Date:       Fri, 30 Jul 93 16:29:05 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V3#006

Computer Privacy Digest Fri, 30 Jul 93              Volume 3 : Issue: 006

Today's Topics:				Moderator: Dennis G. Rears

                 Re: First Person broadcast on privacy
             Re: First Person broadcast on privacy at work
            Final program for 5th Incident Response Workshop

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: Todd Jonz <Todd.Jonz@corp.sun.com>
Subject: Re: First Person broadcast on privacy
Date: 28 Jul 1993 23:53:58 GMT
Organization: Sun Microsystems, Inc.


Kevin Calmes <tmis1692@altair.selu.edu> writes:

	> What did you think of last nights Maria Schriver story about privacy
	> in the workplace?  I thought the thing about private e-mail was a
	> bit of a stretch. After all it is the employers computer and it is
	> the employers right to know what is there.  Simply, don't put your
	> private information in the company's computer.

I agree with your basic premise that all company resources belong to the
company, may only be used as sanctioned by the company, and may be monitored,
accessed, and controlled as deemed appropriate by the company.  However I find
it difficult to apply a common standard to seemingly similar situations.  If
we assume, for the sake of argument, that it's acceptable for my employer to
monitor and access my "private" e-mail, then:

	o  Is it also acceptable for my employer to monitor my telephone
	   calls as well?  It is, after all, their telephone, and they put it
	   on my desk for business use.  Does this then give them the right to
	   monitor my calls, with or without my knowledge?

	o  How about voice mail?  Isn't voice mail the moral equivalent of
	   e-mail that just uses an alternate storage and I/O format?  Should
	   different rules apply to voice mail and e-mail?

	o  Let's go the limit:  when the mail robot stops by and I drop a bill
	   payment in the "Outbound" box, does my company have the right to
	   open it?  (Please, debate the ethics, not the legalities; I'm not
	   sure when the mail in this box formally becomes U.S. Mail with
	   which it would be illegal to tamper.)

	o  How does the previous example change if the "Outbound" box is, by
	   policy, for business related mail only, but I ignore policy and use
	   it for personal use?  Have I relinquished any rights?

I'm not as interested in who has what rights as I am in how anyone can justify
applying *different* policies for these various scenarios.  It seems to me we
need a single, consistent policy that covers all these bases.


						-- Todd

------------------------------

From: "Glenn R. Stone" <taliesin@netcom.com>
Subject: Re: First Person broadcast on privacy at work
Date: Wed, 28 Jul 93 22:08:04 PDT

In <comp-privacy3.4.4@pica.army.mil> David Hoffman <hoffman@xenon.stanford.edu> writes:

>I thought Schriver's piece was a little alarmist and sensational -
>she made every attempt to convey the message that "big brother is
>watching and you can't trust anyone - especially your employer".

I didn't see the show (I don't watch network tv anymore, not 
even FOX... I watch TBS, PBS, and the two independent stations
here in town.  All broadcast, all free, .... and I digress.)
but I think that viewpoint is right on the nose.  There are
those in another department at my work who, I am told by
sources I trust, go snooping where they don't belong... and
seem to do so with relative impunity.

>Not once did she mention anything about encryption, which I think
>would have given the stories a very different slant.  It's quite a
>trip from "your boss can and will scrutinize every word you type
>and there's nothing you can do about it" to "the wires aren't
>bug-proof, but you can still make the message private".  I guess
>it's more dramatic television if you just ignore the fact that
>there are solutions.

True, and true. However, some folk don't have access to the necessary
compilers, some folk wouldn't know where to begin if they did, some
folks' employers would probably go ballistic if the employees started
sending encrypted mail even between officemates, never mind offsite,
and some folk just need to be alerted that the spooks really are out
there right now and that healthy paranoia is just that.  As for me,
I resorted to several approaches.... the most extreme of which is 
actually one of the simplest: I'm paying a commercial provider for
this account and keeping my employer totally out of the loop.  Twenty
bucks a month is a small price to pay for being able to say what I 
want and not have to worry about prying fingers. 

Granted that, as much network TV does, it leaves out the solution and 
only succeeds in crying about the problem, methinks from what has been
written here that for once, the networks have done us a service by
simply alerting the general public to the problem.  Maybe instead of
taking preventative measures, the masses might generate enough outcry
to eliminate the problem, rather than merely providing a solution.

We can only hope.

taliesin
taliesin@netcom.com

------------------------------

Date: Thu, 29 Jul 1993 12:10:18 -0500
Subject: Final program for 5th Incident Response Workshop
From: Gene Spafford <spaf@cs.purdue.edu>
Organization: FIRST Steering Committee


This is the final program for the upcoming workshop.  We have a
first-rate agenda of speakers from around the world on incident
response & security.

