Copyright © 1995-2004 UKUUG Ltd

Newsletter Section 1

UKUUG News
Editor's Column

(Susan Small)

You may have noticed that I am trying to structure the newsletter around particular themes. This month's issue concentrates on Java, a topic it is very hard to ignore at the moment. There are a number of reviews of Java books, pointing you in the direction of good buys and, just as vital, warning you away from the not so good! Your Council agreed that a timely service for members would be the setting up of a Java SIG. Lindsay Marshall has agreed to co-ordinate this and you will find a piece from him on page 6 encouraging your participation. Get in touch with him to make it a reality.

The October issue will concentrate on Linux and we already have a couple of reviews in the pipeline. However, if there is anything you wish to contribute on this topic, let me have your views, preferably by email, by 19 September.

The December issue will be devoted to security issues. However, I didn't want to wait until then to publish, to a wider audience, Andrew Findlay's fascinating report on the IEE colloquium on information security (you'll find it on page 7).

I very much hope that you like the idea of building issues of the newsletter around particular topics. If you do, let me know what topics we should be tackling in 1997.

Best wishes to you all for a good summer.

Report from the Chair

(Mick Farmer)

As this issue follows soon after our recent AGM, I thought that I would take this opportunity to expand on some of the points made in my report and by members at the meeting.

First, the continuing decline in membership, which is now about 350, down from about 400 a year ago. I have said, on a number of occasions, that this is due to the success of UNIX, not its failure. In my opinion, UNIX is an accepted system across a wide range of applications, from CAD/CAM engines through desktop workstations to networked file servers. Therefore, UNIX on its own is not important any more. This view was shared by a number of our European sister UNIX user groups at a recent EurOpen meeting. Many of them are observing the same decline in their membership as we are. We are at a crossroads as to where to go next. Do we simply shut up shop because the battle has been won, or do we go forward by embracing new and exciting topics to champion?

Of course, I've already gone one step too far by assuming that our membership will increase if we offer more attractive services!

Perhaps the day of the user group is past. However, I think not, primarily because of a meeting that took place last week which, unfortunately, I couldn't attend because of an examiners' meeting. This meeting was arranged by another user group in this country on the simple premise that user groups should get together and see what benefits we could reap by working together in areas of common interest. By all accounts, this was a lively affair attended by representatives from a number of similar groups and I look forward to reporting on any progress that is made in this direction.

Second, a subject related to our membership, namely events. Frankly, we have had a bad year in providing events for members and non-members alike. In 1995, Rik Farrow's Security Workshop was over-subscribed and we agreed to repeat it in 1996. This time, the number of attendees was disappointingly low, although those who were there thought it was well worth while. In June this year we organised Julian Ellison's Designing for the Web event and, once again, numbers were very low. Again, those who were there loved it. It was said at the AGM that advertising for these events was very late in coming out, and I accept responsibility for this. We have no person on Council in charge of events, which means that I end up getting something out, but too late. In my view, it is time for us to bring an events co-ordinator onto the Council; someone who will liaise with local event organisers and ensure what needs to be done, gets done in plenty of time. Any volunteers?

It is obvious to me that much of our crystal ball gazing, thinking about what events would attract delegates, has been haphazard. Your Council can think that this topic is the hottest thing since sliced toast, but if you, the members, don't submit papers or come as attendees, then we're wrong. So, what events would you like us to provide in the future? One suggestion made at the AGM was to resurrect our annual Lisa Workshop, which was organised successfully by Neil Todd for a number of years. It certainly has an all-embracing title, especially these days, and is certainly worth considering. Would you be willing to give a short talk at such a workshop? Would you be interested in attending such a workshop? Please let us know!

Third, something more exciting. As most of you know, the UKUUG went on-line properly this year and we are continuing to improve our range of electronic services. Our web pages are being built, improved upon, and added to. Interestingly, our secretariat is reporting a steady trickle of membership enquiries coming via our web pages. Let's hope that this translates into a number of new members. Members are gradually becoming aware of our redirection e-mail address for life service and we hope to have the first few members' home pages on the web by the time that you read this. Remember that both these services are free to members.

Fourth, our SIGs. Our Linux SIG continues to grow with a steady increase in members, especially non-UKUUG ones (who pay £25 per year). Our Linux SIG co-ordinator, Martin Houston, reports that interest in Linux is growing, especially in the UK and Europe. He has also been busy writing for a new publication, Linux World, which should be on the news stands by the time you read this. Members of our Linux SIG will receive a complimentary copy of this magazine and Martin hopes to get useful feedback from members with their views on this new publication. I recently had a meeting with Martin and the publisher of Linux World, and we hope to organise some collaborative ventures in the near future.

This issue of the newsletter sees the launch of our new Java SIG, co-ordinated by Lindsay Marshall. Judging by the number of Java books that have suddenly appeared in the bookshops, Java is certainly a hot topic with plenty of interest from people wanting to see how this new language (life style?) can change the way they work. So, in this issue we have Java book reviews, interesting Java web sites, etc. Lindsay will contribute a regular column devoted to Java and we also intend to make a feature of Java on our web server. One possibility under consideration is to provide a forum for those wishing to publicise their own applets. Members could discuss the merits of these, in the newsletter hopefully, and possibly vote on their favourites electronically.

Finally, we have our newsletter. This is the one tangible service that every member receives from the UKUUG, and we are looking at ways of making it more attractive to members. Following the success of the articles concerning electronic money in the last issue, our newsletter editor, Sue Small, is attempting to focus each issue on a particular theme or topic. This issue is devoted to Java, the October issue is being devoted to Linux, and the December issue is provisionally devoted to Network Security and related issues, as these are the themes of our Winter conference, scheduled for then. What topics would you like to see being covered in future issues of news@UK?

Our October issue will also feature a cover CD for the first time, completely full with all things Linux. I especially want to see a cover CD with every issue of the newsletter. CDs are a very cheap and convenient way of storing information. With CD readers now at a price that home users can afford, I think we are seeing an explosion of CDs covering every conceivable subject under the sun. Our intention is that the cover CD should reflect the theme of that particular issue of the newsletter. Obviously, certain popular topics will be repeated, but we make no apology for that. It simply means that you will be receiving the very latest versions each time!

The topic of our newsletter brings me round full circle and back to the question of membership. A lively debate took place at the AGM concerning the cost of membership, which has stood unchanged for a number of years. One member took a hard look at the services provided for members and stated that, since the newsletter was the one thing received by members, he thought that membership should be the same as the subscription for a specialist magazine. I suppose that is around £30! Personally, I don't think that a user group like the UKUUG could survive on an annual subscription at that level, unless we experienced a large increase in the number of members. However, the whole question of subscription rates and membership categories is under consideration by your Council. If you have any views on this most important issue, please let me know.

As I write this, the temperature outside is pushing into the 80s Fahrenheit and I haven't been on holiday yet! May I wish you all a pleasant summer break, if you're taking one, and I look forward to receiving your views on anything you think important. We might even be able to resurrect the letters page!

Report from the Treasurer

(Ivan Gleeson)

The following report provides a summary of the financial aspects relating to the operational business of UKUUG Ltd for 1995. It was presented to the AGM in London in June 1996 and is reproduced here for the benefit of those who were unable to attend.

Income

This year's income is £97,561. Although this is up on 1994 income (£88,513) the trend, in line with membership, is down. It is evident that the majority of income comes from membership fees and it is therefore worrying that this is in decline.

This decline reflects the general view that participation in such organisations as UKUUG is reducing, not out of desire, but resulting from operational pressures.

Expenditure

It is with some regret that the majority of expenditure (£105,893) relates to ongoing administration. Given that this is above income, this level of expenditure cannot be maintained. Consequently, reducing the cost of administration will be a primary objective for the new year. Without doubt some difficult decisions lie ahead for the Council.

An important consideration in this year's expenditure relates to historical bad debt (£9,075 in relation to a joint venture with Sun UK User Group). Thus, taking this into account, the actual operating profit could be considered as £743. In my view, this reflects the hard work put in by the Council and staff at Owles Hall - doubling the income from events.

System of Control

The system of control can be considered as adequate in relation to the efficiency in operational procedures. To maintain the economic and ongoing operational success of UKUUG the effectiveness of these procedures will need to be reviewed in the coming year.

Next Year

I am in no doubt that the value of UKUUG will continue to grow. Sadly, to maintain limited but sustained growth, unpopular actions may be necessary resulting in changes to administration and sponsorships.

Conclusion

In order to maintain our level of reserves a number of changes, on the lines suggested above, will need to be implemented. However, to allow the Council to continue, with the provision of this valuable service, we need the continued support of members.

This support needs to be visible, not only in paying subscriptions, but by full participation in events and providing feedback to the Council.

For the last three years I have been involved with UNIX and, as an IT Auditor with the Bank of England, tend to concentrate on security. I am a member of both the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA). I currently chair the ISACA UNIX Special Interest Group.

Java SIG

(Lindsay Marshall)

Tidal wave hits programmers. Confusion abounds!

You may have noticed that a programming language rejoicing in the novel name of Java has been receiving a modicum of attention in the press recently. You may even have been sufficiently intrigued by these tantalising announcements to have gone out there and tracked down a Java system and played with it. On the other hand you may have got so sick of the seemingly endless hype that you have washed your hands of the whole thing, sat back and are waiting to see what shapes up 12 months down the road - after all it's just C++ with bits cut out of it, isn't it?

Well, whatever you think about it Java is going to be important. Too many people have invested too much time and effort (not to mention reputation) into promoting it, that it really cannot be anything else. Those of you who attended the AGM will have heard what I think about the situation and, if I was really nasty, I would bore the rest of you by running over it again, but I won't. Well, I won't if you all promise to help make our new Java SIG a success!

Why a Java SIG? Aren't there enough newsgroups, mailing lists and web pages dealing with Java already? Probably, but have you peeped into their muddied waters? The signal-to-noise ratio makes alt.flame look informative. Our aim is to try to pull together a UK community of expertise in Java (funny how we are all instant experts in it isn't it?) so that we can help each other really become experts. We might even try to organise meetings where we can sit around in bars talking about things whilst people deliver papers in some hall somewhere. (No, silly, I don't mean that kind of delivering papers!)

First off we are going to be very predictable and have a web page hanging off the UKUUG site. However, we would really like to keep this as UK based as possible - there are a gazillion links to Java sites and code all over the world, what we want are links to people who we can go and doorstep until we find out how they wrote that cute animation. So send me the links, send me cute waving Union Jack applets, send me your favourite Java problems for the Java problem page - actually send me anything you want, I'll just bin the junk anyway. If you want to nominate yourself as a Java expert who can be an agony aunt please do. And a prize of a UKUUG sweatshirt from Mick Farmer's washing basket for the best UKUUG animation for the page. As for me, I'm off to play with the tcl/tk plugin for Netscape.....

Lindsay Marshall is a lecturer in the Department of Computing Science at the University of Newcastle upon Tyne. He has some UNIX DECtapes and a paper tape machine in his office.

Information Security - Is IT Safe?

(Andrew Findlay)

On 27 June 1996 the Computing and Control Division of the Institution of Electrical Engineers hosted a colloquium in London under the above title.

The speakers were drawn from Government security services, MoD, the police, and security software houses, so those attending gained a useful insight into the “official” view of information security.

Keynote

The keynote address was given by Andrew Saunders, Director of the Communications-Electronics Security Group (CESG) at Cheltenham. CESG is the UK national authority for cryptography and technical information security. Starting with definitions, IT Security was described as including confidentiality, integrity, and availability. The last of these is often overlooked, but denial-of-service attacks can be as damaging as data theft or data corruption. Balancing risk against benefit requires some careful thought, particularly in the area of threat analysis: there is no point in spending money on securing a system that is unlikely to be attacked, or that is not important to the organisation. The key message from this talk was that security must be a combination of measures: personnel selection, operational procedures, physical security, and technical security.

Product Evaluation

Murray Donaldson of CESG described the progress being made towards common criteria for the evaluation of IT security products, devices, and systems. Starting with the US “Orange Book” in 1985, programmes in the US, Europe, and Canada each developed new sets of evaluation criteria. After much detailed discussion, these have been brought together into one (large) draft document which is now available for comment (URL = http://www.itsec.gov.uk/ ) and which will form the input to a future ISO standard.

Incident reporting

The next speaker was Paul Fleury, Head of the Information Systems Security Group, which is responsible for the non-technical aspects of security policy in government. He described the Unified Incident Reporting and Alert Scheme (UNIRAS - no connection with the graphics package of the same name). This is the government equivalent of CERT: it issues IT Security alerts and briefings to government departments and contractors, and collates incident reports for threat analysis. An important feature is that it guarantees anonymity to anyone reporting an incident, so that the emphasis is on alerting others to potential risks and fixing problems rather than blaming the victims. A report is produced at the end of each financial year summarising the incidents.

In 1995-6 the main categories were: virus infections (1775), theft (1136), hacking (801), and 369 incidents of other types. The effects were characterised as Integrity (33%), Confidentiality (22%) and Availability (45%). The main trends over the year were a large increase in virus reports and in the value of stolen IT equipment: £6.5M with six individual thefts valued over £100k each. These figures probably parallel the experience of non-government organisations, but comparisons are difficult to make because of different definitions. As an example, 98% of the “hacking” incidents were described as “legitimate users abusing their privileges” - this is certainly computer misuse, but may not be regarded as “hacking” in other communities.

Data Protection

Elizabeth France, the Data Protection Registrar, started her talk by explaining her role and powers and the fact that she is responsible directly to Parliament and not to Government. Apparently she often has to explain this to ministers and senior members of government agencies too! There are several anomalies in the Registrar's powers and obligations: for example, she can only enforce the law against a registered data user, but has no power to investigate complaints against one who has avoided registration.

The existing Data Protection Act derives from an international agreement known as Treaty 108, and was introduced more to allow the UK to continue trading with other countries than to protect the rights of the citizen. The 1984 Act will have to be replaced by 1998 because the EU has issued a Directive on data protection which must be incorporated into national law. There are explicit references to Privacy (the existing law does not say anything about this), Registration, Consent, and Individual Rights. The Data Protection Principles are largely unchanged, and any organisations that already comply with the spirit of the existing law will find the new law quite easy to comply with.

Mrs France reiterated the point that staff training and awareness is a vital part of a security policy, and cited a case where old medical records were found being used as drawing paper by a Brownie pack! The Registrar's Office gets about 3000 complaints each year, 50% of which lead to investigations. Prosecutions are rare as the approach is to persuade the offending data users to comply with the law. Even so, a few cases do reach the courts each year.

Computer Crime

Detective Inspector John Austen of the Metropolitan Police Computer Crime Unit is a well-known figure in computer security circles, having led several high-profile cases in recent years. He started by describing an incident that took place on the night of 9 January 1995: an obscene image involving a young woman and a horse appeared at the end of a routine bulletin issued by a financial wire service. It was distributed automatically to many customers in several countries. The investigation was easy and a member of staff was soon arrested, but the wire service company lost sixteen major customers almost overnight - not because of the image itself, but because the customers lost faith in the company's security and thus would not trust the information they were buying. The story illustrated the knock-on effects of an apparently small incident and again underlined the importance of all-round attention to security (who vets your office cleaners?)

It is easy to forget that there are computers other than PCs and servers: consider all the computers embedded in complex equipment - they can be hacked too. In fact, 50% of the incidents reported to the Computer Crime Unit relate to private telephone exchanges. Phone Phreaking has been around much longer than computer hacking, and may still account for more financial loss. Equipment such as PABXs and building control systems is often managed by people with no knowledge of computer security, so hackers commonly find standard maintenance accounts with default passwords: enough to run up a hefty phone bill, or bring your organisation to a grinding halt. Password management seems to be something that everyone is bad at: the Metropolitan Police tried one of the simpler bits of captured software against some police computers and achieved a 75% hit rate on some password files.

Poor security system design shows up in many areas: one recent arrest was a New Zealander who had been travelling in comfort for nine months armed simply with a bit of software to re-program credit cards. By taking advantage of the inadequate checks applied by point-of-sale terminals he could simply invent credit card accounts at will.

The talk concluded with a profile of the typical real intruder: not a spotty schoolkid in an attic hacking at night, but a 16-35 year old well educated, frustrated (social/sexual/employment/you-name-it), sci-fi-addicted, vindictive and/or profit-oriented pawn. Pawn, that is, of the elite hackers - the very few really clever ones - and of the criminals or subversives with an interest in the hacker's “product”.

Technology Demonstrator Programme

Bob Hill, the Ministry of Defence Project Manager for the Security in Open Systems Technology Demonstrator Programme spoke about the MoD's wish to reduce its dependence on bespoke development and make use of more commercial off-the-shelf IT products. This was a session full of acronyms - references in the above sentence alone gave rise to MoD, SOS, TDP, and COTS! The essence of the programme is to show that a secure mail and directory service can be built using components from several manufacturers and that the same components can meet the needs of both government and others. The project claims a world first, in that it has enlisted Microsoft as prime contractor and persuaded it to co-operate with Digital, Nortel, Novell, EDS, SPYRUS, and Zoomit to produce the first demonstrator. Later this year, phase two will start to address the “pull” applications such as database query and WWW.

Hacking

David Ferbrache of DRA is another familiar figure on the UK network security scene. He discussed the nature of the hacking threat to open networks, reminding the audience again about the risk from “social engineering” (Hello? This is the network support centre. We have found a problem with your files and we need your password to sort it out...). Moving on to technical vulnerabilities, the sheer size and complexity of modern systems is now beyond most people's understanding: a typical UNIX system with X represents about 2.8M lines of code, and a Windows-95 system with a few desktop applications may well be more complex than that. It is easy for vulnerabilities to creep in: buffer overflows have been exploited in many programs, and race conditions are a lot more common than people expected too. Simple things like validation of program arguments are often overlooked, and programs are written using invalid assumptions (everyone will understand what we mean if we only use two digits for the year...). There is a lot of “Somebody Else's Problem” syndrome around: such as the database back-end processes that assume the front-end has done the security checks and are thus vulnerable to anyone who decides to talk directly to the back-end. Finally there are systems developed with no security at all - “it will only be used by our own staff” and “security will be added in the next version” are common ostrich-like statements.
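The “Somebody Else's Problem” back-end above, as an added example rather than anything shown at the colloquium: a back-end process that assumes the front-end has already validated the request, beside one that checks for itself. A query assembled from an unchecked string is used as one concrete way the assumption fails; the `accounts` table, its rows and the function names are constructed for the demonstration and belong to no real system.

```python
"""Added example (not from the colloquium report): a database back end that
trusts the front end's checks versus one that checks for itself.

The table, the sample accounts and the function names are constructed for the
demonstration; nothing here is taken from a real system.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table holding constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "carol", 9000)],
    )
    return conn


def front_end_lookup(conn, account_id_text, backend):
    """The front end: checks that the id is all digits, then calls the back end.
    Anyone who talks to the back end directly never passes through this check."""
    if not account_id_text.isdigit():
        raise ValueError("account id must be numeric")
    return backend(conn, account_id_text)


def trusting_backend(conn, account_id_text):
    """'Somebody else's problem': assumes the front end validated the id and
    splices the raw text straight into the SQL statement."""
    sql = "SELECT owner, balance FROM accounts WHERE id = " + account_id_text
    return conn.execute(sql).fetchall()


def defensive_backend(conn, account_id_text):
    """Checks its own input and binds it as a query parameter, so it behaves the
    same whether or not a front end sat in front of it."""
    if not account_id_text.isdigit():
        raise ValueError("account id must be numeric")
    sql = "SELECT owner, balance FROM accounts WHERE id = ?"
    return conn.execute(sql, (int(account_id_text),)).fetchall()


def rejects(backend, conn, account_id_text) -> bool:
    """True if the back end refuses the input instead of executing it."""
    try:
        backend(conn, account_id_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Through the front end the two back ends are indistinguishable ...
    print(front_end_lookup(db, "2", trusting_backend))
    print(front_end_lookup(db, "2", defensive_backend))
    # ... but called directly, the trusting one returns every row for a crafted id,
    # while the defensive one refuses the same input.
    print(trusting_backend(db, "1 OR 1=1"))
    print(rejects(defensive_backend, db, "1 OR 1=1"))
```

The point of the demonstration is that the two back-ends are indistinguishable when exercised through the front-end, which is exactly why the problem survives ordinary testing; the defect only shows when the back-end is reached by a route the designers did not anticipate.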

The defence community takes security seriously, and regularly tests its systems by setting “tiger teams” to attack them. The results leave no room for complacency: of 38000 probes made last year, 24000 were successful to some extent, only 9000 of those were detected, and less than 100 of these “incidents” were reported. It does not take much effort to imagine the effect of the same probes in a less security-conscious community!

Firewalls

John Hughes of TIS(UK) spoke about countermeasures to protect against attacks from the Internet. Amid the cowboys-and-indians clipart this was a fairly standard “Firewalls for Managers” talk, though it also highlighted further problems created by export controls on cryptography and provoked a heated debate with a member of the audience on the relative merits of public-key and symmetric cryptosystems for key management.

Commercial Cryptography

Alex McIntosh of PC Security Ltd spoke on “Protection of Commercial Data and National Law Enforcement” - a tense combination as he was quick to admit. The Encryption Debate is raging in public in the US, but is also alive and well in most other countries, as a balance is sought between the perceived needs of government - particularly the law enforcement agencies - and those of other users of cryptography - business and individuals. Governments in many countries allow the use of encryption within national borders, but almost all control its export and some control its import. This makes life very difficult for multinational organisations and leads to some odd anomalies: the US recently relaxed the rules about exporting laptop computers containing encryption technology, but this benefit only applies to US nationals and is not extended to foreign nationals, even if they work for US companies and are based in the US!

One major item in the encryption debate centres around key lengths: longer keys are much harder to attack than shorter ones. If the underlying cryptosystem is good then adding one bit to the key length should double the length of time taken to break the key. The US government currently takes the position that they will only allow 40-bit keys in freely-exportable cryptosystems, yet a report published in January 1996 (URL = http://theory.lcs.mit.edu/~rivest/bsa-final-report.ascii ) suggests that businesses should be using at least 70 bit keys if the threat to them is from other businesses, and 75 bits if the threat is from national governments.

A table was exhibited giving estimates of the time required for various types of attacker to break 40-bit and 56-bit keys. These ranged from five hours for a pedestrian hacker with $400 of hardware attacking a 40-bit key to 0.0002 seconds for an intelligence agency with $300M hardware. The story on 56-bit keys is not much better: the pedestrian hacker is set back by a 38-year attack time, but a professional applying $300k of special-purpose hardware could break the same key in three hours and the intelligence agency hardly has time to draw breath in the 12 seconds it would take with their country-sized appropriation.
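The doubling rule and the attack-time table can be checked against each other. The following is an added worked example, not part of the report or of the cited paper: it derives each attacker's key-trial rate from the quoted 40-bit time, predicts the 56-bit time from the doubling rule, and turns the same rate into a minimum key length for a chosen horizon. The quoted times are those given above; the assumption that exhaustive search succeeds after half the key space on average, the one-year horizon in the demonstration and the function names are mine.

```python
"""Added example (not from the colloquium report): checking the attack-time
table against the rule that each extra key bit doubles the work.

The 40-bit and 56-bit times are the ones quoted in the report. The half-key-space
expectation, the one-year horizon and the function names are assumptions made
for the demonstration.
"""
import math

SECONDS_PER_HOUR = 3600.0
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR

# Attacker -> time to break a 40-bit key, as quoted in the report.
QUOTED_40_BIT = {
    "pedestrian hacker, $400": 5 * SECONDS_PER_HOUR,
    "intelligence agency, $300M": 0.0002,
}

# Attacker -> time to break a 56-bit key, as quoted in the report.
QUOTED_56_BIT = {
    "pedestrian hacker, $400": 38 * SECONDS_PER_YEAR,
    "professional, $300k": 3 * SECONDS_PER_HOUR,
    "intelligence agency, $300M": 12.0,
}


def expected_trials(key_bits: int) -> float:
    """Exhaustive search finds the key after half the key space on average."""
    return 2.0 ** (key_bits - 1)


def trials_per_second(key_bits: int, seconds: float) -> float:
    """Key-trial rate implied by breaking a key_bits key in the given time."""
    return expected_trials(key_bits) / seconds


def time_to_break(key_bits: int, rate: float) -> float:
    """Expected seconds for an attacker trying `rate` keys per second."""
    return expected_trials(key_bits) / rate


def scale_time(seconds: float, from_bits: int, to_bits: int) -> float:
    """Same attacker, different key length: one doubling per added bit."""
    return seconds * 2.0 ** (to_bits - from_bits)


def min_key_bits(rate: float, target_seconds: float) -> int:
    """Smallest key length whose expected search time, at this rate, is at
    least target_seconds. Solves 2^(k-1) >= rate * target_seconds for k."""
    return math.ceil(math.log2(rate * target_seconds)) + 1


def check_table() -> dict:
    """Predict each attacker's 56-bit time from their 40-bit time and return
    the ratio predicted / quoted; values near 1.0 mean the table is consistent
    with the doubling rule."""
    return {
        who: scale_time(t40, 40, 56) / QUOTED_56_BIT[who]
        for who, t40 in QUOTED_40_BIT.items()
    }


if __name__ == "__main__":
    for who, ratio in check_table().items():
        print(f"{who}: predicted/quoted 56-bit time = {ratio:.2f}")
    agency = trials_per_second(40, QUOTED_40_BIT["intelligence agency, $300M"])
    print(f"agency rate: {agency:.3g} keys/s, "
          f"56-bit: {time_to_break(56, agency):.1f} s, "
          f"bits for a one-year search: {min_key_bits(agency, SECONDS_PER_YEAR)}")
```

Both attackers' 56-bit figures come out within about ten per cent of the quoted values when scaled from their 40-bit figures (5 hours times 2^16 is a little over 37 years; 0.0002 seconds times 2^16 is about 13 seconds), so the table is consistent with the doubling rule. The same rate for the $300M attacker implies that a key must be around 78 bits long before the expected search time reaches one year, which is the arithmetic behind recommendations well above 56 bits.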

On 10 June 1996, the UK Government published a proposal for the licensing of “Trusted Third Parties” that would provide encryption services to business and individuals and which could be required to provide decryption keys to law enforcement agencies in certain circumstances. This proposal is rather different from the US attempts to enforce key escrow, and has some potential merits for organisations and individuals that need encryption but are not competent to build their own system. It is still unlikely to find favour with big business though, and the Shell oil company was used as an example of a business that has already thought through the issues. One very important issue is that of liability: Shell stated that not even the largest government could manage liability for the damage that could be caused by the loss of keys, and went on to define a corporate trust model along the lines of “We do not trust the government of the US. We do not trust the government of the UK....” Eventually Shell implemented their own strong encryption system including key management and key escrow, all operated from their headquarters in London. The work was done by PCSL, and interestingly they have recently obtained agreement from all the relevant US agencies that the same system is acceptable for use by Fortune 500 companies. This is another nail in the coffin of government key escrow, but it does act as a useful reminder that key escrow is an essential service: organisations do not want to lose access to their data if someone forgets a password or leaves the company. Similarly an encrypted will is not much use if the only person knowing the key is the one who has just died!

Standards, Accreditation, Cryptography Law

The final talk was given by Nigel Hickson of the Information Security Policy unit of the Department of Trade and Industry. The DTI is the UK body with control over encryption technology use and export so the audience were able to get authoritative answers to some important questions. The current position could be summarised as:

- It is legal to use any sort of encryption inside the UK

- All export of encryption technology is controlled

The details of the export controls are published through HMSO (URL = http://www.hmsoinfo.gov.uk/ ). The DTI enquiry unit (URL = http://www.dti.gov.uk/Contacts.html or 0171 215 5000) can put you in touch with experts if you need further assistance.

The main part of the talk was concerned with BS7799, the UK standard on information systems security. The standard is a recent one, and was largely developed by the DTI working with people from large companies. Several supporting booklets have now been published and are available from the DTI, in particular the Information Society Initiative security booklet (call 0345 15 2000) and the Information Security Policy Statement (call 0171 215 1399). There are also booklets on “Information Security and the Internet”, “Computer Assurance Guidelines”, and “The Business Manager's Guide to Information Security”. A process for accreditation to BS7799 standards is now being put together: this will be fairly flexible, as the Standard has 105 “controls” and it is up to each organisation to decide which are most appropriate to implement. BS7799 has also been proposed for “fast track” acceptance as an ISO standard, though its chances of success are not clear.

Returning to the encryption issue, it was stated that there would be no new controls, that the concept of licenced trusted third parties was currently favoured, and that international working was recognised as important. The recent announcement provides a framework for policy and more detailed proposals can be expected later in 1996: this means that any comments on the existing proposal should be submitted quickly. The EU is apparently considering a “second information security decision” and an OECD expert group is working on global cryptography guidelines.

Andrew Findlay organises LUUG events, barndances, and ox-roasts. Between these momentous events, he is in charge of the team that deals with the exponential computing requirements of Brunel University.



John Munden is acquitted at last!

(Ross Anderson)

On 8 July 1996 John Munden walked free from Bury Crown Court. This resolved a serious miscarriage of justice, and ended an ordeal for John and his family that has lasted almost four years.

In a judgment loaded with significance for the evidential value of cryptography and secure systems generally, His Honour Justice John Turner, sitting with two assessors, said that “when a case turns on computers or similar equipment then, as a matter of common justice, the defence must have access to test and see whether there is anything making the computers fallible”. In the absence of such access, the court would not allow any evidence emanating from computers.

As a result of this ruling, the prosecution was not in a position to proceed, and John Munden was acquitted.

John was one of our local policemen, stationed at Bottisham in the Cambridge fenland, with nineteen years' service and a number of commendations. His ordeal started in September 1992 when he returned from holiday in Greece and found his account at the Halifax empty. He complained and was told that since the Halifax had confidence in the security of its computer system, he must be mistaken or lying. When he persisted, the Halifax reported him to the police complaints authority for attempted fraud; and in a trial whose verdict caused great surprise, he was convicted at Mildenhall Magistrates' Court on 12 February 1994.

I told the story of this trial in a post to sci.crypt on 14 February 1994; this is now archived at ftp.cl.cam.ac.uk as the file /users/rja14/post.munden1. It turned out that almost none of the Halifax's “unresolved” transactions were investigated; they had no security manager or formal quality assurance programme; they had never heard of ITSEC; PIN encryption was done in software on their mainframe rather than using the industry-standard encryption hardware, and their technical manager persisted in claiming (despite being challenged) that their system programmers were unable to get at the keys. Having heard all this, I closed my own account at the Halifax forthwith and moved my money somewhere I hope is safer.

But their worships saw fit to convict John of attempted fraud - which made the national papers.

An appeal was lodged, but just before it was due to be heard - in December 1994 - the prosecution handed us a lengthy “expert” report by the Halifax's accountants claiming that their systems were secure. This was confused, even over basic cryptology, but it was a fat and glossy book written by a “big six” firm with complete access to the Halifax's systems - so it might have made an impression on the court. We therefore applied for, and got, an adjournment and an order giving me - as the defence expert witness - “access to the Halifax Building Society's computer systems, records and operational procedures”.

We tried for nine months to enforce this but got nowhere. We complained, and an order was made by the judge that all prosecution computer evidence be barred from the appeal. The Crown Prosecution Service nonetheless refused to throw in the towel, and they tried to present output such as bank statements when the appeal was finally heard.

However, the judge would have none of it.

Many thanks to all those who helped, and especially to guys like Brian Randell, Chuck Pfleeger and John Bull who wrote in to the Chief Constable and pointed out that the original judgment was patently absurd. It was largely due to their letters that John was suspended from the force rather than sacked.

For the computer security community, the moral is clear: if you are designing a system whose functions include providing evidence, it had better be able to withstand hostile review. This is understood by designers of forensic systems, and the value of hostile review is also well known to the military and the utilities. But with one or two exceptions - such as SET - the banks are just not on the same planet.

PS: Now who would want the Halifax to be their “Trusted Third Party” and provide them with a “key recovery service” in line with the recent DTI/GCHQ proposals?!


News from Owles Hall

(Jane Morrison)

[janem] Since the last Newsletter the Group has held its Annual General Meeting. This was held at the Institute of Education, London on Thursday 27 June 1996. Very few attended; I'm not quite sure if this was because of the tube strike that day, or if you were all too busy to attend... Anyway, the meeting was held and a copy of the minutes and attachments should be in the envelope sent with this Newsletter to all members.

The WWW Event with Julian Ellison, held on Friday 14 June at Birkbeck College, was very successful, although the number of attendees was lower than we envisaged.

I reminded you all in the last issue about the free service of receiving extra copies of the Newsletter for colleagues - this time I'll remind you of the free email alias for life (xxx@ukuug.org) - again only a handful of members have taken up this service. If you are interested please send me (office@ukuug.org) your email alias and target address; could you please also indicate your membership status.

The book discount scheme which we have run now for a number of years still remains very popular with members. Orders continue to come in and we are hoping to update the lists in the very near future.

Your committee plans to have a Tele-Conference early in August to discuss future services and events and I hope to be able to update you for the Autumn months in the next issue.

Jane has worked at the Owles Hall Secretariat for almost 8 years. She looks after the administration for the UKUUG, SUN UK User Group and EurOpen. When not working, her pastimes include gardening, swimming, painting and decorating, going on holiday and doing absolutely nothing and trying to keep her 18 year old son on the straight and narrow!



JANET User Support Workshop

10-12 September 1996
Harper Adams Agricultural College

The sixth annual JANET User Support Workshop is organised for people at academic institutions that are connected, or about to be connected, to JANET. It will cover topics related to the use of JANET and the Internet at their institution, and the many networked resources and services now available.

Programme

Some of the topics to be covered are:

.     UKERNA and the networking programme
.     Online information in UK Higher Education - resourcing implications
.     Video conferencing
.     Usenet News
.     Help Desk
.     Supporting the users
.     Networking Training
.     HTML for Beginners aimed at the information providers

The workshop is being limited to 150 people. The full cost of the residential workshop package is £260.

Contact details at the end of newsletter.


Tel: 01763 273 475
Fax: 01763 273 255

UKUUG Secretariat
PO BOX 37
Buntingford
Herts
SG9 9UQ