[risks] Risks Digest 21.50

From: RISKS List Owner (riskoat_private)
Date: Thu Jul 12 2001 - 16:42:12 PDT

  • Next message: RISKS List Owner: "[risks] Risks Digest 21.51"

    RISKS-LIST: Risks-Forum Digest  Thursday 12 July 2001  Volume 21 : Issue 50
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.50.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents: [Back from trips; hiatus unavoidable]
    Microsoft bug causing serious nuclear risk? (Dudi Feuer, Michael D. Levi,
      John Lowry)  
    Fiji has to relive Y2K? (James Paul)
    Intruder crashes United Arab Emirates' only ISP (Dave Stringer-Calvert)
    $480,000,000 for sending 9 parcels (Mark Brader)
    Uncleared disk space and MSVC (David Winfrey)
    Berlin Bank shows sensitive information (Debora Weber-Wulff)
    Power outage means wheel chairs on the go (Ray Todd Stevens)
    Electoral fraud (Tony Finch)
    Risks in inept election fraud (knhaw)
    Yet another e-mail filter effect (Jurjen N.E. Bos)
    Re: Billboard error message (Ben Morphett, Markus Peuhkuri)
    REVIEW: "Fundamentals of Network Security", John E. Canavan (Rob Slade)
    16th Annual Software Engineering Symposium 2001 (Carol Biesecker)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Wed, 11 Jul 2001 12:14:26 -0400 (EDT)
    From: Dudi Feuer <dudiat_private>
    Subject: Microsoft bug causing serious nuclear risk?
    
    According to an article in *The Washington Post*, the US lent Russia
    programs with a bug that loses track of nuclear materials over a period of
    time.  The software has been in use for 10 years, and the latest patch did
    not create a fix for the issue.  Apparently, the Russians initially
    thought the bug was a trojan horse authored by the US.  Then, after
    applying several patches, they realized it was an inherent flaw in the
    program, and most likely exists in the Los Alamos version as well.
    
      [Source: *The Washington Post*, 11 Jul 2001, A19
      http://www.washingtonpost.com/wp-dyn/opinion/A44053-2001Jul10.html]
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 10:43:21 -0400
    From: Levi_M <Levi_Mat_private>
    Subject: Microsoft bug causing serious nuclear risk?
    
    [...] The article goes on to say that the U.S. was warned of the security
    risks but has made no public comment on the matter.  The article also points
    out that the U.S. no longer maintains (and indeed has destroyed) backup
    paper copies of their inventory: "To reconstruct a reliably accurate
    accounting record, the Energy Department may need to inspect all of
    America's nuclear materials -- a huge task that could cost more than $1
    billion and still might not detect the diversion of some material, should it
    have occurred."
    
    Among other obvious risks is -- always look gift horses in the mouth.
    
    Michael D. Levi, Project Manager, Data Dissemination Systems
    U.S. Bureau of Labor Statistics  (202) 691-5100
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 10:42:50 -0400
    From: "John Lowry" <jlowryat_private>
    Subject: Microsoft bug causing serious nuclear risk?
    
      [Re: http://www.washingtonpost.com/wp-dyn/opinion/A44053-2001Jul10.html]
    
    LANL supplies MS software to Russia for nuclear material accounting that
    develops data "black-holes" over time.
    
    DoE has apparently abandoned paper trails and so, aside from the ability to
    misappropriate nuclear material that has "disappeared" from the database,
    there is going to be substantial cost incurred to inventory everything -
    even assuming nothing is missing.
    
    What ever happened to assurance testing for critical software ?
    
    Where else is this software being used, and for what?
    
    John
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 17:26:55 -0400
    From: "James Paul" <James.Paulat_private>
    Subject: Fiji has to relive Y2K?
    
