ch31.htm

From "Maximum Security (First Edition)" (network security, English) · HTM source · 1,189 lines in total · page 1 of 4

<P>The Chinese intend to implement these controls in a hierarchical fashion. In their scheme, interconnected networks are all screened through the government communications infrastructure. All local networks are required to patch into these interconnected networks. Lastly, all individuals must go through a local network. Through this scheme, they have effectively designed an information infrastructure that is easily monitored. At each stage of the infrastructure are personnel responsible for that stage's network traffic.</P><P>Moreover, there are provisions prohibiting the traffic of certain materials. These prohibitions naturally include obscene material, but that is not all. The wording of the article addressing such prohibitions is sufficiently vague, but clear enough to transmit the true intentions of the State:<DL> <DD>Furthermore, any forms of information that may disturb public order or considered obscene must not be produced, reproduced, or transferred.</DL><P>Reportedly, the Chinese government intends to erect a new Great Wall of China to bar the western Internet. These reports suggest that China will attempt to filter out dangerous western ideology.</P><P>China is not alone in its application of totalitarian politics to the Internet and computers. Let's have a look at Russia.<H2><FONT COLOR="#000077"><B>Russia and the CIS</B></FONT></H2><P>President Yeltsin issued Decree 334 on April 3, 1995. That decree granted extraordinary power to the Federal Agency of Government Communications and Information (FAPSI). The decree prohibits:<DL> <DD>...within the telecommunications and information systems of government organizations and enterprises the use of encoding devices, including encryption methods for ensuring the authenticity of information (electronic signature) and secure means for storing, treating and transmitting information...</DL><P>The only way that such devices can be used is upon review, recommendation, and approval of FAPSI. 
The decree also prohibits:<DL> <DD>...legal and physical persons from designing, manufacturing, selling and using information media, and also secure means of storing, treating and transmitting information and rendering services in the area of information encoding, without a license from FAPSI.</DL><P>In the strictest terms, then, no Russian citizen shall design or sell software without a license from this federal agency, which in fact acts as information police. American intelligence sources have likened FAPSI to the NSA. As the article &quot;Russian Views on Information-Based Warfare&quot; by Timothy L. Thomas notes:<DL> <DD>FAPSI appears to fulfill many of the missions of the U.S. National Security Agency. It also fights against domestic criminals and hackers, foreign special services, and &quot;information weapons&quot; that are for gaining unsanctioned access to information and putting electronic management systems out of commission, and for enhancing the information security of one's own management systems.</DL><BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>&quot;Russian Views on Information-Based Warfare&quot; can be found on the Web at <A HREF="http://www.cdsar.af.mil/apj/thomas.html"><TT>http://www.cdsar.af.mil/apj/thomas.html</TT></A>. <HR></BLOCKQUOTE><P>Despite this cloak-and-dagger treatment of the exchange of information in Russia (the Cold War is over, after all), access in Russia is growing rapidly. For example, it is reported in <I>Internetica </I>in an article by Steve Graves that even CompuServe is a large ISP within the Russian Federation:<DL> <DD>CompuServe, the largest American online service, has local access numbers in more than 40 Russian cities, ranging from Moscow and St. Petersburg to Vladivostok. Access is provided through SprintNet, which adds a surcharge to the connect-time rate. 
Although CompuServe itself does not charge any more for connections than it does in the U.S., the maximum connection speed is 2400 baud, which will greatly increase the time required for any given access, particularly if Windows-based software is used.</DL><BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Access Steve Graves's article at <A HREF="http://www.boardwatch.com/mag/96/feb/bwm19.htm"><TT>http://www.boardwatch.com/mag/96/feb/bwm19.htm</TT></A>. <HR></BLOCKQUOTE><P>Despite Mr. Yeltsin's decrees, however, there is a strong cracker underground in Russia. Just ask CitiBank. The following was reported in <I>The St. Petersburg Times</I>:<DL> <DD>Court documents that were unsealed Friday show that Russian computer hackers stole more than $10-million from Citibank's electronic money transfer system last year. All but $400,000 of that has been recovered, says a CitiBank spokeswoman. None of the bank's depositors lost any money in the fraud but since it happened, Citibank has required customers to use an electronic password generator for every transfer. The hackers' 34-year-old ringleader was arrested in London three months ago, and U.S. officials have filed to have him extradited to the United States to stand trial.</DL><P>Unfortunately, there is relatively little information on Russian legislation regarding the Internet. However, you can bet that such legislation will quickly emerge.<H2><FONT COLOR="#000077"><B>The EEC (European Economic Community)</B></FONT></H2><P>In this section, I address European attitudes and laws concerning computers and the Internet. Nonetheless, although the United Kingdom is indeed a member of the European Union, I will treat them separately. This section, then, refers primarily to generalized EU law and proposals regarding continental Europe.</P><P>It is interesting to note that European crackers and hackers often have different motivations for their activities. 
