[risks] Risks Digest 21.58

From: RISKS List Owner (riskoat_private)
Date: Thu Aug 09 2001 - 11:44:28 PDT

  • Next message: RISKS List Owner: "[risks] Risks Digest 21.59"

    RISKS-LIST: Risks-Forum Digest  Thursday 9 August 2001  Volume 21 : Issue 58
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.58.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Half of Norway's banks offline for a week: erroneous keystroke 
      (Nicolai Langfeldt)
    Danish police break "Safeguard" encryption program in tax case 
      (Bo Elkjaer and Jay D. Dyson via Declan McCullagh)
    E-Divorce banned in Singapore (Dave Stringer-Calvert)
    Omron uses GPS to catch a car thief (Monty Solomon)
    Corrupt Michigan cops abuse police database to stalk, harass 
      (Ed Walker via Declan McCullagh)
    OT: rot13, practical uses of (Joe Manfre)
    GA scholarship info exposed (Rachel Slatkin)
    DoCoMo and thttpd: i-mode DDoS attack! (Jef Poskanzer via Dug Song)
    Low-grade cryptography (Gene Wirchenko)
    Automated traffic-camera system has flaws (Dave Kinswa)
    Risks of the Passport Single Signon Protocol (Monty Solomon)
    Hotmail catches Code Red (Brian McWilliams via Dave Farber)
    Toll Road Transponders used to steal food at McDonald's (Arthur Kimes)
    More Adobe plastering (Peter Wayner)
    Re: WinXP blocks some versions of some programs (Michael Loftis)
    Workshop on Trustworthy Elections (David Chaum)
    REVIEW: "Computer Security Handbook", Hutt/Bosworth/Hoyt (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Tue, 07 Aug 2001 13:50:31 +0200
    From: Nicolai Langfeldt <janlat_private>
    Subject: Half of Norway's banks offline for a week: erroneous keystroke
    
      http://www.digitoday.no/dtno.nsf/pub/dd20010807092448_er_28707255
    (in Norwegian)
    
    This is a mix of abstracting the above article and whatever has been on the
    news the last few days, and one or two of my own comments:
    
    EDB Fellesdata AS runs the computer services of about half of Norway's
    banks.  On Thursday 2 Aug 2001, they apparently installed about 280 disks in
    their Hitachi storage.  Then, instead of initializing the new disks, they
    initalized _all_ their disks -- thereby wiping out the entire warehouse.
    EDB Fellesdata itself declines to make any statements in the case pending
    further contact with their customers, the banks.  They are considering
    lawsuits, but if one of their own employees made a "user error", they may
    have a hard time of it.
    
    Talk about a lot of eggs in one basket, one can only imagine how many
    terrabytes of database this is, considering the number of disks, and how
    long it takes to restore from backup, and how many transactions were waiting
    to be processed from _other_ banks once the restore is done.  Apparently the
    computers were running by Sunday, card services and ATMs were available on
    Monday, but Internet banking and automatic-phone-banking access is limited.
    They have announced that updated account balances will not be available
    until Wednesday, the 7th day after the mishap.  The concerned banks'
    customers could pay their bills by visiting a local branch office the whole
    time, but apparently the transactions had not been processed because
    creditors have been warned that money may be late in arriving (but
    presumably retro-credited once the transaction is processed?).
    
    Some information gotten from the only available statement from EDB
    Fellesdata at
      http://www.edb.fellesdata.no/edb/nyheter/2001/06_08_driftstans.asp,
    also Norwegian.
    
    ------------------------------
    
    Date: Thu, 9 Aug 2001 11:24:35 -0400
    From: Declan McCullagh <declanat_private>
    Subject: Danish police break "Safeguard" encryption program in tax case
    
      [From the cryptography mailing list. --Declan; lightly-PGN-ed for RISKS]
    
    > Date: Tue, 7 Aug 2001 22:51:08 +0200 
    > From: bo.elkjaerat_private
    > Subject: Utimacos Safeguard Easy broken by Danish police in tax evasion case
    
    > The German encryption program Safeguard Easy has been broken by the Danish
    > police. Today the police from the city Holstebro in Jutland presented
    > evidence in court, that was provided after breaking the encryption on five
    > out of sixteen computers that where seized april 25 this year.
    
    > All 16 computers were protected with Safeguard Easy from the german
    > encryption provider Utimaco. It is not known whether DES, 128-bit IDEA,
    > Blowfish or Stealth was used as algorithm on the computers. All four
    > algorithms are built in Safeguard Easy. Details are sparse. It is not
    > known how the encryption was broken, whether it was brute forced or flaws
    > in the program was exploited.
    