    A programming error resulted in the deletion of all Fiji Government accounts
    for the year 2000 and the postponement of official audits.  There is
    reportedly some speculation about a cover-up of "mismanagement or abuse of
    taxpayer funds", although the simple solution of a screw-up seems likely.
    The information system dates from the mid-1970s.  Presumably the various 52
    government ministries and departments can retransmit the relevant data.
    [Source: Computer error deletes all Fiji Government accounts, Agence
    France-Presse, 11 Jul 2001, from the *Fiji Times*, 12 Jul 2001]
    
    ------------------------------
    
    Date: Tue, 03 Jul 2001 18:33:20 -0700
    From: Dave Stringer-Calvert <dave_scat_private>
    Subject: Intruder crashes United Arab Emirates' only ISP
    
    A computer whizzkid has been fined £2,000 ($2,600) for hacking into the
    United Arab Emirates' only Internet provider and causing the whole country's
    system to crash. Lee Ashurst, 22, originally from Oldham in Greater
    Manchester, was convicted of misusing equipment, services or facilities
    provided by Emirates Telecommunications Corp Etisalat.  Ashurst, who works
    for a construction company in the Gulf, is now facing a compensation claim
    of more than £500,000 ($650,000) from Etisalat after the Dubai Court of
    First Instance transferred his case to the civil courts.  He was working as
    a computer engineer at a Dubai construction firm in May last year (00) when
    he began hacking into Etisalat's systems.  According to the Gulf News
    newspaper, the court was told the entire United Arab Emirates internet
    system crashed on several occasions over a month.
    
    http://63.108.181.201/2001/07/03/eng-wenn/eng-wenn_001056_76_4245186652988.html
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 11:16:08 -0400 (EDT)
    From: msbat_private (Mark Brader)
    Subject: $480,000,000 for sending 9 parcels
    
    Edward Rudzki (whose hobby shop in Edmonton, Alberta, Canada, opened in the
    mid-1960s) just received a bill from Canada Post for CA$480,000,000 (roughly
    US$310,000,000), for transactions supposedly having taken place from 1906 to
    1928!  The actual transactions were 9 parcels from a month ago, but the
    dates and dollar amounts were wrong.  Canada Post says the problem occurred
    when they merged 60 databases into one.  [Source: *Toronto Star*, 12 Jul
    2001]
    
    Mark Brader, Toronto  
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 14:20:52 -0400 (EDT)
    From: David Winfrey <dlwat_private>
    Subject: Uncleared disk space and MSVC
    
    I have a program called "clrspace" which clears the unused space on my hard
    disk. When I use it at work, I set it to fill the space with the company
    name and phone number.
    
    Recently I got a new copy of the Microsoft Visual C++ compiler, version 6,
    introductory edition.
    
    Today, after compiling a program of the "Hello World" level of complexity
    and finding that the resulting program was well over 100 kilobytes, I went
    to the DOS prompt and looked at the .EXE file with a hex editor to try to
    find out why it was so big.
    
    I was surprised to find "Property of Acme Widgets, 301-555-1212" in the .EXE
    file from 0x6000 to 0x14FFF. The compiler had obviously just grabbed a big
    chunk of disk space and stuffed it into the file, without bothering to clear
    it first.
    
    If that particular chunk of disk had been used for something confidential,
    and if this were the production version of the compiler that allows
    redistribution of executables (the intro version doesn't, although this
    restriction is somehow omitted from the outside of the package), then 60
    kilobytes of company plans, source code, spreadsheets, customer lists, or
    whatever could have been burned onto CD and shipped to customers around the
    world.
    
    Anyone compiling programs with MSVC may want to examine the output closely
    for data that shouldn't be there.
    
    ------------------------------
    
    Date: Mon, 09 Jul 2001 12:38:37 +0200
    From: Debora Weber-Wulff <weberwu@fhtw-berlin.de>
    Subject: Berlin Bank shows sensitive information
    
    On 2 Jul 2001, a reporter for a local newspaper wanted to check his on-line
    account with the Berliner Sparkasse. Imagine his surprise to find lots of
    interesting data about an account and loans - except that they were not his.
    About 50 persons could not access their own accounts, they were presented
    with data from other people. The bank assures us, that no funds could be
    transferred, it was "just" possible to see how much money was in the
    accounts and to see the last transactions.
    
    They immediately removed the on-line banking from the net. The official
    problem source, according to a spokesperson from the bank, was "strain"
    (Ueberlastung) on the systems. The company DefCom Security worked feverishly
    to get it back on line by Tuesday, but forgot that they had fooled with the
    certificates.  Users were presented with a screen warning them that the
    certificate was issued by a company that was classified as not
    trustworthy.... Maybe it's time to change banks?
    
