Special report on ATM fraud down under



JANUARY - FEBRUARY THE COMPUTER LAW AND SECURITY REPORT

that frequencies can be re-used across the country provided the buffer cells, operating at differing frequencies, separate the cells operating at the same frequencies. With this 'honeycomb' structure the cell can be thought of as roughly hexagonal in shape. Each cell is surrounded by six or seven neighbours and this pattern can be repeated. Thus only seven or eight sets of frequencies are required for the pattern to be repeated over a large area. To begin with there are 400 separate frequencies being used by cellular radio, split equally between two operators. Given the need to define six or seven bands of frequencies, to avoid clashes between neighbouring cells, this gives 30 frequencies and hence 30 simultaneous calls in each cell. This communications infrastructure is closely linked to the public telephone network and opens up all the services that are available over the PSTN. Thus, an added attraction of cellular radio is its integration with existing wide area communications facilities.

RAPID EXPANSION

The development of cellular radio has been dramatic. Well established services have existed in the United States of America and in Scandinavia for a number of years. The first moves in the UK to establish a cellular radio service were made in 1982 when the Department of Industry announced the award of licences to run commercial cellular radio services after long discussions with the communications industry. Licences were granted to two consortia - one to British Telecom/Securicor called CELLNET (previously known as SECTEL) and the other to Racal/Millicom known as RACAL VODAFONE. The licences stipulated a start date of January 1984 and required 90% of the population to be covered by cellular radio by the end of the decade. Both licensees opted to use TACS (Total Access Communications System), which is a development of the AMPS system used in the USA, instead of NMT (Nordic Mobile Telephone) used by Denmark, Finland, Norway and Sweden (and also committed to by Spain, Austria, Belgium, Ireland and the Netherlands). The service has grown apace since its January start date. By November 1985 both licensees were claiming faster than expected market penetration. The licensees themselves are not permitted to sell products to the user directly but associated companies have been set up which sell the equipment either directly or through appointed retailers. At the moment the equipment must be bought exclusively for one or other of the systems, but users on different networks can talk to each other via the telephone network. Under the terms of the licences, the two networks are supposed to move towards complete compatibility with one another. The investment has been substantial for the two consortia involved, with estimates as high as £100m for the final figure for each of them. Usage costs reflect this with the costs for CELLNET typically being £60 per month registration fee, £25 per quarter rental and 25p per quarter rental and 25p per minute for calls at peak time. Mobile phones cost between £1000 - £2000 to buy. It is expected that the cost will fall dramatically as the number of subscribers increases.

FUTURE PLANS

There appears to be some excitement in what the future holds for the transmission of data over cellular radio. Given this sort of facility the user will be given access to such services as PRESTEL or other Value Added Network Services that are introduced via the PSTN. Many suppliers are developing products, such as modems and data terminals, which will work to cellular radio standards and these open up the prospect of connecting cellular radio to personal computers. There are some problems in the transmission of data in this way. One problem occurs as the user is transferred from one cell to another. This causes a break in communications for a short space of time, typically a quarter of a second. Although in a voice transmission this is not noticeable, in data transmission this could mean a significant loss of data. Thus, special protocols need to be devised to overcome this sort of problem. RACAL VODAFONE have already announced just such a protocol - Cellular Data Link Control.

Given this sort of development there seems to be no reason why the cellular radio market should not explode. Taxis are being evaluated as possible providers of cellular radio communications for their customers and a recent announcement by BT that the Telecom Gold electronic mail service is now available over CELLNET means that the services are being marketed in a very vigorous way by all concerned. It seems likely that before long, the rather arbitrary distinction between mobile and home/office telephone will be a thing of the past.

Andrew Schulkins

NEWS HIGHLIGHTS

SPECIAL REPORT ON ATM FRAUD DOWN UNDER

According to the anonymous author of 'The Hackers Handbook' the only frauds that have been perpetrated on Automated Teller Machines have consisted of overriding the restrictions built into the ATM's software to prevent the customer overdrawing his account. (There may have been other types of fraud, but if there have they have been well concealed from the press.) The conclusion to be drawn from that information is that ATM fraud poses no significant problem because, in any event, the system also imposes a modest daily withdrawal limit, and an overdrawn account would be closed down within a very short space of time. In Australia the false assumptions present in this chain of logic have been aptly demonstrated in a case in which charges have been made against a 16 year old youth who allegedly defrauded one particular building society, the Hotham, of A$ 40,000 last July.


THE COMPUTER LAW AND SECURITY REPORT 5 CLSR

The reason why such a large amount was involved is, with hindsight, easily predictable from the information contained in the opening paragraph: faced with a daily withdrawal limit of A$ 300 why not open several accounts and overdraw on each? Allegedly the youth used false names and four different addresses to obtain more than 12 different credit and ATM transaction cards, with a A$10 deposit in each account. This took some 11 months to set up.

The fraud was made possible by the youth's knowledge of a weakness in the system operated by Idaps Australia Ltd. for several Australian building societies: every night the host computer supporting the building society consortium is shut down for less than an hour to perform batch processing tasks. During that time building societies had the choice of either keeping their ATMs open in remote mode, or closing down. Whilst in remote mode the ATM can only verify personal identification numbers. It cannot address customer files and their current account balances.

It is not clear from the numerous Australian press reports how this weakness was discovered: a spokesman for Victoria's largest building society, which also uses the Idaps system, has said that inside knowledge would have been required. However, it could simply have been by accident, when an accounts query at an ATM late at night produced no information but still allowed a withdrawal. The withdrawals were made on 15th July, between the hours of midnight and 4 a.m., and involved ATMs in several towns. It is believed that several youths were involved in the operation to identify (presumably by account enquiry) the ATMs without mainframe support and to withdraw from them to the transaction limit. On 14th August a youth was charged with the offences: a further 4~0 charges are in the police pipeline. Police have recovered A$ 32,000 and an airline ticket to Perth.

To prevent further security breaches Idaps has implemented a program which loads the customer file on to the front end Tandem system before the IBM is taken off-line. Thus the ATMs can access a customer's last balance on the Nonstop II Tandem system without having to use the IBM.

In a second Australian case, held before the Australian High Court, doubt has been cast on the ability of the police to prosecute offenders in this type of case. Unless the banks can prove that they did not intend property, the money taken, to be passed to the person who obtains it, they would be unable to prove larceny, which is the only offence that could be relevant.

At issue is whether, by keeping the ATM operational during the nightly batch processing mode, the bank demonstrated an intention to pass property in the money. The defendant had closed his account with the Savings Bank of South Australia, but used his card and PIN number to obtain A$ 200 from an ATM which was off line. Counsel argued that the savings bank had constructed the ATM system so that when an ATM terminal was off line, money would be made available to a holder of an appropriate card irrespective of whether there was a credit balance in the account. Accordingly, this indicated an intention by the bank to pass the property, in the money made available, in this way. The defendant's arguments failed, but only by a majority of 2:1. Leave of appeal has been granted. The case will probably be heard before the Spring.

David Davies
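
The off-line weakness in the two cases above, and the fix Idaps adopted (loading the customer file on to the front end before the host is taken off-line), can be sketched as follows. This is an added illustration, not code from the report or from any system it names; the class and function names, the fail-closed rules and the sample accounts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

DAILY_LIMIT = 300  # A$ daily withdrawal limit quoted in the report


@dataclass
class Snapshot:
    """Last known state of one account, copied before the host goes off-line."""
    balance: int          # whole dollars at the moment of the copy
    is_open: bool = True


@dataclass
class FrontEnd:
    """Hypothetical front-end processor answering ATMs during the batch window."""
    snapshots: dict = field(default_factory=dict)         # account -> Snapshot
    approved_offline: dict = field(default_factory=dict)  # account -> A$ dispensed

    def load_customer_file(self, host_accounts):
        """Copy (balance, is_open) for every account from the host."""
        self.snapshots = {a: Snapshot(b, o) for a, (b, o) in host_accounts.items()}
        self.approved_offline = {}

    def authorize_pin_only(self, account, pin_ok, amount):
        """Weak remote mode: only the PIN and the limit are checked.
        The account's balance and status are never consulted."""
        return bool(pin_ok) and 0 < amount <= DAILY_LIMIT

    def authorize_with_snapshot(self, account, pin_ok, amount):
        """Hardened remote mode: decide against the last known balance."""
        if not pin_ok or amount <= 0:
            return False
        snap = self.snapshots.get(account)
        if snap is None or not snap.is_open:
            return False  # fail closed: unknown or closed account
        already = self.approved_offline.get(account, 0)
        ceiling = min(DAILY_LIMIT, snap.balance)
        if already + amount > ceiling:
            return False  # would exceed the balance or the daily limit
        # Remember what was dispensed so repeat requests cannot add up
        # past the ceiling before the host comes back.
        self.approved_offline[account] = already + amount
        return True


def offline_exposure(authorize, requests):
    """Total A$ dispensed for a list of (account, pin_ok, amount) requests."""
    return sum(amt for acct, ok, amt in requests if authorize(acct, ok, amt))


def build_sample():
    """Constructed data: twelve accounts holding A$10 each, one ordinary
    account and one closed account, plus the requests made off-line."""
    host = {f"ACC{i:02d}": (10, True) for i in range(1, 13)}
    host["SALARY"] = (850, True)
    host["CLOSED"] = (0, False)
    front_end = FrontEnd()
    front_end.load_customer_file(host)
    requests = [(f"ACC{i:02d}", True, 300) for i in range(1, 13)]
    requests += [
        ("CLOSED", True, 200),   # closed account, valid card and PIN
        ("SALARY", True, 200),   # legitimate withdrawal
        ("SALARY", True, 200),   # second request would pass the daily limit
        ("SALARY", False, 50),   # wrong PIN
    ]
    return front_end, requests


if __name__ == "__main__":
    fe, reqs = build_sample()
    print("PIN-only remote mode dispenses A$", offline_exposure(fe.authorize_pin_only, reqs))
    fe, reqs = build_sample()
    print("Snapshot remote mode dispenses A$", offline_exposure(fe.authorize_with_snapshot, reqs))
```

The snapshot is only as fresh as the last copy, so the front end also has to count what it dispenses during the window; without that running total the same stale balance could be drawn on repeatedly.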

THE CHIP HITS THE NEWS

At a time when the big four American chip manufacturers are making losses in the sale of chips, interesting new developments are also occurring. Intel, one of the four American companies to report recent losses, have at the same time launched the 386 32-bit microprocessor chip with a performance capability of 3-4 million instructions per second. This is four to five times faster than the IBM PC/AT range. The chip is expected to be on the market in the Spring. The chip is interesting as it can still cater for existing IBM PC applications, as well as pointing the way towards faster and more powerful IBM machines in the not too distant future.

Despite problems in the US, sales of microchips around the world exceed $20 billion per annum. The shape of the industry is changing fast, with increased competition both from Japan and Europe. The US are particularly sensitive about this and only recently passed the Semi-conductor Chip Protection Act, designed to provide a form of copyright protection for the embodiment of the mask work on the chip itself. This was essentially designed to counteract the challenge from the Japanese, who were accused of copying American chip designs. Now a further row has broken out following accusations by the American Semi-conductor Industry Association that the Japanese are dumping certain types of chip on the American market below manufacturing price. Meanwhile, European companies are beginning to compete in the specialised market for custom made chips. For example, European Silicon Structures, which came into being in 1984, has announced plans for developing customised chips for the European market. In addition to that, a consortium of French, German and British companies have developed new techniques in the manufacture of chips which will provide greater precision in design and the potential for even more powerful chips in the future. British companies are also doing well alone: Plessey have been supporting research into chip reliability and are developing chips which can monitor themselves for design faults, which will be of particular interest in the field of defence. The next stage will be chips that can actually repair themselves by finding a way of by-passing the problem. The latest development comes from the EEC Commission, which is currently preparing a proposal for a Directive which seeks to provide complete and homogenous legal protection for semi-conductor chips in all Member States. One purpose of this is to enable companies within the EEC to obtain protection under the American Act for European chip products, which is only available to countries that provide reciprocal protection under national law.


SOFTWARE COPYRIGHT - UNANSWERED QUESTIONS

Although much publicity has been given to the clarification of the law governing software piracy contained in the 1985 Copyright (Computer Software) Amendment Act, there are still a large number of unanswered questions to be resolved. Until recently the courts were concerned with first generation copyright issues, basically concerned with determining whether copyright did protect software at all and if so, on what basis. Courts were concerned, for example, with whether object code was an adaptation of source code or whether it attracted copyright as an original work itself. The courts have also now resolved for themselves the distinction between the storage medium and the software contained within it. There were a number of cases around the world where the courts showed confusion on this point, but new legislation, combined with sensible appeal court decisions, has enabled courts to rule that whether software is stored on read-only memory chips or in other forms of computer storage as well as in hard copy form, this is a reduction to material form for the purposes of copyright law.

The issues currently being confronted concern the extent to which copyright can fairly be used against competitors who take less of the expression but more of the ideas behind a successful piece of software in order to produce a rival version. The issue is really one of how far the courts are prepared to permit reverse engineering of software where the alleged infringer has either had access to the source code or has attempted to extract the underlying structure of the program by feeding the object code through a decompiler. This process can never reproduce the source code in its entirety but it can give valuable information about the way in which the program is written. These issues have been raised recently in the American courts in Whelan Associates Inc. v. Jaslow Dental Laboratory Inc. 22nd Jan, 1985, E.D.Pa. (as yet unreported) and Vault Corp. v. Quaid Software Corp. 15 Oct. and 1st Nov., 1985, E.D. La. (as yet unreported). See the next issue for a full report. Both these cases are still in the process of being litigated but they are interesting because in Whelan the defendant Jaslow was accused of infringing the copyright in the plaintiffs' program to control the operation of a dental laboratory, when the alleged infringing program was written in a different and entirely separate computer language. In that case, however, the defendants did have access to the source code. In Vault, however, the defendants had developed software which was designed to be placed on otherwise blank diskettes and designed to prevent the copying of any software subsequently placed on that disk. Vault argued that in order to develop the unlocking program the defendants must have reverse engineered the plaintiffs' program thereby (inter alia) infringing their copyright. It seems likely that further hearings in these cases will take place shortly.

In the UK these issues have yet to be considered. Lawyers were beginning to get excited that this would happen in the case involving Comshare, managed by TV presenter Ian McNaught-Davis - the software and services bureau - and EPS Consultants. EPS had alleged that Comshare (who had agreed with EPS to market their financial modelling program FCS) had reverse engineered their product in preparing a rival financial package called Wizard. Wizard was designed for IBM mainframe machines whereas FCS was originally intended to run on the Xerox Sigma mainframe. As frequently occurs in this country, when both sides realised the complexity of the legal issues involved and the legal costs of fighting the battle through the courts, they decided to settle their differences and withdraw the court actions against each other. In view of the fundamental issues raised by reverse engineering, it can only be a matter of time before someone decides to carry the issue through to a full hearing. When that happens the court will really have to decide the extent to which they are prepared to allow copyright to be used to support the industry. With the Government's White Paper on intellectual property law reform imminent, the pressure groups are already beginning to gear up their campaigns in the face of expectation that further reform of copyright law in relation to computer software is likely. We await developments with interest.

CITY FRAUD TAKES OVER

It seems likely that 1986 is going to be the year when attention focuses upon fraud in the City. The media has tended to pass this by in favour of the more identifiable forms of computer malpractice, namely software piracy and hacking. The City is becoming an attractive target for various types of fraudulent dealing because, some say, the absence of a UK equivalent to the American Securities and Exchange Commission in favour of self-regulation encourages dubious practices because regulation is ineffectual.

As the City begins to hook up to new technology in its business and financial transactions, the possibilities for fraud multiply accordingly. Unless those groups dedicated to fighting fraud can work more closely together the clean-up that people want to see is unlikely to materialise. The Fraud Squad is understaffed, under-resourced and undertrained. Until the City stops regulating itself and recognises the need for independent supervision, the best that can be hoped for is that some progress will be made in the Government's Financial Services Bill and that new technology itself will begin to be used to catch the fraudster. The Stock Exchange have recently introduced a database monitoring system designed to alert the authorities to any sudden shift in share prices that might suggest 'insider trading'. Transactions can then be traced back and investigated if necessary. However, the Financial Services Bill has been criticised by some as being too little, too late. It does not, for example, cover Lloyds where the most serious fraud allegations have been made. Michael Howard, the Minister responsible for attacking commercial fraud, has himself been criticised for leaving Lloyds out of the Bill and accused of a conflict of interest as he is himself a member of Lloyds. No-one can say accurately how much fraud is going on: figures vary from between £400 million and £1 billion per annum. With the reported increase in fraud up 47% the annual cost to the nation could be as much as the Falklands war of only three years ago.

DATA PROTECTION CORNER

It's here. Registration has begun. Despite a slow start, between 11th November last year and the end of April, between 300,000 and 500,000 computer users are expected to register applications under the Data Protection Act. The Act has produced an industry of its own. Most companies and institutions of any significant size have appointed Data Protection Officers to handle the company's affairs under the Act. Conferences and seminars - some of a dubious nature - have offered 'how to do it' information on what the Act means for you and your business. This is supported by an army of books and pamphlets produced by publishers, interest groups and professional bodies, each advising on what lies ahead. With so much publicity and discussion one might have expected concern to switch away from the Act to something else; the fact is, however, that the demand for accurate advice and information continues unabated. The major problem is that the Act is couched in such general terms that it is impossible for many to know precisely what steps to take. There is also scepticism as to whether the Registrar, with such limited resources at his disposal, can really enforce the Act as Parliament laid down. How is he, for example, to know when personal data is being transferred overseas to a country that has not subscribed to the European Convention? Likewise, if a data user passes information to an unauthorised third party, how is the Registrar to find out and to take steps to enforce the Act? How often will he use his enforcement powers and what will be the trigger? How precisely will the Act work in relation to the exemptions and what kind of business records will be acceptable?

The Registrar has gone some way towards tackling these questions by producing a booklet entitled 'Questions and Answers on the Act (1-20)'. More answers to hypothetical questions are on the way and will, no doubt, be welcomed by the hard pressed data user. However, a word of caution. The Registrar points out that 'Questions and Answers' are not definitive interpretations of the Act and may not be taken as formal decisions of the Registrar with regard to any particular circumstances which may arise. The critical test for the legislation will be whether it does provide the data subject with access to information about him stored on computer. There are already criticisms of the substantial exemptions to the Act, not least access to police data which contain details of more than 5 million people. No manual data is, of course, covered by the Act and Private Members' legislation to extend the Act to this field has not to date been successful. One point not often mentioned is that the Act does not provide individuals with a power to control where personal data about them can be stored. It is a remedial statute intended to allow the individual to find out and correct misleading data, but not to have the final say on whether the information should be held in the first place. There are provisions in the Act which would permit the erasure of personal data, but these are limited. It is not an unreasonable prediction that we have not heard the last of data protection legislation. When the problems and loopholes have been identified, changes can be expected. It is inconceivable that a registration process can survive, given the massive growth in computer use, or that the Act will be confined to personal data at the expense of other sensitive computer records such as corporate data. To obtain the Registrar's booklet or other 'Guideline Series' on the Act contact: The Office of the Data Protection Registrar, Springfield House, Water Lane, Wilmslow, Cheshire, SK9 5AX. Tel: (0625) 535777.

DTI BRIEFING

Space is Big Business. Roy Gibson, a space consultant to a number of UK and foreign aerospace companies and former Director General of the European Space Agency, has been appointed Director-General of the British National Space Centre. The BNSC is intended to provide a sharper focus for Britain's space effort, including the development of a long term space strategy which takes into account the needs of industry, science and other civil and defence users of space. Quite apart from the Star Wars initiative, business projections for space in the year 2000 are already exceeding $20 billion a year, according to the DTI.

EUREKA - for the future. 'EUREKA now has an unstoppable momentum which gives European industry the chance to seize a major share of the world's markets in high technology products', according to Geoffrey Pattie, Minister for Information Technology. At the last meeting of ministerial representatives of EUREKA member countries, several projects were announced involving British companies. These include micro circuits (ICL), broad band switching (Plessey), automated integrated circuit production lines (Cambridge Instruments and British Aerospace), gallium arsenide integrated circuits (GEC) and aerospace technology (British Aerospace).

Changes at the Patent Office. M r Philip Cooper has been appointed Comptroller-General of the Patent Office, taking over from Mr. Ivor Davis from 1st January, 1986. Until now he has been director of the Warren Spring Laboratory. At the same time three companies have been appointed by the Patent Office to carry out technical design studies on a project to computerise the registration of trade marks and other basic Patent Office functions. The studies will be done by Burroughs CAP and Computer Sciences Co.Ltd. The successful company will be offered a contract in June with installation planned for early 1987. The system will considerably ease the problems of the Patent Office which deals with approximately 25,000 trade mark applications each year involving index searching of more than one million individual words and marks. The contract is part of a programme to computerise the whole of the patents and trade marks business. Innovat ion strategy is on target. Having taken stock of the situation, the Government still remains committed to its innovation strategy. So said Geoffrey Pattie

22

Page 5: Special report on ATM fraud down under

J A N U A R Y - FEBRUARY THE COMPUTER LAW A N D SECURITY REPORT

recently when announcing the Government expenditure in support of industrial R ~ D. Innovation and technology transfer had quadrupled from 1979 to £376 million during 1984/85. Since the launch of the DTI's Support for Innovation Programme in 1982, nearly £400 million had been allocated to approximately 3,1 O0 projects. Commenting, he said, 'The purpose of our support has always been to have a catalytic effect, pump priming if you like - and as the pump is successfully primed in one area we expect to be able to deploy it more intensively in another'. Flagship- ALVEY's largest project underway. The DTI has announced details of the flagship project which seeks to develop a fifth-generation information processing system designed to tackle a wide range of general purpose user applications. It will evolve program styles which themselves are designed to make it easier and more economical to construct, modify, prove and maintain application programs. Announcing the project, worth £15.5 million and involving ICL, Plessey, Imperial College and Manchester University, Geoffrey Pattie said 'The importance of parallel processing is recognised world wide, particularly in applications that require massive computational power. This needs innovative thinking to lead to new computer architectures, the use of advanced components such as the INMOS transputer, and the deployment of considerable resources to keep ahead of world competition. Flagship combines all the elements'. Support for Cable, Britain's cable television industry is to get an injection of £5 million of government money over the next five years. The purpose is to promote advanced interactive services on wideband cable systems. These services involve signals being conveyed in both directions along the cable, and among the applications could be home banking and home shopping. 
Wideband cable systems are licensed by the Cable Authority which assumed its statutory powers under the Cable and Broadcasting Act 1984 on 1st January, 1985. The Cable Authority has advertised ten new franchise areas so far this year. Cable operators also require a licence from the DTI under the Telecommunications Act 1984. The DTI expects that the scheme will provide an effective test bed for a wide range of interactive services and will also increase public awareness and development of the underlying technology.

BRITISH TELECOM UPDATE

Joint electronic business venture. British Telecom and McDonnell Douglas have announced the formation of a new high technology company called Edinet Ltd. to provide and market a range of IT services known as Electronic Data Interchange (EDI). EDI will provide direct computer-to-computer exchange of business documents, such as purchase orders, invoices and statements. These will be sent in electronic form in such a way as to reconcile differences in computers and document formats. The company has already begun marketing its services in the UK: customers should contact Edinet at Freefone LinkLine No.0800181300.

Prestel taking off. Use of Prestel, BT's public viewdata service, has grown by 44% in the past year with more than one million pages a day being accessed and more than 100,000 electronic mail messages a week. Prestel, which until now has been trading at a loss, is now in profit on its own account, not including the substantial revenue it generates through telephone calls.

British Telecom goes 'Plug-compatible'. A new £2 million plug-compatible computer has been installed by BT at its Watford Computer Centre. The computer - an Amdahl 5850 mainframe - is being used by BT's National Networks Division for general computing work. A plug-compatible computer is the term used to describe a machine which is the direct equivalent of a mainframe of comparable power from another manufacturer (usually IBM) and will operate directly on its software. BT is currently examining the possibility of buying other IBM plug-compatible machines in the future.

New Optical Fibre record set. A new world record for optical fibre transmission has been set by British Telecom. A team of engineers have succeeded in transmitting data over 32 kilometres of fibre at the rate of 2,400 million bits of information per second. This represents a 16-fold capacity increase over existing systems and is equivalent to passing 30,720 separate speech channels or 32 full bandwidth colour television pictures down the same single optical fibre. The feat was achieved using an existing cable and according to BT illustrates the feasibility of upgrading existing optical systems without the need to replace cables. This could save considerable sums in the future by removing the need to replace complete systems. New terminal electronics would be all that would need to be provided.

World's largest satellite network. British Telecom International (BTI) is creating the world's largest satellite sound and vision network linking 93 locations in 52 countries. Seven satellites around the world will be used in the network with London acting as the control centre, sending and receiving live and recorded transmissions to and from all 93 locations. BTI has been involved in the organisation of global satellite networks for events like the Olympic Games, the World Cup, Papal visits, the recent Live Aid concert and major political and economic summit conferences. The latest project is being prepared for Explo 85, an inter-continental satellite congress linking up to 15 million Christians around the world.

Software to smooth elections. A software package to computerise election administration has been launched by BT in conjunction with West Wiltshire District Council. The Election Administration System deals with all the legal, administrative and financial requirements of an election, acts as an aide-mémoire to ensure the completion of all tasks, and produces every piece of documentation. It can handle any type of election - parliamentary, European, county, district or parish. The system can therefore guide a Returning Officer through all the paperwork and legal intricacies which characterise each stage of the election process. The system will run on both ICL and IBM computers.


THE COMPUTER LAW AND SECURITY REPORT 5 CLSR

Mercury - BT to link up. The Office of Telecommunications, which is overseeing the link-up between British Telecom and Mercury Communications, has called upon the networks to link together at at least 34 exchanges by the end of March. Mercury's managing director, Gordon Owen, believes that he can undercut BT's charges by at least 10% and is confident of taking at least 5% of the market revenue in 1986. Mercury begin with an advantage, since all of its systems are computerised: BT, despite its modernisation program, still contends with obsolete equipment which has yet to be phased out. Approval for the link-up was given as long ago as October 1984, but only now has OFTEL managed to sort out an agreement between the network providers. BT's concern is that Mercury will cream off the most profitable sections of the market, leaving BT to support the local core end of the market.


NEWS AND SECURITY UPDATE FROM THE US

In my last U.S. focus column I discussed some trojan horse programs that have been appearing on bulletin boards here in the United States. Now a U.S. computer game manufacturer has released a game with the hope that hackers will stop hacking real computers and start hacking their game instead.

The game, Hacker, was created by Steve Cartwright, one of Activision's premier video game designers. At 29, Cartwright has 5 arcade video games to his credit. In creating the Hacker, Cartwright said he "understood the excitement" of hacking and wanted to capture it in a game.

At first, I had serious reservations about any game that would simulate hacking because of the security implications, but as it turns out, the game only simulates a log-on sequence for a few minutes and then lets you into a game which is a cross between the famous MIT (Massachusetts Institute of Technology) Adventure game and the U.S. television show "Let's Make A Deal". "Let's Make A Deal" is a popular game show where contestants trade things they brought for unknown prizes behind numbered doors or boxes. I use this analogy because in Hacker, you have to trade things with spies all over the world (in their native language no less) for parts of a secret communique. What happens after you get the communique, I have no idea, as I didn't get that far in the game.

Charlotte Taylor, a product communications associate for Activision, said Activision hopes that Hacker will keep people from trying to hack into real computers. But, while the game is cute, I doubt it will deter any hackers. Hacker should be currently available in the U.K. for about £9.99.

FEDERAL PASSWORD GUIDELINES

The National Bureau of Standards recently released Federal Information Processing Standard (FIPS) 112, which identifies different factors for password design and control. The National Bureau of Standards is a federal government organisation that advises federal agencies on up-to-date EDP management and procurement policies, recommends federal information processing standards, and conducts research in computer science and related technologies, among other functions. Some of the points in FIPS 112 included the following:

• Passwords should be complicated enough to foil non-authorized users, yet simple enough for a user to remember.

• Audit records should be generated when password changes are made.

• Passwords should be assigned to individuals, not groups.

• Idle terminals should be automatically logged-off.

A copy of FIPS 112 can be obtained by contacting the National Technical Information Service, U.S. Department of Commerce, Springfield, Virginia, 22161.

PENDING U.S. COMPUTER LEGISLATION

There are several computer-related Bills now pending in the U.S. Congress. Here is a list of some of these Bills and a brief summary of each:

Bills Pending in The House of Representatives

• H.R. 930, The National Computer Systems Protection Act of 1985, would strengthen existing law to cover computer abuse in interstate or foreign commerce, as well as in government computers. The Bill proposes stiff criminal penalties, including a maximum 10-year prison sentence and a 250,000 Dollar fine.

• H.R. 995 would make accessing and/or altering of medical record information by unauthorised individuals via a telecommunications device a federal crime.

• H.R. 1001, The Counterfeit Access Device and Computer Fraud and Abuse Act of 1985, would provide protection to private computer installations from criminal abuse.

• H.R. 2889, The Computer Security and Training Act, would enable the National Bureau of Standards to institute a research and training program for the protection of information in Federal computers.

Bills Pending in The Senate

• S. 440, The Computer Systems Protection Act of 1985, similar to H.R. 930, would provide Federal sanctions for unauthorised computer access.

• S. 610 would impose criminal penalties on anyone who modifies, destroys, or prevents the use of information in a government computer system or on anyone who used or disclosed information individually identifiable in such a system.