To answer two common questions:
  1) It is still possible to register for the workshop, although
     it is at the higher rate.  The hotel still has rooms available.
     Registration at the door will be possible, but you may not
     be able to get copies of the handouts on-site unless you
     pre-register.

  2) St. Louis is not underwater....at least the workshop hotel and 
     airport are not.  A message from the St. Louis convention bureau
     is at the end of this announcement describing conditions.

Please pass this on to anyone interested!

--gene spafford
Workshop Program Co-chair




			    FINAL AGENDA
	   5th Computer Security Incident Handling Workshop
Sponsored by the Forum of Incident Response and Security Teams (FIRST)

			  August 10-13, 1993
			    St. Louis, MO


TUESDAY, August 10, 1993  Full-day Tutorials

1.  Creating a Security Policy
    presented by Charles Cresson Wood:
    Independent Information Security Consultant, Sausalito, California

  Based on his information security consulting work with over 80
  organizations, Wood will discuss the practical aspects of information
  security policies.  He will draw heavily from his third book, entitled
  "Information Security Policies Made Easy," which contains 525
  already-written policies.  His presentation will cover risk
  assessments, the role of policies, policy needs analysis, policy
  writing, management approval, policy issuance, user training, proper
  uses of automated and manual controls, and policy enforcement.  The
  intention of the workshop will be to acquaint attendees with the need
  for policies, how they are best used, and how to handle policies
  in-house (avoiding the need to hire a consultant).  Wood will also
  discuss how policies can help move an information security effort ahead
  with velocity while at the same time keeping security costs down.
  Special attention will be paid to the people aspects of information
  security policies.  The workshop will end with critiques of the policy
  statements brought by attendees (so bring your policies).


2.  Vulnerabilities of the IBM PC Architecture: Viruses, Worms, Trojan
    Horses, and Things That Go Bump In The Night
    presented by A. Padgett Peterson:

  An intensive look into the architecture of the IBM-PC and MS/PC-DOS --
  What it is and why it was designed that way. An understanding of
  assembly language and the interrupt structure of the Intel 80x86
  processor is helpful.

  The day will begin with the BIOS and what makes the PC a fully
  functional computer before any higher operating system is introduced.
  Next will be a discussion of the various operating systems, what they
  add and what is masked. Finally, the role and effects of the PC and
  various LAN configurations (peer-peer and client server) will be
  examined with emphasis on the potential protection afforded by login
  scripting and RIGHTS.

  At each step, vulnerabilities will be examined and demonstrations made
  of how malicious software exploits them. Demonstrations may include
  STONED, MICHELANGELO, AZUSA, FORM, JERUSALEM, SUNDAY, 4096, and EXEBUG
  viruses depending on time and equipment available.

  On completion attendees will understand the vulnerabilities and how to
  detect attempted exploitation using simple tools included with DOS
  such as DEBUG and MEM.


3.  Unix Security
    presented by Matt Bishop:

  This tutorial will examine four areas of security critical to the
  functioning of UNIX systems:
  * user authentication, which provides the first line of defense 
    against attackers attempting to penetrate the system;
  * management of privileges, and managing access to the superuser
    account as well as programming for security;
  * defending against malicious logic, which will include a discussion
    of the workings of the Internet worm of November 1988, and several
    techniques for detecting malicious logic as well as blocking its
    effects; and
  * networking, covering the security mechanisms available in NIS, NFS,
    privacy-enhanced electronic mail, and Kerberos, as well as the
    Berkeley "trusted hosts" mechanism, Secure RPC, the network
    daemons and calls used by Berkeley's implementation of rlogin, rsh,
    and their kin, and (if time permits) both HoneyDanBer and 4.3 BSD
    UUCP.



 WEDNESDAY, August 11, 1993

 8:30 -  8:45  Opening Remarks - Rich Pethia - CERT Coordination Center 

 8:45 -  9:30  Keynote Speaker - Dr. Vinton Cerf - Corporation for Research
               Initiatives

 9:30 - 10:00  Break

10:00 - 12:00  International Issues - Computer networks and communication lines
               span national borders.  This session will focus on how computer
               incidents may be handled in an international context, and on
               some ways investigators can coordinate their efforts.
               SPEAKERS:  
		 Harry Onderwater - Dutch Federal Police
		 John Austen - New Scotland Yard
		 John Neily - Royal Canadian Mounted Police