Specifically, European crackers and hackers tend to be politically motivated. An interesting analysis of this phenomenon was made by Kent Anderson in his paper &quot;International Intrusions: Motives and Patterns&quot;:<DL> <DD>Close examination of the motivation behind intrusions shows several important international differences: In Europe, organized groups often have a political or environmental motive, while in the United States a more &quot;anti-establishment&quot; attitude is common, as well as simple vandalism. In recent years, there appears to be a growth in industrial espionage in Europe while the United States is seeing an increase in criminal (fraud) motives.</DL><BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Find &quot;International Intrusions: Motives and Patterns&quot; on the Web at <A HREF="http://www.aracnet.com/~kea/Papers/paper.shtml"><TT>http://www.aracnet.com/~kea/Papers/paper.shtml</TT></A>. <HR></BLOCKQUOTE><P>For these reasons, treatment of Internet cracking and hacking activity in Europe is quite different from that in the United States. A recent case in Italy clearly demonstrates that while freedom of speech is a given in the United States, it is not always so in Europe.</P><P>Reportedly, a bulletin board system in Italy that provided gateway access to the Internet was raided in February, 1995. 
The owners and operators of that service were subsequently charged with some fairly serious crimes, as discussed by Stanton McCandlish in his article &quot;Scotland and Italy Crack Down on `Anarchy Files'&quot;:<DL> <DD>...the individuals raided have been formally charged with terroristic subversion crimes, which carry severe penalties: 7-15 years in prison...The BITS BBS [the target] carried a file index of materials available from the Spunk [underground BBS] archive (though not the files themselves), as well as back issues of Computer Underground Digest (for which EFF itself is the main archive site), and other political and non-political text material (no software).</DL><BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Mr. McCandlish's article can be found on the Web at <A HREF="http://www.eff.org/pub/Legal/Foreign_and_local/UK/Cases/BITS-A-t-E_Spunk/eff_raids.article"><TT>http://www.eff.org/pub/Legal/Foreign_and_local/UK/Cases/BITS-A-t-E_Spunk/eff_raids.article</TT></A>. <HR></BLOCKQUOTE><P>This might sound confusing, so let me clarify: The files that prompted the raid (and subsequent indictments) were the type that thousands of Web sites harbor here in the United States, files that the FBI would not think twice about. An interesting side note: In the wake of the arrests, a British newspaper apparently took great license in reporting the story, claiming that the &quot;anarchy&quot; files being passed on the Internet and the targeted BBS systems were endangering national security by instructing mere children to overthrow the government. 
The paper was later forced to retract such statements.<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>To read some of those statements, see the <I>London Times</I> article &quot;Anarchists Use Computer Highway for Subversion&quot; by Adrian Levy and Ian Burrell at <A HREF="http://www.eff.org/pub/Legal/Foreign_and_local/UK/Cases/BITS-A-t-E_Spunk/uk_net_anarchists.article"><TT>http://www.eff.org/pub/Legal/Foreign_and_local/UK/Cases/BITS-A-t-E_Spunk/uk_net_anarchists.article</TT></A>. <HR></BLOCKQUOTE><P>In any event, the Europeans are gearing up for some Orwellian activity of their own. In a recent report to the Council of Europe, proposals were made for techniques dealing with these new technologies:<DL> <DD>In view of the convergence of information technology and telecommunications, law pertaining to technical surveillance for the purpose of criminal investigations, such as interception of telecommunications, should be reviewed and amended, where necessary, to ensure their applicability. The law should permit investigating authorities to avail themselves of all necessary technical measures that enable the collection of traffic data in the investigation of crimes.</DL><P>European sources are becoming increasingly aware of the problem of crackers, and there is a strong movement to prevent cracking activity. No member country of the Union has been completely untouched. The French, for example, recently suffered a major embarrassment, as detailed in the article &quot;French Navy Secrets Said Cracked by Hackers,&quot; which appeared in <I>Reuters</I>:<DL> <DD>Hackers have tapped into a navy computer system and gained access to secret French and allied data, the investigative and satirical weekly <I>Le Canard Enchaine</I> said...Hackers gained access to the system in July and captured files with acoustic signatures of hundreds of French and allied ships. 