    > The computers where seized from the humanitarian (leftwing) foundation
    > Tvind (Humana) in connection with a case about tax evasion. Among the
    > evidence provided from the encrypted computers were e-mails sent among the
    > leaders of the foundation, Poul Jorgensen and Mogens Amdi Petersen
    > describing transfers of large sums of money.
    
    > Apparently, but not confirmed, British Scotland Yard has been involved in
    > breaking the encryption. The Danish police doesn't have the capacity to
    > break encryption by themselves. Neither has the Danish civilian
    > intelligence service. Routine is that cases concerning encryption is
    > handed over to the Danish defence intelligence service DDIS. This
    > procedure has been described earlier this year by the Danish minister of
    > justice in connection with another case. DDIS denies involvement with the
    > Tvind case.
    
    > Employees and leaders at Tvind has denied handing over their passwords to
    > the computers. One even wrote a public letter mocking the chief of police
    > in Holstebro, describing how he changed his password weekly, and stating
    > that he'd probably even forgotten his password by now. At a time, the
    > police considered putting employees in custody until passwords were handed
    > over.
    
    > Bo Elkjaer, Denmark
    
      [followed by a response]
    
    > Date: Tue, 7 Aug 2001 16:25:03 -0700 (PDT)
    > From: "Jay D. Dyson" <jdysonat_private>
    > Subject: Re: Utimacos Safeguard Easy broken by Danish police in tax evasion case
    
    > If the OS used was Windows, it's quite likely that the plaintext and/or
    > passphrases were recovered in the Windows swap file.  Barring OS
    > considerations, it's also possible that the police put a keystroke logger
    > on the system, just as the FBI here in the States did with an organized
    > crime suspect.
    
    > My gut sense is that, since only five of sixteen systems were "cracked,"
    > it seems likely that it was the swap file that let the cat out of the bag.
    > Even so, a flaw in the cryptosystem should be investigated and proven or
    > ruled out.
    
    > Let us not also forget that people can be pressured to divulge
    > passphrases.  Rubber-hose cryptanalysis isn't just a humorous concept.
    
    > Jay D. Dyson - jdysonat_private
    
    FROM POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    
    ------------------------------
    
    Date: Wed, 08 Aug 2001 20:36:36 -0700
    From: Dave Stringer-Calvert <dave_scat_private>
    Subject: E-Divorce banned in Singapore
    
    SMS (short-text messaging) enables short messages from one cell phone to
    another. Muslim authorities had previously permitted men to divorce their
    wives by SMS.  In April to June 2001, 16 divorces were so reported.
    However, now the Islamic Religious Council of Singapore (MUIS), the Syariah
    Court and the Registry of Muslim Marriages are "unanimous in their view that
    divorce through SMS is unacceptable. ... Only a judge can confirm a divorce
    after deciding that there is merit in the complaint filed by the couple with
    the Syariah Court."  [Source: Singapore bans text-message divorce, CNET
    News.com, 8 Aug 2001; PGNed without comment] 
      <http://news.cnet.com/news/0-1005-200-6815505.html>
    
    ------------------------------
    
    Date: Mon, 6 Aug 2001 01:55:35 -0400
    From: Monty Solomon <montyat_private
    Subject: Omron uses GPS to catch a car thief
    
    Omron Corp. plans to deliver your stolen car, and the wretched villain
    inside it, right to the nearest koban (Japanese police box).  "Imagine that
    someone steals your car, and a network of sensors in the vehicle knows the
    person driving is not the right person. So using its GPS, it makes the car
    stop outside the nearest koban and locks the driver inside. This is what I
    imagine, this is the next stage," said Shin'ichi Mukaigawa, an engineer at
    Omron's business incubation center, who has designed the basic elements for
    such a system.  [Source: article by Paul Kallender, *EE Times*, 12 Jun 2001,
      http://www.eetimes.com/story/technology/OEG20010612S0059]
    
      [Quite few of you noted this item.  OCSchwarat_private added:  
        How RISKy.  How lovely. Hijack someone's car using this system,
        park it next to an empty koban, and let the Yakuza do their thing.
      PGN]
    
    ------------------------------
    
    Date: Sun, 05 Aug 2001 11:59:48 -0400
    From: Declan McCullagh <declanat_private>
    Subject: Corrupt Michigan cops abuse police database to stalk, harass
    
    [According to the third Detroit Free Press story, a cop who stalked a woman 
    using his access to police databases was "suspended for a day without pay." 
    That'll teach 'em! --Declan]  [FROM POLITECH]
    
    > Date: Sat, 04 Aug 2001 02:08:36
    > From: "Ed Walker" <ed_walkerat_private>
    > Subject: Michigan cops abusing database
    
    > www.governing.com/news had a link to a freep article that may be of
    > interest to politechnicals.  The first two links are the story, and the
    > third is an account of a truly creepy cop stalking someone he met while on
    > duty.
    
