[risks] Risks Digest 22.31

From: RISKS List Owner (riskoat_private)
Date: Mon Oct 21 2002 - 16:10:57 PDT


    RISKS-LIST: Risks-Forum Digest  Monday 21 October 2002  Volume 22 : Issue 31
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.31.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    E-ZPass Users in New Jersey Will Get Replacement Devices (Monty Solomon)
    The high risk of low security: element 118 (Wendell Cochran)
    Password complexity -- not just for computers anymore (Seth Arnold)
    GPS: Keeping Cons Out of Jail (Monty Solomon)
    How mobile phones let spies see our every move (Monty Solomon)
    Airline Security (Morten Welinder)
    GAO: Commercial Satellite Security Should Be More Fully Addressed 
      (Monty Solomon)
    UCSD bans WinNT/2K -- will it do any good? (Jeremy Epstein)
    Outlook knows best! (Jim Bauman)
    Microsoft Skins a Knee on the Astroturf (Monty Solomon)
    Bogus Yahoo e-mail picks up credit-card numbers (Tom Van Vleck)
    A new twist to Bugbear (Paul Edwards)
    How we run elections in the UK (Richard Pennington)
    Re: Risks of automatic Windows updates, and HIPAA legality (Chuck Karish,
      Greg Searle, Douglas Siebert)
    Re: Pac*Bell menu (Crispin Cowan)
    Re: Hazards of online translation and plagiarism (Bob Schuchman)
    Re: Weak encryption kills wolves (Phil Smith III)
    Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk (PGN)
    REVIEW: "Hacking Exposed", Stuart McClure/Joel Scambray/George Kurtz
      (Rob Slade)
    REVIEW: "Have You Locked the Castle Gate", Brian Shea (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Wed, 16 Oct 2002 03:39:36 -0400
    From: Monty Solomon <montyat_private>
    Subject: E-ZPass Users in New Jersey Will Get Replacement Devices
    
    New Jersey's E-ZPass windshield transponders are wearing out sooner than
    expected, resulting in hundreds of thousands of mistaken violation notices
    being issued.  Similar problems with the manufacturer, Mark IV Industries,
    have arisen in 14 states (not all of which are E-ZPass customers).  About
    900,000 users out of six million will be getting free replacements.
    [Source: Ronald Smothers, *The New York Times*, 16 Oct 2002, PGN-ed]
      http://www.nytimes.com/2002/10/16/nyregion/16PASS.html
    
      [Head them off at the Pass?  PGN]
    
    ------------------------------
    
    Date: Wed, 16 Oct 2002 11:01:13 -0700
    From: Wendell Cochran <atrypaat_private>
    Subject: The high risk of low security: element 118
    
    Recently a prominent physicist at the Lawrence Berkeley National Laboratory
    was fired, and the reported detection of element 118 was retracted.
    Everyone concerned agrees that essential data in a computer file had been
    faked, forged, or fudged.
    
      [What to name the would-be new element?  
      Phonium?  Phakium?  Phorgium?  Phudgium?  PGN]
    
    The fired physicist denies doing the dirty work.  According to *The New York
    Times*, Science section, 15 Oct 2002: ``He says he is as perplexed as anyone.
    His account on the laboratory computer system was used by everyone in his
    group, he says, and his password was an open secret.''
    
    Sardonic cackling in the deep background may emanate from the ghost of
    Richard P. Feynman, once the resident lockpicker at Los Alamos.
    
    Wendell Cochran, West Seattle
    
    ------------------------------
    
    Date: Sat, 19 Oct 2002 17:15:15 -0700
    From: Seth Arnold <sarnoldat_private>
    Subject: Password complexity -- not just for computers anymore
    
    The outside key-code on my building has five buttons but ten digits -- two
    digits per button. This allows for 10^n different "combinations" as humans
    must remember it, but 5^n different combinations as the door remembers it.
    
    Who thought of this? Hopefully the same person who thought capitalizing all
    passwords before performing comparisons was a good idea -- I'd hate to think
    there are more than a handful of people making mistakes like this.
    
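    As an added example (not from Seth Arnold's post or the digest), the Python below measures how much key space a lossy comparison throws away, for the two-digits-per-button keypad described above and for the case-folded password comparison mentioned alongside it; the keypad layout is a constructed assumption, since the post does not give it.

```python
"""Effective key space after lossy normalization (added example, not from RISKS).

A verifier that normalizes the secret before comparing it (folding two digits
onto one button, upper-casing a password) can only distinguish as many secrets
as the normalization has distinct outputs.  This block counts those outputs by
brute force for short secrets and reports the entropy lost, in bits.
"""
import itertools
import math
import string
from typing import Callable, List

Normalizer = Callable[[str], str]

# Constructed keypad layout (assumption): five buttons, two digits each.
KEYPAD_BUTTONS = {
    "0": "A", "1": "A", "2": "B", "3": "B", "4": "C",
    "5": "C", "6": "D", "7": "D", "8": "E", "9": "E",
}
DIGITS = string.digits
ALNUM = string.ascii_letters + string.digits


def keypad_normalize(code: str) -> str:
    """What the door actually remembers: the button pressed for each digit."""
    return "".join(KEYPAD_BUTTONS[ch] for ch in code)


def casefold_normalize(password: str) -> str:
    """The other mistake in the post: upper-case before comparing."""
    return password.upper()


def image_size(alphabet: str, length: int, normalize: Normalizer) -> int:
    """Number of secrets of the given length the verifier can tell apart.

    Enumerates every alphabet^length input and counts distinct normalized
    forms, so keep length small.  For the keypad this is exactly 5**length;
    for case-folding over letters it is 26**length.
    """
    seen = {normalize("".join(t)) for t in itertools.product(alphabet, repeat=length)}
    return len(seen)


def entropy_loss_bits(alphabet: str, length: int, normalize: Normalizer) -> float:
    """Bits of secret the normalization discards: log2(nominal / effective)."""
    nominal = len(alphabet) ** length
    return math.log2(nominal / image_size(alphabet, length, normalize))


def collisions_for(secret: str, alphabet: str, normalize: Normalizer) -> List[str]:
    """Every input the verifier accepts in place of `secret` (brute force)."""
    target = normalize(secret)
    return [
        "".join(t)
        for t in itertools.product(alphabet, repeat=len(secret))
        if normalize("".join(t)) == target
    ]


if __name__ == "__main__":
    # Four-digit door code: user thinks 10^4, door stores 5^4, 16 codes open it.
    print("door codes distinguishable:", image_size(DIGITS, 4, keypad_normalize))
    print("bits lost by keypad:", entropy_loss_bits(DIGITS, 4, keypad_normalize))
    print("inputs that open '1234':", collisions_for("1234", DIGITS, keypad_normalize))
    # Three-character password over letters+digits, compared after upper-casing.
    print("bits lost by case-folding:", entropy_loss_bits(ALNUM, 3, casefold_normalize))
    print("inputs accepted for 'Ab1':", collisions_for("Ab1", ALNUM, casefold_normalize))
```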
    ------------------------------
    
    Date: Tue, 15 Oct 2002 19:48:51 -0400
    From: Monty Solomon <montyat_private>
    Subject: GPS: Keeping cons out of jail
    
    An electronic tracking system that follows suspects and criminals around
    their neighborhoods and compares the information to current crimes has
    received, of all things, the stamp of approval from the American Civil
    Liberties Union.  The Global Positioning System's satellites track
    probationers and parolees and compare their whereabouts to the location of
    crimes committed in their vicinity.  ...  [Source: Julia Scheeres,
    wired.com, 15 Oct 2002]
      http://www.wired.com/news/privacy/0,1848,55740,00.html
    
    ------------------------------
    
    Date: Tue, 15 Oct 2002 20:18:45 -0400
    From: Monty Solomon <montyat_private>
    Subject: How mobile phones let spies see our every move
    
    Government's secret Celldar project will allow surveillance of anyone, at
    any time and anywhere there is a phone signal
    
    Jason Burke and Peter Warren, 13 Oct 2002, *The Observer*
    
    Secret radar technology research that will allow the biggest-ever extension
    of 'Big Brother'-style surveillance in the UK is being funded by the
    Government.  The radical new system, which has outraged civil liberties
    groups, uses mobile phone masts to allow security authorities to watch
    vehicles and individuals 'in real time' almost anywhere in Britain.  The
    technology 'sees' the shapes made when radio waves emitted by mobile phone
    masts meet an obstruction. Signals bounced back by immobile objects, such as
    walls or trees, are filtered out by the receiver. This allows anything
    moving, such as cars or people, to be tracked. Previously, radar needed
    massive fixed equipment to work and transmissions from mobile phone masts
    were thought too weak to be useful.  ...
      http://www.observer.co.uk/uk_news/story/0,6903,811027,00.html
    
    ------------------------------
    
    Date: 15 Oct 2002 21:04:26 -0000
    From: Morten Welinder <terraat_private>
    Subject: Airline Security
    
    Finally someone in FAA and in the mainstream press [ahem] has gotten a clue
    and figured out how to improve airline security.  If only all these airline
    security articles had anything to do with comp.risks.
    
      Seeking to address "the number-one threat to airline security," the
      Federal Aviation Administration announced Monday that it will consider
      banning passengers on all domestic and international commercial
      flights. [...]
        http://www.theonion.com/onion3838/faa_passenger_ban.html
    
    ------------------------------
    
    Date: Fri, 18 Oct 2002 01:19:56 -0400
    From: Monty Solomon <montyat_private>
    Subject: GAO: Commercial Satellite Security Should Be More Fully Addressed
    
    GAO: Commercial Satellite Security Should Be More Fully Addressed
    http://www.gao.gov/new.items/d02781.pdf
    
    ------------------------------
    
    Date: Thu, 10 Oct 2002 08:06:55 -0400
    From: "Jeremy Epstein" <jepsteinat_private>
    Subject: UCSD bans WinNT/2K -- will it do any good?
    
    Seen in *Security Wire Digest* ... seems to me it's trading the devil you
    know for the devil you ... know.  Is WinXP really any more secure than
    WinNT/2K?  Now if they banned the use of Outlook, that might be a step
    forward...
    
    BTW, students have to pay for a copy of WinXP.  Maybe this is a fundraising
    effort by Microsoft... put out products that are so vulnerable that users
    have to spend more money to buy a less vulnerable version.  "I'm sorry
    ma'am, but the wheels frequently fall off the 1998 model cars.  We have no
    intention of fixing the problem.  Would you like to buy a 2002 model for
    $20,000?  By the way, you'll also need to build a new garage on your house
    to park it in, and a new driver's license, because the old ones aren't
    compatible."
    
    *UNIVERSITY BANS WINDOWS NT/2000
    Citing security reasons, the University of California at Santa Barbara
    (UCSB) has banned the use of Microsoft Windows NT/2000 on its residential
    network, ResNet. In a posting on the ResNet site, UCSB officials blame the
    OSes for "hundreds of major problems on UCSB's residential network during
    the 2001-2 academic year," including exploited vulnerabilities,
    denial-of-service attacks, port scanning, and infections by Code Red and
    Nimda. UCSB recommends that ResNet users switch to Windows XP Home.
    http://www.resnet.ucsb.edu/information/win2k.html
    
    ------------------------------
    
    Date: Wed, 16 Oct 2002 09:42:50 -0500
    From: Jim Bauman <JBauman@safety-kleen.com>
    Subject: Outlook knows best! ... (Re: Kabay, RISKS-22.30)
    
    I showed my boss the piece that M.E. Kabay submitted regarding Lookout, er,
    I mean Outlook, always forcing the primary over the secondary address.
    She's had the same experience using it at home.  At work, we've been happily
    using Lotus Notes for our mail client for many years. In the near future,
    the powers that be will be switching us to Outlook.  I can't wait!
    
    ------------------------------
    
    Date: Tue, 15 Oct 2002 18:03:12 -0400
    From: "Monty Solomon" <montyat_private>
    Subject: Microsoft Skins a Knee on the Astroturf
    
    A grass-roots campaign orchestrated by a PR department is commonly called
    "astroturf." What shall we call Microsoft's embarrassing sally at Apple's
    successful "Switchers" campaign?  Let's consider "paid testimonial."  ...
    
    No one expects Apple's ads to swing much market share, but perhaps Microsoft
    was feeling their sting.  On Monday the company posted a Web page,
    "Confessions of a Mac to PC convert," supposedly written by a young woman
    who had switched from Apple to Windows XP. Her name was not given.  Her
    picture, as Slashdot posters quickly discovered, was a stock image available
    for purchase from Getty's Photodisc.  (Why the agency did not use an image
    from the competing Corbis service, owned by Bill Gates, is another mystery.)
    
      http://newsletter.mediaunspun.com/index000021694.cfm#a100869
    
    ------------------------------
    
    Date: Fri, 18 Oct 2002 12:18:01 -0400
    From: Tom Van Vleck <thvvat_private>
    Subject: Bogus Yahoo e-mail picks up credit-card numbers
    
    Yahoo Inc. said on 17 Oct 2002 that some of its customers had been tricked
    into giving their credit-card numbers to an unaffiliated third party that
    had posed as Yahoo in a mass e-mail.  [Source: Reuters, Yahoo, 17 Oct 2002]
    
      http://story.news.yahoo.com/news?tmpl=story&ncid=582&e=2&cid=582&u=/nm/20021018/wr_nm/tech_yahoo_fraud_dc
    
    ------------------------------
    
    Date: Wed, 16 Oct 2002 10:15:40 +1000
    From: Paul Edwards <pauleat_private>
    Subject: A new twist to Bugbear
    
    I have just received a Bugbear-initiated e-mail message. What made this one
    different was that the body of the message contained a fragment of another
    e-mail message that stated a username and password for an Australian event
    ticket seller's e-commerce site. I set up an account on said site to see how
    it worked; it appears to automatically recall credit-card details upon
    login, as well as showing the usual personal details (address, phone number,
    email address, etc). There's not even an address to give the Web folks
    feedback.
    
    RISKS? At least three, as I make it:
    
    * Sending the two authorizing IDs in the one message
    * Sending them cleartext
    * Not requiring manual entry of credit-card details per transaction
    
    Paul Edwards, Research Support Officer, Advanced Research Computing
    The University of Melbourne  3010  AUSTRALIA  t: +61 3 8344 8884
    
      [Note added 18 Oct 2002: 
    
        Just to follow up to my original posting, I finally managed to speak to
        someone by phone about the problem. They now appear to have removed the
        automatic link to credit-card details, and some (although not all) of
        the personal details.  PE]  
    
    ------------------------------
    
    Date: Sat, 19 Oct 2002 16:43:55 +0000
    From: Richard Pennington <richardhelen.penningtonat_private>
    Subject: How we run elections in the UK
    
    I have been following, with a mixture of amusement and alarm, the
    correspondence about elections ever since Florida.
    
    In the UK, we have a separate ballot paper for each issue at stake (perhaps
    we're not as democratic as the USA - there is usually just one at a time),
    and we use a manual count.  The counters are usually "volunteered" from the
    class of people most likely to be able to count large numbers of pieces of
    paper quickly and accurately - bank cashiers.
    
    The count proceeds in two stages: separating the votes between the various
    candidates, and then counting the individual piles, grouping them by elastic
    band into packets of 500 or 100.  Dubious cases are taken out and argued
    over separately. The counts are scrutinised by representatives of the
    various political parties and others involved.  A partial recount can be
    done very quickly by counting the number of packets in each candidate's pile
    (e.g. a winning count of 25,000 votes is counted by counting the 50 packets
    of 500 votes each), while a full recount involves recounting the number of
    votes in each packet (not a very long job, but necessary only if the result
    is close).  Any candidate can claim a recount, either if there is doubt
    about who has won, or if there is doubt about whether a candidate has
    obtained enough votes to keep his deposit.
    
    Every general election, there is an informal competition between the various
    constituencies to see which can declare their result first (the declaration
    including a statement of the numbers of votes for each candidate, hence
    requiring a complete count).  With an electorate averaging about 80,000 per
    constituency, the time to first declaration is usually just over one hour
    after the ballot closes.
    
    At a general election, the result is usually clear enough for the loser at
    national level to concede victory before the following dawn, and the removal
    trucks (should they be required) move into Downing Street the day after the
    election (in the UK, the result is, usually, effective immediately).
    
    The system is low-tech, but quick, reasonably efficient, recountable, and
    verifiable.
    
    However, there are moves afoot to introduce electronic voting in the UK, and
    it was reported last week that Dr. Rebecca Mercuri visited the UK last week
    to voice her concerns about some of the proposed voting methods.  I
    sincerely hope that the UK authorities will respect her knowledge and listen
    to her concerns.
    
    Dr. Richard Pennington, Camberley, Surrey, UK 
    
    ------------------------------
    
    Date: Sun, 13 Oct 2002 09:48:49 -0700
    From: Chuck Karish <karishat_private>
    Subject: Re: Risks of automatic Windows updates, and HIPAA legality (R-22.29)
    
    Is Microsoft's End User License Agreement for Windows 2000 Service
    Pack 3 insidious or just sloppily worded?  It's possible to read it
    as being meant primarily to ask for permission to execute certain
    tasks that the user is about to initiate: the tasks that constitute
    the OS upgrade.  There's a big problem, though, in that the EULA
    doesn't spell out that the permission being asked for is limited to
    an immediate response to a specific user request.
    
    * If you choose to utilize the update features within the OS Product or OS
      Components, it is necessary to use certain computer system, hardware, and
      software information to implement the features.  By using these features,
      you explicitly authorize Microsoft or its designated agent to access and
      utilize the necessary information for updating purposes.  Microsoft may
      use this information solely to improve our products or to provide
      customized services or technologies to you.  Microsoft may disclose this
      information to others, but not in a form that personally identifies you.
    
    * The OS Product or OS Components contain components that enable and
      facilitate the use of certain Internet-based services.  You acknowledge
      and agree that Microsoft may automatically check the version of the OS
      Product and/or its components that you are utilizing and may provide
      upgrades or fixes to the OS Product that will be automatically downloaded
      to your computer.
    
    ------------------------------
    
    Date: Wed, 09 Oct 2002 17:03:38 -0400
    From: Greg Searle
    Subject: Re: Risks of automatic Windows updates, and HIPAA legality (R-22.29)
    
    One solution is simply to turn the automatic update off.  I have had a
    Windows 2000 system that periodically and mysteriously rebooted itself in
    the middle of the night.  Turning this automatic update "feature" off solved
    the problem.
    
    [greg_searle(at)hotmail(dot)com]
    
    ------------------------------
    
    Date: Wed, 9 Oct 2002 20:34:53 +0000 (UTC)
    From: Douglas Siebert <dsiebertat_private>
    Subject: Re: Risks of automatic Windows updates, and HIPAA legality (R-22.29)
    
    Well, it does say "recording electrodes", which sounds to me like there's no
    output voltage.  Unless there's a need to send a small voltage pulse out to
    cause a response for certain things being recorded, of course.
    
    However, if it did control voltages, and those voltages had a range high
    enough to cause damage to the patient, you are correct there's a big risk
    here.  Whether that's from MS having an OS that might update itself during
    surgery, or a hospital dumb enough to put something that could be harmful to
    the patient on the Internet where MS updates are only one of a number of bad
    things that can happen to it, I'm not sure.
    
    ------------------------------
    
    Date: Tue, 15 Oct 2002 20:40:19 -0700
    From: Crispin Cowan <crispinat_private>
    Subject: Re: Pac*Bell menu (Stringer-Calvert, RISKS-22.30)
    
    Seems perfectly sane to me, if you allow for modular composition.
    
    Consider software functions. You make them general, so that they can be
    called from multiple contexts. From some contexts, some parameter arguments
    will never occur.
    
    Now consider that the phone menus are functions ....
    
    Given the sad state of software engineering, and the generally accepted view
    that modularity is good for software quality, I'm not particularly troubled
    that the phone people didn't bother to special-case this.
    
    Crispin Cowan, Chief Scientist, WireX       http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    
    ------------------------------
    
    Date: Tue, 15 Oct 2002 16:25:53 -0700
    From: Bob Schuchman <schuchmanrat_private>
    Subject: Re: Hazards of online translation and plagiarism (Mannes, RISKS-22.30)
    
    Anyone who called this story the result of an online translation and
    plagiarism problem hasn't read the facts at
    http://www.pinoylife.com/article.php?sid=88 . An inexperienced student
    journalist didn't realize that pinoylife.com is an "insider"
    Filipino-American site with its tongue in its cheek. She might not even
    know what the tongue in the cheek meant. How she found the site is anybody's
    guess, but don't they have a proofreader or at least an editor at the 
    *Daily Evergreen*?
    
    What about the risk of telling a story without presenting all the facts and
    giving it a loaded title?
    
    ------------------------------
    
    Date: Sun, 20 Oct 2002 23:13:53 -0400
    From: "Phil Smith III" <phs3at_private>
    Subject: Re: Weak encryption kills wolves (Fredriksson, RISKS-22.29)
    
    One solution to the hunters using the wolf-tracking devices for hunting
    would be to deploy a large number of bogus trackers (assuming they're
    inexpensive enough).  Perhaps a number of sheep could be equipped and
    deployed for this purpose, with the added benefit of providing food to help
    the struggling wolf population.  They would, of course, also be sheep in
    wolves' clothing, so to speak...
    
    ...phsiii (smiling, um, sheepishly)     [Watch out for ewe turns.  PGN]
    
    ------------------------------
    
    Date: Mon, 21 Oct 2002 13:45:14 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk
    
    I finally caught up with a fascinating analysis of the history of risk
    management over the previous millennium.  Although the book is somewhat
    slanted toward the financial world, it nevertheless has an incisive and yet
    broadly quasi-mathematical thoughtful perspective on risk management, and
    could be of interest to you.  However, you might browse before you buy.  It
    is not a typical page-turner, and is probably better digested slowly.
    
      Peter L. Bernstein
      Against the Gods: The Remarkable Story of Risk
      John Wiley & Sons, New York
      1996
      ISBN 0-471-29563-9
    
    The inside cover has this sentence:
    
      This book chronicles the remarkable intellectual adventure that liberated
      humanity from oracles and soothsayers by means of the powerful tools of
      risk management that are available to us today.
    
    [Thanks to David Huestis for lending me this book.]
    
    ------------------------------
    
    Date: Thu, 10 Oct 2002 10:19:31 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Hacking Exposed", Stuart McClure/Joel Scambray/George Kurtz
    
    BKHCKEXP.RVW   20020911
    
    "Hacking Exposed", Stuart McClure/Joel Scambray/George Kurtz, 2001,
    0-07-219381-6, U$49.99
    %A   Stuart McClure stuartat_private
    %A   Joel Scambray joelat_private
    %A   George Kurtz georgeat_private
    %C   300 Water Street, Whitby, Ontario   L1N 9B6
    %D   2001
    %G   0-07-219381-6
    %I   McGraw-Hill Ryerson/Osborne
    %O   U$49.99 905-430-5000 fax: 905-430-5020
    %P   729 p. + CD-ROM
    %T   "Hacking Exposed: Network Security Secrets and Solutions, 3rd Ed"
    
    Yes, I know that this book has the most sales for any security work,
    ever.  And, for the life of me, I still can't figure out why.
    
    Part one looks at gathering data for an attack.  Chapter one discusses
    company information that is generally available.  However, while it
    may alert some to the fact that a lot of information can be obtained
    about them, most of the material deals with facts that you either want
    to make available, or that you must make available.  Some suggested
    countermeasures are useful, while others strain the topic, such as the
    protection against domain hijacking.  Scanning for weaknesses and
    loopholes, mostly with individual tools, in this edition, is the topic
    of chapter two.  Enumeration, or finding weak user accounts and
    unprotected system resources (mostly on Windows 2000) is covered in
    chapter three.
    
    Part two looks at details of specific systems.  Chapter four touches
    on Windows 9x.  NT gets a fair amount of detail in chapter five, but
    such vital and standard topics as disabling the Administrator account
    and setting up auditing are barely mentioned.  Windows 2000 now has
    its own chapter: six.  Some common NetWare attacks are listed in
    chapter seven.  UNIX has the most extensive coverage, in chapter
    eight, but it is hardly comprehensive.
    
    Part three deals with network weaknesses.  Most of chapter nine
    discusses war-dialling and dial-up, but there is a brief mention of
    Virtual Private Networks (VPN).  Some device weaknesses (vendor
    specific bugs, that is) are listed in chapter ten.  (There is also a
    very brief mention of wardriving and detecting wireless networks.) 
    Firewalls, in chapter eleven, are primarily addressed in terms of
    scanning to (for identification) or through.  Chapter twelve describes
    a few denial of service attacks.  (Something has been lost in the
    update: a discussion of IP fragmentation attacks refers to "earlier"
    material on teardrop that no longer appears in the book.)
    
    Part four looks at software.  Chapter thirteen deals with remote
    access software in fair detail.  Hijacking and backdoors are discussed
    in chapter fourteen.  Miscellaneous Web site bugs are reviewed in
    chapter fifteen.  Chapter sixteen is a confusing amalgam of ActiveX
    design flaws, Internet Explorer implementation bugs, and random
    discussions of malware.
    
    The original preface (which no longer appears in the work) stated that the
    book was intended for system administrators, but it did, and still does,
    read more like a cookbook for security breaking.  The authors defend
    themselves against this charge in advance, and certainly "keep quiet" versus
    "let it all hang out" is a constant debate in security circles.  However,
    the attack descriptions are far more detailed than the countermeasures
    sections, and many attacks are presented without any specific protections
    being mentioned.  There are a number of points in the book that can be
    helpful in identifying specific security weaknesses.  However, the book
    can't be comprehensive in that regard, and what it fails to do is give an
    overall concept of, or framework for, security on an ongoing basis.  The
    examples given are frightening and stimulating, but the authors present them
    as the entire picture.  In fact, even the picture as presented is not
    entire.  A number of descriptions given in the book either do not mention,
    or gloss over, the fact that, for example, sniffers must be placed on a
    local, promiscuous, network, and session hijacking requires that the
    attackers somehow get "between" two systems.
    
    On the other hand, the book is quite readable and can give you some tips.
    And, I wouldn't mind seeing a few sysadmins a little more scared than they
    are at the moment.  As long as they don't think that this is *all* you need
    to do.
    
    copyright Robert M. Slade, 2000, 2002   BKHCKEXP.RVW   20020911
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Mon, 21 Oct 2002 08:17:56 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Have You Locked the Castle Gate", Brian Shea
    
    BKHYLTCG.RVW   20020825
    
    "Have You Locked the Castle Gate", Brian Shea, 2002, 0-201-71955-X,
    U$19.99/C$31.99
    %A   Brian Shea
    %C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
    %D   2002
    %G   0-201-71955-X
    %I   Addison-Wesley Publishing Co.
    %O   U$19.99/C$31.99 416-447-5101 fax: 416-443-0948
    %P   193 p.
    %T   "Have You Locked the Castle Gate: Home and Small Business
          Security"
    
    Chapter one is entitled "Assessing Risk."  It deals with the basic concepts,
    but in a somewhat confused manner, and sometimes stresses or sensationalizes
    minor points.  A grab bag of security concepts drifts into Windows specifics
    in chapter two.  The author has said that he will be concentrating on
    Windows, since it is the most widely used system for home computers, but the
    material tells only *how* to, for example, set up groups, and not what
    groups are used for in terms of security.  Chapter three is more of the
    same: more miscellany, and more Windows.  The discussion of servers, in
    chapter four, is almost entirely devoted to Windows, and is weak on security
    concepts and technologies such as firewalls.  There is a set of vague ideas
    about the Internet in chapter five.  Chapter six, on email security, has
    some good suggestions, but a number of gaps.  Web security is a questionable
    checklist of browser settings, almost entirely for Internet Explorer, in
    chapter seven.  "Defending Against Hackers," in chapter eight, sounds like
    it should be important, but it is hard to find any point.  Chapter nine, on
    viruses, starts with a surprisingly good set of definitions (recognizably
    from "Robert Slade's Guide to Computer Viruses") but quickly deteriorates
    into errors (the Internet Worm was *not* an accident), and poor suggestions
    (it does not make an awful lot of sense to talk about "boot disks" for
    scanning Windows systems without getting into a lot of detail).
    
    I am all in favour of having a relatively simple and straightforward guide
    to security for home and small business users.  But Jeff Crume already did
    "Inside Internet Security" (cf. BKININSC.RVW), and did a much better job.
    
    copyright Robert M. Slade, 2002   BKHYLTCG.RVW   20020825
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.31
    ************************
    



    This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 17:02:40 PDT