall Patel ruled in late August that the Administration's new export controls on cryptography were a violation of free speech. Patel issued an injunction prohibiting enforcement against Professor Daniel Bernstein and anyone else who wants to use, publish, or discuss the Snuffle encryption algorithm.

Category 46 Cryptography exports from US 1997-09-09 crypto export law AP Speaking to the Software Publishers' Association on Tuesday in September, Vice President Al Gore reaffirmed the Clinton administration's policy against restricting the sale in the United States of high-tech devices that maintain the privacy of computer messages.

Category 46 Cryptography exports from US 1997-09-18 crypto export foreign law EDUPAGE Ross Anderson, famed British cryptographer and gadfly, criticized the US for weakening cryptography around the world. He cited weaknesses caused by enforcing small (and thus weak) keys in "the Europe-wide Global System for Mobile Communications telephone networks, commercial banking networks and television broadcasting networks."

Category 46 Cryptography exports from US 1997-12-23 crypto export escrow authentication RISKS 19 52 John Gilmore issued a blistering challenge to the US cryptographic export regulations by publishing cryptographic authentication code online and issuing a scathing press release attacking the whole idea of cryptographic export controls.

47 Key escrow / recovery laws

Category 47 Key escrow / recovery laws 1997-01-30 crypto exports key escrow EDUPAGE The Information Technology Association of America criticized the Administration's key escrow proposals, saying that such regulations "could have a detrimental effect on international trade and the world's ability to use the Internet for international commerce."

Category 47 Key escrow / recovery laws 1997-03-13 crypto escrow RISKS 18 90 Mark Seecof of the LA Times attacked Professor Dorothy Denning for supposedly refusing "to recognize the possibility of misconduct or incompetence by escrowed-key holders or the governments to which they may be subject." He accused her of tarring anyone who disagrees with her position as "crypto-anarchists" and of claiming that encryption would completely stymie police investigations. Dr Denning rebutted this attack, writing that the criticism was directed at a two-year-old paper and that her views are constantly evolving (see for all her papers). Far from believing that key escrow could not be subverted, she had already written that strong safeguards are essential for government access to keys (GAK) to be tolerated. She does not perceive people who disagree with her as evil; and she reported that she was in the process of investigating the link between encryption, crime and law enforcement in much more detail than heretofore.

Category 47 Key escrow / recovery laws 1997-03-25 crypto escrow law EDUPAGE Four bills dealing with cryptology are pending in the US Congress. The latest attempts to define a key management infrastructure; specifically, it proposes to allow the use of any encryption at will within the US and to set out the legal procedures for requiring that keys be surrendered to law enforcement agencies.

Category 47 Key escrow / recovery laws 1997-03-27 crypto export escrow policy EDUPAGE, news wires The OECD responded with mixed signals to the US proposals for key escrow.

Category 47 Key escrow / recovery laws 1997-05-09 crypto laws cryptanalysis Netly News Declan McCullagh published a blistering attack on the Kerrey bill, the Secure Public Network Act. Criticism focused especially on the criminalization of cryptanalysis, which experts believe to be at the heart of effective evaluation of cryptographic strength.

Category 47 Key escrow / recovery laws 1997-05-29 crypto key recovery escrow law RISKS 19 19 The final version of the important report, "The Risks of Key Recovery, Key Escrow and Trusted Third-Party Encryption" was put on the Web at at the end of May. The authors include Hal Abelson, Ross Anderson, Steve Bellovin, Josh Benaloh, Matt Blaze, Whit Diffie, John Gilmore, Peter Neumann, Ron Rivest, Jeff Schiller, and Bruce Schneier; the report looked at the technical implications, risks, and costs of the key recovery, key escrow and trusted third-party encryption systems proposed by various government bodies and came down pretty hard against their practicality and advisability.


Category 47 Key escrow / recovery laws 1997-06-18 crypto key escrow recovery US NYT The Clinton administration began ten pilot projects to create key-recovery systems for its own use. As predicted by critics of key escrow policies, the plans quickly abandoned a centralized escrow agency because the different parts of government wanted no one who had access to their particular encryption keys. Furthermore, none of the internal key-recovery systems under development would store the private keys used to authenticate documents with digital signatures; they would store only the temporary "session keys" used to encrypt specific documents in transit.

Category 47 Key escrow / recovery laws 1997-07-10 crypto key escrow law FBI AP In early July, FBI Director Louis Freeh told the Senate Judiciary Committee that "Law enforcement is in danger of being outwitted by criminals inside and outside the United States who are using computer data-scrambling devices to traffic in drugs and distribute child pornography," according to Cassandra Burrell of Associated Press. On 24 September, the House Commerce Committee rejected 35 to 16 a proposed bill supported by Freeh, Drug Enforcement Administrator Thomas Constantine and Treasury Undersecretary Raymond Kelly that would have mandated access to cryptographic keys such as key escrow or back doors. The Clinton Administration said in July that any such interference with mandatory key escrow would "severely compromise law enforcement's ability to protect the American people from the threats posed by terrorists, organized crime, child pornographers, drug cartels, financial predators, hostile foreign intelligence agents and other criminals."

Category 47 Key escrow / recovery laws 1997-08-12 eavesdropping FBI wire-tapping EDUPAGE The FBI proposed to force telecommunications companies to include technological facilities for full wire-tapping of all calls. Civil libertarians and telephone companies objected.