12:00 -  1:30  Lunch with Presentations by various Response Teams

 1:30 -  3:00  Professional Certification & Qualification - how do you know if
               the people you hire for security work are qualified for the
               job?  How can we even know what the appropriate qualifications
               are?  The speakers in this session will discuss some approaches
               to the problem for some segments of industry and government.
               SPEAKERS:  
		 Sally Meglathery - ISC2
		 Lynn McNulty - NIST
		 Genevieve Burns - ISSA

 3:00 -  3:30  Break

 3:30 -  6:00  Incident Aftermath and Press Relations - What happens after an
               incident has been discovered?  What are some of the
               consequences of dealing with law enforcement and the press?
               This session will feature presentations on these issues, and
               include a panel to answer audience questions.
               SPEAKERS:  
		 Laurie Sefton - Apple Computer
		 Jeffrey Sebring - MITRE
                 Terry McGillen - Software Engineering Institute
		 John Markoff - NY Times
		 Mike Alexander - InfoSecurity News

 7:00 -  9:00  Reception

THURSDAY  August 12

 8:30 - 10:00  Preserving Rights During an Investigation - During an
               investigation, sometimes more damage is done by the
               investigators than from the original incident.  This session
               reinforces the importance of respecting the rights of victims,
               bystanders, and suspects while also gathering evidence that may
               be used in legal or administrative actions.
               SPEAKERS:  
		 Mike Godwin - Electronic Frontiers Foundation
		 Scott Charney - Department of Justice
		 Frank Dudley Berry Jr. - Deputy District Attorney
                                            Santa Clara County

10:00 - 10:30  Break

10:30 - 12:00  Coordinating an Investigation - What are the steps in an
               investigation?  When should law enforcement be called in?  How
               should evidence be preserved?  Veteran investigators discuss
               these questions.  A panel will answer questions, time permitting.
               SPEAKERS:
		 Jim Settle - FBI
		 Jack Lewis - US Secret Service
		 John Smith - Santa Clara DA's office

12:00 -  1:30  Special Interest Lunch

 1:30 -  3:00  Liabilities and Insurance - You organize security measures but
               a loss occurs.  Can you somehow recover the cost of damages? 
               You investigate an incident, only to cause some incidental
               damage.  Can you be sued?  This session examines these and
               related questions.
               SPEAKERS:  
		 Mark Rasch - Arent Fox
		 Bill Cook - Willian, Brinks, Olds, Hoffer, & Gibson 
		 Marr Haack - USF&G Insurance Companies

 3:00 -  3:15  Break

 3:15 -  5:30  Incident Role Playing -- An exercise by the attendees
	       to develop new insights into the process of
	       investigating a computer security incident.
	       Organized by Dr. Tom Longstaff of the CERT Coordination Center.

 7:30 -  ?     Birds of a Feather and Poster Sessions


FRIDAY  August 13

 8:30 - 10:00  Virus Incidents - How do you organize a successful virus
               analysis and response group?  The speakers in this session have
               considerable experience and success in doing exactly this.  In
               their talks, and subsequent panel, they will explain how to
               organize computer virus response.
               SPEAKERS:  
		 Werner Uhrig - University of Texas, Austin
                 David Grisham - University of New Mexico
		 Christoph Fischer - CARO
		 Karen Pichnarczyk - LLNL/DoE CIAC
		 
10:00 - 10:15  Break

10:15 - 11:15  Databases - How do you store incident, suspect, and
               vulnerability information safely, but still allow the 
               information to be used effectively?  The speakers in this
               session will share some of their insights and methods on this 
               topic.
               SPEAKERS:  
		 John Carr - CCTA
		 Michael Higgins - DISA/CISS
		
11:15 -  1:00  Threats - Part of incident response is to anticipate risks and
               threats.  This session will focus on some likely trends and
               possible new problems to be faced in computer security.
               SPEAKERS:  
		 Karl A. Seger - Associate Corporate Consultants, Inc.
		 Craig Worstel - Boeing
                 Genevieve Burns - Monsanto

 1:00 -  1:10  Closing Remarks - Dennis Steinauer (NIST/FIRST)

 1:10 -  2:00  Lunch

 2:00 -  3:00  FIRST General Meeting and the Steering Committee Elections
 
 3:00 -  4:00  FIRST Steering Committee Meeting


^^^^^^^^^^^^^^^^^^^^^Registration Information/Form Follows^^^^^^^^^^^^^^^^^^^^^

INQUIRIES:

Direct questions concerning registration and payment to:  Events at 412-268-6531

Direct general questions concerning the workshop to:  Mary Alice "Sam" Toocheck
                                                      at 214-268-6933
						      st@cert.org

Return to:   Helen E. Joyce
             Software Engineering Institute
             Carnegie Mellon University
             Pittsburgh, PA  15213-3890
             Facsimile:  412-268-7401
TERMS:

Please make checks or purchase orders payable to SEI/CMU.  Credit cards are not
accepted.  No refunds will be issued; substitutions are encouraged.