    > Michigan Newspaper: Police Abuse Database Police throughout Michigan,
    > entrusted with the personal and confidential information in a state law
    > enforcement database, have used it to stalk women, threaten motorists and
    > settle scores. Over the past five years, more than 90 Michigan police
    > officers, dispatchers, federal agents and security guards have abused the
    > Law Enforcement Information Network, according to a Detroit Free Press
    > examination of LEIN records and police reports.  More: Detroit Free Press
    > http://www.freep.com/news/mich/lein31_20010731.htm
    > http://www.freep.com/news/mich/lein1_20010801.htm
    > http://www.freep.com/news/mich/amber31_20010731.htm
    
    > Ed Walker
    
    ------------------------------
    
    Date: 7 Aug 2001 20:23:21 GMT
    From: manfreat_private (Joe Manfre)
    Newsgroups: alt.usage.english
    Subject: OT: rot13, practical uses of
    
      [Contributed by Mark Brader.  PGN]
    
    Recently there has been some discussion on AUE of the many fascinating
    ways in which the venerable letter-substitution scheme called "rot13"
    can be used.  Well, this article may be of some interest:
    
      http://www.zdnet.com/zdnn/stories/comment/0,5859,2800985,00.html
    
    It deals with a certain Russian cryptanalyst who has been jailed for
    cracking and exposing the encryption schemes that some electronic book
    publishers use to protect their copyrighted properties.  Turns out that one
    publisher of industrial reports was using rot13 to protect its valuable (to
    the tune of $3,000 a pop) works.
    
    Joe Manfre, Hyattsville, Maryland.
    
    ------------------------------
    
    Date: Wed, 8 Aug 2001 09:25:03 -0400
    From: Rachel Slatkin <rslatkinat_private>
    Subject: GA scholarship info exposed
    
    Computer passwords and personal information about participants in Georgia's
    HOPE scholarship program were inadvertently exposed on the web as early as
    December 2000. The information was apparently cached by several search
    engines, including Google. From the *Atlanta Journal Constitution*, 8 Aug
    2001, "State staff may feel byte from hackers":
    
      "Last Nov. 14, he said, a member of the agency's technical staff
      copied a file onto the HOPE computer system that prevents
      Internet search engines from indexing the system's contents.
    
      But another program in the system deletes unused files after 30
      days, Newsome said. So about Dec. 15, the security file was
      wiped out, exposing other files."
    
    It's not clear what "security file" was accidentally removed. The news
    articles I've read about this have not named the file. I'm guessing it was
    either robots.txt or .htaccess, hopefully the latter.
    
    Many system administrators have discovered the risks of deleting "unused"
    files without being sure of their purpose. Having the procedure happen
    automatically compounds the problem.
    
    Rachel Slatkin  rslatkinat_private  http://pobox.com/~rslatkin/
    
    ------------------------------
    
    Date: Thu, 2 Aug 2001 20:06:05 -0400
    From: Dug Song <dugsongat_private>
    Subject: DoCoMo and thttpd: i-mode DDoS attack!
    
    Poor jef has become the victim of his own success (and DoCoMo's)!
    Perhaps this qualifies as the first cellphone-based (i-mode)
    distributed denial-of-service attack? :-/
    Dug Song, Security Architect, Arbor Networks, Inc.
    
