[risks] Risks Digest 22.17

From: RISKS List Owner (riskoat_private)
Date: Wed Jul 24 2002 - 14:12:47 PDT

  • Next message: RISKS List Owner: "[risks] Risks Digest 22.18"

    RISKS-LIST: Risks-Forum Digest  Wednesday 24 July 2002  Volume 22 : Issue 17
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.17.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Warning system failed during fatal tornado (Robert Crump)
    Wrong number costs Gateway $3.6 million (NewsScan)
    WebTV virus dials 911 (Monty Solomon)
    Explanation of Voter-Verified Ballot Systems (Rebecca Mercuri)
    Auditing of voting machines (Daniel Boyd)
    Royalty fees may be the death of Internet radio (NewsScan)
    SSH Protocol Weakness Advisory (Monty Solomon)
    Uselessness of "Dirty word" filters (Danny Lawrence)
    E-mail content filtering may kill the medium (Pascal Bourguignon, 
      Max TenEyck Woodbury)
    Yahoo! *fixes* e-mail as security measure (Robert Gezelter)
    Re: Crackers -- aka hackers -- providing useful information (Fred Gilham)
    Doonesbury, Allen Hutchinson on 802.11 networks and security
      (Declan McCullagh)
    Monty Solomon <montyat_private>
    Setuid Demystified, Chen/Wagner/Dean
    11th USENIX Security Symposium (Alex Walker)
    REVIEW: "Writing Information Security Policies", Scott Barman (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Tue, 23 Jul 2002 23:18:42 -0400
    From: Robert Crump <rwcrumpat_private>
    Subject: Warning system failed during fatal tornado
    
    Subtitle: Glitch kept radio station from relaying storm alert
    Associated Press, in the *Baltimore Sun*, 23 Jul 2002
    
    According to the National Weather Service, an Emergency Alert System
    designed to enable WTOP in Washington DC to forward warnings of dangerous
    weather conditions to small radio stations in up to 28 counties failed on 28
    Apr 2002, just before a deadly tornado struck Southern Maryland.  The
    warning was intended for 31 DC-area counties, more than the system was
    programmed to accommodate.  The storm system spawned a strong tornado that
    cut through Southern Maryland, causing five deaths, an estimated $120
    million in damage and destroying much of downtown La Plata.  [PGN-ed]
    
    ------------------------------
    
    Date: Mon, 22 Jul 2002 08:41:48 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Wrong number costs Gateway $3.6 million
    
    A federal court has awarded a Pensacola business $3.6 million in damages
    from Gateway, which had accidentally distributed the wrong phone number for
    customer complaints to more than 275 Gateway stores. The error dated back to
    1999, when someone at Gateway erred by using the 800 prefix instead of the
    correct 888 prefix for the company's toll-free customer complaint line. The
    wrong number was also posted on Gateway's Web site, listed on Internet
    billings and included on a form distributed to more than 100,000 Gateway
    customers. Mo' Money, which manufactures and distributes promotional items,
    said it contacted Gateway six days after the calls began, but that it took
    the computer company more than two years to fix the problem. "It was a
    nightmare," says Mo' Money president Cliff Mowe. "We had as many as 8,000
    extra calls a month, and these were all angry people You couldn't get them
    off the line because the only number they had was ours. You'd have to
    explain it and go through it, and a lot of times they'd call you right back
    anyway." [Associated Press, 19 Jul 2002; NewsScan Daily, 20 July 2002]
      http://apnews.excite.com/article/20020719/D7KS83F82.html
    
    ------------------------------
    
    Date: Tue, 23 Jul 2002 19:45:01 -0400
    From: Monty Solomon <montyat_private>
    Subject: WebTV virus dials 911
    
    Police show up only to find infected WebTVs.
    
    A new virus has hit some WebTV devices, and its effects could have
    ramifications for the emergency phone network.  Reportedly, once an
    attachment is opened using the WebTV set-top box, the virus dials 911.  A
    customer service supervisor at Microsoft confirms that 18 customers have
    called in to report the suspicious WebTV behavior.  WebTVs now go by the
    name MSNTV, but older brands still have the WebTV branding.  According to
    Microsoft, both units are affected.
    
    http://www.techtv.com/news/security/story/0,24195,3392631,00.html
    
      [PGN adds: see also  
    http://www.abcnews.go.com/sections/scitech/TechTV/techtv_911virus020723.html
      ]
    
    ------------------------------
    
    Date: Wed, 24 Jul 2002 15:54:47 -0400
    From: "Rebecca Mercuri" <notableat_private>
    Subject: Explanation of Voter-Verified Ballot Systems
    
    An explanation of the necessity for a
    Voter Verified Physical Audit Trail for Electronic Balloting Systems
    by Rebecca Mercuri, Ph.D.
    Professor of Computer Science at Bryn Mawr College
    Electronic voting info: http://www.notablesoftware.com/evote.html
    Email: mercuriat_private
    Phone: 609/895-1375, 215/327-7105
    
    Many of the new voting products now being purchased in the US are
    self-auditing in that they produce ONLY an internal electronic audit of the
    ballots cast. Some of these machines have been sold with trade secret
    protection such that it is not possible to INDEPENDENTLY examine the
    machines for correct operations (except perhaps under court order, and even
    there the examination may be required to be sealed or not disclosed).
    
    This situation, which is becoming more common as fully-electronic
    (DRE/kiosk) voting systems are introduced, means that the voters as well as
    the poll workers and election officials have NO WAY to verify that their
    ballots are recorded, transmitted and tabulated properly.  Machines have
    failed in actual use and independent recounts have not been provided. (See
    reports in press accounts.)
    
    Some systems re-create a set of ballots, on paper, AFTER the election, which
    is presented for recount purposes.  Since this set of ballots is
    self-generated, errors in the equipment may be reflected in the self-audit,
    with the appearance of being correct.  There is no way to determine whether
    this after-the-fact paper reflects the true contents of the ballots
    cast. Only if the voter has the opportunity to review the paper generated at
    the time of voting, that will be used in the recount, is an independent
    audit possible. In the same way, if the system is used to self-report its
    stored ballots, its true error rate can not be ascertained.
    
    It is essential, therefore, that voters be able to create a physical or
    paper ballot that is deposited at the polling place when their vote is
    cast. This ballot, which can be scanned in or hand-counted since it is
    human-readable, would be used to verify any machine- generated tallies
    produced from electronic (DRE) voting systems.  Only in this way can the
    voters be assured that their ballot will be available for an independent
    recount.
    
    Congress is now in conference on the Voting Rights Act bills H.R. 3295 and
    S. 565.  The Senate bill refers to "audit capacity" and "error rate"
    although the House bill does not mention these specifically.  It is
    imperative that the compromise bill refer to a "physical audit capacity" or
    even more specifically a "voter verified independent physical audit
    capacity" (or audit trail) in order to prevent self-auditing systems from
    continuing to be accepted and used for elections in the United States.
    
    Further explanation follows below:
    
    All Direct Recording Electronic (DRE) voting systems must provide a physical
    audit trail that is reviewed by the voter at the time their ballot is cast.
    (DRE voting systems are those that are constructed as to be self-contained,
    where the voter makes ballot choices that are directly entered onto
    electronic data recording devices.  These would include stand-alone kiosks
    as well as networked machines.)  The physical audit trail could consist of a
    printout that the voter can examine independent of any computerized display.
    If a voter determines, at the time of balloting, that the printout does not
    reflect the votes they just cast on the machine, there must be a procedure
    where the electronic and paper ballot can both be voided and another
    opportunity to vote allowed.  The reviewed and accepted printout would be
    deposited into a ballot box for subsequent optical scanning or hand-counting
    in order to produce the true results for the election.  Totals provided by
    the DRE devices can be used to provide early returns, but the final result
    (in case of dispute) should be determined from the paper ballot set.  The
    voter-verified physical ballots must be those which are used and preserved
    as the permanent audit trail for the election.
    
    Since it is, in principle, impossible to verify that a computational device
    is free from programming errors or nefarious code, no electronic voting
    system can be verified for 100% accuracy, reliability, and integrity.  It is
    also, in principle, impossible for a computational device to provide full
    fail-safe internal verification, hence any ballot audit produced from
    self-stored data could reflect errors or manipulation that occurred between
    the time the voter cast their ballot and the time the ballot was recorded.
    Errors and manipulation of ballots can also occur if data is transmitted
    between devices or over networks.  It is essential, therefore, that each
    voter provide an independent check of their ballot at the time of voting,
    using human-readable media as the manual audit capacity for the voting
    system.
    
    Confidence in the electronic recording devices can be assured only if the
    voters have an independent way of verifying that their ballots were cast and
    submitted for counting (and re-counting) as intended.
    
    ------------------------------
    
    Date: 22 Jul 2002 14:20:03 -0000
    From: Daniel Boyd <boydat_private>
    Subject: Auditing of voting machines
    
    It strikes me that the auditing of the Palm Beach electronic voting machines
    doesn't even reach the level of care applied to Las Vegas slot machines.
    
    Slot machines are governed by a Nevada state agency and are continually
    inspected at random.  The inspectors pull a machine out of service, check
    that the circuit boards are the correct, legally-certified boards that are
    supposed to be in the machine, and read the PROMs.  The state has enough
    access, and knowledge of the design, to verify not only the program that is
    supposed to be running on the hardware, but the hardware itself.
    
    That "proprietary-hardware/trade-secrets" excuse wouldn't get one of those
    Palm Beach machines within ten feet of a casino floor in Nevada.
    
    ------------------------------
    
    Date: Mon, 22 Jul 2002 08:41:48 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Royalty fees may be the death of Internet radio
    
    All kinds of radio stations -- both Web-based and traditional over-the-air
    broadcasting stations -- have to pay copyright royalties to songwriter
    associations, but only the Web stations are required to pay a new
    performer's fee that goes to record companies. At a rate of seven-hundredths
    of a cent per song per listener, the fee is expected to undo the economic
    viability of almost all of the 10,000 Web radio stations now in existence.
    The 200 stations that have already ceased operations include nonprofit
    stations at UCLA, NYU, and other colleges and universities, and people seem
    to be punching different calculators to attack or defend what's going on:
    Congressman Rick Boucher (D, VA) is introducing a bill in support of small
    Webcasters and says its goal is "to make sure that Webcasters who measure
    their revenues in the tends of thousands are not put out of business by a
    copyright payment requirement in the hundreds of thousands."; using a
    different calculator, Hilary Rosen of the Recording Industry Association of
    America (RIAA) says that most college stations won't owe more than $500 a
    year, and adds, "Given our problems with digital piracy on university
    servers, it is almost comical that they have the nerve to complain about
    $500." [*USA Today*, 21 Jul 2002; NewsScan Daily, 20 July 2002]
      http://www.usatoday.com/tech/news/techpolicy/2002-07-21-radio_x.htm
    
    ------------------------------
    
    Date: Tue, 23 Jul 2002 19:14:15 -0400
    From: Monty Solomon <montyat_private>
    Subject: SSH Protocol Weakness Advisory
    
    http://online.securityfocus.com/archive/1/283688
    
    Cuts like a knife, SSHarp
    http://www.phrack.org/show.php?p=59&a=11
    
    SSH for fun and profit
    http://segfault.net/~stealth/ssharp.pdf
    
    ------------------------------
    
    Date: Mon, 22 Jul 2002 11:20:16 -0400
    From: "Danny Lawrence" <Dannyat_private>
    Subject: Uselessness of "Dirty word" filters
    
    As a horse-racing fan, there are a couple of WWW based message boards that I
    post to.  Some of these have "Dirty word" filters, on one of which each
    mention of the horse Dr. Fager (the only horse to win Eclipse "Horse of the
    year" awards in 4 different categories in one year) got rejected by the DW
    filter.  Why, you ask?  It took me a while to figure out but the DW filter
    was treating the the horse's name as "<derogatory term>" + "er"!
    
    Danny Lawrence, Tiassa Technologies Inc., A Lotus Business Partner
    
      [Long ago, horse's names were restricted to something like 13 characters,
      because of technical restrictions on old-style tote-boards.  Perhaps now
      we will next see horse-name restrictions that ban certain undesirable
      substrings.  And perhaps other sports will ban players with offensive
      names -- unless those players are willing to change their names.  PGN]
      
    ------------------------------
    
    Date: Mon, 22 Jul 2002 08:20:36 +0200 (CEST)
    From: Pascal Bourguignon <pjbat_private>
    Subject: E-mail content filtering may kill the medium (Miller, RISKS-22.16)
    
    There's a very little step we can do to very effectively fight this and many
    other problems: just use PGP.
    