Category 47 Key escrow / recovery laws 1997-09-08 crypto law key escrow back door trap policy RISKS 19 37 Congress' proposed legislation to ban domestic US encryption unless the algorithm includes a back door allowing decryption on demand by law enforcement authorities moved famed Ron Rivest to satire. Writing in RISKS, the co-inventor of the Public Key Cryptosystem and founder of RSA Data Security Inc. wrote, "Congress is apparently considering legislation that would make it illegal to post portions of the Bible on the Internet. FBI Director Louis Freeh wants to make it illegal to use secret codes on the Internet that the FBI can't break, and some members of Congress have been drafting legislation in support of Freeh's position. However, such a law might have startling consequences." He explained his _cryptic_ remark with, "A recent best-selling book, 'The Bible Code,' claims that the Bible is full of secret messages and codes. These messages are only partially decoded so far. If true, the proposed legislation would make it illegal to post the Bible on the Internet, unless someone provides the FBI with a way to decode all of these secret messages contained within the Bible. In addition, perhaps 'smiley faces' would have to be registered, as would the sale of all computers, since they are universally devices '. . .that can be used to encrypt communications or electronic information. . . .'"

Category 47 Key escrow / recovery laws 1997-09-09 crypto key escrow back door policy law EDUPAGE The Clinton administration proposed a new law that would mandate a back door for decryption of all domestic encryption. In addition, the proposal would force telcos and ISPs to implement a bypass for decryption of all traffic encrypted by their chosen protocols (e.g., Secure Sockets Layer).


Category 47 Key escrow / recovery laws 1997-09-25 crypto policy law export escrow EDUPAGE James Barksdale, CEO of Netscape, lashed out at proposed restrictions on encryption. As reported in the Wall Street Journal, he said, "By taking away encryption as we know it today, the FBI proposal would expose computer users to assault by hackers intent on economic espionage, blackmail and public humiliation. At a recent congressional hearing, one witness testified that with ... $1 billion and 20 people using existing technology, he could effectively shut down the nation's information infrastructure, including all computer, phone and banking networks. . . . The FBI cannot catch every hacker. But there will be fewer and fewer of them trying to penetrate sensitive networks if those networks are adequately protected and communications secured through the use of strong encryption."

Category 47 Key escrow / recovery laws 1997-09-25 crypto policy law export escrow EDUPAGE According to Alan McDonald of the FBI, people opposing the Administration's policy on restricting strong encryption are elitist, nondemocratic threats to law enforcement.

Category 47 Key escrow / recovery laws 1997-09-25 crypto law regulation policy EDUPAGE Several professional organizations including the American Association for the Advancement of Science, the American Mathematical Society, the Institute of Electrical and Electronics Engineers, and the American Association of University Professors issued a letter opposing the Administration's proposals for restrictions on encryption technology. A few days later, Netscape CEO James Barksdale came down hard against the proposed restrictions, saying they could seriously damage US pre-eminence in software. The executive said, "By taking away encryption as we know it today, the FBI proposal would expose computer users to assault by hackers intent on economic espionage, blackmail and public humiliation. At a recent congressional hearing, one witness testified that with the $1 billion and 20 people using existing technology, he could effectively shut down the nation's information infrastructure, including all computer, phone and banking networks... The FBI cannot catch every hacker. But there will be fewer and fewer of them trying to penetrate sensitive networks if those networks are adequately protected and communications secured through the use of strong encryption."

Category 47 Key escrow / recovery laws 1997-11-24 digital signatures policy federal government states Reuters At the end of October, the Clinton administration opposed any moves to enact uniform laws covering digital signatures. Speaking at the House Science Committee's Technology Subcommittee, Andrew Pincus (General Counsel of the Department of Commerce) stated that the federal government does not yet know enough about digital signatures to force states into compliance with a general standard. Industry spokespersons such as Jim Bidzos of RSADSI argued strongly that lawmakers should distinguish clearly between keys used for encryption and keys used for digital signatures; any legislation requiring mandatory key escrow should explicitly exclude allowing access to keys used for digital signatures.

Category 47 Key escrow / recovery laws 1997-11-24 cyberspace crime FBI criminals crypto policy Reuters FBI Director Louis Freeh continued pushing for legal restrictions on strong cryptography in a speech at the Intl Assoc. of Chiefs of Police in Orlando, FL. Freeh pointed out that criminals can communicate securely with each other via encrypted e-mail and that it is impossible for law enforcement officials to read these messages in a timely fashion, if at all. Freeh complained that the Clinton Administration and "very powerful industry forces" oppose his proposed policies.

Category 47 Key escrow / recovery laws 1997-11-25 encryption controls regulations laws banking EDUPAGE Reports surfaced in November that the Clinton Administration might support conventional banks and law enforcement agencies in their attempt to block the use of powerful encryption technology in the financial sector.

