previous  next  Title  Contents  Index    Top  Detailed TOC   Last Update: 12 oct. 2001

Appendix B: Miscellaneous
(Stuff which I didn't know where to put)

20.1 Template for component security analysis

The following template is used in this document for component analysis/auditing:

Actually, a must better checklist is included in the "Matrix" presentation.

20.2 National Laws: Legal considerations for risk analysis


In the U.S. the following laws should be considered during a risk analysis/security incident handling. There are probably additional relevant laws (e.g. in different states, or concerning civil liability) not listed here.


Within the European Community there is a Data Protection Directive (95/46/EC) which controls how data may be collected, used, processed and to whom it may be sent.


Privacy laws: Personal data is protected by Swiss Law. The VDSG (Vollzugsverordnung zum Bundesgesetz über den Datenschutz) of 14.6.1993 specifies technical and organisational measures necessary to protect personal data, based on the data privacy law, Datenschutzgesetz Artikel 6,7,8,11,16,24 and 36.

Measures for Swiss government bodies are specified in Articles 20-23 and 34. Measures for non government bodies are specified in Articles 8-12.

In addition, Swiss Law (Artikel 135, 197, Ziffer 3, 259, 261, 261bis und 305bis des Schweizerischen Strafgesetzbuches) forbids incitement to racism, gambling, money laundering or the use of, or distribution of, pornographic or violent material. This includes electronic media such as the Internet.


More information can be had from the "Office of the Data Protection Commissioner" . A few relevant laws are:



20.7 ITU & ISO Security standards

What ISO security relevant standards exist?
The standards are available on-line, for a fee. See .

Since TCP/IP is now the accepted protocol standard, several ISO standards designed for OSI protocols are now being moved to TCP/IP:

20.8 POSIX Standards

POSIX.1 is the standardised programming API for access to system services
POSIX.12 is the API for access to the GUI.
POSIX.? Is the system administration commands standard.

20.9 IDEA encryption licensing terms

The IDEA encryption algorithm is not in the public domain. The following text comes directly from the patent holders:

Non commercial use of IDEA is free. The following examples (regarding PGP) should clarify what we mean by commercial and non-commercial use
Here are some examples of commercial use of PGP:

  1. When PGP is used for signing and/or encrypting e-mail messages exchanged between two corporations.
  2. When a consultant uses PGP for his communications with his client corporations.
  3. When a bank makes PGP available to its clients for telebanking and charges them money for it (directly or indirectly).
  4. When you use the software you receive from a company for commercial purposes (telebanking included).

Some examples of non commercial use:

  1. When an individual uses PGP for his private communications.
  2. When an individual obtains PGP on the Internet and uses it for telebanking (assuming this is approved by the bank).
  3. When you use the software you receive from a company for private purposes (telebanking excluded).

You may use IDEA freely within your software for non commercial use. If you include IDEA in your software, it must include the following copy right statement:

Copyright and Licensing Statement
IDEA(tm) is a trademark of Ascom Systec AG. There is no license fee required for non-commercial use. Commercial users of IDEA may obtain licensing information from Ascom Systec AG.
fax: ++41 64 56 59 54

For selling the software commercially a product license is required:
The PRODUCT LICENSE gives a software developer the right to implement IDEA in a software product and to sell this product world-wide. With the PRODUCT LICENSE we supply a source listing in C and a software manual. We charge an initial fee per company and a percentage of sales of the software product or products (typically between .5 and 4 per cent of the sales price, depending on the price and the importance of IDEA for the product).

For further information please do not hesitate to contact us.

Best regards,
Roland Weinhart, Ascom Systec Ltd, IDEA Licensing, Gewerbepark, CH-5506 Maegenwil, Switzerland.
Phone ++41 64 56 59 54 Fax ++41 64 56 59 98

20.10 Protecting against Snooping via Van Eck Radiation/ TEMPEST

Professional espionage does exist. It has been shown (even on popular television) that the radiation given off by computer monitors can be picked up by sensors hundreds of meters away and used to construct an exact copy of the screen contents. An other method is placing a device inside the screen which monitors the video signals (removing sync signals) and retransmits the signals externally to a vehicle (say) on the street.

Since spooks have been at this for years it is assumed that the equipment necessary is now available to professional spies.

Prevention: use of low radiation monitors provides less signal for detection and is better for the user's health. Shielding of buildings and locating sensitive monitors away from windows.

TEMPEST stands for Transient Electromagnetic Pulse Surveillance Technology and is the US Government's program for evaluation of electronic equipment that is safe from eavesdropping. Tempest equipment is not legal for civilian use. The requirements on electromagnetic radiation for Tempest endorsement are defined in the classified document NACSIM 5100A.

20.11 The Ten Commandments of Computer Ethics

The following is a code of ethics suggested by the Computer Ethics Institute, Washington, D.C, USA.

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people's computer work.
  3. Thou shalt not snoop around in other people's computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people's computer resources without authorisation or proper compensation.
  8. Thou shalt not appropriate other people's intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow human being.

20.12 NT Administration problems/limitations (Feb. 26th 1996)

20.13 Types of systems

20.14 Windows File/Directory synchronisation tools  (9.Aug'99)

I use an NT4 Laptop alot and need a reliable way to synchroniase files with my main Workstation.
Microsoft's "Briefcase", delivered with Win95 and NT4 is pretty good, but would some times hang, could not handle certain excel files, on rare occasions got sompletely confused, and always did some kind of timeout when opening directories in the Briefcase offline - so offline access could be dog slow.
I have hundreds or Megabytes in the hundred folders to be synchronised, so I had a look at some other products. However, testing some of them caused me to lose a few files dur to minusderstandings.. I recommend you set up some test directories and use those.

Ease of use is a key requirement, the software must synchronise files as we "expect" (which is not trivial  and needs a good GUI).

Summary: I've not found anything that provide the same functonality as Briefcase, most are pure directory sync or file sync products (and only for one directory or tree).
Typical search words used on the sites below: "directory compare", "directory sync", "file sync"

  2. (search for "file sync") This site only lists zip files and does not offer a summary of tools, to help before you decide which to download:
  3. ("directory compare" and "briefcase", got a list of 16 products)

previous  next  Title  Contents  Index