    * Just PGP signing an e-mail is enough to ensure that the e-mail content is
      not altered without notice.
    
    * Just PGP encrypting is enough to ensure that the e-mail content cannot be
      filtered.
    
    Pascal_Bourguignon   http://www.informatimago.com/
    
      [PGP SIGNATURE deleted by PGN, as is his custom for RISKS.]
    
    ------------------------------
    
    Date: Mon, 22 Jul 2002 14:58:18 -0400
    From: Max TenEyck Woodbury <mtewat_private>
    Subject: Re: E-mail content filtering may kill the medium (Miller, RISKS-22.16)
    
    Two questions need to be asked about this line of arguments:
    
    1) What and how damage would result if e-mail was never filtered.
    
    2) Do the opponents of this activity suffer some kind of financial loss when
       it it is performed, and who gains, if anyone, when it happens.
    
    As I understand it, the main purposes of the filters is to control the
    amount of unsolicited (usually commercial) bulk e-mail a.k.a. spam. I've
    seen reports that UBE is a significant contributor to network infrastructure
    costs, which accrue to the recipient, not the sender. The filters do seem to
    be having some positive (from the recipients point of view) impact on the
    spam problem.
    
    Some sophistication may be needed when reading the headlines in the original
    posting. For example, is the 'Killer App' being killed personal e-mail, or
    spam? Are the 'affected users' the targeted recipients or the senders of the
    spam? Is that the 'general utility of e-mail' to the public at large or to
    the spamers that is being reduced? Is this the personal communication medium
    called e-mail or an advertising medium called e-mail being discussed?
    
    There is a substantial risk here, but it may not be the obvious one!
    
    ------------------------------
    
    Date: Mon, 22 Jul 2002 13:00:03 -0500
    From: Robert Gezelter <gezelterat_private>
    Subject: Yahoo! *fixes* e-mail as security measure (Re: Solomon, RISKS-22.16)
    
    Note: Written completely based on "Some Serious Word-Scrambling at Yahoo" 
    *The New York Times*, 22 Jul 2002. 
    
    The risks of this kind of re-writing are many, and the potential damage 
    cannot be easily quantified. As the article notes, it can be humorous (when
    rewriting foreign languages such as French) to the more serious, to wit:
    
     - a rewritten message might trigger another filter in an non-obvious way
       (e.g. Carnivore, SPAM) possibly launching an uncalled for investigation
       (a hazard mentioned in my March talk at E-Protectit; abstract and slides
       at http://www.rlgsc.com/presentations/e-protectit/sorcerers.html);
    
     - damage to business relationships (and the resulting legal exposures);
    
     - damage to personal relationships.
     
    There are numerous cases where micro-parsing of statements has caused much
    confusion (a hazard all to familiar to high-level diplomatic translators).
    
    I do not want to prognosticate on issues such as responsibility, but it
    seems that there is a substantial hazard of "friendly fire" damage in such
    cases.
    
    In short, apparently the re-writes were not advertised and disclaimed, so
    who is responsible when damage occurs?
    
    Robert "Bob" Gezelter, 35-20 167th Street, Suite 215, Flushing NY 11358-1731
    +1 (718) 463 1079  http://www.rlgsc.com  gezelterat_private   
    
    ------------------------------
    
    Date: Mon, 22 Jul 2002 10:50:02 -0700
    From: Fred Gilham <gilhamat_private>
    Subject: Re: Crackers -- aka hackers -- providing useful information
    
    Recently, while doing research on how to use the ELF (extensible linker
    format, or executable and linker format, depending on what you read) I
    discovered that the most useful information was put out by the cracker
    community.  I found three papers that gave detailed information on how to
    use ELF features including example code.  In one case, the intent was to
    allow `parasites' to be embedded in a UNIX program; in another the author
    was exploring binary encryption as a means of preventing forensic analysis
    of an attack.  In the third case, the paper described ways to allow a
    parasite to access shared library functions.
    
    I'm not sure what to make of this.  On the one hand, I don't want anyone
    running `parasites' on my computers.  On the other hand, this information
    saved me a lot of digging and experimentation.
    