      Date: Thu, 02 Aug 2001 11:22:14 -0700
     >From: Jef Poskanzer <jefat_private>
      To: thttpdat_private
      Subject: [THTTPD] DoCoMo and thttpd
    
      Hey, is anyone on the list familiar with DoCoMo?  Apparently it's a type
      of cell-phone / web browser device from Japan.  I have suddenly started
      getting a [whole] lot of hits to http://www.acme.com/software/thttpd/ with
      various versions of DoCoMo in the user-agent field.  Unfortunately the
      referrer field is blank, which makes it difficult to figure out why this is
      happening.  Current working theory is that some server run by the DoCoMo
      company switched over to using thttpd, and I'm getting the usual spillover
      from any 404 pages on their site.  I've seen this effect before with large
      ISPs, but never with such a high volume of hits.  My bandwidth is pegged
      to the throttle right now, and they're not even fetching the inline images
      (which by the way means I'm not getting any ad impressions from these
      hits, which is somewhat annoying).  [...]
      Jef Poskanzer  jefat_private  http://www.acme.com/jef/
    
    ------------------------------
    
    Date: Tue, 07 Aug 2001 22:31:48 -0700
    From: Gene Wirchenko <genewat_private>
    Subject: Low-Grade Cryptography
    
      DMCA and encryption is discussed in this article:
        http://www.zdnet.com/zdnn/stories/comment/0,5859,2800985,00.html
    
    My favourite part: "Publishers encrypt their books to prevent them from
    being read by anyone except the registered owner... they hope. But it turns
    out that the encryption software of at least two manufacturers is so weak
    that it can be broken instantly. One publisher, Sklyarov found, uses a
    cypher called rot13 ...".   [Doggedly rot-wily?  PGN]
    
    ------------------------------
    
    Date: Sun, 05 Aug 2001 12:03:57 -0700
    From: dAVe <kinswaat_private>
    Subject: Automated traffic-camera system has flaws
    
    >From the Seattle Times:
    http://seattletimes.nwsource.com/html/localnews/134326067_trafficam05m.html
    
    It was not the kind of "Kodak moment" the city of Lakewood hoped for.  Its
    high-tech traffic camera had just nabbed Cyn Mason for doing 38 in a 30-mph
    zone. The camera captured the license plate on the Tacoma woman's car as it
    sped through a school zone June 8. Or so it seemed.
    
    After receiving a notice, a thumbnail copy of the incriminating image and a
    demand for $71, Mason put pen to paper:
    
    "This is my sworn statement, under penalty of perjury, that your system
    cannot distinguish between the sporty coupe shown in the ticket picture, and
    the Honda CR-V sport-utility vehicle that I drive. In other words, I swear
    that you have the wrong car, since the one shown in the ticket is not my
    vehicle. Is this sufficient to correct your error, or would you like me to
    swear at you some more?"
    
    ------------------------------
    
    Date: Mon, 6 Aug 2001 22:35:53 -0400
    From: Monty Solomon <montyat_private>
    Subject: Risks of the Passport Single Signon Protocol
    
    David P. Kormann and Aviel D. Rubin,
    Risks of the Passport Single Signon Protocol,
    IEEE Computer Networks, volume 33, pages 51-58, 2000.
    
    David P. Kormann and Aviel D. Rubin
    AT&T Labs - Research
    180 Park Avenue
    Florham Park, NJ 07932
    {davek,rubin}@research.att.com
    http://avirubin.com/passport.html
     
    Abstract: Passport is a protocol that enables users to sign onto many
    different merchants' web pages by authenticating themselves only once to a
    common server. This is important because users tend to pick poor (guessable)
    user names and passwords and to repeat them at different sites. Passport is
    notable as it is being very widely deployed by Microsoft. At the time of
    this writing, Passport boasts 40 million consumers and more than 400
    authentications per second on average. We examine the Passport single signon
    protocol, and identify several risks and attacks. We discuss a flaw that we
    discovered in the interaction of Passport and Netscape browsers that leaves
    a user logged in while informing him that he has successfully logged out.
    Finally, we suggest several areas of improvement.
    
    ------------------------------
    
    Date: Wed, 08 Aug 2001 18:01:34 -0400
    From: Brian McWilliams <brian@pc-radio.com>
    Subject: Hotmail catches Code Red (via Dave Farber's IP)
    
      [From Dave Farber's IP: http://www.interesting-people.org/ ]
    
    Microsoft's Hotmail Is Red Hot From Worm
    
    Several systems hosting the MSN Hotmail service have been infected by 
    variants of the Code Red worm, Microsoft has confirmed.
    
    http://www.newsbytes.com/news/01/168837.html
    
    ------------------------------
    
    Date: Thu, 02 Aug 2001 19:32:39 -0700
    From: Arthur Kimes <artkiat_private>
    Subject: Toll Road Transponders used to steal food at McDonald's (Re: R-21.43)
    
    > McDonald's customers will wave the "Speedpass" ... at a drive-through window
    (also see RISKS-21.46 and 21.49)
    