The signatures are used in submarine warfare to identify friend and foes by analyzing unique acoustic characteristics of individual vessels.</DL><H2><FONT COLOR="#000077"><B>The United Kingdom</B></FONT></H2><P>The United Kingdom has had its share of computer crackers and hackers (I personally know one who was recently subjected to police interrogation, search and seizure). Many UK sources suggest that English government officials take a decidedly knee-jerk reaction to computer crimes. However, the UK's main body of law prohibiting cracking (based largely on Section 3(1) of the Computer Misuse Act of 1990) is admittedly quite concise. It covers almost any act that could be conceivably undertaken by a cracker. That section is written as follows (the text is converted to American English spelling conventions and excerpted from an article by Yaman Akdeniz):<DL> <DD>A person is guilty of an offense if (a) he does any act which causes an unauthorized modification of the contents of any computer; and (b) at the time when he does the act he has the requisite intent and the requisite knowledge.</DL><P>You will notice that intent is a requisite element here. Thus, performing an unauthorized modification must be accompanied by intent. This conceivably could have different implications than the court's interpretation in the Morris case.</P><P>A case is cited under that act against an individual named Christopher Pile (also called the Black Baron), who allegedly released a virus into a series of networks. Pile was charged with (and ultimately convicted of) unlawfully accessing, as well as damaging, computer systems and data. The sentence was 18 months, handed down in November of 1995. Pile is reportedly the first virus author ever convicted under the act.</P><P>Akdeniz's document reports that English police have not had adequate training or practice, largely due to the limited number of reported cases. 
Apparently, few companies are willing to publicly reveal that their networks have been compromised. This seems reasonable enough, though one wonders why police do not initiate their own cracking teams to perform simulations. This would offer an opportunity to examine the footprint of an attack. Such experience would likely prove beneficial to them.<H2><FONT COLOR="#000077"><B>Finland</B></FONT></H2><P>Finland has traditionally been known as very democratic in its application of computer law. At least, with respect to unauthorized snooping, cracking, and hacking, Finland has made attempts to maintain a liberal or almost neutral position regarding these issues. Not any more. Consider this statement, excerpted from the report &quot;Finland Considering Computer Virus Bill&quot; by Sami Kuusela:<DL> <DD>Finnish lawmakers will introduce a bill in the next two weeks that would criminalize spreading computer viruses--despite the fact that many viruses are spread accidentally--This means that if someone in Finland brings a contaminated diskette to his or her workplace and doesn't check it with an anti-virus program, and the virus spreads into the network, the person will have committed a crime. It would also be considered a crime if a virus spreads from a file downloaded from the Internet.</DL><BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Check out <A HREF="http://www.wired.com/news/politics/story/2315.html"><TT>http://www.wired.com/news/politics/story/2315.html</TT></A> to see Kuusela's report. <HR></BLOCKQUOTE><P>At this stage, you can undoubtedly see that the trend (in all countries and jurisdictions) is aimed primarily at the protection of data. 
Such laws have recently been drafted as proposals in Switzerland, the UK, and the United States.</P><P>This trend is expected to continue and denotes that computer law has come of age. Being now confronted with hackers and crackers across the globe, these governments have formed a type of triage with respect to Internet and computer laws. At this time, nearly all new laws appear to be designed to protect data.<H2><FONT COLOR="#000077"><B>Free Speech</B></FONT></H2><P>Users may erroneously assume that because the Communications Decency Act died a horrible death in Pennsylvania, all manners of speech are free on the Internet. That is false. Here are some examples:
