[risks] Risks Digest 22.16

From: RISKS List Owner (riskoat_private)
Date: Sun Jul 21 2002 - 14:54:07 PDT

    RISKS-LIST: Risks-Forum Digest  Sunday 21 July 2002  Volume 22 : Issue 16
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.16.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    U.S. House approves life sentences for crackers (NewsScan)
    Expert says Palm Beach's new voting machines have problems (PGN)
    Palm Beach voters at it again (Dan Scherer)
    'Face testing' at Logan is found lacking (Monty Solomon)
    Japanese service links ATMs to cell phones (Mich Kabay)
    Yahoo admits changing e-mail text to block hackers (Monty Solomon)
    IIS Mail exploit (Matthew Byng-Maddick)
    E-mail content filtering may kill the medium (Derek K. Miller)
    "You may not have received this e-mail" (Monty Solomon)
    Forensic programming course outline (Rob Slade)
    Re: EULA (Derek J. Balling)
    REVIEW: "The Hacker Diaries", Dan Verton (Rob Slade)
    REVIEW: "Hacker Attack", Richard Mansfield (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Tue, 16 Jul 2002 09:18:43 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: U.S. House approves life sentences for crackers
    
    The U.S. House of Representatives has approved the Cyber Security
    Enhancement Act (CSEA) by a near-unanimous vote [385-3].  Among the Act's
    provisions are an expansion of police ability to conduct Internet or
    telephone eavesdropping without first obtaining a court order, and the
    approval of life prison sentences for malicious computer hackers (crackers)
    whose acts "recklessly" put others' lives at risk.  In the case of wiretaps,
    the Act would permit limited surveillance without a court order when there
    is an "ongoing attack" on an Internet-connected computer or "an immediate
    threat to a national security interest."  The surveillance would be limited
    to collecting a suspect's telephone number, IP address, URLs or e-mail
    header information -- not the content of an e-mail message or phone
    conversation.  In addition, the Act would permit ISPs to disclose the
    contents of e-mail messages and other electronic records to police in cases
    when "an emergency involving danger or death or serious physical injury to
    any person requires disclosure of the information without delay."  The Act
    is not expected to meet any serious opposition in the Senate. [CNet News.com
    15 Jul 2002; NewsScan Daily, 16 July 2002]
      http://news.com.com/2100-1001-944057.html?tag=fd_top
    
      [Declan McCullagh notes that the CSEA had been written before 11 Sep
      2001.  PGN]
    
    ------------------------------
    
    Date: Wed, 17 Jul 2002 00:34:50 -0400
    From: Peter G Neumann <Neumannat_private>
    Subject: Expert says Palm Beach's new voting machines have problems
    
    Associated Press item by Jill Barton, 16 Jul 2002
    
    The voting machines that replaced butterfly ballots and hanging chads are
    checked by an "Enron-style of auditing" and don't provide voters any
    assurance that their votes are being cast, an expert testified Tuesday.
    Rebecca Mercuri, a computer science professor at Bryn Mawr College in
    Pennsylvania, said questions remain about the $14 million machines Palm
    Beach County purchased to improve its voting system because they are
    designed to audit themselves.  "The problem with the self-auditing machines
    is if it's broken, how can it tell you that it's broken?" Mercuri said.
    
    Mercuri's testimony provided the latest criticism of a county still
    embarrassed by the 2000 election debacle. She was called in a Tuesday
    afternoon hearing to bolster a Boca Raton man's claims that he lost a City
    Council election in March because the new machines malfunctioned.
    
    Former Mayor Emil Danciu's suit seeks to have the results overturned and a
    new election held.  The suit includes affidavits from eight voters who said
    they had trouble casting ballots on the ATM-style machines and says voters
    should be given paper receipts to confirm their vote was recorded.  It also
    seeks to allow an independent review of the voting machines and related
    software and security features.
    
    Supervisor of Elections Theresa LePore says such a review would void the
    machines' warranty and that they've been reviewed twice by labs appointed by
    the federal government and also by a state worker.  She says most of the
    information the plaintiffs are seeking is filed with the state Division of
    Elections in Tallahassee and even if it were available, she couldn't provide
    it because it includes trade secrets of Sequoia Voting Systems Inc., which
    manufactures the machines.  "I'm not willing to let anyone take a machine
    and take it apart," LePore said. "I don't think the taxpayers would
    appreciate them taking apart a $3,500 machine and voiding the warranty."
    LePore has said the only problems reported to her office following the March
    election were screens temporarily freezing when voters chose between English
    and Spanish, which did not prevent voting.  She said the machines further
    demonstrated that they work Saturday when the county held a mock election in
    supermarkets and shopping malls allowing voters to try out the machines.
    
    ------------------------------
    
    Date: Sat, 20 Jul 2002 11:43:35 -0700
    From: "Dan Scherer" <dansat_private>
    Subject: Palm Beach voters at it again
    
    As noted in an AP news article 
      http://ap.tbo.com/ap/florida/MGAIFTWBQ3D.html 
    and reviewed on /. 
      http://slashdot.org/articles/02/07/20/0124232.shtml?tid=126 
    some West Palm County voters and politicians are upset that their new "ATM
    style" voting machines have an internal auditing system that doesn't allow
    access to the "self-auditing" side of the software.  Voters are claiming
    that the machine didn't register their votes, and that an election hangs in
    the balance because of the discrepancies.
     
    The Slashdot crowd is holding this up as an example of where open source
    needs to be used while the equipment manufacturer refuses to disclose their
    trade secrets on the "self auditing" software.
     
    The RISKS are obvious.
    
    ------------------------------
    
    Date: Wed, 17 Jul 2002 23:08:15 -0400
    From: Monty Solomon <montyat_private>
    Subject: 'Face testing' at Logan is found lacking
    
    A test at Boston's Logan International Airport has found that computerized
    facial-recognition systems, one of the most trumpeted new technologies in
    the war on terrorism, may not be a practical tool for airport security.  The
    machines were fooled when passengers turned their heads in certain
    directions, and screeners became overtaxed by the burdens of having to check
    passengers against a large pool of faces that closely resemble theirs.
    Hiawatha Bray, *The Boston Globe*, 17 Jul 2002.
    
    http://www.boston.com/dailyglobe2/198/metro/_Face_testing_at_Logan_is_found_lacking+.shtml
    
    ------------------------------
    
    Date: Wed, 17 Jul 2002 18:56:07 -0400
    From: Mich Kabay <mkabayat_private>
    Subject: Japanese service links ATMs to cell phones
    
      NTT DoCoMo is set to launch the world's first service that enables cell
      phone users to withdraw cash from automated teller machines located in
      convenience stores and supermarkets. Instead of inserting a bank card into
      the designated slot, users of DoCoMo's 504i handsets would push a few
      buttons on their phones in order to complete an ATM transaction. Analysts
      said the system was certainly novel, but it's still unclear how
      user-friendly it will prove. "Younger people may be more receptive, but
      people generally already have cash cards," says one analyst at a foreign
      securities firm. DoCoMo says the new system, which it is offering in
      partnership with IY Bank, likely will launch sometime in early 2003.
      (Reuters/Yahoo, 16 July 2002)
    
    http://story.news.yahoo.com/news?tmpl=story2&cid=581&ncid=581&e=9&u=/nm/20020716/tc_nm/financial_japan_iybank_dc_2
    
    I think no comment is necessary on the RISKS of linking banking systems to
    wireless phone systems.  It will be worth watching developments.
    
    M. E. Kabay, PhD, CISSP, Dept CompInfoSys, Norwich University, Northfield VT
    http://www2.norwich.edu/mkabay/index.htm
    
    ------------------------------
    
    Date: Wed, 17 Jul 2002 23:09:10 -0400
    From: Monty Solomon <montyat_private>
    Subject: Yahoo admits changing e-mail text to block hackers
    
    ... Yahoo! Inc. has confirmed that its e-mail software automatically changes
    certain words -- including "evaluate" -- in a bid to prevent hackers from
    spreading viruses.  Although the company declined to list the words its
    software had been changing, a report on the technology news Web site,
    News.com, reported that the program changes "mocha" to "espresso," and the
    phrase "eval" to "review."  [Article by Andrea Orr, Reuters, 17 Jul, 2002,
    noting that your applications for employment may have been altered!  PGN]
    
    http://finance.lycos.com/home/news/story.asp?story=27883602
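As an added illustration of the filtering hazard the story describes (example code written for this digest, not Yahoo's filter or anything from the article): the two substitutions News.com reported, applied as plain substring replacement, mangle ordinary English such as "evaluate". The second function shows the contrast a gateway designer would want: act only in the context where a token is actually dangerous (here, inside a <script> element), match whole tokens, and record what was altered so the recipient is not silently handed a changed message. The sample strings are constructed; the substitution table is limited to the two pairs the article names.

```python
import re
from typing import Callable, List, Tuple

# The two rewrites News.com reported (the rest of the wordlist was not published).
SUBSTITUTIONS = {"eval": "review", "mocha": "espresso"}


def naive_rewrite(text: str) -> str:
    """Plain substring replacement: the behaviour the article describes.

    Every occurrence is rewritten, including the middle of unrelated words,
    so 'evaluate' becomes 'reviewuate' in an ordinary covering letter.
    """
    for bad, good in SUBSTITUTIONS.items():
        text = text.replace(bad, good)
    return text


# Matches a <script ...> ... </script> element, case-insensitively, across lines.
SCRIPT_RE = re.compile(r"(<script\b[^>]*>)(.*?)(</script>)", re.IGNORECASE | re.DOTALL)


def context_aware_rewrite(html: str) -> Tuple[str, List[str]]:
    """Rewrite only inside <script> elements, only as whole tokens, and report it.

    Prose outside script blocks is left untouched, so 'evaluate' and 'mocha'
    in body text survive. Returns (rewritten_html, list_of_change_descriptions).
    A production gateway would more likely drop the script element entirely;
    rewriting is kept here to mirror the reported behaviour.
    """
    changes: List[str] = []

    def fix_block(m: re.Match) -> str:
        body = m.group(2)
        for bad, good in SUBSTITUTIONS.items():
            # \b...\b: match the token 'eval', not the substring inside 'evaluate'
            pattern = re.compile(r"\b" + re.escape(bad) + r"\b")
            body, n = pattern.subn(good, body)
            if n:
                changes.append(f"{bad} -> {good} x{n} inside <script>")
        return m.group(1) + body + m.group(3)

    return SCRIPT_RE.sub(fix_block, html), changes


def demo() -> Tuple[str, str, List[str]]:
    """Run both filters over a constructed job-application style message."""
    plain = "Please evaluate my mocha recipe"          # constructed sample text
    html = "<p>Please evaluate the mocha.</p><script>eval(x)</script>"  # constructed
    mangled = naive_rewrite(plain)
    kept, log = context_aware_rewrite(html)
    return mangled, kept, log


if __name__ == "__main__":
    mangled, kept, log = demo()
    print("naive:        ", mangled)
    print("context-aware:", kept)
    print("changes:      ", log)
```

The change log is the part most often missing in practice: the recipient of a rewritten message has no way to know that "evaluate" was ever there unless the gateway says so.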
    
    ------------------------------
    
    Date: Sun, 14 Jul 2002 23:50:55 +0100
    From: Matthew Byng-Maddick <mbmat_private>
    Subject: IIS Mail exploit
    
    The recent IIS Mail encoding bug has not yet made it into RISKS. The bug in
    question was an encoding error in the mail component of IIS, but unlike a
    lot of the other encoding bugs in IIS, which, as far as I understand it,
    only allow the server in question to be compromised, this bug makes the
    server into an open relay. What's the difference, you may ask. Spammers have
    been looking at exploiting mail relays for some time in an effort to avoid
    some of the audit trail used in the message (the Received: headers, inserted
    by the MTAs), they've tried with buffer overflows and other such things. Now
    they suddenly have a trivial way of trying to relay a message. Of course,
    all that will happen is that the test should get added to a half of the
    current Open Relay Blacklists (ordb, orbz etc.), but then we risk
    blackholing a fair amount of the Internet, because, like it or not, large
    numbers of Microsoft servers are appearing and being used.
    
    When will it all stop?
    
    Matthew Byng-Maddick <mbmat_private> http://colondot.net/
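The post above leans on the audit trail that Received: headers provide. As an added example (written for this digest, not code from the poster or from Microsoft), the following parser reconstructs the relay path from those headers and flags the pattern an administrator would look for when checking whether one of their own servers has been used as an open relay: the server accepted a message from a host that is not theirs, addressed to a domain that is not theirs. The message headers, host names and addresses are all constructed (RFC 5737 documentation addresses), and the regular expression is a simplified reading of the common "from X ... by Y ... for <addr>" form, not a full RFC 5321 trace-header parser.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample headers: two Received: lines, most recent first, as MTAs
# prepend them. Hop 2 (the older one) shows an ISP's server accepting mail from
# an unknown dial-up host for a third-party domain.
SAMPLE_HEADERS = """\
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
    by mx.recipient.example (Postfix) with ESMTP id 4A1B2C
    for <alice@recipient.example>; Sun, 14 Jul 2002 22:50:01 +0100
Received: from unknown (HELO dialup.example) [198.51.100.7]
    by mail.example-isp.net with SMTP
    for <alice@recipient.example>; Sun, 14 Jul 2002 22:49:58 +0100
From: someone@nowhere.invalid
Subject: hello
"""

# Simplified trace-header pattern: "from <host> [<ip>] by <host> ... for <addr>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:[^\[]*?\[(?P<ip>[\d.]+)\])?"
    r".*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bfor\s+<?(?P<for>[^>;\s]+)>?)?",
    re.IGNORECASE,
)

Hop = Dict[str, Optional[str]]


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Extract each Received: header into a dict of from/ip/by/for fields."""
    hops: List[Hop] = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(line[len("received:"):])
        if m:
            hops.append(m.groupdict())
    return hops


def relay_path(hops: List[Hop]) -> List[Tuple[str, str]]:
    """Chronological (from, by) pairs; headers are prepended, so reverse them."""
    return [(h["from"], h["by"]) for h in reversed(hops)]


def suspicious_relay_hops(hops: List[Hop], our_hosts: Iterable[str],
                          our_domains: Iterable[str]) -> List[Hop]:
    """Hops where one of our servers relayed outside-to-outside mail.

    That is the signature of open-relay use: we did not originate the message
    and we are not the final destination, yet we accepted and forwarded it.
    """
    our_hosts = {h.lower() for h in our_hosts}
    our_domains = {d.lower() for d in our_domains}
    flagged: List[Hop] = []
    for h in hops:
        if (h["by"] or "").lower() not in our_hosts:
            continue                      # not our server; nothing to judge
        if (h["from"] or "").lower() in our_hosts:
            continue                      # internal handoff, expected
        if not h["for"]:
            continue                      # no recipient recorded; cannot decide
        rcpt_domain = h["for"].rsplit("@", 1)[-1].lower()
        if rcpt_domain not in our_domains:
            flagged.append(h)
    return flagged


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    print("path:", relay_path(hops))
    print("flagged for example-isp.net:",
          suspicious_relay_hops(hops, {"mail.example-isp.net"}, {"example-isp.net"}))
```

Run against the sample from the ISP's point of view, the older hop is flagged; from the recipient's point of view nothing is, since mx.recipient.example accepted mail for its own domain. Received: headers are only as trustworthy as the MTAs that wrote them, so the check belongs on your own server's hop, which is the one line you know to be genuine.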
    
    ------------------------------
    
    Date: Wed, 17 Jul 2002 12:48:18 -0700
    From: "Derek K. Miller" <dkmillerat_private>
    Subject: E-mail content filtering may kill the medium
    
    E-mail filtering, in an effort to stop spam, has become insidious. Used
    properly -- especially by individual users -- it can be quite helpful. Used
    sloppily to filter for semi-arbitrary spamlike content (as it often is by
    server administrators and others), it risks killing e-mail as a useful form
    of communication.
    
    I'd highly recommend the following articles and discussion at the TidBITS
    mailing list site, which cover the issue and its hazards in clear and useful
    detail:
    
    Killing the Killer App
      http://db.tidbits.com/getbits.acgi?tbart=06866
    
    Content Filtering Exposed
      http://db.tidbits.com/getbits.acgi?tbart=06869
    
    Various discussion threads:
      http://db.tidbits.com/getbits.acgi?tlkthrd=1679
      http://db.tidbits.com/getbits.acgi?tlkthrd=1680
      http://db.tidbits.com/getbits.acgi?tlkthrd=1681
      http://db.tidbits.com/getbits.acgi?tlkthrd=1683
      http://db.tidbits.com/getbits.acgi?tlkthrd=1684
    
    Here's a pertinent excerpt:
    
    > * Email is increasingly being filtered for its content;
    >
    > * That filtering is often being done without the knowledge or
    >   consent of affected users;
    >
    > * Over time, inaccurate filtering will substantially reduce
    >   the general utility of email.
    >
    > In short, we're starting to see signs that email, often hailed
    > as the Internet's "killer app," is in danger of becoming an
    > unreliable, arbitrarily censored medium - and there's very little
    > we can do about it.
    
    Derek K. Miller, Vancouver, BC, Canada  dkmillerat_private
    http://www.penmachine.com
    
    ------------------------------
    
    Date: Wed, 17 Jul 2002 23:10:26 -0400
    From: Monty Solomon <montyat_private>
    Subject: "You may not have received this e-mail"
    
    Web Informant #293, 9 July 2002:
    You may not have received this e-mail
    
    George Carlin once had a bit about the seven dirty words that couldn't be
    said on TV: if only our email systems were as discreet and predictable about
    the nature of their censorship. Indeed, I can almost guarantee that if I
    include certain words in this message (such as viag--, -orn, make -oney
    -ast, or any of Carlin's seven choice words), many of you won't ever get
    this email.
    
    The trouble is that spammers, virus authors (or whatever deriding term you
    would like to use to call the scum that create these annoyances), and others
    have become too clever at creating their garbage. And in the ever escalating
    war of technology, email filtering products have become too good at cutting
    off legitimate messages, just because they contain the equivalent of
    Carlin's list.
    
    The best research on this was an article that was posted to the TidBITS
    mailing list this past week. If you are interested in Macs and in general
    the Internet, this is a weekly series of essays that Adam Engst and others
    write and distribute for free via e-mail to over 40,000 people, along with
    posting it to tidbits.com and many other web sites. Geoff Duncan concludes
    several trends:
    
    http://strom.com/awards/293.html
    
    ------------------------------
    
    Date: Sun, 21 Jul 2002 14:15:51 -0800
    From: Rob Slade <rsladeat_private>
    Subject: Forensic programming course outline
    
    I am currently teaching forensic programming, at roughly the third-year
    college/university level, at BCIT, and the course will also be run in the
    fall and again in the spring.  Since this is the first course of its kind
    (as far as I have been able to determine), and since most of the resources
    (somewhat by necessity) are online, I am beginning to put together the
    course outline and resources as a set of Web pages.  This is not (so far)
    anything like a full online course: for one thing, I have not (so far)
    written out complete lecture notes.  However, for those interested, the
    "table of contents" page is available at
      http://victoria.tc.ca/techrev/fptoc.htm or 
      http://sun.soci.niu.edu/~rslade/fptoc.htm (and also 
      http://cstbtech.bcit.ca/FP/index.html).
    
    This is very much a work in progress, and will be updated and expanded
    frequently in the coming weeks.
    
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Mon, 15 Jul 2002 10:58:08 -0400
    From: "Derek J. Balling" <dreddat_private>
    Subject: Re: EULA
    
    Something which occurred to me, working in the healthcare industry 
    these days, is that I'm not sure - given HIPAA compliancy regulations 
    and the like - that I *can* agree to allow companies permission "to 
    install random software on random machines without any notice or 
    confirmation".
    
    As security concerns, especially in terms of personal information protection
    and such, get more and more codified into law, the chance that a business
    will run afoul of the "Choose between obeying the law and obeying the EULA"
    dilemma are going to be on the increase. Given certain Pacific Northwest
    companies' love for deep-pockets litigation to enforce EULAs after the
    fact, whichever choice is made is certain to be costly in one manner or
    another.
    
    I've already pointed out to the head of our IT department that from my cursory,
    non-lawyer, reading of the WinXP EULA, we have to move it from the "we don't
    support this" category to the "this is explicitly forbidden from our
    machines" category.
    
    Derek J. Balling <dreddat_private>  www.megacity.org/blog/
    
    ------------------------------
    
    Date: Mon, 15 Jul 2002 07:59:32 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "The Hacker Diaries", Dan Verton
    
    BKHCKDRY.RVW   20020519
    
    "The Hacker Diaries", Dan Verton, 2002, 0-07-222364-2, U$24.99
    %A   Dan Verton
    %C   300 Water Street, Whitby, Ontario   L1N 9B6
    %D   2002
    %G   0-07-222364-2
    %I   McGraw-Hill Ryerson/Osborne
    %O   U$24.99 905-430-5000 +1-800-565-5758 fax: 905-430-5020
    %P   219 p.
    %T   "The Hacker Diaries: Confessions of Teenage Hackers"
    
    Teenaged hackers are misunderstood.  Definitions are for lamers,
    morality is a "bogus" concept.  These noble idealists are questers
    after the Holy Grail of knowledge: problem solvers who are attempting
    to enlighten the masses.  Given a little dedication, you too can,
    inside of six months, go from being a technopeasant to "knowing
    everything there [is] to know" about computers.  Thus it is written in
    the Gospel of Verton.
    
    (While we are at it, I have this nice bridge you might want to purchase ...)
    
    Even if you ignore questions about the definition of what "hacking" actually
    is, and even if you leave aside the author's biased sympathy for
    rebels-without-a-clue, the introduction alone points out that Verton has not
    performed the research one would think minimal to such a project: reading
    the "popular" literature on the subject, never mind the more serious
    analyses by researchers like Denning and Gordon.  How else can he make the
    statement that this book is the first ever to try and penetrate the veil of
    secrecy surrounding the computer vandal community, an assertion that must
    come as a bit of a shock to authors like Levy ("Hackers," cf. BKHACKRS.RVW),
    Sterling ("Hacker Crackdown," cf. BKHKRCRK.RVW), Taylor ("Hackers,"
    cf. BKHAKERS.RVW), Dreyfus ("Underground," cf. BKNDRGND.RVW), and a host of
    others.  It is, therefore, no surprise that this author gets basic factual
    information wrong, such as the confusion of the infamous Operation Sundevil
    with more successful prosecutions of computer crime.
    
    Verton decries the blind and ignorant stereotyping of loners who are more
    comfortable with computers than with their peers, but he is, himself, guilty
    of promoting the same kind of confusion.  The group targeted after the
    Columbine shootings was not the computer community but the Goths, who share
    almost no characteristics with hackers except for a slightly obsessive
    interest in an esoteric topic and a position outside the mainstream.  (Well,
    possibly also an aversion to sunlight ...)  Verton has attempted to include
    "representative" examples of both maladjusted criminals and ethical hackers,
    but draws no distinctions between them and, indeed, seems to be trying to
    lump them all together.
    
    No, I've changed my mind.  Let's not leave aside the question of a
    definition of hacking.  Like too many authors, Verton also wants to continue
    the confusion of the original idea of a hacker as a skilled technologist
    with the more recent concept of the vandals of computer systems.  But he
    also immediately destroys his position by pointing out that a cracker cannot
    change his "handle," the (usually offensive) nickname used to achieve both
    identity and anonymity online.  If an underground "hacker" changes his
    handle, he loses his status and becomes just another wannabe.  Verton does
    not seem to realize the import of this statement.  A cracker's credibility
    is tied to his nickname, since he is only as good as his "rep," the record
    of defacements or intrusions he is able to boast about.  There is no actual
    skill set behind such a reputation.  In opposition, if true hackers like
    Richard Stallman or Eric Raymond were to change their names, and were then
    to write new programs and release them to the world, those programs would
    still be useful and of good quality.  (Top programmers would, in fact,
    probably be able to identify the authors of emacs and fetchmail by
    programming excellence and style.)
    
    Verton's writing seems clear and readable unless you start to think about
    it.  A story will say that A happened, then B happened, then C happened,
    then B happened, then D happened, then B happened.  Times are quite
    indefinite, but since the narrative is unclear even about simple sequences
    it is not any real shock to find out that the author does not know larger
    items of technical history, such as that UNIX predates VMS.  Likewise,
    Verton isn't interested in having consistency get in the way of a good
    story, even if the story doesn't make any sense.  Directions and motivations
    change suddenly and without apparent reason: reading between the lines
    indicates that there is a lot that we aren't being told.  Probably the
    author wasn't told, either.  It sounds like he didn't even ask.  (The
    interview subjects seem to have realized that they were dealing with a
    credulous author: Verton retails stories out of common urban legends and
    jokes without seeming to have identified them as such.  Despite his
    credentials as a reporter for a computer trade magazine Verton's technical
    knowledge is questionable--he doesn't know a denial of service attack from a
    reformat nor that the Macintosh doesn't have a Windows Registry.)
    
    Despite tidbits of trivia, ultimately the book is boring.  One can only read
    so many times that Amanda (or Betty or Cathy) accidentally touched a
    computer on her seventh birthday and thereafter became obsessed with
    re-writing the CP/M kernel before one loses interest.  The names may change,
    the hacks may change, the outcomes and choices of whether or not to be
    useful or messed up may change, but in the end, the lessons are the same:
    non-existent.
    
    copyright Robert M. Slade, 2002   BKHCKDRY.RVW   20020519
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Thu, 18 Jul 2002 15:30:41 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Hacker Attack", Richard Mansfield
    
    BKHCKATK.RVW   20020519
    
    "Hacker Attack", Richard Mansfield, 2000, 0-7821-2830-0,
    U$29.99/C$44.95/UK#19.99
    %A   Richard Mansfield earthat_private
    %C   1151 Marina Village Parkway, Alameda, CA   94501
    %D   2000
    %G   0-7821-2830-0
    %I   Sybex Computer Books
    %O   U$29.99/C$44.95/UK#19.99 510-523-8233 Fax: 510-523-2373
    %P   293 p.
    %T   "Hacker Attack: Shield Your Computer from Internet Crime"
    
    "FACT: It's unlikely that you'll ever personally experience a computer
    virus in your home computer."  Ah, those glowing, carefree days of
    yore when ... wait a minute.  This book wasn't published all THAT long
    ago ...
    
    This work is intended to address three issues: intrusions, privacy,
    and viruses.  The author hopes that it will be as much fun to read as
    it was to write.  Given the unrealistic assessment of risk levels, the
    almost random choice of topics, and the lighthearted approach, I did
    not start out feeling confident of the chances of finding useful
    information herein.
    
    (While we may agree that script kiddies and such cracker wannabes are
    grubs and insects, the security community does *not* refer to them as
    "larvae.")
    
    Part one is entitled "Hackers, Crackers, and Whackers."  Chapter one is a
    generic warning about the fact that some people may be trying to probe you.
    Some information (such as directions on turning file and print sharing off)
    are useful, others (such as the need to share IP addresses--assuming you
    even know them--with friends for chatting and instant messages) are either
    wrong or not very useful.  Port scanning gets mentioned, and, aside from the
    fact that there are more reliable ways of determining open ports, the
    specific example of an open port used isn't terribly handy since we are told
    neither what it is nor how to turn it off.  Phone phreaks are discussed in
    chapter two--without mention of the fact that in-band signalling is now
    obsolete.  Hackers are academics studying decryption, viruses can harvest
    your passwords, and munging your e-mail address is an effective tool against
    spam, or so we are told in chapter three.  Chapter four gives names to some
    really silly cracking techniques.  Some equally silly defences are suggested
    in chapter five.  Chapter six does say that there are better protections
    available, but doesn't talk about how to implement them.  High-speed
    connections are said to be security risks (the real culprit being static IP
    addresses) in chapter seven.  A variety of URLs are given for the ZoneAlarm
    product, and instructions for getting warnings about cookies from one
    version of the Internet Explorer browser are provided in chapter eight.
    
    Part two is supposed to deal with privacy.  Chapter nine does, with a
    rapid race through a number of related issues.  Chapters ten through
    thirteen, however, examine a number of encryption technologies that
    are no longer used.  The algorithm central to DES (Data Encryption
    Standard) is used as an example of a symmetric encryption system in
    chapter fourteen.  Chapter fifteen explains the use of prime numbers
    to create asymmetric (public key) systems.  Both of these chapters are
    remarkably unhelpful in terms of the actual use of encryption. 
    Chapter sixteen explains digital signatures, but very briefly.  The
    dialogue boxes involved in using the Encrypting File System of Windows
    2000 are displayed in chapter seventeen.  Chapter eighteen speculates
    on quantum computers.  Source code for a random number generator for a
    one-time pad is given in chapter nineteen.
    
    Part three looks at viruses.  (Ready?)  Chapter twenty gives a brief
    account of the Internet/Morris/UNIX Worm of 1988, informing us that
    viruses had been used for years for network administration (untrue)
    and failing to explain what defrauding your girlfriend has to do with
    the worm.  Some basics of virus structure are correct in chapter
    twenty one, but there is also confusion of pranks and trojans, and the
    discussion of virus functions applies only to boot sector infectors. 
    Chapter twenty two provides an overview of Melissa and Loveletter. 
    Useless means of defending against Microsoft Word macro viruses (known
    to have been bypassed long before this book was written) are given in
    chapter twenty three.  Chapter twenty four tells us that viruses are
    mainly hype.
    
    Well, there are a few tips in this work that might help you to prevent
    intrusions, protect your privacy, and avoid viruses.  Very few.  The
    material is scant, and is padded out to book length with random
    insertions only nominally related to the topics at hand.  Although not
    stated, it is fairly clear that the volume is intended for the average
    computer user rather than the security specialist.  In terms of that
    general audience, the text is nowhere near detailed enough in those
    areas that the typical user can address.  The material on network
    intrusions has some points, but many gaps.  The section on
    cryptography might be interesting to a few, but is of little practical
    use.  The opining on viruses is too often flatly wrong.
    
    copyright Robert M. Slade, 2002   BKHCKATK.RVW   20020519
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.16
    ************************
    