    Some toll roads in Orange County, California, do use those transponders (not
    the Mobil "speedpass") and local McDonald's have been accepting those as
    payment since April 2000.  Since then, according to the Transportation
    Corridor Agencies, there has been $4,000 in charges for food at McDonald's
    using stolen transponders.  [Source: *Los Angeles Times*, 23 Jul 2001]
    
    ------------------------------
    
    Date: Fri, 3 Aug 2001 09:10:36 -0400
    From: Peter Wayner <pcwat_private>
    Subject: More Adobe plastering (Re: Maggard, RISKS-21.56)
    
    In RISKS-21.56, Michael Maggard writes, "...Adobe has been installing a
    mysterious file of their own that regularly 'calls home' for reasons
    unknown."
    
    Perhaps this kind of reporting software is necessary, but it may be the
    reason why I'm slowly giving up on Adobe products. My version of InDesign
    crashes frequently. My version of ImageReady has the strangest bug. If my
    system has been up for a bit, ImageReady refuses to run. If I reboot, it's
    fine. I suspect this has something to do with the quick blip of the network
    access LED on the router that flickers just after starting up. Maybe that
    little phone-home program doesn't say the right thing to ImageReady. I
    thought about complaining or investigating, but I decided that making the
    transition to GIMP is simpler.
    
    This topic has been on my mind while I've been working on creating simple
    watermarks for a pay-per-copy experiment. (See
    http://www.flyzone.com/satstory/ or just end $.75 to satstoryat_private
    for a copy of a story on DirecTV hacking) I considered complicated
    encryption mechanisms and gave up. The complexity took too long to develop
    and excluded too many legitimate customers. In the end, I just insert the
    purchaser's name in the file on the way out the door.
    
    This kind of watermark may be easy to defeat, but that has
    advantages. First, bright kids get no boost from hacking the system.  It's
    trivial. But it is still complex enough to require someone to take a
    positive step to defeat it. If they can live with themselves, well, they'll
    get enough punishment. Finally, there is no complexity to crash systems and
    drive users nuts.
    
    ------------------------------
    
    Date: Tue, 07 Aug 2001 20:33:15 -0700
    From: Michael Loftis <mloftisat_private>
    Subject: Re: WinXP blocks some versions of some programs (Griffin, RISKS 21.57)
    
    They're blocking drivers because too many vendors have been implementing bad
    code in their drivers.
    
    ------------------------------
    
    Date: Wed, 08 Aug 2001 14:23:15 -0700
    From: David Chaum <davidat_private>
    Subject: Workshop on Trustworthy Elections
    
    26-29 August 2001, Tomales Bay, California: WOTE (Workshop on Trustworthy
    Elections) is a small research-oriented workshop devoted to advancing
    technologies for election integrity and ballot secrecy, organized by David
    Chaum and Ronald L. Rivest.  Topics include: Cryptographic protocols,
    computer security, audit, operational procedures, certification,
    tamper-resistance, document security, integrity, ballot secrecy, voter
    authentication, all as related to trustworthy elections.
    http://www.vote.caltech.edu/wote01/index.html
    
    ------------------------------
    
    Date: Tue, 7 Aug 2001 11:07:47 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Computer Security Handbook", Hutt/Bosworth/Hoyt
    
    BKCMSCHB.RVW   20010530
    
    "Computer Security Handbook", 1995, Arthur E. Hutt/Seymour Bosworth/
    Douglas B. Hoyt, 0-471-11854-0
    %E   Arthur E. Hutt
    %E   Seymour Bosworth
    %E   Douglas B. Hoyt
    %C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
    %D   1995
    %G   0-471-11854-0
    %I   John Wiley & Sons, Inc.
    %O   U$90.00 416-236-4433 fax: 416-236-4448
    %T   "Computer Security Handbook, Third Edition"
    
    Overall, this work appears to be strongly influenced from a time when
    computers were mainframes locked in glass rooms, and the information
    technology department was under the jurisdiction of accounting.  Although
    some effort has been made to address more recent topics, the attempt is
    piecemeal at best, and quite limited in depth.
    