48 Foreign cyberlaws (not cases or sentences)

Category 48 Foreign cyberlaws (not cases or sentences) 1997-03-28 crypto key escrow UK RISKS, COMPUTING/I.T. 18 95 Ross Anderson, famed British cryptographer and civil libertarian, sounded a warning when the Department of Trade and Industry of the UK government posted proposals for imposing licensing on the use of encryption tools. The preamble included the familiar language of those prepared to restrict encryption in the name of public safety: "These proposals - aimed at facilitating the provision of secure electronic commerce - are being brought forward against a background of increasing concern, not about the technology, but about the security of information itself. In a world where more and more transactions are taking place on open electronic networks like the Internet, there has been a growing demand from industry and the public for strong encryption services to help protect the integrity and confidentiality of information. These proposals have been developed to address those concerns, but at the same time are aimed at striking a balance with the need to protect users and the requirement to safeguard law enforcement, which encryption can prevent." Anderson summarized the key issues (with supporting quotations) as follows:
* Licensing will be mandatory;
* The scope of licensing is broad;
* Total official discretion is retained;
* Encryption keys must be escrowed, and delivered on demand to a central repository within one hour;
* Government access to private keys, even if used only for _authentication_, is proposed.

A week later, Cyber-Rights and Cyber-Liberties (UK) and 16 other civil liberties organizations world-wide issued a critical report damning the proposals.

In June, the European Electronic Messaging Association (EEMA) issued a blistering attack on the proposals.

Category 48 Foreign cyberlaws (not cases or sentences) 1997-04-13 law Singapore EDUPAGE "Owners of color photocopiers in Singapore must have a permit to do so, which requires submitting a list of all users, keeping the machine locked up, notifying authorities within a week if it's moved, and keeping a log detailing what is copied, when it was copied, who copied it, etc."

Category 48 Foreign cyberlaws (not cases or sentences) 1997-08-05 hackers Australia firewalls crypto policy The Australian At a seminar organized by Starcom Group in Australia, several firewall experts urged governments to cooperate in promoting cryptography as a fundamental tool in firewall technology and information security in general. The experts were Paul Emerson, president and co-founder of Global Technology Associates; Dr Stephen Emerson, vice-president of Global Technology; and former deputy director-general of ASIO (Australian Security Intelligence Organisation) Gerard Walsh.

Category 48 Foreign cyberlaws (not cases or sentences) 1997-10-09 crypto key recovery escrow law export EDUPAGE The European Commission rejected the Clinton Administration's proposals for key recovery/escrow in encryption systems, dismissing them as not only objectionable because of threats to privacy and commerce but also as ineffective.

Category 48 Foreign cyberlaws (not cases or sentences) 1997-10-21 encryption France law regulation key-recovery EDUPAGE The French government proposed a mandatory key-recovery system for all encryption used in France despite the opposition of business and of the European Commission.

4A Evolution of Net law: framing, pointing, linking, jurisdiction

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-03-06 infowar propaganda law EDUPAGE The _Dallas Morning News_ posted news of Timothy McVeigh's supposed confession on its Web site in advance of publication in its morning edition; analysts suggest that the reason for this decision was to circumvent legal injunctions against publication by presenting a fait accompli.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-03-25 liability Web frames copyright RISKS; also EDUPAGE 18 94 Several publishers launched a lawsuit against TotalNews, which uses frames to point visitors to different news sources. The copyright owners claim that this display of their materials in the context of TotalNews' own Web page violates their ownership rights. The problem seems to be exacerbated by the banner advertisements that TotalNews places on its Web page, thus benefiting from revenue while using other people's property without recompense.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-03-27 e-commerce gambling EDUPAGE An Arizona representative introduced the Internet Gambling Prohibition Act of 1997, which would make all transmission of gambling information through the Net illegal. ISPs would have to cut off service to violators only upon receipt of a legally-valid notice.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-03-28 elections censorship law Canada RISKS 18 95 Elections Canada proposed to ban posting of opinion-polls on the Internet within 48 hours before a federal election. No bureaucrat ventured a public guess as to how such a ban would be enforced.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-04-14 Web passwords RISKS 19 7 Bob Frankston reported that the new public Web-browsing kiosks being installed by a USWest affiliate store the passwords visitors use when accessing closed Web sites. Presumably clicking "back" on the browser allows any subsequent user to branch back to the secured pages. Frankston reminds users to uncheck the "save password" box before leaving the kiosk.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-04-29 Web law copyright intellectual property trademark EDUPAGE In a startling case of ahistorical cluelessness about the history and even the definition of the World Wide Web, Ticketmaster Group sued Microsoft for including a hot link from Microsoft Web pages to Ticketmaster Web pages without a formal agreement granting permission for such links. The problem apparently stemmed from Ticketmaster's perception that Microsoft was deriving benefit from the linkage but bypassing Ticketmaster's advertising. A few weeks later, Ticketmaster programmed its Web pages to lead all Sidewalk users trying to follow unauthorized links to a dead end, where they were confronted with the statement, "This is an unauthorized link and a dead end for Sidewalk. Ticketmaster does not have a business relationship with Sidewalk and you do not need them to visit us. They want to traffic on our good name and your desire for information on live entertainment events to sell advertising for their sole benefit while offering nothing in return."


Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-05-25 cookies Web EDUPAGE, AP The IETF proposed to change browser defaults to control the ability of Web sites to store information in users' files. Not surprisingly, the online marketing industry, in the form of the Association of Online Professionals and the Internet Advertising Bureau, vigorously opposes such a change in the default. Netscape, Firefly Network Inc. and VeriSign Inc proposed the Open Profiling Standard and were supported by 60 other companies, not including Microsoft. Two weeks later, Microsoft dropped its opposition and agreed to join Netscape and the others in supporting this proposal.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-05-27 censorship law election Canada Wired via PointCast Electronic Frontier Canada protested a ruling by Elections Canada that forced Ottawa environmental activist Krishna Bera to take down his Web page, "Vote Green." Elections Canada warned that he faced a fine of about U$750 or a year in jail for posting advertising during an election campaign without identifying the sponsor. Defenders of anonymity argued that the public interest is best served by allowing individuals to express possibly unpopular positions without suffering discrimination or persecution; defenders of the law argued that the public interest is best served by ensuring that voters know who is trying to influence their vote. The EFC said it would challenge the ruling in court.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-06-03 privacy electronic commerce Web AP, PR Microsoft proposed its own alternative to the Open Profiling Standard offered by Netscape and five dozen other companies to protect the privacy of browsers on the World Wide Web. The World Wide Web Consortium's Platform for Privacy Preferences, or P3, backed by Microsoft and by the Center for Democracy and Technology, is an extension of the existing standard for communicating meta-data between Web site and Web browser. P3 would extend the Platform for Internet Content Selection (PICS) to include limitations on what kind of information about the user could be stored by a Web site or passed on to others. A third alternative for protecting privacy is eTrust certification, supported by the Electronic Frontier Foundation; it would certify what kind of privacy safeguards a given site implements and would periodically audit compliance with the stated standards. The term "eTrust" was soon changed to "TRUSTe." See for details.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-06-12 privacy standards Web EDUPAGE In a startling outbreak of common sense, Microsoft announced that it would support industry-wide privacy standards instead of inventing its own and ramming them down the market's throat. The Platform for Privacy Preferences is sponsored by the World Wide Web Consortium and supported by (gasp!) Netscape and many other companies; it would help Web browsers restrict the types of personal information to be captured about users without permission. In a charming bit of self-satire, a Microsoft executive was quoted as saying, "This is unprecedented, but we realized that we need to work together for the common good." Observers are now on the lookout for flying pigs.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-06-12 censorship Web link law RISKS 19 22 In a curious case of extra-territoriality, a British court in Nottinghamshire warned a Canadian in British Columbia that he would be sued in _British_ court if he refused (1) to take down an article called the JET Report (dealing with accusations of satanic child abuse in Nottinghamshire) from his Web site; and (2) to remove all links from his Canadian site to mirror sites where the JET Report might be found. The English barrister who wrote to Jeremy Freeman said that he was infringing on their copyright of the Report — and so were links to other sites with unauthorized copies of that report. See for details.


Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-06-15 Web language law Canada EDUPAGE In another piece of anti-English government persecution, the Office de la Langue Française (known as the Language Police) of the Province of Québec ordered a computer store to change its Web page to respect laws demanding either unilingual French commercial texts or (in public places) assurance that English shall be no more than half the size of the French lettering on the sign. The store, Micro-Bytes Logiciels of Pointe Claire took its Web site off-line, inconveniencing both anglophone and francophone customers. A week later, the rabidly anti-English Culture and Communications Minister, Louise Beaudoin, declared that the Province would exert control over Web sites in order to protect the French language despite formal federal jurisdiction over telecommunications — constitutional change by fiat.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-06-17 Web standards P3 PR Newswire Jesse Berst, ZDNet AnchorDesk editorial director, launched an e-petition demanding that Microsoft and Netscape agree on a single standard for HTML on the World Wide Web. The text of the Web Interoperability Pledge (WIP), supported by the World Wide Web Consortium (W3C) reads as follows: Web Vendors: "I pledge to support recommended HTML tags as defined by W3C, and submit all extensions to HTML to W3C before shipping them." Web Publishers: "I pledge to use only recommended HTML tags as defined by W3C."

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-07-03 Web law copyright intellectual property trademark EDUPAGE Intellectual property attorneys and civil liberties lawyers were puzzling over the implications of legal actions to prevent reference to Web sites — that is, to forbid the unauthorized use of what makes the World Wide Web the World Wide Web. In federal court in Georgia, a judge ruled that the state law forbidding unauthorized linkage to a Web site was open to challenge on First Amendment grounds.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-07-16 hacking course law enforcement police training Providence Journal-Bulletin Law enforcement officials in the Master's degree in Administration of Justice at Salve Regina University in Providence, RI can take a Hacking-101 course called "Culture, Computers and the Law." Instructor Nicholas Lund-Molfese hopes the officers will be able to apply their new knowledge of the hacking subculture and techniques to preventing crime and catching cyber-criminals.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-07-17 privacy Web EDUPAGE According to EDUPAGE editors, "The Federal Trade Commission has announced that the managers of Web sites that collect personal information about children must obtain parental consent before releasing it to third parties. Although the FTC does not regulate advertising for children over the Net, it does have general jurisdiction over any deceptive market practices."

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-07-24 Internet state law interstate commerce UPI Missouri Attorney General Jay Nixon accused Hog's Head Beer Cellars of North Carolina of selling beer to an 18-year-old without requesting her age before accepting a credit-card number for the sale. Delivery on July 15 took place without a request for proof of age. The suit seeks a court order preventing Hog's Head from marketing and selling alcohol without a Missouri license and from selling alcohol to minors or failing to verify the age of a customer.


Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-09-11 Web law copyright links EDUPAGE Tim Berners-Lee, one of the founders of the World Wide Web, criticized Ticketmaster for suing Microsoft over "unauthorized" hot links to their Web site. He said that pointing at someone's public Web site was analogous to discussing a topic without asking for anyone's permission to do so.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-10-01 ISP libel law UPI In San Francisco at the start of October, Superior Court Judge David Garcia ruled against Michael and Lilith Aquino, founders of a temple allegedly devoted to worshipping Satan. Apparently a pseudonymous person or persons called "Curio" had accused the couple of various Bad Things and they sued "Curio's" ISP, ElectriCiti. The judge stated that federal law protects ISPs against lawsuits for the behavior of users of their services.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-11-03 cyberspace law Internet publication date AP On March 21, 1996 the Web site for _Business Week_ posted an article entitled, "The Fall of the Wizard of Wall Street." The next day, the magazine published the article in its paper edition. On March 24, 1997, Julian H. Robertson Jr sued the publishers for $1B in damages for libel. The date his suit was filed was a year and a day after the online publication date (not counting the intervening weekend). New York's libel law has a 1 year statute of limitation, so the lawyers for _Business Week_ asked the trial judge to dismiss the suit, claiming that its online posting constituted publication. The plaintiffs argue that the clock was reset by the paper publication.

Category 4A Evolution of Net law: framing, pointing, linking, jurisdiction 1997-11-27 Copyright Web RISKS 18 78 ff The Shetland Times case continued in 1997, when a British judge ruled in favor of an interim interdiction of the use of direct linkages to the Times' Web page by its competitor, The Shetland News. Lord Hamilton of the Outer House of the Court of Session, agreed that, at least until the case comes to full trial, the fact that users of the News Web site could branch directly to the Times' stories without passing through the Times' home page — and therefore missing Times advertising — constituted prima facie evidence of damage to the plaintiff. Some observers interpreted the interim ruling as applying purely to the use of the headlines, as copyrighted materials, without permission; these observers argue that the judgment does not, in fact, bear on whether the hot links point to the original Times articles or to something else. In November, the feuding editors agreed to an out-of-court settlement. They agreed that the News is entitled to link directly to stories in the Times by means of headlines, provided that each link to any individual story carry the legend, "a Shetland Times story" beneath the headline. Additionally, the agreement requires the News to insert, adjacent to each Times headline, a "button" or icon showing the Shetland Times logo. The button and the legend would be linked to the home page of the Shetland Times. The headlines would be linked directly to a Times article. However, the News editor pouted that he wouldn't link to the Times site at all under those circumstances: Nyah!

4A3 Jurisdiction

Category 4A3 Jurisdiction 1997-01-05 Internet Web language law France Reuters, EDUPAGE, AP Georgia Tech Lorraine, a French campus of the Georgia Institute of Technology, was in hot water in January when French courts opened hearings on whether the French government has any right to force Web sites physically resident in France to publish their materials in French. All of the students at the campus are required to be fluent in English and all the courses are in English. In June, the case was dismissed on a technicality by French courts, leaving unresolved the question of whether the government of France is legally entitled to order the language of expression of Web sites pertaining to French affairs. According to an AP report by Nicolas Marmie, "Georgia Tech had faced possible fines of up to $4,300 each time the untranslated Internet site was visited."

Category 4A3 Jurisdiction 1997-01-07 internet gambling EDUPAGE EDUPAGE reported on a case of international gambling: >Minnesota law enforcement officials have targeted an Internet- based bookmaking operation being run from a Native reserve in New Brunswick. Representatives of the Tobique Band say they are not violating any laws because the toll-free number is not accessible by Canadians and Americans must call a foreign country to place bets on sporting events because telephone wagering is also illegal there. Minnesota investigators point to a recent victory over a band in Idaho that thought it was immune from laws in other states. (Toronto Globe & Mail 6 Jan 97 A8)<

4B Intellectual property: patents, copyrights (law)

Category 4B Intellectual property: patents, copyrights (law) 1997-01-28 software theft UPI, AP The FBI launched a nationwide investigation of the software piracy problem in the US. The FBI said that some BBS operators have graduated from exchanging stolen software to other kinds of criminal activity.

Category 4B Intellectual property: patents, copyrights (law) 1997-01-30 software theft China Reuters The Chinese government announced strict penalties for illegal reproduction of copyrighted materials.

Category 4B Intellectual property: patents, copyrights (law) 1997-02-02 intellectual property copyright EDUPAGE The battle between the NBA and pager companies to stop them from sending basketball scores to subscribers flipped again to the defendants' side. The Second U.S. Circuit Court of Appeals in New York ruled that such transmission is not theft of property. The NBA was expected to appeal.

Category 4B Intellectual property: patents, copyrights (law) 1997-02-04 internet copyright plagiarism AAP Australian Helen Darville claims she did not realize that including large chunks of material taken verbatim from Internet postings and failing to attribute them was a problem. She was fired for her article, "When I am an Evil Overlord." Darville said she thought anything posted on the Net is in the public domain. Media commentators responded that plagiarism is a widespread and under-monitored practice in the news media. Darville was in the news in 1995 when she invented a persona as the daughter of Ukrainian immigrants, published a novel under a false name, and even won an award for her work. At that time, she was accused of thoroughgoing plagiarism by having included large tracts of text without attribution from several other authors. It should be noted that whether or not material is in the public domain, quoted materials must be attributed.