    If you read German, you can find more information at
    
    http://www2.tagesspiegel.de/archiv/2001/07/03/ak-in-6611353.html
    http://www2.tagesspiegel.de/archiv/2001/07/03/ak-be-447917.html
    
    Prof. Dr. Debora Weber-Wulff
    FHTW Berlin, FB 4, Internationale Medieninformatik
    Treskowallee 8, 10313 Berlin
    Tel: +49-30-5019-2320      Fax: +49-30-5019-2300
    weberwu@fhtw-berlin.de     http://www.f4.fhtw-berlin.de/people/weberwu/
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 14:27:54 -0500
    From: "Ray Todd Stevens" <raytoddat_private>
    Subject: Power outage means wheel chairs on the go
    
    I witnessed an interesting failure mode during a recent shopping trip.  This
    store had some of the motorized-chair shopping-cart setups for customers who
    need them.  They are all lined up against one wall facing out and plugged
    into the wall charging.  All was well until the power failed.
    
    When the power failed, all of these units took off and most ran into things
    before the staff could stop them, trailing their cords behind them.  I asked
    about this.  It seems that there are several what appear to be glaring
    design flaws in these units.
    
    1. The stopped position on the handle is not the default position.  Instead,
       the control is all the way down for forward, all the way up for reverse
       and half way in between for neither.  Meaning that the nature position is
       forward.
    
    2. There is also a foot brake, but it must be pushed to stop. 
    
    3. Of course there is a power switch.  But it must be turned on to charge
       the unit.
    
    What you do to charge is plug the unit in, and then turn on the power.  The
    fact it is receiving outside power switches it to charge mode and the unit
    will not go anywhere.
    
    Now here comes the power failure.  All of these units (about 7) are turned
    on, brake off, and in forward.  They seem to assume that no electricity
    means that they are now to take off and do so driverless.
    
    Interesting failure mode, and in this time of more and more backup power for
    computers, one we should remember.
    
    Ray Todd Stevens, Senior Consultant, Stevens Services  (812) 279-9394
    R.R. # 14 Box 1400 Apt 21, Bedford, IN 47421  Raytoddat_private
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 02:00:15 +0100
    From: Tony Finch <dotat_private>
    Subject: Electoral fraud
    
    Following the question "Does the UK have significantly less electoral
    fraud than countries which use untraceable ballot papers?" I wrote this,
    which (although it is a bit late to be a followup to the discussion
    around last year's USA presidential election) might be interesting.
    
    One of the interesting things about the recent general election is that
    fraud has been much easier to perpetrate than usual, but without any
    kind of extra auditing.
    
    The reason that fraud has been worse is because they have increased the
    availability of postal votes. Now, this doesn't inherently imply fraud,
    so I will tell you a tale to explain why I think this is the case.
    
    The usual arrangement for an election in the UK is as follows: You have
    (at some point in the past) put yourself on the electoral register by
    filling in a form that says "I live here and this is my name and I am
    entitled to vote", and this means that (amongst the dead tree spam)
    you receive a piece of card through the letterbox shortly before an
    election which explains where you have to go to vote and what your voter
    number is. Now, you might expect (being good RISKS readers and all that)
    that this piece of paper is a physical token that entitles you to vote
    (and the process of registering entails some kind of behind-the-scenes
    checking that this is true), but no. You do not have to take the card
    to the polling station: you merely have to turn up and state your name,
    the only checking being that you have already put your name on the list.
    
    Now, regardless of how bad that is, it gets worse. In the past, postal votes
    were quite hard to get, i.e. (unlike usual votes) some checking
    happened. This was because most postal voters were disabled or expatriates
    or had some other unusual difficulty that prevented them from getting to the
    polling station on the day, so there were few enough of them that checking
    their applications was feasible. The unique thing about this year is that
    large numbers of farmers and other members of the rural community have not
    been able to leave their homes because of the travel restrictions caused by
    the Foot And Mouth epidemic.
    
    The procedure for postal votes this year has been: (1) find out
    the phone number you need to call to get a postal vote; (2) say to
    the person on the other end of the line how many votes you need; (3)
    receive the forms through the post; (4) fill them in; (5) sit back and
    enjoy an extra-large swing in your constituency. If you think that you
    might not have enough votes, feel free to call back again later and
    ask for more. [I know someone who tried this out to see if it worked,
    and it did, but I don't think he actually used the extra votes.]
    
    The general election this year has been characterised by an unusually
    large degree of apathy (59% turn-out, compared to usually 75% or so) but
    the aggregate result has been just as conclusive as the 1997 result (71%
    turnout): a landslide victory for the Labour party. The per-constituency
    change in opinion has made almost no difference to the membership of
    the House of Commons. This means that there has been absolutely no
    worry about electoral fraud, since it couldn't have made a significant
    difference to the overall result.
    
