by Mitchell Kapor BUILDING BLOCKS A

Found at: gopher.meulie.net:70/EFFector/effect03.09

########## ########## ########## |          COMPUTER SPIES
########## ########## ########## |         by Mitchell Kapor
####       ####       ####       | 
########   ########   ########   |BUILDING BLOCKS AS STUMBLING BLOCKS
########   ########   ########   |   A Commentary on the 15th NCSC
####       ####       ####       |        by Rebecca Mercuri 
########## ####       ####       |
########## ####       ####       |           THIS OLD DOS
EFFector Online           November 9, 1992                Issue  3.09
           A Publication of the Electronic Frontier Foundation
                            ISSN 1062-9424

                             Computer Spies
                           by Mitchell Kapor

Can a company lawfully eavesdrop on its employees' telephone calls? Not 
f they have an expectation of privacy. But, at least in most states,
the employer can monitor conversations if it tells the workers that that 
s what it is going to do.

That old legal issue surfaces in a new technological context in Silicon 
Valley, with disturbing consequences for your ability to defend key 
nformation assets. Take a look at how Borland International, a company
that should know better after almost a decade on the leading edge of 
technology, may have hurt itself in a case involving an apparent theft of 
trade secrets.  

The allegations in the tangled legal affair are by now well known. On 
Sept. 1 Eugene Wang, a vice president of Borland's computer languages 
Mail account, where they found, they said, a number of messages that 
they believe prove Wang delivered Borland product plans, memos and other 
and Eubanks and to a civil suit by Borland against Symantec.  

What has been scarcely addressed in newspaper coverage of these events 
s what this case means to the rapidly growing business of electronic

Let's back up and consider the law that protects electronic mail users, 
the federal Electronic Communications Privacy Act of 1986. The privacy 
act protects messages while in transmission on a public mail service 

Borland and its attorneys, in a hurry to prove their suspicions about 
Wang, justified their intrusion into the mailbox as a property right: 
Borland was paying the bills for Wang's MCI account. "E-mail is like an 
n-box on someone's desk,' says Borland spokesman Steven Grady in

Case closed? Not quite. Borland's metaphors fall apart when tested 
against the realities of electronic mail. Unlike in-boxes on an 
abandoned desk, E-mail requires a password, and it can be administered 
by a wholly separate communications company, like MCI. As it stands, in 
a criminal case Wang could challenge the legality of all the evidence 
collected on the basis of the messages found in his MCI account. He may 
also have grounds for a countersuit under the electronic privacy act and 
California law, which goes further in protecting individual privacy.  

an apparent information hemorrhage. But the methods employed by Borland, 
barbarian by the standards of the federal statute. The one thing for 
court battle to sort this out. The final result may be a draw between 
Borland and Symantec, and a new definition of privacy for the rest of 
corporate America.  

Borland could have strengthened its case against Wang if it had followed 
the recommendation of the Electronic Mail Association to announce its 
County District Attorney staff took potential violations of the 
electronic privacy act so seriously that they used a top computer-crime 

Despite Borland's hard-learned lessons, it continues to refuse to 
mplement a formal E-mail privacy policy that declares just when
electronic messages sent from company equipment are company property. 
found. If so, that's naive and shortsighted.  

Some companies may be reluctant to announce in advance that they are 
constantly snooping. So be it, but then they should refrain from 
company's most valuable property  may be intangible the source code for 
a software package, for example an E-mail account may amount to an 
unlocked door on a warehouse.  

The electronic privacy act's procedures may need streamlining, and the 
Borland case may be the ratchet that makes the adjustments. By the time 
Borland could have obtained court authorization to examine Wang's 
electronic mail, some of the messages might have been deleted by MCI's 
automated five-day cleanup function. New legislation requires fine-
tuning in the light of the complexities of real world situations in 
order to be effective for the purposes for which it was originally 
their own policies to fit the technologies they use.  

from Forbes Magazine November 9 1992  

Mitch Ratcliffe, editor-at-large for MacWEEK, provided research assistance
for this column.  



                            By Rebecca Mercuri

         A Report from the 15th National Computer Security Conference 
                    October 13 -16, Baltimore, Maryland.

of coming away with some solutions for the security problems I had 
encountered over the past few years. I left with a longer list of
ncapable or unwilling to yield them publicly.