Category 4B Intellectual property: patents, copyrights (law) 1997-02-20 piracy EDUPAGE EDUPAGE reported: "According to provisional data released Feb. 13 by the Business Software Alliance and the Software Publishers Association, software company losses due to international piracy totaled around $4 billion last year. The data shows China ranking number one in illegal copying of programs, followed by Brazil, Russia, Italy and Canada. (BNA Daily Report for Executives 14 Feb 97)"

Category 4B Intellectual property: patents, copyrights (law) 1997-03-06 intellectual property copyright EDUPAGE The National Conference of Commissioners on Uniform State Laws proposed to make shrink-wrap license contracts legally enforceable.


Category 4B Intellectual property: patents, copyrights (law) 1997-05-01 copyright EDUPAGE Xerox's new Digital Property Rights Language (DPRL) is being converted to Java. The system works with DPRL-compliant equipment (e.g., printers) to control how copyrighted materials are allowed to be used. See for details.

Category 4B Intellectual property: patents, copyrights (law) 1997-05-08 intellectual property theft extortion Netly News The availability of anonymously-created web pages has generated a cottage industry of pirating new recordings. The pirate web sites sometimes last only a day or two before they move to another provider or to new locations with new false names for the authors. AOL, Prodigy, and GeoCities are choice sites for the nomad sites because of their size and tolerance of pseudonyms. Another problem comes from the increasing use of foreign ISPs, few of which care about protecting intellectual property rights. In a recent case, Chico, Calif.-based SciTech Software received e-mail demanding $20K—or their proprietary source code would be splashed publicly all over the Net. FBI investigators traced the e-mail to a Polish ISP, but there the hunt ended, since there is no reciprocity with Poland over such matters. It is unknown whether the ISP user is Polish or from another country.

Category 4B Intellectual property: patents, copyrights (law) 1997-05-11 crypto lawsuit intellectual property patent license EDUPAGE, San Jose Mercury News RSA Data Security Inc. filed a lawsuit against Pretty Good Privacy claiming violation of a licensing agreement. Seems that Lemcom, with which PGP recently merged, allegedly had no right to let anyone else examine RSA source code.

Category 4B Intellectual property: patents, copyrights (law) 1997-05-15 copyright EDUPAGE, Reuters Oasis, a rock band from the UK, announced a 30-day grace period during which unauthorized use of its copyrighted materials (photos, video fragments, song lyrics and excerpts from its albums) should be retired from Web sites. After that, it announced, it would file lawsuits charging violation of copyright laws.

Category 4B Intellectual property: patents, copyrights (law) 1997-05-23 intellectual property software theft PA News Ian Du'Kett, 43, an unemployed man in Peterborough, Cambridgeshire, organized a ring of software pirates who burned CD-ROMs with tens of millions of dollars worth of proprietary software — and sold them throughout England. He was sentenced to 28 months in jail and fined the equivalent of $16,000; his six confederates were sentenced to lesser terms and fines. All of their computer equipment was ordered seized and some of them had to pay court costs in addition to their fines. Du'Kett still didn't understand the issue. "The police have gone completely over the top in this. I am not a criminal," he said. "The price of software is too high. Software is getting out of everybody's reach. The public are being ripped off."


Category 4B Intellectual property: patents, copyrights (law) 1997-05-29 copyright piracy software intellectual property Canada NewsWire via PointCast Microsoft sued PC Village Co. Ltd., an Ontario firm that allegedly repeatedly sold computers with "loaded hard disks." The disks contained illegal copies of Microsoft software, including counterfeit MS-Windows 95 and Office 95. Undercover agents working in collaboration with the Canadian Alliance Against Software Theft (CAAST) bought two computers in a row with illegal software — one immediately after a meeting during which Microsoft representatives discussed the first case with PC Village managers. Microsoft and CAAST urge consumers to be aware of the signs of hard-disk loading:
- No end user license agreement.
- No Certificate of Authenticity.
- Prices that are "too good to be true."
- No product registration card.
- No backup disks, manuals, or other materials for software installed on a new computer system.
- Backup disks have hand-written labels, are not shrink-wrapped, or appear to be of inferior quality.
- Manuals are photocopied, are not shrink-wrapped, or appear to be of inferior quality.

Report suspected piracy to Microsoft at 1-800-RU-LEGIT, via e-mail at [email protected] or for Canadians, visit .

Category 4B Intellectual property: patents, copyrights (law) 1997-06-05 copyright EDUPAGE Intersect, Inc. announced a new product for scanning Web sites to locate pirated audio and video clips. A week after the announcement, the Recording Industry Association of America announced that it would soon be launching lawsuits against sites on the Internet that support music piracy (regardless of whether the sites charge for their services). A few weeks later, the RIAA filed suit against three pirate Web sites.

Category 4B Intellectual property: patents, copyrights (law) 1997-07-03 software theft intellectual property law OTC Microsoft reported a growing number of piracy cases involving naïve business personnel who allow unscrupulous vendors to "load" their hard disks with illegal copies of software such as Windows NT or Microsoft Office 98. Anyone buying systems with software included should demand full original documentation and a way to register their software. Call Microsoft's Anti-Piracy Hotline (800-RU-LEGIT = 800-785-3448) if you have any doubts about what you are buying.