    Fred Gilham <gilhamat_private>
    
    ------------------------------
    
    Date: Mon, 22 Jul 2002 00:58:07 -0400
    From: Declan McCullagh <declanat_private>
    Subject: Doonesbury, Allen Hutchinson on 802.11 networks and security
    
    This is hardly a new topic, but it's a good reminder. Also see Doonesbury,
    21 Jul 2002 at http://www.doonesbury.com
    -Declan
    
    > Date: Sat, 20 Jul 2002 19:17:30 -0700
    > From: "Allen Hutchison" <allenat_private>
    > Subject: Watch your wireless configs...
    > 
    > Last night I was playing around with the newest version of Lindows. I
    > haven't worked with the OS much to date, because it didn't have support for
    > my Cisco Aironet card. Since the card was the only way laptop can connect to
    > the network I didn't want interrupt that ability. Anyway, yesterday a
    > college of mine told me that Lindows now had support for wireless cards. So,
    > I took the plunge and installed the OS on my laptop.
    > 
    > The first thing I noticed, after the installation completed, was that my
    > wireless card was blinking. I thought that the Lindows install had grabbed
    > the settings for my card before it wiped windows off the machine. So I
    > started trying to download software and access my network resources. Then I
    > noticed that the network seemed really unresponsive. I started looking more
    > closely at the network, and found that Lindows had not grabbed my previous
    > settings, and I was associated with someone else's access point. To be sure
    > I went to the default router address with a www browser, and found that it
    > was a linksys.
    > 
    > Well, I thought, that isn't too strange, I have a linksys on my network too.
    > So I tried to log in, but it wouldn't take my password. So I tried the
    > default password on a linksys router "Admin" and I got in. Then I realized
    > that I wasn't logged into my network at all. I was getting to the net
    > through somebody else's access point somewhere else in the network.
    > 
    > This person had never bothered to do anything to secure his network. Upon
    > further inspection with a sniffer, I found that I could grab all of his
    > traffic off the air in my office. He was using no encryption and no access
    > control. I could browse the shares on his computer, I could see his password
    > flying by. If I only knew where he lived, I could go tell him, and help him
    > set up something more secure. All I know, however, is a general direction
    > from my condo, South.
    > 
    > This goes to show how important it is for vendors to stress security with
    > their wireless products. Information is becoming more and more of a
    > commodity, and the information that describes us is moving around on the
    > Internet every day. When we install new technology, it is the responsibility
    > of a vendor to explain the security consequences. It was obvious in the case
    > of my mysterious neighbor that he hasn't installed any security on his
    > network. It is quite possible he isn't even aware of the security hole he
    > has opened onto his data.
    > 
    > Something to think about.
    > 
    > www.hutchison.org/allen
    > 
    > FROM POLITECH -- Declan McCullagh's politics and technology mailing list
    > You may redistribute this message freely if you include this notice.
    > To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    > This message is archived at http://www.politechbot.com/
    
    ------------------------------
    
    Date: Tue, 23 Jul 2002 19:29:56 -0400
    From: Monty Solomon <montyat_private>
    Subject: Setuid Demystified, Chen/Wagner/Dean
    
    Setuid Demystified
    Hao Chen, Computer Science Department, University of California at Berkeley
    David Wagner, Computer Science Department, University of California at Berkeley
    Drew Dean, Computer Science Laboratory, SRI International
    Proceedings of the 11th USENIX Security Symposium, 5-9 Aug 2002 [see next item]
    
    Abstract
    
    Access control in Unix systems is mainly based on user IDs, yet the system
    calls that modify user IDs (uid-setting system calls), such as setuid, are
    poorly designed, in-sufficiently documented, and widely misunderstood and
    misused. This has caused many security vulnerabilities in application
    programs. We propose to make progress on the setuid mystery through two
    approaches. First, we study kernel sources and compare the semantics of the
    uid-setting system calls in three major Unix systems: Linux, Solaris, and
    FreeBSD. Second, we develop a formal model of user IDs as a Finite State
    Automaton (FSA) and develop new techniques for automatic construction of
    such models.  We use the resulting FSA to uncover pitfalls in the Unix API
    of the uid-setting system calls, to identify differences in the semantics of
    these calls among various Unix systems, to detect inconsistency in the
    han-dling of user IDs within an OS kernel, and to check the proper usage of
    these calls in programs automatically. Finally, we provide general
    guidelines on the proper us-age of the uid-setting system calls, and we
    propose a high-level API that is more comprehensible, usable, and portable
    than the usual Unix API.
    