Let me state clearly here that this comment does not reflect negatively
on the conference organizers. They performed their task well, creating a 
topics. Indeed, "rookies" were liberally mixed on panels with esteemed
"greybeards" and many women (sans beards) were in evidence as session
chairs and presenters (although I was somewhat dismayed to note that
females appeared to constitute less than 10% of the attendees, lower
than in the computing community in general). The breadth and extent of
the conference does not allow one reporter to describe it fully, so I
offer these remarks merely as comment and commentary, perhaps to 

The conference had an international flavor. The keynote was by Roland
Hueber (Directorate General of the Commission of the European
Communities) and the closing plenary on International Harmonization
and solutions.  Diversity, particularly in commerce, inspires
creativity. Monopoly, or single-mindedness, often leaves one at risk of
exploitation by a strong central power, or of attack by those who are
close enough or who understand the system well enough to side-track it
We may need "fault-tolerant" and "diversified" answers.

about encryption systems. For the uninitiated, covert channels are
created when  internal intermittent polling is performed in an effort to
conceal illicit data collection activities. Bob Morris provided the
approximately 1 month. This is at current processing rates, but one can
extrapolate out the Silicon Valley curve and surmise that our current
key encryption systems will be inadequate within the end of the century
(if not now, perhaps).

and formal top level specification. With respect to covert channels, 
Virgil Gligor referred to "formal top level specification as an
unmitigated waste of time," saying that data structures and source may
not map to the top level, there may not be enough relevant details
code/behavior correspondence. Still, formal methods have their
one of their directors (who also publicly revealed that there had been a 
major successful break-in at the lab last month). Interestingly, the
methods and known suspicious behaviors.  Steve Snapp expressed the
and data driven methods should all be used.

The matter of viruses was explored throughout various sessions. The
level following contamination or invasion. 

a "new" virus (that can not be eradicated with existing software) was
offered. This was not consoling to someone who had just last week left a
client's law office with the admonishment "don't use any of the text
files that you've created in the last 6 months until I can find out what
the new virus strain is that appears to have adhered to some unknown
quantity of them."  Here too, the standardization on certain operating
acceptance of specific tools (such as the legal community's reliance on
Word Perfect(TM)) encourages the proliferation of attacks that could

Losses seem to be tied heavily to the bottom line. In banking, it may
not be advantageous to implement a $10M or more security system that
be obtained at a cost of $1M (even if this price only remains low until
there is a hit). 

the bottom line may indeed be one or more people's lives. As true with
tested computer system may cost more lives than providing it while
make improvements and corrections. How does one weigh security,
access to the developing technology? We are faced with a moral dilemma

The area of privacy was eloquently addressed by Attorney Christine
Axsmith who said that our reasonable expectations of privacy, as
expressed by the 4th Amendment, protect people, not just places. But she
Act and other legislation efforts still suffer from a lack of court
mprove security undermine privacy?

Curt Symes (from IBM) stated that "we'll all be using smart cards in the 
future, for a higher level of authentication." Does this mean that I

"Information Systems Security: Building Blocks to the Future" should be 
BLOCKS" or obstacles to our future as security professionals. There is a
blocks, requiring true solutions which appear to not be forthcoming.
What we don't want are systems and design structures that are so
cumbersome as to impede computational progress.  Discussion may be
fruitful, but let us put our noses to the grindstone and provide
functional tools and answers, rather than guidelines and assertions.
While some are working in this direction, many others are needed.

NCSC '92 -- Comment and Commentary
Copyright (c) 1992 by Rebecca Mercuri. All Rights Reserved.
Reposting and/or reprint not granted without prior written permission
from the author. Address questions, response and corrections to:


                         THIS OLD DOS

Hi, I'm Bob Wheeler Dealer, and welcome to This Old DOS.  Last week you 
may remember we renovated the Charles Babbage Family computer.  We 
upgraded their antique CPM to the IBM operating system known as MS DOS.  
And this week on This Old DOS, we're continuing our renovation by 
nstalling a brand new operating system, supposed to be real easy to
use, called Windows.  And boy am I excited.  So let's go around back and 

Bob:  Hi Norm; how's it going?

Norm: Oh, hi Bob.  Well as you can see I'm about to install Windows on 
our old machine.

Bob: No glass in these Windows, huh Norm? Ha ha.

Norm: Ha ha. That's right, just a handful of floppy disks.  This is an 
attempt at making an IBM PC work *a little bit more* like an Apple 
Macintosh.  Instead of typing commands, you just move a lot of little 

Bob: I can't wait.  Sounds simple enough; let's take a whack at it.