    The interesting thing is that the small turnout is likely to have a greater
    long-term effect than any murmurs of procedural irregularities: the
    proportional-representation faction have made great mileage from saying that
    people are apathetic because they have no control over politics, and they
    have no control because they live in a safe constituency, so their
    third-party Lib-Dem vote counts for nothing. They have made further headway
    because of the Gothenburg summit riots which were perceived to be a
    complaint against the unrepresentative ivory towers of the EU politicians.
    
    So, even though the Brits don't want to look like pillocks for criticising
    the Americans for their banana republic election, we changed none of
    the procedures, had another shambolic election, and breathed a sigh of
    relief because it was a cock-up that didn't matter. It remains to be
    seen whether those in favour of electoral reform will be able to maintain
    their momentum and get a better system working before the next time.
    
    ------------------------------
    
    Date: Wed, 27 Jun 2001 09:44:16 -0700
    From: <knhawat_private>
    Subject: Risks in inept election fraud
    
    Several news outlets are reporting on the recent "No Contest" plea on June
    14th by Christine Gunhus, wife of former U.S. Senator Rod Gram (Republican,
    Minnesota) on criminal violations of Minnesota election code.  Here is the
    posting from Cluebot.com, which reads suspiciously like a RISKS posting ;)
    
    The wife of a U.S. senator who unsuccessfully ran for re-election in 2000
    plead "no contest" on Thursday to charges of using a pseudonym to send email
    messages that disparaged her husband's Democratic rival.
    
    Minnesota prosecutors charged Christine Gunhus, who married former
    Republican senator Rod Grams after working on his campaign, with violating
    state criminal laws. Grams' rival, Democratic-Farmer-Labor candidate Mike
    Ciresi, had filed a complaint under the Minnesota Fair Campaign Practices
    Act.
    
    The risks of using technology you don't completely understand and that could
    leak your identity are worth noting:
    
     * Gunhus is accused of using a Hotmail account (Katie Stevens --
    kylombat_private) to send the disparaging email messages, which talked
    about how Ciresi had represented corporate polluters and anti-union
    companies. But Hotmail includes an X-Originating-IP: header that shows the
    IP address of the sender -- a problem if you're typing it from the opposing
    campaign's computer!
    
     * Prosecutors say they traced the IP address back to an AT&T WorldNet user
    who repeatedly used the "Katie Stevens" Hotmail account by connecting from
    Gunhus' home number. (Guess they keep Caller ID logs.) Apparently the person
    using the "Katie Stevens" pseudonym was smart at first, sending the mail
    from a Kinko's store, but then got sloppy.
    
     * The email attacks included Microsoft Word attachments, which a Ciresi
    aide investigated. The aide found that Word listed the document authors as
    Grams staffers including -- you guessed it -- Christine Gunhus.
    
     * Democratic researchers reported that they found Globally Unique
    Identifiers (GUIDs) in the Word documents. The GUID includes the Ethernet
    MAC address. Prosecutors last August obtained a search warrant to seize
    Gunhus' computer, from which they could extract the MAC address if the
    Ethernet card was still the same.
    
     * Let's not forget the political risk. In an article in the Minneapolis
    Star-Tribune on the pseudonymous mail campaign last year, the Grams campaign
    offered a remarkably narrow denial. A spokesman hedged: "We didn't put this
    together and send it out of the Grams campaign office," leaving open the
    question of whether it was sent by a campaign worker from another location.
    
     * And what about the legal risk to free speech? The Minnesota Civil
    Liberties Union reasonably argues that a criminal law that bans sending
    pseudonymous messages is unconstitutional. A Supreme Court decision,
    McIntyre v. Ohio Elections Commission
    (http://www.epic.org/free_speech/mcintyre.html), says that a prohibition on
    the distribution of anonymous campaign literature violates the First
    Amendment. The state law seems to be ecumenical in its application: A
    Republican has used it to attack the Sierra Club
    (http://www.fcregister.com/ziegler11_6_00.htm).
    