Category 4B Intellectual property: patents, copyrights (law) 1997-07-22 intellectual property EDUPAGE In July, programmer Evan Brown, formerly of DSC Communications in Plano, TX, appealed a court order that would force him to tell his former employer how to convert old source code into modern equivalents. Apparently he signed an employment agreement years ago that made "all ideas related to DSC's line of business" the property of that company.

Category 4B Intellectual property: patents, copyrights (law) 1997-08-05 Inslaw copyright software theft AP A long-running software copyright violation case ended in August. In 1982, software developer Inslaw provided the U.S. Justice Department with a case-management program. When the Department of Justice canceled the contract, Inslaw sued the DoJ and received much favorable press coverage in trade magazines. In 1987, a federal bankruptcy judge ruled in favor of Inslaw and awarded $7M to the owners of the defunct company. Finally, after 10 years of litigation, a federal appeals court overruled the original ruling and canceled the award.


Category 4B Intellectual property: patents, copyrights (law) 1997-08-05 copyright law felony EDUCOM Rep. Robert Goodlatte (R-Va.) has proposed a bill to make illegal copying of software a felony. For 10 or more illegal copies with a retail cost of $5,000 or more, the convicted felon would face up to three years in jail, with penalties doubling for a second conviction.

Category 4B Intellectual property: patents, copyrights (law) 1997-08-14 copyright intellectual property reproduction EDUPAGE The battle between writers and publishers over electronic reproduction rights continued in August when a federal judge in Manhattan ruled that publishers can continue to reproduce freelance writers' work on CD-ROMs and in databases without paying extra royalties. Writers immediately planned to appeal the decision.

Category 4B Intellectual property: patents, copyrights (law) 1997-08-22 lawsuit defamation copyright industrial espionage theft Reuters In August, the conflict between arch-rivals McAfee and Symantec hit a new high (or low) when McAfee sued Symantec for defamation and asked the courts for $1B in damages. Earlier in the year, Symantec had sued McAfee for alleged copyright violations found in the source code of McAfee's VirusScan. In August, McAfee issued a press release asserting that a programmer had downloaded the 100 lines of code in question from the Internet — and that they were thus not stolen by McAfee from Symantec. The next morning, some enthusiastic hack at Symantec announced in _their_ press release that "McAfee confirms that VirusScan contains misappropriated Symantec code." Within hours, the happy lawyers at McAfee had launched their client's lawsuit for defamation.

Category 4B Intellectual property: patents, copyrights (law) 1997-09-02 IETF S/MIME RSA patents crypto algorithm Inter@ctive Week The IETF demanded that RSA give up its patents on its proprietary S/MIME scheme if it expected to have it accepted as an Internet standard for e-mail encryption. RSA did not express enthusiasm for this idea.

Category 4B Intellectual property: patents, copyrights (law) 1997-09-02 DNS domain names TechWire The World Intellectual Property Organization (WIPO) tried to establish worldwide control over the domain name system (DNS) and failed when delegates to the meeting in Geneva in September protested that the proposals were ambiguous and would clash with local laws and customs.

Category 4B Intellectual property: patents, copyrights (law) 1997-09-07 copyright intellectual property law EDUPAGE In September, Sen. John Ashcroft (R-MO) introduced the Digital Copyright and Technology Education Act to protect ISPs against lawsuits based on abuse of copyright by their subscribers. At Senate hearings on these issues, ISPs pointed out that monitoring individual traffic on the Net would be an enormous burden. AOL's General Counsel said, "With billions of messages flowing across the Internet on a single day, a monitoring requirement would not be financially feasible or, frankly, consistent with the nation's commitment to communications privacy."

Category 4B Intellectual property: patents, copyrights (law) 1997-09-14 copyright intellectual property public domain EDUPAGE Proposed legislation in the US Congress would extend all current copyrights by 20 additional years. Commentators expressed concern over the erosion of the concept of public domain.


Category 4B Intellectual property: patents, copyrights (law) 1997-10-02 intellectual property Internet technology EDUPAGE The Association of American Publishers proposed the "digital object identifier" to label all documents and multimedia objects with information such as its origin, copyright restrictions, and legal ownership. Clicking on the DOI icon would link the user to the owner's home page on the Web.

Category 4B Intellectual property: patents, copyrights (law) 1997-10-03 intellectual property law Wired Evan Brown used to work for DSC Communications of Texas. He thought up a neat method for reverse engineering executable code by decompiling it into higher-level languages. DSC started off offering him a partnership, but then withdrew the offer and insisted on his giving them his idea for free, citing his employment agreement. Brown argued that his idea was thought up off company premises on his own time and had nothing to do with his job or his (now former) employer's business. They were off to court in November.

Category 4B Intellectual property: patents, copyrights (law) 1997-10-09 intellectual property law Web Wired Intellectual property lawyers have been chasing down amateur Web sites where fiction refers to characters from copyright works. The "fan fiction" tradition takes well-known characters such as the crew of the Millennium Falcon from Star Wars and places them in new fiction, some of it good, some of it bad. The owners of the copyrights generally dislike this uncontrolled use of their creations, so many fans have been getting lawyers' letters telling them to cease and desist. The information-wants-to-be-free crowd protests this rigid interpretation of the existing laws, urging owners to give up their rights for the public good.

Category 4B Intellectual property: patents, copyrights (law) 1997-10-13 intellectual property Web CMP TechWeb via PointCast A new bill on intellectual property rights was approved in October by the House Judiciary Committee. HR 2265 would punish pirates who post copyrighted materials on the Web without permission; fines of up to $250,000 and jail of up to 3 years should provide a disincentive for creative copying if the bill is passed.