The registration fee includes materials, continental breakfast, lunches (not
included on August 13), morning and afternoon breaks and an evening reception
on August 11.  

GOVERNMENT TERMS:

If your organization has not made prior arrangements for reimbursement of 
workshop expenses, please provide authorization (1556) from your agency at the 
time of registration.
                                                 
GENERAL REGISTRATION INFORMATION:

Workshop................................................$300.00
All registrations received after July 10, 1993..........$350.00
Tutorial................................................$190.00

NAME:

TITLE:

COMPANY:

DIVISION:

ADDRESS:

ZIP:

BUSINESS PHONE:

EMERGENCY PHONE:

FACSIMILE NUMBER:

E-MAIL ADDRESS:

DIETARY/ACCESS REQUIREMENTS:

CITIZENSHIP:  Are you a U.S. Citizen?    YES/NO

Identify country where citizenship is held if not the U.S.:

(Note: there will be no classified information disclosed at this workshop.  
There is no attendance restriction based on citizenship or other criteria.)


GENERAL HOTEL INFORMATION:

RATES: A block of rooms has been reserved at the Hyatt Regency at Union
Station, One St. Louis Union Station, St. Louis, Missouri 63103.  The hotel
will hold these rooms until July 10, 1993.  Hotel arrangements should be made
directly with the Hyatt, 314-231-1234.  To receive the special rate of $65.00
per night, please mention the Fifth Computer Security Incident Handling
Workshop when making your hotel arrangements.

ACCOMMODATIONS: Six-story hotel featuring 540 guest rooms, including 20
suites.  All rooms have individual climate control, direct-dial telephone with
message alert, color TV with cable and optional pay movies.  Suites available
with wet bar.  Hotel offers three floors of Regency accommodations, along with
a Hyatt Good Passport floor, and a special floor for women travelers.

LOCATION/TRANSPORTATION FACTS: Downtown hotel located in historic Union
Station one mile from Cervantes Convention Center and St. Louis Convention
Center and St. Louis Arch.  Fifteen miles (30 minutes) from St. Louis Zoo.

DINING/ENTERTAINMENT:  Italian cuisine is featured at Aldo's, the hotel's
full-service restaurant.  Enjoy afternoon cocktails in the Grand Hall, an
open-air, six-story area featuring filigree work, fresco and stained glass
windows.  The Station Grille offers a chop house and seafood menu.

RECREATIONAL/AMUSEMENT FACILITIES: Seasonal outdoor swimming pool.
Full health club; sauna in both men's and women's locker rooms.
Jogging maps are available at the hotel front desk.

SERVICES/FACILITIES/SHOPS:  Over 100 specialty shops throughout
the hotel, including men's and women's boutiques, children's toy shops
and train stores.


==================================================

 July 19, 1993

 TO: Meeting Planner

 FROM: St. Louis Convention & Visitors Commission

 RE: Flooding


The ongoing Midwest flooding along the Mississippi River obviously is a great
and unfortunate drama--and we in no way seek to minimize the tragedy of loss
of lives, homes and businesses.

However, in the midst of national media coverage of flooding above and below
St. Louis, people are being left with the impression that St. Louis itself is
under water. The St. Louis Convention & Visitors Commission's telephone lines
are constantly busy as our information specialists answer calls from anxious
travelers who have made plans to visit St. Louis this summer. They wonder if
the Arch is "OK," if Union Station is "submerged" as they have heard, and
where the Cardinals will be playing baseball if Busch Stadium is under water!
We're doing our best to battle these and other misperceptions, but your help
would be greatly appreciated in getting the word to your readers.

Here's the truth: A visitor to St. Louis will be able to do everything he
could have done before the floods (see baseball games, ride to the top of the
Arch, enjoy dockside riverboat gaming, visit the brewery, zoo, art museum,
etc...) with the exception of taking Mississippi River sightseeing cruises.
And all highway access to St. Louis is clear and open. The flood crested
today, and the waters are beginning to recede.

So, as you can see, it is a battle of perception versus reality in St. Louis'
hospitality industry. If you're interested in talking about this aspect of the
flood, please contact the Convention Services Department at 1-800-325-7962.

Thanks very much for the consideration.  

ST LOUIS CONVENTION & VISITORS COMMISSION
10 SOUTH BROADWAY   
SUITE 1000  
ST. LOUIS, MISSOURI 63102
(314) 421-1023  (800) 325-7962  FAX (314) 421-0039

------------------------------


End of Computer Privacy Digest V3 #006
******************************