    Epilogue: Grams managed to derail his Democratic rival's primary bid, and
    Ciresi did not win his party's nomination. Even though Grams lost the
    general election in the fall, that hasn't halted his political ambitions.
    The Washington Times reported on April 13 that Grams is reportedly
    considering a challenge in 2002 to U.S. Senator Paul Wellstone, a liberal
    Democrat. "
    
    Cluebot story (with links):
    http://www.cluebot.com/article.pl?sid=01/06/15/0135212&mode=nocomment
    
    Minnesota  Public Radio story on original affidavit:
    http://news.mpr.org/features/200009/08_radila_grams/index.shtml
    
    ------------------------------
    
    Date: Wed, 27 Jun 2001 09:47:41 +0200
    From: j.bosat_private
    Subject: Yet another e-mail filter effect
    
    The IACR (International organisation of Cryptology Research) has someone on
    its Board of Directors named Don Beaver.  The direct result of this is that
    the recent IACR newsletter (a 34K document full of relevant news on the
    cryptologic community) was rejected by our company firewall, because his
    name was in there too many times. It also contained other "dirty" words,
    such as LaTeX, hardcore, and so on.
    
    Our IT department told me that the message would *not* have been rejected if
    it was split in two, since the number of dirty words would have been halved.
    X-|
    
    Sigh. I though cryptology was to prevent us from this kind of misery.
    
    Jurjen N.E. Bos, Risk Management / Information Security Services
    Interpay Nederland BV, Postbus 30500, 3503 AH Utrecht  tel. +31 30 283 6815
    
    ------------------------------
    
    Date: Fri, 08 Jun 2001 10:40:25 +1000
    From: Ben Morphett <morphettat_private>
    Subject: Re: Billboard error message (RISKS-21.45,46,48)
    
    > I was driving on I-405 northbound in southern Los Angeles County when I saw
    > a bitmapped billboard on the east side of the road that was displaying a
    > Windows error message. 
    
    Recently I was on a carnival ride called "The Drop Zone" with my nephews
    when I saw a similar Windows error message.
    
    The Drop Zone is rather fun.  They strap you in the ride, you are lifted
    to the top of a tower, about 100m from the ground.  There are computer
    screens at the top which give you a narrative about how some spacecraft
    is going down and the whole crew are going to have to bail out, and then
    they drop you.  You experience free fall for a few seconds.  The kids
    scream.  You land safely.
    
    The second time we did the ride, we got to the top and Windows had
    crashed.  This time it was my turn to scream.  "I *really* hope my life
    is not depending on Windows right now!  It's crashed!"  
    
    Ben Morphett, Bell Labs Research & Development
    
    ------------------------------
    
    Date: Tue, 19 Jun 2001 11:46:24 +0300 (EET DST)
    From: Markus Peuhkuri <puhuriat_private>
    Subject: Re: Billboard error messages (RISKS-21.45,46,48)
    
    > signs that was declaring in foot-high letters "BATTERIES NEED RECHARGING".
    
    That may be all that stupid if the system has no other way indicating
    problems (some better formulation like "Malfunction: .." could help).
    But, if it has some other means to inform operator, then it is stupid.
    
    > The general risk, of course, is in piping STDERR to STDOUT.  Web
    > sites that send complex error dumps to visitors' browsers are doing
    
    There is a more risk than just user just being stumped by obscure
    messages.  In many cases I've seen the error message has revealed
    quite much of internal workings of web service.  I remember even
    seeing something like
    
           db_connect(user=db, passwd=pass): failed no connection
    
    The security risks are obvious.
    
    Markus Peuhkuri            ! http://www.iki.fi/puhuri/
    
    ------------------------------
    
    Date: Mon, 25 Jun 2001 12:18:24 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Fundamentals of Network Security", John E. Canavan
    
    BKFNNTSC.RVW   20010512
    
    "Fundamentals of Network Security", John E. Canavan, 2001,
    1-58053-176-8, U$69.00
    %A   John E. Canavan canavanat_private jcnvat_private
    %C   685 Canton St., Norwood, MA   02062
    %D   2001
    %G   1-58053-176-8
    %I   Artech House/Horizon
    %O   U$69.00 617-769-9750 fax: 617-769-6334 artech@artech-house.com
    %P   319 p.
    %T   "Fundamentals of Network Security"
    
    This commonplace guide to security can provide the newcomer with some basic
    information.  However, it also contains some rather large gaps, and not a
    little misinformation.
    