Category 4B Intellectual property: patents, copyrights (law) 1997-10-16 intellectual property Internet Web EDUPAGE BMI announced invention of a "Musicbot" to scan the Web for pirated music and count the number of visitors to those sites. Eventually the music licensing organization is expected to initiate legal proceedings against copyright violators who use the Web.

Category 4B Intellectual property: patents, copyrights (law) 1997-11-06 intellectual property copyright theft law EDUPAGE Rep. Bob Goodlatte (R-Va.) introduced draconian legislation that would punish software pirates and other copyright violators with fines of up to $250,000 and jail terms of up to three years — and that's for first-time offenders. Repeat offenders would get whacked even worse.

4B2 Patents

Category 4B2 Patents 1997-05-14 intellectual property patent antivirus COMTEX Newswire Trend Micro Inc. sued McAfee Associates and Symantec Corp. for patent infringement because the competitors offer antivirus products that scan inbound files from the Internet for viruses. Trend Micro's General Counsel, Robert Lowe, said, "The broadest set of claims basically addresses when you have a server intercepting data being sent from one computer to a second computer, when you perform certain types of virus scanning processes such as separating high risk data from low risk data, and having certain types of predetermined actions that occur when a virus is detected, such as deleting it or storing it in a quarantine area." Other antivirus manufacturers might face lawsuits from Trend Micro as well, said the lawyer.

4C Security paradigms, risk management, site-security certification, professional certification

Category 4C Security paradigms, risk management, site-security certification, professional certification 1997-08-05 security awareness UK certification Universal News Services The British Department of Trade and Industry, the U.K. Accredited Certification Service, and the British Standards Institution are developing a new Code of Practice for Information Security Management (BS 7799). To achieve this level of certification, organizations will have to implement minimal standards of security. This new certification scheme would be complementary to the ICSA's Web Certification program.

Category 4C Security paradigms, risk management, site-security certification, professional certification 1997-09-06 infowar critical infrastructure AP The President's Commission on Critical Infrastructure Protection continued its work as its October deadline for a final report drew nearer. Chairman Robert T. Marsh emphasized that although there have been no disasters due to attacks on the American infrastructure, it is important to prevent any such damage. He specifically named the Internet as an increasingly vital component of the infrastructure.

4D Funny / miscellaneous

Category 4D Funny / miscellaneous 1997-01-30 pornography EDUPAGE In its defense of the Communications Decency Act, lawyers for the government argued that censoring the Net is designed to protect First Amendment rights by allowing parents to use the Net without fear for their children's moral development. The ACLU responded that this argument was outrageous and oxymoronic. For some survivors of the sixties, it reminded one of the satirical slogan, "Kill for Peace!" and other more risqué versions.

Category 4D Funny / miscellaneous 1997-02-25 censorship CDA law EDUPAGE Over two dozen organizations, including the American Association of University Professors, filed a brief in the U.S. Supreme Court in preparation for the deliberations over the constitutionality of the Communications Decency Act. The AAUP commented that it "is concerned that the CDA will chill online expression and discussion on a wide variety of academic subjects (e.g., medicine, biology, anatomy, social work, art, and journalism), impairing use of this promising new medium for legitimate pedagogical and research purposes."

Category 4D Funny / miscellaneous 1997-05-04 law e-mail archives EDUPAGE With more and more e-mail and other files being left on disks and tapes, lawyers find that the costs of discovery are sometimes so huge that lawsuits are being settled out of court just to avoid having to delve into the electronic mountains of material. More important, having plaintiffs required to dig through defendants' hard drives raises serious questions of industrial espionage. According to Judge Paul Niemeyer of the U.S. Court of Appeals in Baltimore, "I sense that discovery is being used as a tool of oppression, rather than as a tool of fairness."

Category 4D Funny / miscellaneous 1997-07-17 speech recognition EDUPAGE Lernout & Hauspie announced plans for voice-operated control over Microsoft Word. Commentators imagined a new form of hacking: yelling commands through open doors to bollix up voice-operated software. A hoax message instantly popped up claiming that at a demonstration, someone in the audience yelled "FORMAT C colon return" and another one yelled immediately "YES return" — ignoring the fact that the software cannot control DOS.

Category 4D Funny / miscellaneous 1997-09-30 security paradigm criteria Information Systems Security Update 97 9 At the 13th International Information Security Conference, 14-15 May 1997 in Copenhagen, RAND Corporation's Willis Ware presented a paper on "New Vistas on Info-System Security" emphasizing the importance of moving away from DoD dogma that he characterized as "protect the system and data at any cost" and urged practitioners to emphasize protection at acceptable cost. Dr Ware's paper (RAND #P-7996) is available for $5 and shipping by searching on "Ware" using the engine at .

Category 4D Funny / miscellaneous 1997-11-23 social effects computerization EDUPAGE Speaking at an OECD conference in November, Ira Magaziner (the White House Special Advisor on Technology) warned that the effects of increasing computerization will be as overwhelming as the industrial revolution. Millions of people will lose their jobs and millions of other people will take on new jobs, he said. One of the big questions, said the Director General of the OECD, Donald Johnston, is whether and how governments should tax transactions carried out internationally via the Internet.