Norm: Well, ok, the first thing we do is install these disks.  Pop them 
n the computer and follow the uh directions on the screen.  Here you
try (sound of hard drive grinding).  That's it.

Bob: Simple enough.

Norm: Ok, Bob, now the machine wants to know if you want to modify your 
config.sys or change your autoexec.bat to automatically load when the 
machines boots up.  What do you want to do?

Bob: What's a config.sys? I don't anything about this stuff.

Norm: Never mind, it's ok Bob, I'll take care of it.  There.  Now to be 
of sawing).  That's the computer chip inside inside so that these 
Windows will work fast enough.  Otherwise, you know, you might as well 
Careful!  (sound of machinery) Don't bend the pins!  There, all snapped 

Bob: All right, now we're ready to open Windows, right?

Norm: Not on your life, Bob.  While we're at it we're building an 
extention onto the memory board for those fat, greedy programs that 
nto place (bang bang). There, now we've got 16 megabytes on board.
Narly, man!

Bob: All right, let her rip, Norm.

Norm: Not so fast, Bob!  Those big Windows programs need lots and lots 
of storage space. Charles talked to his banker and decided to spring for 
that 200 megabyte beauty there.  Hand me that..uh

Bob: You mean this thing here? (groaning and grunting)

Norm: Yeah, that's the hard drive.  Ah, thanks.  And they want to do 
multimedia.. you know sound, graphics, computer games... the latest -- 

Bob: Something else?

Norm: A CD ROM drive..

Bob: Something else? More stuff?

Norm: Yeah, we have a sound board and special speakers if you want that 

Bob: This .. this isn't so simple anymore!

Norm: Well,  we're just about ready to go.  That's about it.

Bob: All right now, with all this preparation Norm, this had better be 

Norm: Well, I hope so, let's (sound of drive grinding) load up Word 
(beep.. crash).  Oh-oh.

Bob: What happened?  What happened?

Norm: Well, it looks like a system crash.

Bob: Oh no!

Norm: Don't worry! We can fix this thing.  We can fix it.

Bob: What do we do now, give up?

Norm: No, Never! We drop everything and start over.  That's the American 
Way.  You keep changing stuff until you find what's wrong.

Bob: Now, how long is this gonna take?  I haven't got all weeks to..?

Norm:  Don't worry! We'll I'll have this thing running like top, Bob.  

Bob: All right, you keep working at it Norm.  We're out of time folks.  
Join us tomorrow  for the start of our new 50-part series:  "How to 
nstall and maintain a Local Area Network."  Until then, bye bye for
This Old DOS!

(c) Copyright National Public Radio (R) 1992. The segment by NPR's Ira 
Nation" on September 11, 1992 and is used with permission of National 



becoming a member now. Members receive our bi-weekly electronic
newsletter, EFFector Online, the @eff.org newsletter
and special releases and other notices on our activities.  But because
things even if you do not elect to become a member.

Our memberships are $20.00 per year for students, $40.00 per year for

Our privacy policy: The Electronic Frontier Foundation will never, under
any circumstances, sell any part of its membership list.  We will, from
time to time, share this list with other non-profit organizations whose
explicit permission, we assume that you do not wish your membership

---------------- EFF MEMBERSHIP FORM ---------------

Mail to: The Electronic Frontier Foundation, Inc.
    155 Second St. #39
    Cambridge, MA 02141

    $20.00 (student or low income membership)
    $40.00 (regular membership)
    $100.00(Corporate or company membership.
    This allows any organization to
    become a member of EFF. It allows
    such an organization, if it wishes
    to designate up to five individuals
    within the organization as members.)

    I enclose an additional donation of $




City or Town:

State:     Zip:    Phone:(    )     (optional)

FAX:(    )    (optional)

Email address:

to my Mastercard [  ]     Visa [  ]    American Express [ ]


Expiration date:



other non-profit groups from time to time as it deems
appropriate   [  ]  .

Your membership/donation is fully tax deductible.
     EFFector Online is published by
     The Electronic Frontier Foundation
     155 Second Street, Cambridge MA 02141
     Phone: +1 617 864 0665 FAX: +1 617 864 0866
     Internet Address: eff@eff.org
 Reproduction of this publication in electronic media is encouraged.
 Signed articles do not necessarily represent the view of the EFF.
 To reproduce signed articles individually, please contact the authors
 for their express permission.
     This newsletter is printed on 100% recycled electrons.