    Chapter one outlines the usual reasons why we need security, and it also
    provides some basic security terms and concepts.  Most of the material is
    reasonable, but some is not quite standard.  A number of different threats
    are outlined in chapter two.  However, errors are rife in this material,
    although most are fairly minor.  Of the fourteen mailing lists it is
    suggested readers might find useful, at least three have been dead for over
    a year; at least two of those for more than three.  The overview of
    cryptology, in chapter three, is at a very high level, with limited
    discussion of key management, and almost none dealing with strength and key
    length.  Chapter four starts out very badly, by stating that Kerberos uses
    both symmetric and asymmetric cryptography.  (It doesn't: despite proposals
    for public key extensions, Kerberos itself uses a very elegant system of
    purely private key encryption to avoid sending passwords and keys in clear
    text at any time.  Such a basic misunderstanding taints everything else in
    the chapter.)  World Wide Web encryption is supposed to be the topic of
    chapter five.  However, after a very terse outline of SSL (Secure Sockets
    Layer) and SHTTP (Secure HyperText Transfer Protocol), and a tiny bit of the
    missing discussion of key length, we get pages of screen shots of browser
    certificates, which are almost meaningless without the background review.
    There is also a tiny overview of Authenticode, with no mention of its flaws.
    Chapter six presents something of a grab bag of email related topics,
    mentioning encryption systems, spam, identity problems, privacy of employee
    email, and even auto-responders.  With the addition of more screen shots a
    number of pages are taken up with little information imparted.
    
    Most of chapter seven concentrates on access control and passwords.  The
    material is reasonable, if not deep, but could be better organized.  So too
    with the suggested policies for network management in chapter eight,
    although the author does seem to think that one set of recommendations can
    fit all LANs.  Chapter nine's look at network media does not really deal
    with security at all, unless you count the somewhat problematic opinions
    regarding the relative difficulty of tapping.  There really isn't much
    discussion of routers and SNMP (Simple Network Management Protocol) in
    chapter ten: it concentrates on a few proprietary products.
    
    Chapter eleven mentions a number of VPN (Virtual Private Network) related
    protocols, but gives neither details for assessment nor conceptual
    discussions for determining relative usage.  There is a decent overview of
    basic firewall terms, with some areas of confusion, in chapter twelve.
    Chapter thirteen has a basic outline of biometric concerns, but no details
    of the technologies.  The review of security policy development in chapter
    fourteen is pedestrian.  Chapter fifteen, entitled "Auditing, Monitoring,
    and Intrusion Detection," is oddly confused since the author makes no
    distinction between outside audits, and the ongoing auditing of materials
    that result from regular monitoring.  There is unimaginative advice on
    disaster recovery in chapter sixteen.  "Cookies, Cache, and AutoComplete" is
    a strange add- on: yes, there are security risks associated with these
    functions, but they are hardly fundamental to network security.
    
    In the introduction, while stating that this book is intended for beginners
    to computer security, the author disclaims the title of computer security
    expert, and, in fact, asserts that many who do profess ace status may not
    have as much right as they maintain.  I can greatly sympathize with this
    sentiment.  However, simply by writing a book, Canavan implicitly professes
    some mastery of the subject, and the mere abdication of the rank does not
    relieve him of the responsibility for his mistakes.  There are a number of
    other texts with better coverage, greater readability, superior accuracy,
    and less wasted space.
    
    copyright Robert M. Slade, 2001   BKFNNTSC.RVW   20010512
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 14:07:23 +0000 (UTC)
    From: cbat_private (Carol Biesecker)
    Subject: 16th Annual Software Engineering Symposium 2001
    
    SEI 16th Annual Software Engineering Symposium 2001
    Theme: Acquiring the Strategic Edge
    October 15 - 18, 2001 
    Grand Hyatt at Washington Center 
    Washington, D.C.
    http://www.sei.cmu.edu/symposium/
    
    Contact: Symposium 2001 Conference Coordinator
    Phone: 412 / 268-3007
    FAX:   412 / 268-5556
    E-mail: symposiumat_private
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     SEND DIRECT E-MAIL REQUESTS to <risks-requestat_private> with one-line, 
       SUBSCRIBE (or UNSUBSCRIBE) 
     which now requires confirmation to majordomoat_private (not to risks-owner)
     [with option of E-mail address if not the same as FROM: on the same line,
     which requires PGN's intervention -- to block spamming subscriptions, etc.] or
       INFO     [for unabridged version of RISKS information]
     .MIL users should contact <risks-requestat_private> (Dennis Rears).
     .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.50
    ************************
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 17:32:38 PDT