    http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
    
      [Nifty paper.  PGN]
    
    ------------------------------
    
    Date: Tue, 23 Jul 2002 10:44:48 -0700
    From: Alex Walker <alexat_private>
    Subject: 11th USENIX Security Symposium
    
    There's still time to register for 11th USENIX Security Symposium being held
    5-9 Aug 2002 in San Francisco. Check out http://www.usenix.org/sec02 for
    detailed information and to register.  This year's Symposium features the
    most recent developments in vb and network security.  Keynote speakers
    Whitfield Diffie & Howard Schmidt, free vendor exhibition, the latest
    Research in OS Security, Access control, Hacks/Attacks, Web Security,
    Sandboxing, Deploying Crypto, and much more.
    
    Alex Walker, Production Editor, USENIX Association
    2560 Ninth Street, Suite 215, Berkeley, CA 94710  1-510-528-8649 x33
    
    ------------------------------
    
    Date: Mon, 22 Jul 2002 08:00:12 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Writing Information Security Policies", Scott Barman
    
    BKWRINSP.RVW   20020601
    
    "Writing Information Security Policies", Scott Barman, 2002,
    1-57870-264-X, U$34.99/C$52.95/UK#27.50
    %A   Scott Barman scottat_private www.barman.ws/wisp
    %C   201 W. 103rd Street, Indianapolis, IN   46290
    %D   2002
    %G   1-57870-264-X
    %I   Macmillan Computer Publishing (MCP)/New Riders
    %O   U$34.99/C$52.95/UK#27.50 800-858-7674 317-581-3743 infoat_private
    %P   216 p.
    %T   "Writing Information Security Policies"
    
    Until recently, the classic resource for those charged with writing security
    policies was "Information Security Policies Made Easy" (cf.  BKISPME.RVW).
    Trouble was, that book made it a little bit too easy: the format encouraged
    people to use pieces without modification, and one size, in the security
    field, definitely does not fit all.  This book, however, takes the opposite
    approach.  While still aimed at the non-technical manager responsible for
    producing the policy, it uses minimal examples, concentrating on the process
    of policy formation.
    
    Part one looks at starting the process.  Chapter one defines what policies
    are and why they are important, and outlines the first steps needed to
    proceed.  A good, broad outline of what your company should have in the way
    of a policy comes in chapter two.  Finally, the responsibilities of
    different departments; their activities and roles; are presented in chapter
    three.
    
    Part two covers the main body of security policy development.  Chapter four
    starts out with physical security.  As noted above, readers will have to go
    beyond the example policies given in the text, but these samples do provide
    a reasonable guide for what the final items should look like.
    Authentication and network security is dealt with in chapter five, although
    the telecommunications material is quite limited.  Some of this lack is made
    up in chapter six's review of Internet policy, which goes beyond firewalls
    to examine training, applications, e-commerce, and other areas.  E-mail use
    has a set of special requirements separate from those of the net, and these
    are addressed in chapter seven.  Unfortunately, as with all too many works,
    the review of malware policies, in chapter eight, is weaker than the rest of
    the book.  (Does the example policy to use "all means to prevent the spread
    of computer viruses" mean that you can't use Microsoft products?  And why,
    in this day and age of "fast burner" e-mail viruses, is a signature update
    every thirty days deemed sufficient?)  The limited technical background also
    contributes to the frailty of chapter nine's overview of encryption.  Some
    policies are too broad, while there are missing areas that may need to be
    addressed, depending upon industry and operations.  Chapter ten has very
    solid coverage of application development policies, which are all too often
    neglected in other works.
    
    Part three is concerned with maintaining the policies.  Chapter eleven seems
    slightly off topic, as it deals with acceptable use policies.  However,
    chapter twelve looks at the roles and responsibilities involved in
    compliance and enforcement.  A short precis of the policy review process
    ends the book in chapter thirteen.
    
    While not a panacea, this book is clear, well written, and helpful.  There
    is valuable advice packed into few enough pages that a manager should be
    able to read it on a cross-country plane trip.
    
    copyright Robert M. Slade, 2002   BKWRINSP.RVW   20020601
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.17
    ************************
    



    This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 14:57:42 PDT