    Part one looks at the responsibility of management in the security concern.
    The first essay, specifying the role of management, certainly dates the work
    in the big iron era, defining security solely from the perspective of
    availability.  Disclosure of information does get a mention, but even the
    list of risks to be considered concentrates primarily on malfunction or
    disaster.  A second paper takes a rather vague look at policies and related
    documents, but is backed up with a number of examples.  The review of risk
    analysis is similarly nebulous, although it does have some potentially
    useful tables of probable threats.  Optimism about the availability of
    background information seems to surround the discussion of employee
    policies, but some important basic principles are presented.  Legal issues
    are dealt with briefly, but over a wide range of topics.  The article on
    computer crime is not particularly realistic: as one example, the
    examination of controls concentrates on provisions for preventing
    programmers from installing logic bombs, but the case studies actually cited
    as examples of the need for such controls were perpetrated as fraud by those
    in positions of authority.
    
    Part two outlines basic safeguards.  Disaster recovery is, again, reviewed
    primarily from the mainframe perspective.  The principles may be the same,
    but the important resources for a corporation probably involve many more
    aspects than just a mainframe and data.  An overview of insurance sounds
    very much like a sales pitch, although it does divide the topic up by type
    of threat, and examines different factors that can affect price and the
    willingness of the insurers to make good on a loss.  (I was amused to note
    that the section on viruses basically admits that vendors will use
    extraordinary interpretations of standard wording to weasel out of paying.)
    The chapter on auditing appears to have been written solely from an
    accounting perspective, and, while the points listed would be helpful in
    creating part of a security policy, they address only those issues related
    to internal fraud.  System application controls are discussed strictly in
    terms of development cycles and ideas such as "total quality management"
    (TQM).
    
    Part three moves to physical protection.  Hardware protection takes a
    detailed look at internal error situations right down to the gate level, as
    well as a more superficial examination of architecture concerns and
    environmental problems.  Accidental calamities are also the major emphasis
    in computer facility protection, although there is some attention paid to
    the need to secure cabling.  "Monitoring and Control Devices" presents
    theory behind surveillance and alarm systems.
    
    Part four starts to look into technical aspects of data security.  A chapter
    on software and information security appears to have some valid points to
    make (aside from the misinformation on viruses) but is written in such a
    convoluted manner that most material must be read several times to puzzle
    out the meaning.  An essay on records retention has been retrofitted to
    become an examination of computer data security.  The paper on encryption is
    extremely disjointed (for example, dropping a discussion of network
    topologies into a purported explanation of the RSA [Rivest Shamir Adleman]
    encryption algorithm), and almost completely lacking in details.  A rather
    generic security overview (with questionable virus information) is supposed
    to address data communications and networking.  A grab bag of penetration
    techniques and countermeasures provides some interesting prompts to consider
    various attacks, but is not organized or complete enough to fully cover the
    subject.  The chapter on viruses and related threats is rife with errors,
    and confuses the various types of problems with each other as well as with
    unverified speculation.
    
    Part five deals with special protection issues.  Chapter twenty suggests
    that you might want to be a little careful when dealing with outside
    contractors.  While there is some disorganization, and a few odd
    anachronisms, the paper on personal computers is much more practical than
    most of the preceding material.  The essay on LANs presents a primer on
    networks, and then a generic overview of security, without an awful lot of
    relation between the two.  The chapter on Internet security has some basic
    information, but is quite disorganized.
    
    Supplements are supposedly produced to update the work.  Some such documents
    ask you to replace paragraphs and correct errors: others offer additional
    sections to enhance the original essays.  In the 1997 supplement (ISBN
    0-471-17297-9) there are some weak addenda for auditing, encryption, and
    viruses, as well as a decent, though still disorganized, extension to the
    Internet material.  There is also a first rate examination of e-mail privacy
    issues and a reasonable though uninspired review of single sign-on.  When I
    contacted the publisher, I was told that the 2000 supplement was still in
    the editorial stage.  In fact, so was the 1998 supplement!  So I wouldn't
    expect any updates for the book in the near future.
    
    Most of the material is fairly obviously old, and originally intended to
    address topics applicable solely to mainframe computer establishments, or
    even non-computerized systems.  Patchwork updating is evidently an
    afterthought.  A great deal of material is repeated many times over in
    different essays.  Generally the papers have little detail or depth, so the
    recapitulations do not add much new content each time.
    
    There is useful material in the work, but it is difficult to abstract the
    good from the outdated and mundane unless you are already quite expert in
    the field.  The newcomer would be advised to get some basic training or
    reading before attempting to deal with this work, but the expert will be
    able to find some useful nuggets.
    
    copyright Robert M. Slade, 2001   BKCMSCHB.RVW   20010530
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe] 
     which requires your ANSWERing confirmation to majordomoat_private .  
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.58
    ************************
    



    This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 12:46:38 PDT